From netramet-owner Sat Mar 8 02:58:47 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id CAA26216 for netramet-outgoing; Sat, 8 Mar 1997 02:37:23 +1300 (NZDT) Received: from csu-e.csuohio.edu (csu-e.csuohio.edu [137.148.5.27]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id CAA26211 for ; Sat, 8 Mar 1997 02:37:20 +1300 (NZDT) Received: from athena.csuohio.edu (athena.csuohio.edu [137.148.5.13]) by csu-e.csuohio.edu (8.6.12/8.6.12) with SMTP id IAA00599 for ; Fri, 7 Mar 1997 08:42:28 -0500 Message-Id: <3.0.32.19970307083717.0074b0a8@popmail.csuohio.edu> X-Sender: m.thomson@popmail.csuohio.edu X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Fri, 07 Mar 1997 08:37:18 -0500 To: netramet@auckland.ac.nz From: "Matthew B. Thomson" Subject: Porting NeTraMet Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: netramet-owner@auckland.ac.nz Precedence: bulk Has anyone successfully ported NeTraMet to the NeXT operating system? Thanks, Matt ---------------------------------------------------------------- - Matthew B. Thomson - - Network Support Specialist - - Cleveland State University Information Services & Technology - - m.thomson@csuohio.edu - 216-687-9217 - Fax 216-687-9200 - ---------------------------------------------------------------- From netramet-owner Sun Mar 9 09:05:57 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id IAA01907 for netramet-outgoing; Sun, 9 Mar 1997 08:45:08 +1300 (NZDT) Received: from www.ifqsc.sc.usp.br (www.ifqsc.sc.usp.br [143.107.229.70]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id IAA01893 for ; Sun, 9 Mar 1997 08:44:59 +1300 (NZDT) Received: (from sergio@localhost) by www.ifqsc.sc.usp.br (8.6.12/8.6.12) id QAA15573; Sat, 8 Mar 1997 16:44:00 GMT Date: Sat, 8 Mar 1997 16:43:59 +0000 () From: Sergio Henrique Oliveira Pereira To: Lista Netramet Subject: Capturing SYN Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: netramet-owner@auckland.ac.nz Precedence: bulk Hello, I need capture the bit (SYN), of the TCP header, anybody help-me ?? __ +|oo|+ +|oo|+ Instituto de Fisica de Sao Carlos - USP || Departamento de Fisica e Informatica || Grupo de Instrumentacao e Eletronica || || || E-mail : sergio@www.ifqsc.sc.usp.br _ || _ sergiop@ifqsc.sc.usp.br \\_||_// | [] | | || | http://www.ifqsc.sc.usp.br/hpp/sergio/sergio.html / [] \ \______/ From netramet-owner Thu Mar 13 09:22:26 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id IAA21109 for netramet-outgoing; Thu, 13 Mar 1997 08:58:09 +1300 (NZDT) Received: from akira.ucpel.tche.br (akira.ucpel.tche.br [200.17.82.33]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id IAA21100 for ; Thu, 13 Mar 1997 08:58:02 +1300 (NZDT) Received: from localhost by akira.ucpel.tche.br (AIX 3.2/UCB 5.64/4.03) id AA23983; Wed, 12 Mar 1997 17:01:29 -0300 Date: Wed, 12 Mar 1997 17:01:29 -0300 (GRNLNDST) From: Alexandre Timm Vieira To: netramet@auckland.ac.nz Subject: Converting Flow Files In-Reply-To: <3.0.32.19970307083717.0074b0a8@popmail.csuohio.edu> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: netramet-owner@auckland.ac.nz Precedence: bulk Hello, I'm a student at the Catholic University of Pelotas, in the south of Brazil. I've been using Netramet with success for around a month, but still in an experimental character, and I use the provided rules with a few modifications. I'd like to know the following: How is the people on this list converting the flow files to a friendlier format? I've already used FD_FILTER and FD_EXTRACT to turn the data into a simpler format. Is there any tool to convert the data to HTML? Like the site CSIRO - Netramet Stats http://www.adl.dmt.csiro.au/unix/netramet.html ? I use Netramet/Nemac 3.4 on an Intel Pentium 166MHz with 64MB of RAM and RedHat Linux 4.0. Thanks in advance for any help on tools and scripts to convert flow data files. ) \ / ( /|\ )\_/( /|\ * / | \ (/\|/\) / | \ * |`.____________________/__|__o____\`|'/___o__|__\___________________.'| | '^` \|/ '^` | | Alexandre Vieira xandi@akira.ucpel.tche.br | | Pelotas - RS - Brasil xanditv@nutecnet.com.br | | http://akira.ucpel.tche.br/~xandi Sysop NutecNet Pelotas | | Analise de Sistemas Universidade Catolica Pelotas | | Network Admin - Linux Rulez | | ._________________________________________________________________. | |' l /\ / \\ \ /\ l `| * l / V )) V \ l * l/ // \I From netramet-owner Thu Mar 13 23:49:08 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id XAA22162 for netramet-outgoing; Thu, 13 Mar 1997 23:39:33 +1300 (NZDT) Received: from nc3a.nato.int (issun3.nc3a.nato.int [192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id XAA22034 for ; Thu, 13 Mar 1997 23:38:43 +1300 (NZDT) Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA14050 (5.67b/IDA-1.5 for ); Thu, 13 Mar 1997 11:35:38 +0100 Message-Id: <2.2.16.19970313113834.6f57e0fe@nc3a.nato.int> X-Sender: selm@nc3a.nato.int X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_858253114==_" Date: Thu, 13 Mar 1997 11:38:34 +0000 To: Alexandre Timm Vieira , netramet@auckland.ac.nz From: Marc van Selm Subject: Re: Converting Flow Files X-Attachments: D:\PROGRAM\NM2WEB.C; D:\PROGRAM\NM_RC.C; D:\WINDOWS\TOOLS\WPEDIT\NM_DISPL; D:\PROGRAM\NEMAC.SHT; Sender: netramet-owner@auckland.ac.nz Precedence: bulk --=====================_858253114==_ Content-Type: