From netramet-owner Thu Nov 5 05:09:27 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id FAA00597
    for netramet-outgoing; Thu, 5 Nov 1998 05:02:42 +1300 (NZDT)
Received: from oscar.broadcom.ie (oscar.broadcom.ie [192.107.110.20])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id FAA00589
    for <[email protected]>; Thu, 5 Nov 1998 05:02:35 +1300 (NZDT)
Received: from broadcom.ie (pc93.broadcom.ie [192.107.110.193])
    by oscar.broadcom.ie (8.8.8/8.8.8) with ESMTP id PAA18504
    for <[email protected]>; Wed, 4 Nov 1998 15:58:41 GMT
Message-ID: <[email protected]>
Date: Wed, 04 Nov 1998 15:54:19 +0000
From: Denys Miranda <[email protected]>
Organization: Broadcom Eireann Research Ltd.
X-Mailer: Mozilla 4.5b2 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: TOS discrimination.
X-Priority: 1 (Highest)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

Hi all,
Is there any way to get NeTraMet to identify flows based on the
Type Of Service (TOS) bit in the IP header?
i.e.: right now, the criteria for assigning a packet to a flow is
the source/dest address pair, or port number etc. In my case, I
would like to assign packets to a flow based on the value of the
TOS.
In case this has not been implemented in NeTraMet is there any
way to work this out?
Thanks in advance.
Denys.
--
Denys Miranda.
Broadcom Eireann Research Ltd.
Kestrel House, Clanwilliam Place. Dublin 2, IRELAND
Tel:+353-1-6046000 Fax:+353-1-6761532
mailto:[email protected] http://www.broadcom.ie
From netramet-owner Sat Nov 7 12:20:01 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id MAA16461
    for netramet-outgoing; Sat, 7 Nov 1998 12:04:36 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (jane.tcc-comp.com.au [203.36.225.253])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id MAA16455
    for <[email protected]>; Sat, 7 Nov 1998 12:04:33 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (bsd.tcc-comp.com.au [203.36.225.1])
    by bsd.tcc-comp.com.au (8.9.1/8.9.1) with SMTP id KAA04783
    for <[email protected]>; Sat, 7 Nov 1998 10:17:08 +1100 (EST)
Date: Sat, 7 Nov 1998 10:17:08 +1100 (EST)
From: Stephen Walsh <[email protected]>
To: [email protected]
Subject: Compiling NeTraMet 4.2 on FreeBSD 2.2.6-Release (fwd)
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

I've just downloaded netramet 4.2, read the install info. Done the steps
to compile the program, but I keep on getting this error.
../src/manager/x_nm_rc.c:44: Xm/Xm.h: No such file or directory
In file included from ../src/snmplib/ausnmp.h:94
from ../src/manager/x_nm_tc.c:48
*** Error code 1
Stop.
what is Xm.h used for? From its file name I take it it's an Xwindows
program? Xwindows isn't installed on this machine, and won't be in the
future (it's a Pentium 100 with 16mb of ram).
I also tried to compile netramet on my Redhat 5.1 linux machine, that does
have Xwindows. It generated the same error and exits with an Error code 1
as well.
===
Stephen Walsh - TCC Computers
http://www.tcc-comp.com.au
Ph: +61-3-53334699
Mobile: +61-17-849641
From netramet-owner Sat Nov 7 13:26:08 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id NAA20350
    for netramet-outgoing; Sat, 7 Nov 1998 13:25:33 +1300 (NZDT)
Received: from mimosa.noc.empnet.com (IDENT:[email protected] [12.7.96.6])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id NAA20345
    for <[email protected]>; Sat, 7 Nov 1998 13:25:30 +1300 (NZDT)
Received: from localhost (chris@localhost)
    by mimosa.noc.empnet.com (8.9.1a/EmpireNet) with ESMTP id QAA10733;
    Fri, 6 Nov 1998 16:25:38 -0800 (PST)
X-Authentication-Warning: mimosa.noc.empnet.com: chris owned process doing -bs
Date: Fri, 6 Nov 1998 16:25:38 -0800 (PST)
From: Chris Cappuccio <[email protected]>
X-Sender: [email protected]
To: Stephen Walsh <[email protected]>
cc: [email protected]
Subject: Re: Compiling NeTraMet 4.2 on FreeBSD 2.2.6-Release (fwd)
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Xm is for Motif. You can't use it if you don't have motif....Except, there
is a free Motif clone called Lesstif http://www.lesstif.org/ which you can
try...
On Sat, 7 Nov 1998, Stephen Walsh wrote:
|
| I've just downloaded netramet 4.2, read the install info. Done the steps
| to compile the program, but I keep on getting this error.
|
|
| ../src/manager/x_nm_rc.c:44: Xm/Xm.h: No such file or directory
| In file included from ../src/snmplib/ausnmp.h:94
| from ../src/manager/x_nm_tc.c:48
| *** Error code 1
|
| Stop.
|
|
| what is Xm.h used for? From its file name I take it it's an Xwindows
| program? Xwindows isn't installed on this machine, and won't be in the
| future (it's a Pentium 100 with 16mb of ram).
|
| I also tried to compile netramet on my Redhat 5.1 linux machine, that does
| have Xwindows. It generated the same error and exits with an Error code 1
| as well.
|
|
|
|
| ===
| Stephen Walsh - TCC Computers
| http://www.tcc-comp.com.au
| Ph: +61-3-53334699
| Mobile: +61-17-849641
|
|
|
|
--
Regard everything I say with suspicion; Regard every one of your own thoughts
with suspicion. For everything I think and everything you think could be a
blatant attempt to corrupt the scheme of things.
From netramet-owner Sat Nov 7 15:53:06 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id PAA25953
    for netramet-outgoing; Sat, 7 Nov 1998 15:52:34 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (jane.tcc-comp.com.au [203.36.225.253])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id PAA25944
    for <[email protected]>; Sat, 7 Nov 1998 15:52:30 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (bsd.tcc-comp.com.au [203.36.225.1])
    by bsd.tcc-comp.com.au (8.9.1/8.9.1) with SMTP id OAA06568;
    Sat, 7 Nov 1998 14:04:37 +1100 (EST)
Date: Sat, 7 Nov 1998 14:04:36 +1100 (EST)
From: Stephen Walsh <[email protected]>
To: Chris Cappuccio <[email protected]>
cc: [email protected]
Subject: Re: Compiling NeTraMet 4.2 on FreeBSD 2.2.6-Release (fwd)
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Do I have to install this or can I just pinch the file(s) that NeTraMet
wants?
On Fri, 6 Nov 1998, Chris Cappuccio wrote:
> Xm is for Motif. You can't use it if you don't have motif....Except, there
> is a free Motif clone called Lesstif http://www.lesstif.org/ which you can
> try...
>
> | I've just downloaded netramet 4.2, read the install info. Done the steps
> | to compile the program, but I keep on getting this error.
> |
> | ../src/manager/x_nm_rc.c:44: Xm/Xm.h: No such file or directory
> | In file included from ../src/snmplib/ausnmp.h:94
> | from ../src/manager/x_nm_tc.c:48
> | *** Error code 1
> |
> | Stop.
===
Stephen Walsh - TCC Computers
http://www.tcc-comp.com.au
Ph: +61-3-53334699
Mobile: +61-17-849641
From netramet-owner Mon Nov 9 09:32:35 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id JAA08214
    for netramet-outgoing; Mon, 9 Nov 1998 09:18:24 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id JAA08207
    for <netramet@auckland>; Mon, 9 Nov 1998 09:18:20 +1300 (NZDT)
From: Nevil Brownlee <[email protected]>
To: [email protected]
Subject: Re: Compiling NeTraMet 4.2 on FreeBSD 2.2.6-Release
Message-ID: <[email protected]>
Date: Mon, 9 Nov 1998 09:29:00 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk

--- Begin Forwarded Message ---
Sender: [email protected]
To: Stephen Walsh <[email protected]>
Cc: [email protected]
Subject: Re: Compiling NeTraMet 4.2 on FreeBSD 2.2.6-Release (fwd)
References: <[email protected]>
X-Dog: Basset
X-Car: MGB Mark II
X-Attribution: NPG
Organization: BT Labs (http://www.labs.bt.com)
From: Nicolai Guba <[email protected]>
In-Reply-To: Stephen Walsh's message of "Sat, 7 Nov 1998 10:17:08 +1100 (EST)"
Date: 08 Nov 1998 10:05:46 +0000
Message-ID: <[email protected]>
Lines: 39
X-Mailer: Gnus v5.6.44/Emacs 20.3

>>>>> "Stephen" == Stephen Walsh <[email protected]> writes:
Stephen> I've just downloaded netramet 4.2, read the install info. Done the steps
Stephen> to compile the program, but I keep on getting this error.
Stephen> ../src/manager/x_nm_rc.c:44: Xm/Xm.h: No such file or directory
Stephen> In file included from ../src/snmplib/ausnmp.h:94
Stephen> from ../src/manager/x_nm_tc.c:48
Stephen> *** Error code 1
Stephen> Stop.
Yep. Been there :)
Stephen> what is Xm.h used for? From its file name I take it it's an Xwindows
Stephen> program? Xwindows isn't installed on this machine, and won't be in the
Stephen> future (it's a Pentium 100 with 16mb of ram).
Motif. Nifty wants Motif.
Stephen> I also tried to compile netramet on my Redhat 5.1 linux machine,
Stephen> that does have Xwindows. It generated the same error and exits
Stephen> with an Error code 1 as well.
It's a slight oversight in the autoconf (./configure) process. I've modified
the configure script not attempting to build nifty when Motif is not
installed. You don't need nifty in order to start metering with NeTraMet
(although nifty is a very handy tool). Nevil should have received the file
with the changes by now. Guess he'll put it in the beta-versions directory
should he decide to take my improvements on board ;)
I have lesstif installed on my Debian box. No problems with nifty and
lesstif. Compiles and runs fine.
Happy Hacking!
--
Nicolai P Guba
BT Labs GNU
[email protected] [email protected]
--- End Forwarded Message ---
From netramet-owner Mon Nov 9 09:42:36 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id JAA11375
    for netramet-outgoing; Mon, 9 Nov 1998 09:37:52 +1300 (NZDT)
Received: from mako.netlink.co.nz (mako.netlink.co.nz [202.20.93.10])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id JAA11361
    for <[email protected]>; Mon, 9 Nov 1998 09:37:48 +1300 (NZDT)
Received: from angel.office.netlink.net.nz (angel.office.netlink.net.nz [203.97.244.128]) by mako.netlink.co.nz (8.8.6/8.8.6)
    with ESMTP id JAA20923; Mon, 9 Nov 1998 09:37:44 +1300 (NZDT)
Received: from lemon.office.netlink.net.nz ([203.97.244.37]) by angel.office.netlink.net.nz with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2232.9)
    id VWR87KYS; Mon, 9 Nov 1998 09:33:09 +1300
Date: Mon, 9 Nov 1998 09:37:43 +1300 (NZDT)
From: Daniel Ayers <[email protected]>
To: Stephen Walsh <[email protected]>
cc: [email protected]
Subject: Re: Compiling NeTraMet 4.2 on FreeBSD 2.2.6-Release (fwd)
In-Reply-To: <[email protected]>
Message-ID: <Pine.GSO.4.00.9811090935490.1460-100000@lemon.office.netlink.net.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

> ../src/manager/x_nm_rc.c:44: Xm/Xm.h: No such file or directory
> In file included from ../src/snmplib/ausnmp.h:94
> from ../src/manager/x_nm_tc.c:48
> *** Error code 1
>
> Stop.
I had the same problem compiling 4.2, 4.21 and 4.3b1 on FreeBSD 2.2.6.
The error occurs while attempting to compile nifty, which I didn't need so
I just commented out the nifty target in the makefile in the src/manager/
directory.
Daniel.
------------------------------------------------------------------------------
Daniel Ayers, B.Sc (Hons), M.Sc        Email: [email protected]
Network Security Specialist            DDI Phone: +64-4-916-5622
Netlink                                Fax: +64-4-916-5300
23 Waring Taylor St, PO Box 5358       Mobile: +64-21-387-334
Wellington, New Zealand                URL: http://www.netlink.co.nz
From netramet-owner Wed Nov 11 11:55:38 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id LAA27513
    for netramet-outgoing; Wed, 11 Nov 1998 11:48:48 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (jane.tcc-comp.com.au [203.36.225.253])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id LAA27508
    for <[email protected]>; Wed, 11 Nov 1998 11:48:45 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (bsd.tcc-comp.com.au [203.36.225.1])
    by bsd.tcc-comp.com.au (8.9.1/8.9.1) with SMTP id KAA23946
    for <[email protected]>; Wed, 11 Nov 1998 10:01:58 +1100 (EST)
Date: Wed, 11 Nov 1998 10:01:58 +1100 (EST)
From: Stephen Walsh <[email protected]>
To: [email protected]
Subject: Compiling NeTramet
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

Ok, I've not compiled netramet after commenting out the nifty lines in the
make file, as a poster to the list suggested.
I've now got the executable files on my system, and it's now just a matter
of working out how to do a config file etc...
Can anyone give me some pointers?
Our ip range is a full 256 ip's, subnetted down into four subnets at the
moment (not all ip's are assigned [most used are in the lower block,
except for our router]). We will shortly have a number of 24hour/7days
connected clients connecting to us. Most of them are single ip's, one is a
subnet (they are yet to work out how many ip's they will require). All of
our clients that have perm. connections will be volume charged...
Btw: does anyone have the current documentation in text format (I generally
hate pdf formatted docs), but will read the pdf ones if there is no
straight text ones.
===
Stephen Walsh - TCC Computers
http://www.tcc-comp.com.au
Ph: +61-3-53334699
Mobile: +61-17-849641
From netramet-owner Sat Nov 14 04:07:05 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id EAA04653
    for netramet-outgoing; Sat, 14 Nov 1998 04:01:28 +1300 (NZDT)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id DAA04354
    for <[email protected]>; Sat, 14 Nov 1998 03:56:11 +1300 (NZDT)
Received: from nosc.ja.net by nosc.ja.net with Internet SMTP
    id <[email protected]>; Fri, 13 Nov 1998 14:55:44 +0000
To: [email protected]
From: Kevin Hoadley <[email protected]>
Subject: Problems running NeTraMet 4.21 on FreeBSD
Date: Fri, 13 Nov 1998 14:55:43 +0000
Message-ID: <[email protected]>
Sender: [email protected]
Precedence: bulk

I seem to recall various messages about problems compiling v4.21 on
FreeBSD, but has anyone actually had any success running it once compiled ?
Two problems:
- NeMaC dumps core. Problem appears to be in nmc_pars.c:init_symbol_table

    for (j = 0; j != SZ_ATTRIBS; ++j) {
        add_symbol(attribs[j].name, TOK_ATTRIB, attribs[j].index);
        symbol_table[st_index].size = attribs[j].len;
    }

When I compile it I get SZ_ATTRIBS == 71, unfortunately there doesn't
appear to be that many entries in the attribs[] array. Thus we run past
the end and end up calling add_symbol with various null pointers, at
which point everything blows up with a segmentation violation ...
Looking in nmc.h where SZ_ATTRIBS is set, it adds 6 for:
"6: 'detail' is a synonym for 'trans' in old attribs"
Taking this out seems to stop the segmentation errors, but:
- NeMaC is successfully loading a ruleset into the meter (also a FreeBSD
box running NetFlowMet), and the memory and CPU usage on the meter seems
to increase in a way that suggests the meter is running. However the
manager only ever records timestamps and #end records, with no real data.
This is regardless of rulesets (I've tried various, including the simple
samples that come with NeTraMet).
Anyone else had any better luck (or indeed have a 4.21 binary that works ?)
Kevin Hoadley, JANET.
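
The overrun described in the message above, reduced to an added C example that is not NeTraMet source: the loop bound is taken from the table itself instead of a hand-maintained count, and add_symbol rejects a null name or a full table. Only the identifiers attribs, add_symbol, symbol_table, st_index, TOK_ATTRIB and SZ_ATTRIBS come from the post; the struct layouts, the four table entries, the TOK_ATTRIB value, SZ_SYMBOLS and SZ_ATTRIBS_STALE are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
#define TOK_ATTRIB   1     /* placeholder token value (assumption) */
#define SZ_SYMBOLS   32    /* hypothetical symbol table capacity */

struct attrib { const char *name; int index; int len; };
struct symbol { const char *name; int token; int value; int size; };

/* Constructed sample table: four entries only. */
static const struct attrib attribs[] = {
    { "sourcepeeraddress",  1, 4 },
    { "destpeeraddress",    2, 4 },
    { "sourcetransaddress", 3, 2 },
    { "desttransaddress",   4, 2 },
};

/* The failure mode from the post: a hand-written count that adds 6 for
 * synonyms which have no entries of their own in attribs[]. */
#define SZ_ATTRIBS_STALE (4 + 6)

static struct symbol symbol_table[SZ_SYMBOLS];
static size_t st_index;    /* number of symbols stored so far */

/* Fail the build if the table could ever outgrow the symbol table. */
_Static_assert(ARRAY_LEN(attribs) <= SZ_SYMBOLS, "symbol_table too small");

/* Returns the slot used, or -1 for a null name or a full table. */
int add_symbol(const char *name, int token, int value)
{
    if (name == NULL || st_index >= SZ_SYMBOLS)
        return -1;
    symbol_table[st_index].name = name;
    symbol_table[st_index].token = token;
    symbol_table[st_index].value = value;
    return (int)st_index++;
}

/* Returns the number of symbols loaded, or -1 if any entry was rejected. */
int init_symbol_table(void)
{
    st_index = 0;
    for (size_t j = 0; j != ARRAY_LEN(attribs); ++j) {  /* bound is the array itself */
        int slot = add_symbol(attribs[j].name, TOK_ATTRIB, attribs[j].index);
        if (slot < 0)
            return -1;
        symbol_table[slot].size = attribs[j].len;
    }
    return (int)st_index;
}

/* Number of out-of-bounds iterations the stale constant would have caused. */
size_t stale_overrun(void)
{
    size_t stale = (size_t)SZ_ATTRIBS_STALE;
    return stale > ARRAY_LEN(attribs) ? stale - ARRAY_LEN(attribs) : 0;
}

int main(void)
{
    printf("loaded %d symbols; stale bound would overrun by %zu entries\n",
           init_symbol_table(), stale_overrun());
    return 0;
}
```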
From netramet-owner Sat Nov 14 11:39:27 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id LAA25273
    for netramet-outgoing; Sat, 14 Nov 1998 11:37:50 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (jane.tcc-comp.com.au [203.36.225.253])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id LAA25266
    for <[email protected]>; Sat, 14 Nov 1998 11:37:47 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (bsd.tcc-comp.com.au [203.36.225.1])
    by bsd.tcc-comp.com.au (8.9.1/8.9.1) with SMTP id JAA18857;
    Sat, 14 Nov 1998 09:51:25 +1100 (EST)
Date: Sat, 14 Nov 1998 09:51:25 +1100 (EST)
From: Stephen Walsh <[email protected]>
To: Kevin Hoadley <[email protected]>
cc: [email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

On Fri, 13 Nov 1998, Kevin Hoadley wrote:
> I seem to recall various messages about problems compiling v4.21 on
> FreeBSD, but has anyone actually had any success running it once compiled ?
I've compiled NeTraMet on FreeBSD 2.2.6-Release. I had to comment out the
parts to do with nifty though (this machine doesn't have Xwindows
installed).
I've had the system running, but not understanding the config file etc.
has meant I've put it aside for a little while (got other work to do).
===
Stephen Walsh - TCC Computers (Internet Services)
http://www.tcc-comp.com.au
Ph: +61-3-53334699
Mobile: +61-17-849641
From netramet-owner Sun Nov 15 16:49:55 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id QAA21878
    for netramet-outgoing; Sun, 15 Nov 1998 16:44:53 +1300 (NZDT)
Received: from mako.netlink.co.nz (mako.netlink.co.nz [202.20.93.10])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id QAA21873
    for <[email protected]>; Sun, 15 Nov 1998 16:44:51 +1300 (NZDT)
Received: from angel.office.netlink.net.nz (angel.office.netlink.net.nz [203.97.244.128]) by mako.netlink.co.nz (8.8.6/8.8.6)
    with ESMTP id QAA17867; Sun, 15 Nov 1998 16:44:44 +1300 (NZDT)
Received: from lemon.office.netlink.net.nz ([203.97.244.37]) by angel.office.netlink.net.nz with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2232.9)
    id VWR87422; Sun, 15 Nov 1998 16:39:40 +1300
Date: Sun, 15 Nov 1998 16:44:43 +1300 (NZDT)
From: Daniel Ayers <[email protected]>
To: Kevin Hoadley <[email protected]>
cc: [email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-Reply-To: <[email protected]>
Message-ID: <Pine.GSO.4.00.9811151643280.5060-100000@lemon.office.netlink.net.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

> I seem to recall various messages about problems compiling v4.21 on
> FreeBSD, but has anyone actually had any success running it once compiled ?
4.2 worked for me, 4.21 failed in the way you describe. I downloaded
4.3b1 at Nevil's suggestion and it has worked well for me.
I suggest you download the latest beta and try that.
Daniel.
------------------------------------------------------------------------------
Daniel Ayers, B.Sc (Hons), M.Sc        Email: [email protected]
Network Security Specialist            DDI Phone: +64-4-916-5622
Netlink                                Fax: +64-4-916-5300
23 Waring Taylor St, PO Box 5358       Mobile: +64-21-387-334
Wellington, New Zealand                URL: http://www.netlink.co.nz
From netramet-owner Mon Nov 16 07:50:00 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id HAA15954
    for netramet-outgoing; Mon, 16 Nov 1998 07:47:24 +1300 (NZDT)
Received: from ultra3000.ifsc.sc.usp.br (uspfsc.ifqsc.sc.usp.br [143.107.228.1])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id HAA15947
    for <[email protected]>; Mon, 16 Nov 1998 07:47:20 +1300 (NZDT)
Received: from ifsc.sc.usp.br (atm7.ifqsc.sc.usp.br [143.107.228.29])
    by ultra3000.ifsc.sc.usp.br (8.8.8/8.8.8) with ESMTP id QAA22864
    for <[email protected]>; Sun, 15 Nov 1998 16:51:14 -0200 (EDT)
Message-ID: <[email protected]>
Date: Sun, 15 Nov 1998 16:45:47 -0200
From: Marcelo <[email protected]>
X-Mailer: Mozilla 4.5b2 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: [email protected]
Subject: Problems: /dev/bpf0: Device not configured
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [email protected]
Precedence: bulk

I have problems here ...
I compile fine NeTraMet43b in my FreeBSD-2.2.6 but when I try to run
(./NeTraMet -i ed0)
appear the message:
/dev/bpf0: device not configured
I put the line:
pseudo-device bpfilter 4
in my kernel config file and recompiled it ....
After, I try to run again and appear the same message.
Is there anything more that I must do?
Thanks.
From netramet-owner Mon Nov 16 11:33:43 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id LAA18128
    for netramet-outgoing; Mon, 16 Nov 1998 11:32:32 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (jane.tcc-comp.com.au [203.36.225.253])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id LAA18112
    for <[email protected]>; Mon, 16 Nov 1998 11:32:27 +1300 (NZDT)
Received: from bsd.tcc-comp.com.au (bsd.tcc-comp.com.au [203.36.225.1])
    by bsd.tcc-comp.com.au (8.9.1/8.9.1) with SMTP id JAA09295;
    Mon, 16 Nov 1998 09:46:05 +1100 (EST)
Date: Mon, 16 Nov 1998 09:45:52 +1100 (EST)
From: Stephen Walsh <[email protected]>
To: Marcelo <[email protected]>
cc: [email protected]
Subject: Re: Problems: /dev/bpf0: Device not configured
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

On Sun, 15 Nov 1998, Marcelo wrote:
> I have problems here ...
> I compile fine NeTraMet43b in my FreeBSD-2.2.6 but when I try to run
> (./NeTraMet -i ed0)
> appear the message:
> /dev/bpf0: device not configured
> I put the line:
> pseudo-device bpfilter 4
> in my kernel config file and recompiled it ....
> After, I try to run again and appear the same message.
> Is there anything more that I must do?
add:
options IPFIREWALL
options IPFIREWALL_VERBOSE
to your kernel config and recompile the kernel...
===
Stephen Walsh - TCC Computers (Internet Services)
http://www.tcc-comp.com.au
Ph: +61-3-53334699
Mobile: +61-17-849641
From netramet-owner Mon Nov 16 12:14:48 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id MAA24811
    for netramet-outgoing; Mon, 16 Nov 1998 12:13:40 +1300 (NZDT)
Received: from mako.netlink.co.nz (mako.netlink.co.nz [202.20.93.10])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id MAA24805
    for <[email protected]>; Mon, 16 Nov 1998 12:13:37 +1300 (NZDT)
Received: from angel.office.netlink.net.nz (angel.office.netlink.net.nz [203.97.244.128]) by mako.netlink.co.nz (8.8.6/8.8.6)
    with ESMTP id MAA19509; Mon, 16 Nov 1998 12:13:16 +1300 (NZDT)
Received: from lemon.office.netlink.net.nz ([203.97.244.37]) by angel.office.netlink.net.nz with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2232.9)
    id VWR87VJH; Mon, 16 Nov 1998 12:08:09 +1300
Date: Mon, 16 Nov 1998 12:13:16 +1300 (NZDT)
From: Daniel Ayers <[email protected]>
To: Marcelo <[email protected]>
cc: [email protected]
Subject: Re: Problems: /dev/bpf0: Device not configured
In-Reply-To: <[email protected]>
Message-ID: <Pine.GSO.4.00.9811161210140.5060-100000@lemon.office.netlink.net.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk

> I have problems here ...
> I compile fine NeTraMet43b in my FreeBSD-2.2.6 but when I try to run
> (./NeTraMet -i ed0)
> appear the message:
> /dev/bpf0: device not configured
> I put the line:
> pseudo-device bpfilter 4
> in my kernel config file and recompiled it ....
> After, I try to run again and appear the same message.
> Is there anything more that I must do?
I've not seen that message before, but it sounds like you haven't
completed the process of compiling and installing your new kernel (with
BPF support).
I suggest you double-check the instructions for compiling/installing a
kernel. (Did you compile it, and forget to install it with "make install"
by any chance?).
Check the name and date on the kernel you are booting with (during the
boot/login process). Does it match the name/time of your newly-compiled
kernel?
The other thing you need to check is that /dev/bpf{0,1,2,3,...} exists.
To create them:
% cd /dev
% MAKEDEV bpf0
% MAKEDEV bpf1
(etc)
Daniel.
------------------------------------------------------------------------------
Daniel Ayers, B.Sc (Hons), M.Sc        Email: [email protected]
Network Security Specialist            DDI Phone: +64-4-916-5622
Netlink                                Fax: +64-4-916-5300
23 Waring Taylor St, PO Box 5358       Mobile: +64-21-387-334
Wellington, New Zealand                URL: http://www.netlink.co.nz
From netramet-owner Tue Nov 17 09:25:45 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id JAA26386
    for netramet-outgoing; Tue, 17 Nov 1998 09:21:02 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id JAA26355;
    Tue, 17 Nov 1998 09:20:54 +1300 (NZDT)
From: Nevil Brownlee <[email protected]>
To: Kevin Hoadley <[email protected]>
Cc: [email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-Reply-To: <[email protected]>
Message-ID: <[email protected]>
Date: Tue, 17 Nov 1998 09:26:52 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: [email protected]
Precedence: bulk

Hello Kevin:
> I seem to recall various messages about problems compiling v4.21 on
> FreeBSD, but has anyone actually had any success running it once compiled ?
Thanks for your note reporting problems with release 4.2.1.
You're quite right about my bungle in nmc.h; with that fixed I was able
to make and run nm_rc and NeTraMet. I've put up release 4.2.2 with this
change made.
The next version (4.3) is available for beta testing in the beta-versions
directory. This has some further improvements to the meter's memory
management (which should make it a little faster when running with large
numbers of flows), and a reorganised release directory structure (no
autoconf or OS-specific directories) plus a cleaner, simpler
configure/make/install system (have a look at the README & INSTALL files).
As usual I'd appreciate any feedback, bug reports, etc!
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+
From netramet-owner Thu Nov 19 06:40:48 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id GAA19798
    for netramet-outgoing; Thu, 19 Nov 1998 06:36:00 +1300 (NZDT)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id GAA19793
    for <[email protected]>; Thu, 19 Nov 1998 06:35:56 +1300 (NZDT)
Received: from nosc.ja.net by nosc.ja.net with Internet SMTP
    id <[email protected]>; Wed, 18 Nov 1998 17:35:41 +0000
To: [email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-reply-to: Your message of "Sun, 15 Nov 1998 16:44:43 +1300." <Pine.GSO.4.00.9811151643280.5060-100000@lemon.office.netlink.net.nz>
Date: Wed, 18 Nov 1998 17:35:38 +0000
Message-ID: <[email protected]>
From: Kevin Hoadley <[email protected]>
Sender: [email protected]
Precedence: bulk

> > I seem to recall various messages about problems compiling v4.21 on
> > FreeBSD, but has anyone actually had any success running it once compiled ?
>
> 4.2 worked for me, 4.21 failed in the way you describe. I downloaded
> 4.3b1 at Nevil's suggestion and it has worked well for me.
>
> I suggest you download the latest beta and try that.
Thanks - I've now tried that (4.3b2). It fixed the attribs[] overrun core
dump in NeMaC, but I still got no data. Further investigation suggests that
NetFlowMet has some endian problems:
- I'm running NetFlowMet on a FreeBSD box collecting v5 export records. It
failed to record anything because it rejected all the flow records
as being of an unknown version number (NetFlow version 1280, which of
course is version 5 byte swapped in 16 bits). Adding an ntohs into
getVersionNumber in flowdata.h seems to fix this
- I then get a core dump in meter_ux.c:interface_read as it tries to
step through all the flow records within the packet - it runs off the
end of the packet as nf5->header.count is far too large. Replacing this
with (int)(ntohs(nf5->header.count)) fixes this problem. (Arguably j
should be a ushort rather than an int)
- I've added ntohs's to the lines that copy the interface number across
as well (also in interface_read).
This is sufficient to get the meter running to the extent that I can see
some data. However there are still some problems - retry isn't working and
I'm getting zero in the AS number fields. I'm also somewhat worried about
the accuracy of what I am getting, given the possibility of other endian
bugs lurking.
Has anyone else thrashed through getting NetFlowMet working ?
Odds and sods:
- uptime_delta in meter_ux.c:interface_read doesn't appear to be
initialised for version 1 NetFlow packets
- I think NetFlowMet might get ICMP type and code fields wrong. From what I
remember, NetFlow codes type and code values for ICMP in the top and
bottom bytes of the source port field. However NetFlowMet seems to expect
to find the ICMP type in the source port and the code in the dest port
(Disclaimer: I've not actually managed to get enough of this going to
test this)
- if I understand the way NetFlowMet is handling times, it is comparing the
flow last time with meter time for the purposes of garbage collection.
This assumes that the router actually has reasonable real world time:
not a problem but something that ought to be documented (most of our
routers don't have anything like the real time). Also what would happen
around the transition into/out of daylight savings time, when there could
potentially be large time differences between the router and the meter ?
(All this is on 4.3b2)
Kevin Hoadley, JANET.
From netramet-owner Fri Nov 20 02:02:33 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id CAA10860
    for netramet-outgoing; Fri, 20 Nov 1998 02:00:54 +1300 (NZDT)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
    by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id CAA10838
    for <[email protected]>; Fri, 20 Nov 1998 02:00:36 +1300 (NZDT)
Received: from nosc.ja.net by nosc.ja.net with Internet SMTP
    id <[email protected]>; Thu, 19 Nov 1998 13:00:33 +0000
cc: [email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-reply-to: Your message of "Wed, 18 Nov 1998 17:35:38 GMT." <[email protected]>
Date: Thu, 19 Nov 1998 13:00:31 +0000
Message-ID: <[email protected]>
From: Kevin Hoadley <[email protected]>
Sender: [email protected]
Precedence: bulk

(Taking this off the main list, as there's probably little interest.)
> I'm also somewhat worried about
> the accuracy of what I am getting, given the possibility of other endian
> bugs lurking.
There are also endian problems in the NetFlow version of interface_read in
meter_ux.c for:
time handling (dFirst, dLast, uptime_delta)
packet and byte counts (dPkts, dOctets)
I've had to add an ntohl to all of these.
However I'm still left with one major problem, namely in the area of
handling s->d vs d->s. This seems to have come in around 4.2; rulesets that
have worked fine for 3.2+, 4.0 and on our own version of NetFlowMet (based
on 4.1) just don't seem to work on v4.2 or later.
We're monitoring our boundary routers, and are only interested in the
addresses on our side of the boundary (ie we don't care who our Universities
are talking to). The rulesets all include something like the following:
    # Has this come from LINX ?
    SourceInterface & 255 = 1 : Goto, source_ok ;
    Null & 0 = 0 : NoMatch, 0;
  source_ok:
    DestPeerAddress & 255.255.255.255 = 194.83.179.102 : GotoAct, push_9982;
    DestPeerAddress & 255.255.255.255 = 194.81.62.9 : GotoAct, push_9982;
    ..
the idea is to turn the flows around so we always have the JANET address on
the destination side (the NeTraMet versions match against the adjacent
address of our border gateways to get the same effect)
This has worked fine for over 2 years, however trying with NetFlowMet v4.2
or later, traffic is only ever recorded in one direction:
  #Format: flowruleset flowindex firsttime destpeeraddress sourcetransaddress desttransaddress topdus tooctets frompdus fromoctets sourceasn
  13 2 5850 0.24.0.0 80 1 2714 2151311 0 0 0
  13 3 2774 0.122.0.0 80 1 987 1017673 0 0 0
  13 4 8383 0.36.0.0 80 1 10172 6451687 0 0 0
  13 5 9919 0.41.0.0 53 2 125 20687 0 0 0
I don't know whether it is recording the total traffic in both directions
in that, or whether it is simply only recording one direction and
discarding the other.
I've spent hours looking at the code, but I don't know enough about how the
hashing works to really trace the problem down. Do you have any ideas ?
Kevin Hoadley.
PS. Why is there both a Low.AdjType and a High.AdjType ? I would have thought
that the AdjType should be the same in both directions (as for PeerAddrType
and TransAddrType) ...
From netramet-owner Fri Nov 20 08:51:07 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id IAA02662
for netramet-outgoing; Fri, 20 Nov 1998 08:47:38 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id IAA02655
for <netramet@auckland>; Fri, 20 Nov 1998 08:47:36 +1300 (NZDT)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
Message-ID: <
[email protected]>
Date: Fri, 20 Nov 1998 08:54:34 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
--- Begin Forwarded Message ---
To:
[email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-reply-to: Your message of "Thu, 19 Nov 1998 13:00:31 GMT."
<
[email protected]>
From: "Tony Stoneley" <
[email protected]>
Date: Thu, 19 Nov 1998 17:38:22 +0100
Message-Id: <
[email protected]>
Sender: Tony Stoneley <
[email protected]>
Kevin Hoadley <
[email protected]> wrote:
>This has worked fine for over 2 years, however trying with NetFlowMet v4.2
>or later, traffic is only ever recorded in one direction:
Hey! That chimes with a problem I'm investigating. It's early days yet
and I'm nowhere near the bottom of it, but it seems worth recording
a "me too" straight off. I'm a relative newcomer to this game, and was
more or less expecting to find the problem is in my understanding, but
maybe not after all. Whichever the answer, I'll be pleased to get to
the bottom of it.
Although a NetFlowMet observation triggered the investigation, I'm
seeing the problem in more closely controlled experiments using
NeTraMet on my local ether. Using something like
    sourcepeertype & 255 = 1: goto, s1;
    null & 0 = 0: ignore, 0;
  s1:
    sourcetranstype & 255 = 6: goto, a1;
    null & 0 = 0: ignore, 0;
  a1:
    destpeeraddress & 255.255.255.255 = 131.111.10.87: pushruleto, x_87;
    destpeeraddress & 255.255.255.255 = 131.111.10.189: pushruleto, x_189;
    null & 0 = 0: ignore, 0;
  x_87:
    sourcepeeraddress & 255.255.255.255 = 131.111.10.189: pushruletoact, c;
    null & 0 = 0: ignore, 0;
  x_189:
    sourcepeeraddress & 255.255.255.255 = 131.111.10.87: pushruletoact, c;
    null & 0 = 0: ignore, 0;
  c:
    null & 0 = 0: count,0;
and watching an ftp session between the two machines, I see only
traffic (recorded as) from the initiating machine (.87) in the flow
file, whereas of course there will be traffic both ways, whichever
direction the actual transfer may be. I'm running NeTraMet 4.2 on
Solaris 2.5 (and yes, on a third machine, not one of the two being
observed). Investigation continues, probably gunning for an even
simpler set of circumstances, but any clues would be most welcome.
--
Tony Stoneley Email:
[email protected]
Computing Service Phone: +44 1223 334710
Cambridge University
--- End Forwarded Message ---
From netramet-owner Fri Nov 20 09:36:43 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id JAA09778
for netramet-outgoing; Fri, 20 Nov 1998 09:36:27 +1300 (NZDT)
Received: from nosc.ja.net (nosc.ja.net [128.86.16.20])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id JAA09767
for <
[email protected]>; Fri, 20 Nov 1998 09:36:22 +1300 (NZDT)
Received: from nosc.ja.net by nosc.ja.net with Internet SMTP
id <
[email protected]>; Thu, 19 Nov 1998 20:36:18 +0000
To:
[email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-reply-to: Your message of "Fri, 20 Nov 1998 08:54:34 +1300." <
[email protected]>
Date: Thu, 19 Nov 1998 20:36:17 +0000
Message-ID: <
[email protected]>
From: Kevin Hoadley <
[email protected]>
Sender:
[email protected]
Precedence: bulk
> From: "Tony Stoneley" <
[email protected]>
> >This has worked fine for over 2 years, however trying with NetFlowMet v4.2
> >or later, traffic is only ever recorded in one direction:
>
> Hey! That chimes with a problem I'm investigating. It's early days yet
> and I'm nowhere near the bottom of it, but it seems worth recording
> a "me too" straight off.
Odd. I don't think it is the same problem, as I think I've got to the bottom
of my problems (I've sent Nevil details, but basically Source and Dest
Interfaces weren't being swapped on a Retry, thus any ruleset that tried to
match an interface only ever worked one way)
> Although a NetFlowMet observation triggered the investigation, I'm
> seeing the problem in more closely controlled experiments using
> NeTraMet on my local ether. Using something like
>
> sourcepeertype & 255 = 1: goto, s1;
> null & 0 = 0: ignore, 0;
> s1:
> sourcetranstype & 255 = 6: goto, a1;
> null & 0 = 0: ignore, 0;
> a1:
> destpeeraddress & 255.255.255.255 = 131.111.10.87: pushruleto, x_87;
> destpeeraddress & 255.255.255.255 = 131.111.10.189: pushruleto, x_189;
> null & 0 = 0: ignore, 0;
> x_87:
> sourcepeeraddress & 255.255.255.255 = 131.111.10.189: pushruletoact, c;
> null & 0 = 0: ignore, 0;
> x_189:
> sourcepeeraddress & 255.255.255.255 = 131.111.10.87: pushruletoact, c;
> null & 0 = 0: ignore, 0;
> c:
> null & 0 = 0: count,0;
>
> and watching an ftp session between the two machines, I see only
> traffic (recorded as) from the initiating machine (.87) in the flow
> file, whereas of course there will be traffic both ways, whichever
> direction the actual transfer may be. I'm running NeTraMet 4.2 on
> Solaris 2.5 (and yes, on a third machine, not one of the two being
> observed). Investigation continues, probably gunning for an even
> simpler set of circumstances, but any clues would be most welcome.
Nothing obviously wrong ... have you tried this on an earlier version of
NeTraMet ?
Kevin Hoadley, JANET.
From netramet-owner Fri Nov 20 10:35:32 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id KAA18059
for netramet-outgoing; Fri, 20 Nov 1998 10:34:56 +1300 (NZDT)
Received: from pointer.teuto.de (IDENT:
[email protected] [194.231.152.193])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id KAA18044
for <
[email protected]>; Fri, 20 Nov 1998 10:34:49 +1300 (NZDT)
Received: (qmail 3849 invoked by uid 501); 19 Nov 1998 21:34:44 -0000
Message-ID: <
[email protected]>
Date: Thu, 19 Nov 1998 22:34:44 +0100
From: =?iso-8859-1?Q?Lars_Marowsky-Br=E9e?= <
[email protected]>
To:
[email protected]
Subject: What packets are measured?
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.91.1i
X-Ctuhulu: HASTUR
Sender:
[email protected]
Precedence: bulk
Good morning,
I am running netramet 4.2 on Linux.
If I specify the "-i eth0" option to the meter, it will only count packets
coming in or leaving eth0, right?
I am trying to find out if this might not be working completely right - the
differences I get for NNTP are about 30-40% of what the newsserver sees...
Sincerely,
Lars Marowsky-Brée
--
Lars Marowsky-Brée
Network Management
teuto.net Netzdienste GmbH - DPN Verbund-Partner
From netramet-owner Fri Nov 20 16:00:49 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id PAA02196
for netramet-outgoing; Fri, 20 Nov 1998 15:59:30 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id PAA02015;
Fri, 20 Nov 1998 15:58:14 +1300 (NZDT)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Cc:
[email protected]
Subject: Re: What packets are measured?
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Fri, 20 Nov 1998 16:05:14 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Lars:
> If I specify the "-i eth0" option to the meter, it will only count packets
> coming in or leaving eth0, right?
>
> I am trying to find out if this might not be working completely right - the
> differences I get for NNTP are about 30-40% of what the newsserver sees...
By default NeTraMet counts the total number of bytes in each packet. You
can set the -l option to count the IP data lengths instead, which may
well be the 30-40% difference you're seeing.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Mon Nov 23 13:51:19 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id NAA29979
for netramet-outgoing; Mon, 23 Nov 1998 13:46:58 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id NAA29756;
Mon, 23 Nov 1998 13:45:43 +1300 (NZDT)
From: Nevil Brownlee <
[email protected]>
To:
[email protected]
Cc:
[email protected]
Subject: Re: What packets are measured?
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Mon, 23 Nov 1998 13:53:36 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender:
[email protected]
Precedence: bulk
Hello Lars:
> > By default NeTraMet counts the total number of bytes in each packet. You
> > can set the -l option to count the IP data lengths instead, which may
> > well be the 30-40% difference you're seeing.
>
> I am using the "-l" option already.
> /usr/bin/NeTraMet -f 64000 -l -r XXXXXX -w XXXXX -k -s -i eth0 &
> is what I use.
>
> Lars Marowsky-Brée
> Network Management
> teuto.net Netzdienste GmbH - DPN Verbund-Partner
Another thing to check is for some of your packets being counted twice
because they are traversing the metered network segment twice, e.g. by
being routed back out the same router port. One or two NeTraMet users
have reported finding this happening unexpectedly.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Mon Nov 23 14:10:47 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id OAA03061
for netramet-outgoing; Mon, 23 Nov 1998 14:10:32 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id OAA03045;
Mon, 23 Nov 1998 14:10:28 +1300 (NZDT)
From: Nevil Brownlee <
[email protected]>
To: Nevil Brownlee <
[email protected]>
Cc:
[email protected]
Subject: Re: Problems running NeTraMet 4.21 on FreeBSD
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Mon, 23 Nov 1998 14:18:21 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello Tony:
> Although a NetFlowMet observation triggered the investigation, I'm
> seeing the problem in more closely controlled experiments using
> NeTraMet on my local ether. Using something like
>
> sourcepeertype & 255 = 1: goto, s1;
> null & 0 = 0: ignore, 0;
> s1:
> sourcetranstype & 255 = 6: goto, a1;
> null & 0 = 0: ignore, 0;
> a1:
> destpeeraddress & 255.255.255.255 = 131.111.10.87: pushruleto, x_87;
> destpeeraddress & 255.255.255.255 = 131.111.10.189: pushruleto, x_189;
> null & 0 = 0: ignore, 0;
> x_87:
> sourcepeeraddress & 255.255.255.255 = 131.111.10.189: pushruletoact, c;
> null & 0 = 0: ignore, 0;
> x_189:
> sourcepeeraddress & 255.255.255.255 = 131.111.10.87: pushruletoact, c;
> null & 0 = 0: ignore, 0;
> c:
> null & 0 = 0: count,0;
>
> and watching an ftp session between the two machines, I see only
> traffic (recorded as) from the initiating machine (.87) in the flow
> file, whereas of course there will be traffic both ways, whichever
> direction the actual transfer may be. I'm running NeTraMet 4.2 on
> Solaris 2.5 (and yes, on a third machine, not one of the two being
> observed). Investigation continues, probably gunning for an even
> simpler set of circumstances, but any clues would be most welcome.
The problem with this ruleset is that it overdoes the use of the 'ignore'
action. Here's my version (which I've tested and which does work!) in
SRL ..
  # Ruleset to watch an ftp session
  #
  # Nevil's version in SRL, Mon 23 Nov 98
  if SourcePeerType == IP && SourceTransType == TCP
     save;
  else ignore; # Not IP/TCP
  if destpeeraddress == 131.111.10.87 &&
        sourcepeeraddress == 131.111.10.189
     save, count;
  set 7;
  format
     FlowRuleSet FlowIndex FirstTime " "
     SourcePeerType SourceTransType " "
     ToPDUs ToOctets " " FromPDUs FromOctets " "
     SourcePeerAddress DestPeerAddress;
If the packet isn't an IP/TCP packet it is ignored. No problems with that,
since NeTraMet makes sure that the 'type' source and dest fields have the
same values. If the source- and dest- peeraddresses are what we want,
we count the packet (after saving the addresses). The meter's default
action when it runs off the bottom of a ruleset is a 'nomatch,' i.e. the
match is retried with the source and dest addresses interchanged. Your
ruleset supplied an ignore action instead of a nomatch.
As a guide when writing rulesets -
* First select out the packets of interest, taking care that the
attributes used to do this (source*type above) will have the
same values regardless of the packet's direction.
* Then specify the order by ANDing together the combination of
address attribute values you want (above it was both source-
and dest- peeraddress, but it's often useful to use only
sourcepeeraddress).
Hope this makes it a little clearer!
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
From netramet-owner Tue Nov 24 07:35:37 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id HAA05183
for netramet-outgoing; Tue, 24 Nov 1998 07:34:02 +1300 (NZDT)
Received: from taurus.cus.cam.ac.uk (
[email protected] [131.111.8.48])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id HAA05173
for <
[email protected]>; Tue, 24 Nov 1998 07:33:59 +1300 (NZDT)
Received: from ajms by taurus.cus.cam.ac.uk with local-smtp (Exim 2.053 #2)
id 0zi0o7-00072n-00
for
[email protected]; Mon, 23 Nov 1998 18:33:55 +0000
To:
[email protected]
Subject: Reciprocal flows [Was: Problems running NeTraMet 4.21 on FreeBSD ]
In-reply-to: Your message of "Mon, 23 Nov 1998 14:18:21 +1300."
<
[email protected]>
From: "Tony Stoneley" <
[email protected]>
Date: Mon, 23 Nov 1998 18:33:55 +0100
Message-Id: <
[email protected]>
Sender:
[email protected]
Precedence: bulk
Hello Nevil, and many thanks for your time and hints.
[Q: should I be continuing to intrude in this public forum or not?]
Unfortunately I think you've missed the point of what I was trying to
achieve, which may be my fault for jumping in at the middle. The
essence of your suggestion (trimming for brevity) was
  if destpeeraddress == 131.111.10.87 &&
        sourcepeeraddress == 131.111.10.189
     save, count;
  # drop through to default nomatch, i.e. reverse addresses and retry
but this conflates the flows in the two directions, whereas I'm
deliberately trying to record them separately (because one is charged
and the other isn't). I was therefore trying to avoid/defeat the
"nomatch"ing with something like
  if destpeeraddress == 131.111.10.87 &&
        sourcepeeraddress == 131.111.10.189
     save, count;
  # else fall through to -
  if destpeeraddress == 131.111.10.189 &&
        sourcepeeraddress == 131.111.10.87
     save, count;
  # else fall through to -
  ignore;
  # only because there shouldn't now be any point in retrying reversed
[I'd gone down from SRL to PME code simply to try to eliminate one
level of doubt. I've rechecked with exactly the above.]
and expecting to see separate flows recorded for the two directions,
but I only see the one. It's as though source and dest were being
conflated anyway. I feel sure my understanding is at fault, but I
can't see where.
With thanks for everyone's patience
-Tony
--
Tony Stoneley Email:
[email protected]
Computing Service Phone: +44 1223 334710
Cambridge University
From netramet-owner Wed Nov 25 07:03:26 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id GAA03554
for netramet-outgoing; Wed, 25 Nov 1998 06:59:13 +1300 (NZDT)
Received: from taurus.cus.cam.ac.uk (
[email protected] [131.111.8.48])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with ESMTP id GAA03546
for <
[email protected]>; Wed, 25 Nov 1998 06:59:09 +1300 (NZDT)
Received: from ajms by taurus.cus.cam.ac.uk with local-smtp (Exim 2.054 #1)
id 0ziMjy-0004ME-00
for
[email protected]; Tue, 24 Nov 1998 17:59:06 +0000
To:
[email protected]
Subject: Re: Reciprocal flows [Was: Problems running NeTraMet 4.21 on FreeBSD ]
In-reply-to: Your message of "Mon, 23 Nov 1998 18:33:55 +0100."
From: "Tony Stoneley" <
[email protected]>
Date: Tue, 24 Nov 1998 17:59:05 +0100
Message-Id: <
[email protected]>
Sender:
[email protected]
Precedence: bulk
I wrote:
>...and expecting to see separate flows recorded for the two directions,
>but I only see the one. It's as though source and dest were being
>conflated anyway. I feel sure my understanding is at fault, but I
>can't see where.
Well folks, it was indeed at fault and I now do see why. I have
re-read rfc2063, in particular the flow chart on page 19, and noted
more clearly the "current(S->D)" test. I apologise to those who have
taken the trouble to read my maunderings, and thank you again for your
patience.
--
Tony Stoneley Email:
[email protected]
Computing Service Phone: +44 1223 334710
Cambridge University
From netramet-owner Wed Nov 25 17:30:33 1998
Received: by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) id RAA23649
for netramet-outgoing; Wed, 25 Nov 1998 17:28:21 +1300 (NZDT)
Received: from n.browlee5.itss.auckland.ac.nz (n.brownlee5.itss.auckland.ac.nz [130.216.4.79])
by mailhost.auckland.ac.nz (8.9.1/8.9.1/8.9.1-ua) with SMTP id RAA23644;
Wed, 25 Nov 1998 17:28:15 +1300 (NZDT)
From: Nevil Brownlee <
[email protected]>
To: Tony Stoneley <
[email protected]>
Cc:
[email protected]
Subject: Reciprocal flows (closing comment)
In-Reply-To: <
[email protected]>
Message-ID: <
[email protected]>
Date: Wed, 25 Nov 1998 17:36:44 +1300 (New Zealand Daylight Time)
Priority: NORMAL
X-Mailer: Simeon for Win32 Version 4.1.4 Build (40)
X-Authentication: none
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender:
[email protected]
Precedence: bulk
Hello again Tony:
If you really want separate flow data records for each direction of a
flow you can store a value for one of the computed attributes so as to
break the (bi-directional) flow into two unidirectional flows. Like this:
  if SourcePeerType == IP && SourceTransType == TCP
     save;
  else ignore;
  if destpeeraddress == 130.216.4.28 &&
        sourcepeeraddress == 130.216.4.79 save, {
     if MatchingStoD == 1 store FlowClass := 1;
     else store FlowClass := 2;
     count;
     }
Here's the output from nm_rc, watching an ftp session between the two
hosts:
#Format: flowruleset flowindex firsttime sourcepeertype sourcetranstype topdus tooctets frompdus fromoctets sourcepeeraddress destpeeraddress flowclass
#--- bluebottle.itss le0 2 flows 1pps 275Bps 17:18:20 Wed 25 Nov 1998 ---
81% 15 6 8s ip4 tcp 0 0B 17 4kB 130.216.4.79 130.216.4.28 2
19% 15 5 8s ip4 tcp 17 1kB 0 0B 130.216.4.79 130.216.4.28 1
0% bytes in 0 other flows
#--- bluebottle.itss le0 2 flows 1pps 294Bps 17:18:40 Wed 25 Nov 1998 ---
69% 15 6 28s ip4 tcp 0 0B 20 4kB 130.216.4.79 130.216.4.28 2
31% 15 5 28s ip4 tcp 19 2kB 0 0B 130.216.4.79 130.216.4.28 1
0% bytes in 0 other flows
However, since you can easily specify which end of a bidirectional flow
is the source, you know which of the two counts is for ingoing and which
for outgoing. Seems to me it's simpler to do it this way.
Cheers, Nevil
+---------------------------------------------------------------------+
| Nevil Brownlee Director, Technology Development |
| Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland |
| FAX: +64 9 373 7021 Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------P
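Added example, not part of the original thread and not NeTraMet code: a simplified Python model of the per-packet matching discussed above (nomatch retries with source and dest interchanged, ignore does not, and a computed attribute such as FlowClass splits a bidirectional flow). The rule functions, octet counts and packet list are constructed, and the flow-table steps are an assumption based on the RFC 2063 flow chart Tony cites.

```python
# Added example: simplified model of the meter's per-packet matching.
# Assumption: flow-table steps follow the RFC 2063 flow chart cited above.
# Hosts, octet counts and rule functions are constructed for illustration.
A, B = "130.216.4.79", "130.216.4.28"

def rules_nomatch(src, dst, s_to_d):
    """One direction named; running off the end is the default nomatch."""
    return ("count", 0) if (src, dst) == (A, B) else ("nomatch", 0)

def rules_ignore(src, dst, s_to_d):
    """Same test, but an explicit ignore replaces the default nomatch."""
    return ("count", 0) if (src, dst) == (A, B) else ("ignore", 0)

def rules_both(src, dst, s_to_d):
    """Both directions named explicitly, then ignore."""
    return ("count", 0) if {src, dst} == {A, B} else ("ignore", 0)

def rules_split(src, dst, s_to_d):
    """FlowClass stores MatchingStoD, as in the closing ruleset."""
    if (src, dst) == (A, B):
        return ("count", 1 if s_to_d else 2)
    return ("nomatch", 0)

def meter(ruleset, packets):
    """Return {(source, dest, flowclass): [to_octets, from_octets]}."""
    flows = {}
    for s, d, octets in packets:
        action, cls = ruleset(s, d, True)            # match(S->D)
        if action == "count":
            key, rev = (s, d, cls), (d, s, cls)
            if key in flows:                         # current(S->D)
                flows[key][0] += octets
            elif rev in flows:                       # current(D->S)
                flows[rev][1] += octets
            else:                                    # create(S->D)
                flows[key] = [octets, 0]
        elif action == "nomatch":
            action, cls = ruleset(d, s, False)       # retry as match(D->S)
            if action == "count":
                flows.setdefault((d, s, cls), [0, 0])[1] += octets
        # an ignore on either attempt drops the packet without a retry
    return flows

# Constructed traffic: B sends first, then A replies twice.
PACKETS = [(B, A, 100), (A, B, 40), (A, B, 60)]

if __name__ == "__main__":
    for rs in (rules_nomatch, rules_ignore, rules_both, rules_split):
        print(rs.__name__, meter(rs, PACKETS))
```

In this model rules_ignore loses B's packet entirely, rules_both produces a single flow whose source is whichever host sent first, and rules_split produces two records that differ only in FlowClass.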