text/plain; charset="us-ascii" At 05:01 PM 3/12/97 -0300, Alexandre Timm Vieira wrote: > >Hello, > >I'm a student at the Catholic University of Pelotas, in the south of Brazil. >I've been using Netramet with success for around a month, but still in an >experimental character, and I use the provided rules with a few >modifications. > >I'd like to know the following: How is the people on this list converting >the flow files to a friendlier format? I've already used FD_FILTER and >FD_EXTRACT to turn the data into a simpler format. Is there any tool to >convert the data to HTML? Like the site CSIRO - Netramet Stats >http://www.adl.dmt.csiro.au/unix/netramet.html ? I have a few tools. I'll attach the sources (mime) They are in C-code. I hope this isn't a problem. You'll have to make some modifications to it to tune it to your needs (for example get rid of the references to me on the web-page) I use nm_rc to display a top 15 (I modified nm_rc to display a top-15 and not a top-10) of internet-users. You can use your own rules-file to get the kind of info you like. The tools should support other formats but this isn't tested. This data is piped to nm2web. nm2web prints the trace on the screen of my management machine and also creates a web-page. You can get rid of the screen-copy by deleting the appropriate printf in nm2web.c The command-line should look something like this: nm_rc -c 120 -r ... | nm2web The trace is updated by nm_rc and saved by nm2web as a server-parsed include-file. The main html-file looks like nemac.sht (rename to nemac.shtml, sorry 8.3 chars) The webserver includes the trace-file on-the-fly into nemac.shtml (your server must support server-parsed html) To get this working you have to make a small modification in nm_rc. Basically you have to add a fflush(stdout) in the file nm_rc.c, line 695. This flush empties the pipe-buffer to nm2web. If you don't do this, data is written to the pipe-buffer and will stay there until there is enough data. So resulting in no updates for a long time and when the buffer is full you'll get them as bulk... I also made some modifications to nm_display.c (modifications attached as nm_displ) so it shows more protocols (some protocols we used were missing and were displayed as a number) If you want to add more just look into the nm_display.c file and my nm_displ file how it is done. You may need RFC1700 here) The documentation is poor, on diff-files for the modifications I've made and support is not there but if you know about C and html you'll find out how to get it to work. If some-one likes to create some path-files so it can be installed more easily, be my guest. Just send me a copy...) Good luck. Marc --=====================_858253114==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="NM2WEB.C" /* File: nm2web.c * Builds a web interface from data forwarded via stdinput * (c) Marc van Selm *, NATO C3 Agency, Communication Systems Division * 17 December 1996 * Copyright: Not for external distribution without prior aproval. */ #include #include #define BUFLEN 256 #define ZEROIP "Extern" char nemacfile[129]; char flowfile[129]; void create_mainpage(char *lanname) { FILE *fp; char fname[129]; sprintf(fname, "nemac/%s", nemacfile); if ( !( fp=fopen(fname, "w") ) ) { perror(fname); exit(1); } fprintf(fp, "\n" "" "NeMaC\n" "\n" "
\n" "

NeTraMet Accounting

\n" "Accounting is running on: %s\n
" "

\n" "
\n" "\n" "
\n" "

Get more info...
\n" /* "

Experimental data: ignore!

" */ "
\n\n" "NeMaC Web, Dec 1996, NC3A, CSD, " "Marc van Selm" "\n", nemacfile, lanname, flowfile); fclose(fp); } void addline(char *buf, char *hline) { FILE *fp; char fname[129]; int nr, cnt, rt; char ent[15*20]; sprintf(fname, "nemac/%s", flowfile); if ( !( fp=fopen(fname, "a") ) ) { perror(fname); exit(2); } if (buf[0]=='#') { buf[strlen(buf)-4]=0; rt=fprintf(fp, "%s\n", buf+5); if (rt<0) { perror(fname); exit(3); } rt=fprintf(fp, "%s", hline); } else { nr=sscanf(buf, " %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s", ent, ent+20, ent+40, ent+60, ent+80, ent+100, ent+120, ent+140, ent+160, ent+180, ent+200, ent+220, ent+240, ent+260, ent+280); rt=fprintf(fp, ""); if (rt<0) { perror(fname); exi|(;); } for (cnt=0; cnt%s", ZEROIP); else rt=fprintf(fp, "%s", ent+cnt*20); if (rt<0) { perror(fname); exit(3); } } rt=fprintf(fp, "\n"); if (rt<0) { perror(fname); exit(3); } } fclose(fp); } /* print the not running page */ void termsighandler() { FILE *fp; char fname[129]; sprintf(fname, "nemac/%s", nemacfile); if ( !( fp=fopen(fname, "w") ) ) { perror(fname); exit(1); } fprintf(fp, "\n" "" "NeMaC\n" "\n" "
\n" "

NeTraMet Accounting

\n" "

\nAccounting is currently not running!\n
\n" "

\n
\n\n" "NeMaC Web, Oct 1996, NC3A, CSD, " "Marc van Selm" "\n", nemacfile); fclose(fp); unlink(flowfile); exit(0); } void headline(char *buf, char *line) { char ent[15*20]; int nr, cnt; nr=sscanf(buf, " %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s", ent, ent+20, ent+40, ent+60, ent+80, ent+100, ent+120, ent+140, ent+160, ent+180, ent+200, ent+220, ent+240, ent+260, ent+280); strcpy(line, "%"); for (cnt=0; cntFrom"); if ( !strcmp(ent+cnt*20, "destpeeraddress") ) strcat(line, "To"); if ( !strcmp(ent+cnt*20, "sourcepeertype") ) strcat(line, "L3"); if ( !strcmp(ent+cnt*20, "sourcetranstype") ) strcat(line, "L4"); if ( !strcmp(ent+cnt*20, "sourcetransaddress") ) strcat(line, "Port"); if ( !strcmp(ent+cnt*20, "desttransaddress") ) strcat(line, "Port"); if ( !strcmp(ent+cnt*20, "topdus") ) strcat(line, "Rpkt"); if ( !strcmp(ent+cnt*20, "tooctets") ) strcat(line, "Rbyte"); if ( !strcmp(ent+cnt*20, "frompdus") ) strcat(line, "Xpkt"); if ( !strcmp(ent+cnt*20, "fromoctets") ) strcat(line, "Xbyte"); } strcat(line, "\n"); } void main(int argc, char *argv[]) { char buf[BUFLEN], strng[BUFLEN], hline[256]; char fname[129]; if (argc!=3) { fprintf(stderr, "Format: %s lanname\n", argv[0]); exit(0); } /* create main-filename */ sprintf(nemacfile, "nemac.%s.shtml", argv[2]); sprintf(flowfile, "current_trace.%s", argv[2]); sprintf(fname, "nemac/%s", flowfile); /* set SIGTERM handler */ if ( signal(SIGTERM, SIG_IGN) != SIG_IGN ) signal(SIGTERM, termsighandler); if ( signal(SIGINT, SIG_IGN) != SIG_IGN ) signal(SIGINT, termsighandler); /* read stdinput */ while ( fgets(buf, BUFLEN, stdin) ) { printf("%s", buf); sscanf(buf, " %s", strng); /* printf("strng=>>%s<<\n", strng); */ if ( !strcmp(strng, "#Format:") ) { create_mainpage(argv[1]); headline(buf, hline); } else if ( !strcmp(strng, "#---") ) { unlink(fname); addline(buf, hline); } else addline(buf, hline); } } --=====================_858253114==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="NM_RC.C" /* 1400, Sun 26 May 96 NM_RC.C: A simple remote display console for NeTraMet Copyright (C) 1992-1996 by Nevil Brownlee, ITSS Technology Development, The University of Auckland */ /* a few minor patches: Number of flows is now 15 More protocols are known stdout is now flushed after displaying. Now you can pipe the output to another tool and get instand responce. Marc van Selm Feb 24, 1997 */ #define MAXNRFLOWS 15 /* maximum number of flows displayed */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ausnmp.h" #include "asn1.h" #include "snmp.h" #include "snmpimpl.h" #include "snmpapi.h" #include "snmpclnt.h" #include "mib.h" #define EXTERN #include "nmc.h" unsigned int max_flows; struct flow_data { /* Sample-to-sample differences */ unsigned short ruleset; unsigned int starttime, upbci, /* To byte rate */ dnbci, /* From byte rate */ uppci, /* To packet rate */ dnpci; /* From packet rate */ }; struct flow_data *flow_table, curr_rate, total_rate; int nd_flows; /* Nbr of flows to display */ struct display_data { unsigned int traffic; struct flow_info *fi; }; struct flow_info *dflowi; struct display_data *dflows; char show_names; char rfname[NAME_LN], meter[NAME_LN], community[NAME_LN]; unsigned int def_sync, def_sample_interval, def_lag, def_download, def_no_write_meter, def_GCIntervalReqd, def_InactivityTime, def_HighWaterMark, def_FloodMark; int no_user_format, plain_format; int sort_cmp(const void *a, const void *b) { if (((struct display_data *)a)->traffic < /* Reverse numeric order */ ((struct display_data *)b)->traffic) return 1; else if (((struct display_data *)a)->traffic == ((struct display_data *)b)->traffic) return 0; else return -1; } void no_write_warning(struct meter_status *ms) { if (ms->no_write_warned) return; fprintf(stdout,"Community %s doesn't have write access to meter %s!\n" " Collections won't trigger recovery of idle flows <<<\n", ms->community,ms->name); ms->no_write_warned = 1; } void add_event(struct calendar_entry *entry, struct meter_status *ms) { struct calendar_entry *cp, *lcp; entry->next_event = ms->next_event; entry->ms = ms; entry->next = NULL; if (calendar == NULL) { /* First entry in queue */ calendar = entry; return; } lcp = NULL; cp = calendar; do { if (ms->next_event < cp->next_event) { entry->next = cp; if (lcp == NULL) calendar = entry; /* Add to head */ else lcp->next = entry; /* Link into queue */ return; } lcp = cp; cp = cp->next; } while (cp != NULL); lcp->next = entry; /* Add to tail */ } int create_meter(struct meter_status *ms, time_t first_t) { struct calendar_entry *entry; int a,b,n, syntax; if (ms->name[0] == '\0' || ms->community[0] == '\0') { fprintf(stdout,"Meter name or community not specified !!!\n"); return 0; } if (testing) printf("About to create_meter name=%s, community=%s\n", ms->name, ms->community); if (!start_snmp_session(ms)) return 0; ms->status = MT_MANAGE; if (meter_info(ms)) { ms->status |= (MT_UP | MT_INFO); ms->next_event = ms->next_sample = first_t; /* Get first sample immediately */ entry = (struct calendar_entry *)calloc( sizeof(struct calendar_entry), 1); add_event(entry,ms); if (testing) printf("t=%u, next_event=%u, next_keepalive=%u, next_sample=%u\n", first_t, ms->next_event, ms->next_keepalive, ms->next_sample); if (!meter_is_current(ms)) { fprintf(stdout,"Warning: meter %s (version %s) not same as nm_rc!\n", ms->name,ms->version); } if (ms->MaxFlows > max_flows) max_flows = ms->MaxFlows; } else { fprintf(stdout,"Couldn't get meter info from %s!\n" " Does community %s have read or write access to the meter?\n", ms->name,ms->community); return 0; } set_meter_params(ms); syntax = ms->download_level != 0; /* 0 => initial download of rules */ if (ms->rulefile[0] == '\0') /* No rule file specified */ ms->ruleset = ms->CurrentRuleSet; else { /* Download the rules we want to use */ parse_rulefile(ms,listrules,syntax,0,0); /* Initial load */ if (rferrors != 0) return 0; } /* Make sure we get the info we need to select 'top n' flows */ ms->required[FTFLOWINDEX] = ms->required[FTRULESET] = ms->required[FTFIRSTTIME] = ms->required[FTUPOCTETS] = ms->required[FTDOWNOCTETS] = ms->required[FTUPPDUS] = ms->required[FTDOWNPDUS] = ms->required[FTLOWPEERTYPE] = 1; if (no_user_format = ms->format[0] == 0) { /* No format specified */ ms->format[0] = FTFIRSTTIME; ms->format[1] = FTUPPDUS; ms->format[2] = FTDOWNPDUS; ms->format[3] = FTUPOCTETS; ms->format[4] = FTDOWNOCTETS; ms->format[5] = FTLOWPEERTYPE; ms->format[6] = FTLOWPEERADDRESS; ms->required[FTLOWPEERADDRESS] = 1; ms->format[7] = FTHIPEERADDRESS; ms->required[FTHIPEERADDRESS] = 1; ms->format[8] = FTLOWDETAILTYPE; ms->required[FTLOWDETAILTYPE] = 1; ms->format[9] = FTLOWDETAILADDRESS; ms->required[FTLOWDETAILADDRESS] = 1; ms->format[10] = FTHIDETAILADDRESS; ms->required[FTHIDETAILADDRESS] = 1; ms->format[11] = 0; for (a = 0; a != 13; ++a) ms->separator[a] = " "; } ++nmeters; if (!ms->write_OK) no_write_warning(ms); ms->OurLastCollectTime = 1L; ms->snmp_delay = 90; /* Wait 90 ms after an snmp request */ fprintf(stdout, "#Format: "); if ((n = ms->format[a = 0]) != 0) for (;;) { for (b = 1; attribs[b].index != n; ++b) ; fprintf(stdout,attribs[b].name); if ((n = ms->format[a+1]) == 0) break; fprintf(stdout,ms->separator[a++]); } fprintf(stdout,"\n"); } void main(int argc, char *argv[]) { int syntax; char *ap, arg[NAME_LN]; int a, j; time_t t1,t2; int busy_seconds; struct meter_status *ms, *nms; struct calendar_entry *cp; struct stat stat_buf; char have_config_file; FILE *cnf; char download_only; if (argc < 2) { fprintf(stderr,"NeMaC [options] meter-name community\n\n"); exit(0); } fprintf(stdout,"nm_rc: Remote Console for NeTraMet: V3.4\n"); /* Check on meter version done in nmc_snmp.c */ incl_depth = syntax = verbose = testing = listrules = standard = 0; def_sync = 1; /* Samples synchronised with TOD clock */ def_sample_interval = 120; /* Default 2 minutes */ def_lag = 0; /* No time lag for collections */ rfname[0] = meter[0] = community[0] = '\0'; max_flows = 0; def_download = 0; /* Download rule sets on startup */ def_no_write_meter = 0; nd_flows = MAXNRFLOWS; /* Display top 10 flows by default */ def_GCIntervalReqd = /* Use meter defaults for MIB variables */ def_InactivityTime = def_HighWaterMark = def_FloodMark = 0; plain_format = 0; show_names = 0; for (a = 1; a < argc; ++a) { if (argv[a][0] == '-') { ap = argv[a]+2; switch (argv[a][1]) { case 'a': if (*ap == '\0') ap = argv[++a]; def_lag = atoi(ap); break; case 'c': if (*ap == '\0') ap = argv[++a]; j = atoi(ap); if (j == 0) download_only = 1; else def_sample_interval = j; break; case 'd': snmp_dump_packet++; break; case 'g': if (*ap == '\0') ap = argv[++a]; def_GCIntervalReqd = atoi(ap); break; case 'h': if (*ap == '\0') ap = argv[++a]; def_HighWaterMark = atoi(ap); break; case 'i': if (*ap == '\0') ap = argv[++a]; def_InactivityTime = atoi(ap); break; case 'l': listrules++; break; case 'n': if (*ap == '\0') ap = argv[++a]; nd_flows = atoi(ap); /* Nbr of flows to display */ break; case 'o': if (*ap == '\0') ap = argv[++a]; def_FloodMark = atoi(ap); break; case 'p': plain_format++; break; case 'r': if (*ap == '\0') ap = argv[++a]; strcpy(rfname, ap); /* Rule file name */ break; case 's': syntax++; break; case 't': testing++; break; case 'u': def_sync = 0; /* Unsynchronised */ break; case 'v': verbose++; break; case 'w': if (*ap == '\0') ap = argv[++a]; def_download = atoi(ap); break; case 'x': def_no_write_meter++; break; case 'N': show_names = 1; break; case 'S': standard++; break; default: fprintf(stderr,"Invalid option: -%c\n", argv[a][1]); break; } continue; } if (meter[0] == '\0') strcpy(meter,argv[a]); else if (community[0] == '\0') strcpy(community,argv[a]); } if (syntax) { /* Test a rule file */ ms = (struct meter_status *)calloc(sizeof(struct meter_status), 1); strcpy(ms->rulefile,rfname); if (ms->emergency_rulefile[0] != '\0') parse_rulefile(ms,listrules,1,1,0); parse_rulefile(ms,1,1,0,0); fprintf(stderr,"\n%d errors in rule file(s) %s\n\n", rferrors,rfname); exit(0); } if (nd_flows < 1) nd_flows = 1; init_mib(); /* Initialise SNMP handler */ first_meter = (struct meter_status *)calloc (sizeof(struct meter_status), 1); strcpy(first_meter->rulefile,rfname); strcpy(first_meter->name,meter); strcpy((char *)first_meter->community, community[0] != '\0' ? community : "public"); first_meter->synchronised = def_sync; first_meter->sample_interval = def_sample_interval; first_meter->lag_seconds = def_lag; first_meter->download_level = def_download; first_meter->no_write_meter = rfname[0] == '\0' ? 1 : def_no_write_meter; first_meter->write_OK = 1; first_meter->GCIntervalReqd = def_GCIntervalReqd; first_meter->InactivityTime = def_InactivityTime; first_meter->lag_seconds = def_lag; first_meter->HighWaterMark = def_HighWaterMark; first_meter->FloodMark = def_FloodMark; time(&t1); for (nmeters = 0, ms = first_meter; ms; ms = ms->next) create_meter(ms, t1); if (nmeters == 0) { fprintf(stderr,"No meters to monitor !!!\n"); exit(0); } /* Allocate two extra flows since they start from 2 not 0 */ if ((flow_table = (struct flow_data *)calloc( max_flows+2, sizeof(struct flow_data))) == NULL) { fprintf(stderr, "Failed to allocate memory for flow table!\n"); exit(11); } if ((dflowi = (struct flow_info *)calloc( nd_flows, sizeof(struct flow_info))) == NULL) { fprintf(stderr, "Failed to allocate memory for display info!\n"); exit(11); } if ((dflows = (struct display_data *)calloc( nd_flows, sizeof(struct display_data))) == NULL) { fprintf(stderr, "Failed to allocate memory for display data!\n"); exit(11); } for (;;) { for (;;) { time(&t1); if (calendar->next_event > t1) break; /* Wait a while */ cp = calendar; calendar = cp->next; /* Take entry from queue */ ms = cp->ms; if (ms->status & MT_MANAGE) monitor(ms); add_event(cp,ms); } if (testing) fflush(stdout); time(&t1); if (calendar->next_event > t1) sleep(calendar->next_event-t1); } } unsigned short getshort(ucp) unsigned char *ucp; { return ucp[0]<<8 | ucp[1]; } unsigned long getlong(ucp) unsigned char *ucp; { return ucp[0]<<24 | ucp[1]<<16 | ucp[2]<<8 | ucp[3]; } unsigned short get_slice(struct meter_status *ms, unsigned short first_row, unsigned char col, unsigned char first) { int fn, row, len, n, r, sz; struct flow_info *fp; unsigned char *ucp; fn = first_row; row = 0; if (column_info(ms,column_blob, col,ms->OurLastCollectTime,&fn,&len) && len != 0) { for (ucp = column_blob; row < MX_BLOB_FLOWS; ) { fp = &flows[row]; n = getshort(ucp); ucp += 2; /* Flow nbr */ if (n < 2) break; /* No more active flows in blob */ sz = attribs[col].len; switch (col) { case FTFLOWINDEX: /* Used to synchronise column blobs */ break; case FTFLOWSTATUS: fp->FlowStatus = *ucp; break; case FTLOWINTERFACE: fp->LowInterface = *ucp; break; case FTLOWADJACENTTYPE: fp->LowAdjType = *ucp; break; case FTLOWADJACENTADDRESS: memcpy(fp->LowAdjAddress,ucp,MAC_ADDR_LEN); break; case FTLOWADJACENTMASK: memcpy(fp->LowAdjMask,ucp,MAC_ADDR_LEN); break; case FTLOWPEERTYPE: fp->LowPeerType = *ucp; break; case FTLOWPEERADDRESS: memset((char *)fp->LowPeerAddress,0,PEER_ADDR_LEN); sz = *ucp++; memcpy(fp->LowPeerAddress,ucp,sz); break; case FTLOWPEERMASK: memset((char *)fp->LowPeerMask,0,PEER_ADDR_LEN); sz = *ucp++; memcpy(fp->LowPeerMask,ucp,sz); break; case FTLOWDETAILTYPE: fp->LowDetailType = *ucp; break; case FTLOWDETAILADDRESS: memcpy(fp->LowDetailAddress,ucp,DETAIL_ADDR_LEN); break; case FTLOWDETAILMASK: memcpy(fp->LowDetailMask,ucp,DETAIL_ADDR_LEN); break; case FTHIINTERFACE: fp->HighInterface = *ucp; break; case FTHIADJACENTTYPE: fp->HighAdjType = *ucp; break; case FTHIADJACENTADDRESS: memcpy(fp->HighAdjAddress,ucp,MAC_ADDR_LEN); break; case FTHIADJACENTMASK: memcpy(fp->HighAdjMask,ucp,MAC_ADDR_LEN); break; case FTHIPEERTYPE: fp->HighPeerType = *ucp; break; case FTHIPEERADDRESS: memset((char *)fp->HighPeerAddress,0,PEER_ADDR_LEN); sz = *ucp++; memcpy(fp->HighPeerAddress,ucp,sz); break; case FTHIPEERMASK: memset((char *)fp->HighPeerMask,0,PEER_ADDR_LEN); sz = *ucp++; memcpy(fp->HighPeerMask,ucp,sz); break; case FTHIDETAILTYPE: fp->HighDetailType = *ucp; break; case FTHIDETAILADDRESS: memcpy(fp->HighDetailAddress,ucp,DETAIL_ADDR_LEN); break; case FTHIDETAILMASK: memcpy(fp->HighDetailMask,ucp,DETAIL_ADDR_LEN); break; case FTRULESET: fp->FlowRuleSet = *ucp; break; case FTUPOCTETS: fp->FwdBytes = getlong(ucp); break; case FTUPPDUS: fp->FwdPackets = getlong(ucp); break; case FTDOWNOCTETS: fp->BackBytes = getlong(ucp); break; case FTDOWNPDUS: fp->BackPackets = getlong(ucp); break; case FTFIRSTTIME: fp->FirstTime = getlong(ucp); break; case FTLASTTIME: fp->LastTime = getlong(ucp); break; case FTSOURCECLASS: fp->SourceClass = *ucp; break; case FTDESTCLASS: fp->DestClass = *ucp; break; case FTFLOWCLASS: fp->FlowClass = *ucp; break; case FTSOURCEKIND: fp->SourceKind = *ucp; break; case FTDESTKIND: fp->DestKind = *ucp; break; case FTFLOWKIND: fp->FlowKind = *ucp; break; } ucp += sz; if (first) { fp->FlowIndex = n; ++row; } else { if (n == fp->FlowIndex) ++row; } } } if (len == 0) return 0; /* No flows found */ if (first) flows[row].FlowIndex = n; /* Return end-of-blob marker */ return row; /* Nbr of rows may decrease with later columns */ } void monitor(ms) /* Called every interval for each meter */ struct meter_status *ms; { time_t t, nst,si; char *ts; unsigned short activeflows, first_row, nrows, r; unsigned char reachable, a, col, first, keepalive, s_statsreqd; unsigned long last_uptime, tb, tp; unsigned int i,j; char fdfbuf[250], *fbp; struct flow_info *fp; unsigned int fi, t_count,x; struct display_data *ddp, *mdp; char buf[50], *bp; time(&t); ts = fmt_time(&t); if (!ms->write_OK) no_write_warning(ms); last_uptime = ms->uptime; s_statsreqd = ms->statsreqd; /* Save stats request through keepalive */ reachable = 1; if (meter_info(ms) == 0) { /* Lost contact */ if (ms->status & MT_UP) { /* Was up */ fprintf(stdout,"%s -- %s: No response\n", ts,ms->name); } ms->status &= ~MT_UP; /* Mark as 'down' */ reachable = 0; } else if (!(ms->status & MT_UP)) { /* Have contact now, was down */ fprintf(stdout,"%s -- %s: Regained contact\n", ts,ms->name); ms->write_OK = 1; ms->no_write_warned = 0; } ms->status |= MT_UP; ms->statsreqd = s_statsreqd; /* Restore stats request from rule file */ /* Meter processing .. */ if (reachable) { set_collect_time(ms,1); /* Tell meter we're starting a collection */ memset(&total_rate, 0, sizeof(struct flow_data)); memset(dflows, 0, nd_flows*sizeof(struct display_data)); activeflows = 0; first_row = 1; do { for (first = 1, a = 0; (col = col_order[a]) != '\0'; ++a) { if (ms->required[col] == 0) continue; r = get_slice(ms, first_row,col, first); if (first) { nrows = r; first = 0; } else if (r < nrows) nrows = r; if (nrows == 0) break; } if (nrows == 0) break; if (testing) fprintf(stdout, "#monitor(): frst_row=%u, nrows=%u, nxt_row=%d, end_mark=%u\n", first_row, nrows, nrows != 0 ? flows[nrows-1].FlowIndex : -1, flows[nrows].FlowIndex); activeflows += nrows; first_row = flows[nrows-1].FlowIndex; /* Last data row */ for (r = 0; r != nrows; ++r) { fp = &flows[r]; fi = fp->FlowIndex; if (flow_table[fi].ruleset == 0 || flow_table[fi].ruleset != fp->FlowRuleSet || flow_table[fi].starttime != fp->FirstTime) { /* It's a new flow */ memset(&flow_table[fi], 0, sizeof(struct flow_data)); flow_table[fi].ruleset = fp->FlowRuleSet; flow_table[fi].starttime = fp->FirstTime; } memset(&curr_rate, 0, sizeof(struct flow_data)); if (fp->FwdPackets) { curr_rate.uppci = fp->FwdPackets - flow_table[fi].uppci; total_rate.uppci += curr_rate.uppci; flow_table[fi].uppci = fp->FwdPackets; } if (fp->BackPackets) { curr_rate.dnpci = fp->BackPackets - flow_table[fi].dnpci; total_rate.dnpci += curr_rate.dnpci; flow_table[fi].dnpci = fp->BackPackets; } if (fp->FwdBytes) { curr_rate.upbci = fp->FwdBytes - flow_table[fi].upbci; total_rate.upbci += curr_rate.upbci; flow_table[fi].upbci = fp->FwdBytes; } if (fp->BackBytes) { curr_rate.dnbci = fp->BackBytes - flow_table[fi].dnbci; total_rate.dnbci += curr_rate.dnbci; flow_table[fi].dnbci = fp->BackBytes; } mdp = &dflows[0]; x = mdp->traffic; j = 0; for (i = 1; i != nd_flows; ++i) { /* Find min display flow */ ddp = &dflows[i]; if (ddp->traffic < x) { mdp = ddp; x = ddp->traffic; j = i; } } tb = curr_rate.upbci+curr_rate.dnbci; if (tb > x) { mdp->traffic = tb; mdp->fi = &dflowi[j]; memcpy(mdp->fi, fp, sizeof(struct flow_info)); mdp->fi->FwdPackets = curr_rate.uppci; mdp->fi->BackPackets = curr_rate.dnpci; mdp->fi->FwdBytes = curr_rate.upbci; mdp->fi->BackBytes = curr_rate.dnbci; } } } while (flows[nrows].FlowIndex != 0); if (verbose) printf( "%s %s: %d active flows from %lu to %lu\n", ts,ms->name, activeflows, ms->OurLastCollectTime,ms->uptime); qsort(dflows, nd_flows,sizeof(struct display_data), sort_cmp); tb = total_rate.upbci+total_rate.dnbci; tp = total_rate.uppci+total_rate.dnpci; fprintf(stdout,"#--- %s %s Mxflow=%d %u flows ", ms->name,ms->interface, MAXNRFLOWS, activeflows,ts); bp = sdisplay_number(buf,tp/ms->sample_interval); bp = strmov(bp,"pps "); bp = sdisplay_number(bp,tb/ms->sample_interval); *bp = '\0'; fprintf(stdout,buf); fprintf(stdout,"Bps %s ---\n", ts); for (i = 0; i != nd_flows; ++i) { ddp = &dflows[i]; if (ddp->traffic == 0) break; fp = ddp->fi; fbp = fdfbuf; /* Build flow data file line */ if (!plain_format) { fprintf(stdout,"%3lu%% ", (fp->FwdBytes+fp->BackBytes)*100/tb); } for (col = ms->format[a = 0]; ; ) { if (col != '\0') { if (plain_format) fbp = sfmt_attrib(fbp, fp,col); else fbp = sdisplay_attrib(fbp, fp,col,ms); } if ((col = ms->format[a+1]) == '\0') break; fbp = strmov(fbp,ms->separator[a++]); } *fbp = '\0'; fprintf(stdout,fdfbuf); fprintf(stdout,"\n"); fflush(stdout); } } ms->OurLastCollectTime = ms->uptime - 1L; /* -1 to make sure we don't miss any flows. We may collect some of them twice, but we don't mind that */ if (testing) printf("Sample: t=%u",ms->next_event); if (ms->synchronised) { nst = ms->next_sample + (si = ms->sample_interval); ms->next_sample = (nst / si) * si + ms->lag_seconds; } else ms->next_sample += ms->sample_interval; ms->next_event = ms->next_sample; if (testing) printf(", sync=%d, next_sample=%u, next_keepalive=%u\n", ms->synchronised, ms->next_sample, ms->next_keepalive); } --=====================_858253114==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="NM_DISPL" Modifications in nm_displ.c: in function: char *sdisplay_transtype() case AT_IP: switch(transtype) { case 1: return strmov(d,"icmp"); case 2: return strmov(d,"igmp"); case 4: return strmov(d,"igmp"); case 6: return strmov(d,"tcp "); case 17: return strmov(d,"udp "); case 27: return strmov(d,"rdp "); case 28: return strmov(d,"irtp"); case 46: return strmov(d,"rsvp"); case 89: return strmov(d,"ospf"); default: sprintf(buf,"%u",transtype); } break; in function: char *sdisplay_transaddr() { unsigned int p = a[0] << 8 | a[1]; char buf[20]; switch (peertype) { case AT_IP: switch(p) { case 20: return strmov(d,"ftpdata"); case 21: return strmov(d,"ftp"); case 22: return strmov(d,"ssh"); case 23: return strmov(d,"telnet"); case 25: return strmov(d,"smtp"); case 53: return strmov(d,"dns"); case 70: return strmov(d,"gopher"); case 79: return strmov(d,"finger"); case 80: return strmov(d,"www"); case 110: return strmov(d,"pop"); case 113: return strmov(d,"imap"); case 119: return strmov(d,"nntp"); case 123: return strmov(d,"ntp"); case 138: return strmov(d,"nbio"); /* netBIOS */ case 161: return strmov(d,"snmp"); case 513: return strmov(d,"login"); case 1515: return strmov(d,"printer"); case 2049: return strmov(d,"nfs"); case 6000: return strmov(d,"xwin"); case 8080: return strmov(d,"proxy"); default: sprintf(buf,"%u",p); } break; --=====================_858253114==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="NEMAC.SHT" NeMaC

NeTraMet Accounting

Accounting is running on: 192.41.140.x




Get more info...

NeMaC Web, Dec 1996, NC3A, CSD, Marc van Selm --=====================_858253114==_ Content-Type: text/plain; charset="us-ascii" --------------------------------------------------------------------- Marc van Selm NATO C3 Agency Communication Systems Division, A-Branch E-Mail: marc.van.selm@nc3a.nato.int --------------------------------------------------------------------- PGP key: http://www.cistron.nl/~selm/keymarc.asc My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html --=====================_858253114==_-- From netramet-owner Fri Mar 14 21:12:32 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id UAA13886 for netramet-outgoing; Fri, 14 Mar 1997 20:56:18 +1300 (NZDT) Received: from nc3a.nato.int (issun3.nc3a.nato.int [192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id UAA13821 for ; Fri, 14 Mar 1997 20:55:55 +1300 (NZDT) Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA28879 (5.67b/IDA-1.5 for ); Fri, 14 Mar 1997 08:54:17 +0100 Message-Id: <2.2.16.19970314085724.08afd3da@nc3a.nato.int> X-Sender: selm@nc3a.nato.int X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 14 Mar 1997 08:57:24 +0000 To: Alexandre Timm Vieira From: Marc van Selm Subject: Re: Converting Flow Files Cc: netramet@auckland.ac.nz Sender: netramet-owner@auckland.ac.nz Precedence: bulk At 06:44 PM 3/13/97 -0300, Alexandre Timm Vieira wrote: > > Hello Marc, ... > You help me very much on modifications in NM_RC.C and NM_DISPLAY.C, but >i cant run nm2web , something is wrong, appear "Format: nm2web lannam"... >What is wrong ? > > I use something like this: > > nm_rc -c120 -h20 -g11 -r rules.ipport myserver mycommunity | nm2web Sorry I was a bit quick in writing the documentation. The format should be: nm_rc -c 120 -r rules.file metername community | nm2web XXX.XXX.XXX.x metername Here is XXX.XXX.XXX.x your IP (like 192.168.10.x for example) metername is the name of the Netramet meter. These parameters for nm2web are created because I monitor more than one LAN using more than one probe. The IP-number parameter is only to display in the web-page so people know what is monitored. The metername is also used in the filenames so you can make some kind of an index and to distinguish between the flow-files of multiple probes. Because I don't want to type such long commands I've made some shell-scripts to start the manager and the meter. You should be able to set up your own. You could also tailor your the c-code to suit your specific needs. It reduces the flexibility though. Also please edit the nm2web.c file so the mailto:selm@nc3a.nato.int is removed. Its there to show what you could do but I don't think you want users to ask questions to me on your accounting data. (I certainly don't) > > Only this... > > I change line 76 of nm2web.c from exi|(;); to exit(3); > ^^^^^^^^ I would do the same. I don't know what happened. I looked at the original source and it wasn't there. I think gremlins.... mmm..... Regards Marc van Selm --------------------------------------------------------------------- Marc van Selm NATO C3 Agency Communication Systems Division, A-Branch E-Mail: marc.van.selm@nc3a.nato.int --------------------------------------------------------------------- PGP key: http://www.cistron.nl/~selm/keymarc.asc My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html From netramet-owner Thu Mar 20 20:00:10 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id TAA17696 for netramet-outgoing; Thu, 20 Mar 1997 19:40:03 +1200 (NZST) Received: from nc3a.nato.int (issun3.nc3a.nato.int [192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id TAA17627 for ; Thu, 20 Mar 1997 19:39:48 +1200 (NZST) Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA11215 (5.67b/IDA-1.5 for ); Thu, 20 Mar 1997 08:38:06 +0100 Message-Id: <2.2.16.19970320084147.25273470@nc3a.nato.int> X-Sender: selm@nc3a.nato.int X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 20 Mar 1997 08:41:47 +0000 To: netramet@auckland.ac.nz From: Marc van Selm Subject: Netramet, Linux and more than 1 LAN-segments Sender: netramet-owner@auckland.ac.nz Precedence: bulk As you all know NeTraMet is capable to monitor up to 4 LAN-segments. It turns out the Linux binary had a bit of a problem with that. When more than 1 interface was specified (like -ieth0 -ieth1) it only monitored the first one in the list (independent of what sequence of interfaces specified) Recompiling the NeTraMet and the libpcap source myself fixed it for me. I asume the libpcap used in the binary wasn't to compatible with my system or just doesn't like more than 1 interface. I use a i486, Linux 2.0.20, 20Mb mem, 2x Etherlink III, 100Mb disk and this works perfect (at it has CPU-cycles left to do other work also) I also have a i386, Linux 2.0.20, 8Mb mem etc This can also cope with our internet traffic but is a bit bussy. Responce to telnets for example is a bit poor. Just for your info.... Marc van Selm --------------------------------------------------------------------- Marc van Selm NATO C3 Agency Communication Systems Division, A-Branch E-Mail: marc.van.selm@nc3a.nato.int --------------------------------------------------------------------- PGP key: http://www.cistron.nl/~selm/keymarc.asc My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html From netramet-owner Fri Mar 21 21:04:28 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id UAA09318 for netramet-outgoing; Fri, 21 Mar 1997 20:43:39 +1200 (NZST) Received: from nc3a.nato.int ([192.41.140.225]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id UAA09304 for ; Fri, 21 Mar 1997 20:43:19 +1200 (NZST) Received: from compc12.nc3a.nato.int by nc3a.nato.int with SMTP id AA28341 (5.67b/IDA-1.5 for ); Fri, 21 Mar 1997 09:40:30 +0100 Message-Id: <2.2.16.19970321094424.231f0f86@nc3a.nato.int> X-Sender: selm@nc3a.nato.int X-Mailer: Windows Eudora Pro Version 2.2 (16) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 21 Mar 1997 09:44:24 +0000 To: Timothy You From: Marc van Selm Subject: Re: Netramet, Linux and more than 1 LAN-segments Cc: netramet@auckland.ac.nz Sender: netramet-owner@auckland.ac.nz Precedence: bulk At 09:21 AM 3/21/97 +0800, Timothy You wrote: >Hello, > Sorry to distribute you but I have try to use NeTraMet on two >segment and no successfull as well. Would you published how you fixed the >problem? > OK, This is how I've got it to work: At first I also couldn't get it to work. I assumed my i386 with 2 Etherlink II cards couldn't cope with the load. I had been using the Linux binary until last week so, just out of academic curiosity, I decided to compile the kit from the source for Linux. You also need libpcap installed first (ftp://ftp.ee.lbl.gov/libpcap.tar.Z) This fixed things for me. Monitoring 2 ports works for now on my kit. I haven't tried with more than 2 but according to Nevil it should support 4 ports. The libpcap installation can be a bit tricky. What I had to do is manually copy the linux-includes to /usr/include/ (I had 1 file missing in my Linux distribution. I'm not sure this is standard problem. I'm not really using one of the official distributions. It's a modified Openworld distribution upgraded to support the current standards. I don't think it is available anymore. The kernel is a standard ELF V2.0.20, gcc2.7.2) But for me libpcap installed fine. It complained that I had to run a fixincludes script from gcc. I didn't want to do this so I ignored it. It turns out that this wasn't needed after all. Read the INSTALL file for more info. When this is done you have to re-compile NeTraMet from the source (Nemac is not important here but you can do it if you want) Compilation is simple (assuming you know about installing these kind of source-code based applications) First the snmplib (go to linux/snmplib and run make). When do the same for linux/meter. I had to modify the meter-Makefile a bit. Libpcap installs per default on /usr/local/lib and the makefile assumes it is installed in the source-path. You can modify the makefile so it links /usr/local/lib/libpcap.a or just copy libpcap to the linux/meter directory. This worked for me. Now you can run NeTraMet -ieth0 -ieth1 -wyourcommunity >I am try the following configuration but have not successful config the >Linux yet: >Linux with 2x 3Com 10/100 Ethernet card. >eth0 - for transfer information gathered by NeTraMet >eth1 - collect statistic (from the Monitoring port on Cisco switch) >eth2 - collect statistic (from the Monitoring port on Cisco switch) Makes sense to do it like this. I assume the eth0 is not on one of the Cisco-ports but on a separate LAN-segment. A separate monitor segment will create some kind of out-of-band management. The flow data can be extensive.... I'm not sure if you already got the 3 ethernet cards to work. I can only help you with 2. I don't have any experience with more than one but I understand this isn't a major problem. There is an ethernet how-to explaining this. You have to do something like this in the lilo.conf: append ether=0,0x300,eth0 ether=0,0x280,eth1 >Do you think a 586-133 with 32MB RAM able to monitoring two FDDI interface >simultanously? The manual states: 40Mhz i486: 3000 packets per sec peak. A 60Mhz i586 + PCI nic's will do a steady 6000 packets/second. I'm not sure what a 133 will do but just assuming 2x the speed and an average packet size of about 1000 kbyte we are talking about a steady load of about 100Mbps. It depends a lot of the average load (and if there are long bursts of almost maximum load) Also the performance of the FDDI nic is important here. I would give it a go and compare (if possible under controlled conditions) monitoring with 2 ports and with 1. You have to do it at a quiet time and run a file transfer on both segments monitored. My guess is that it should work fine and only under extreme conditions you will lose some packets. One thing you have to prevent is swapping. This reduces the performance a lot. My experience is that 8 meg works but is on the limit (depending on the amount of flows and other services enabled on the NeTraMet machine) 16 meg is better. Swap partition are touched in all in my probes anymore. Hope this helps, Good luck! Marc > >Best Regards >Tim > >_________________________________________________________________________ >Tim K.H.You Internet : tim@ln.edu.hk, >Computer Services Centre >Lingnan College, Tuen Mun, Tel no. : (852) 26168418 >NT, HONG KONG. Fax no. : (852) 25758763 >__________________________________________________________________________ > > > > > --------------------------------------------------------------------- Marc van Selm NATO C3 Agency Communication Systems Division, A-Branch E-Mail: marc.van.selm@nc3a.nato.int --------------------------------------------------------------------- PGP key: http://www.cistron.nl/~selm/keymarc.asc My Direct-Mail policy: http://www.cistron.nl/~selm/directpolicy.html From netramet-owner Thu Mar 27 22:24:46 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id WAA09254 for netramet-outgoing; Thu, 27 Mar 1997 22:01:16 +1200 (NZST) Received: from n.brownlee4.itss.auckland.ac.nz (nevil.slip.auckland.ac.nz [130.216.8.3]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with SMTP id WAA09246; Thu, 27 Mar 1997 22:01:10 +1200 (NZST) From: Nevil Brownlee Reply-To: Nevil Brownlee To: netramet@auckland.ac.nz, rtfm@auckland.ac.nz Subject: Security Considerations for RTFM Meters Message-ID: Date: Fri, 28 Mar 1997 09:59:34 +1200 (New Zealand Standard Time) Priority: NORMAL X-Mailer: Simeon for Win32 Version 4.1 Build (3) X-Authentication: none MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: netramet-owner@auckland.ac.nz Precedence: bulk Hello all: At the RTFM session in Memphis we intend to discuss security considerations for inclusion in any new RTFM RFCs. I've made a start on that in the new meter draft, basically saying that meters should be installed in a secure network environment - but to some extent that's dodging the issue. Here at Auckland we've encountered two further interesting situations. 1) Choosing SNMP communities. Most NeTraMet users use the write community to limit access to the meter. In addition, the NeTraMet manual suggests setting the read community to something other than 'public.' We've identified a need for a third community; let's call it inspect. This could be used to allow a reader (such as nifty) to read data from the flow table and to set LastTime variables so as to tell the meter that a data collection is starting. It would not give write access to any other variables. Any comments on this idea? 2) Port Scan Attacks In a port scan attack a remote user sends packets to all possible IP addresses within a network. If an RTFM meter is observing these packets and creating flows with full details of soure/dest PeerAddresses, the meter will create new flows for each of the port scan packets. This usually means it will run out of flow memory and switch to Flood Mode. The best way to guard against this is to put the meter behind a firewall, so as to reduce the number of scan packets reaching the meter. If this is not possible - perhaps because the meter is being used to detect such attacks - then how should the meter behave in the face of them? Have any NeTraMet users encountered other security / attack situations? Any suggestions on how to deal with them? Comments to the list before the meeting (next Wednesday week) would be very welcome. Cheers, Nevil +---------------------------------------------------------------------+ | Nevil Brownlee Director, Technology Development | | Phone: +64 9 373 7599 x8941 ITSS, The University of Auckland | | FAX: +64 9 373 7425 Private Bag 92019, Auckland, New Zealand | +---------------------------------------------------------------------P From netramet-owner Fri Mar 28 01:49:06 1997 Received: (from majordom@localhost) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) id BAA07595 for netramet-outgoing; Fri, 28 Mar 1997 01:45:36 +1200 (NZST) Received: from rap.cefriel.it (rap.cefriel.it [131.175.5.7]) by mailhost.auckland.ac.nz (8.8.5/8.7.3-ua) with ESMTP id BAA07588 for ; Fri, 28 Mar 1997 01:45:23 +1200 (NZST) Received: from suzuki (suzuki [131.175.5.78]) by rap.cefriel.it (8.8.5/8.8.5) with SMTP id OAA29505 for ; Thu, 27 Mar 1997 14:42:33 +0100 (MET) Message-ID: <333A79B8.5A17@mailer.cefriel.it> Date: Thu, 27 Mar 1997 14:44:25 +0100 From: Matteo Snidero X-Mailer: Mozilla 3.01Gold (X11; I; HP-UX B.10.20 9000/777) MIME-Version: 1.0 To: netramet@auckland.ac.nz Subject: NeTraMet dor HP-UX 10.20 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: netramet-owner@auckland.ac.nz Precedence: bulk Thanks to some patches I got from the libpcap team, I got a working version of libpcap for HP-UX 10.20. I hence could port NeTraMet for this OS. I could not get rid of these 2 warnings though: WARNING: DL_PROMISC_MULTI failed (recv_ack: promisc_multi: Invalid argument) WARNING: DL_PROMISC_SAP failed (recv_ack: promisc_sap: Invalid argument) They are both due to libpcap. Has anyone more successfully tackled this problem? Despite these warnings NeTraMet seems to work fine. Anyone interested can have these prototipal executables. Cheers Matteo