From netramet-owner Mon Aug 7 08:20:36 2000
From: Nevil Brownlee
To: jtoung@mail.arc.nasa.gov
Cc: n.brownlee@auckland.ac.nz, netramet@auckland.ac.nz
Subject: Re: inactive flows??
Date: Mon, 7 Aug 2000 09:21:00 +1300 (DST)

Hello Jerry:

Back on 18 May you sent me the message below. I'm really sorry to
have taken this long to answer, I've just come across it while tidying
up a heap of 'mailer error' messages in my inbox ..

> Me again. Since the 'flowDataStatus' object in the flow data table
> has been deprecated, what object to query that'll let me know when a
> flow has gone inactive and will avoid me of receiving a 'noSuchName'
> error message. I think that'll be my last question.

That's a very good question. And one I simply hadn't thought about
for rather a long time. nifty probably generates log files with lots
of those messages in it!

The reason flowDataStatus was deprecated was because we had introduced
flowDataTimeMark as a better way to get the 'currently active' flows
from a meter.

The answer to your question is, I guess, to read values of
   p = flowReaderPreviousTime for your particular meter reader, and
   a = flowDataLastActiveTime for the flow
The flow is inactive if a <= p.

The meter actually reads the PreviousTimes for all current meter
readers, but I think it would be enough to just use the value for the
meter reader of most interest to you.

BTW, I'm curious as to the application you're developing.
I'm very keen to encourage people to develop new applications which
use data from the RTFM meter, so any comments you'd care to share on
this would be very welcome.

Also, are you on the RTFM list? If so you'll have seen the minutes
of our Pittsburgh meeting, at which we discussed the notion of making
a standard API which would make it easier for people to build such
applications.

Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7425      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+

From netramet-owner Mon Aug 14 15:13:32 2000
Message-Id: <200008140304.LAA03670@mail.scut.edu.cn>
Date: Mon, 14 Aug 2000 11:7:45 +0800
From: zhongxin
To: NeTraMet mailing list

hi,

I am using NeTraMet4.3 plus NeMaC to collect IP flow data for our
application. It's really wonderful that NeTraMet is a very flexible,
reliable and effective utility. But there is a small problem puzzling me.
According to the <>,
Packet and Byte counters are 32-bit unsigned integers,
but I saw numbers bigger than 0x100000000 in the flow
data file. Are the counters 32-bit unsigned integers?
If not, how many bits it used (I use SUN solaris system
(sparc processor)?

By the way, does the NetraMet version which fixes the
-l option bug comes out?

If anyone knows the answer, his help will be appreciated.

thanks

xinzhong

From netramet-owner Thu Aug 17 16:28:27 2000
Message-Id: <200008170417.MAA04891@mail.scut.edu.cn>
Date: Thu, 17 Aug 2000 12:20:54 +0800
From: zhongxin
To: NeTraMet mailing list

hi, every one.

I have a strange question to ask:

Why can't I assign value to package's address attribute?

It seems absurd at first, but sometimes it has special use.
Have a think, if someone wants to get two flows in one ruleset.
Each flow has a set of different key values, for example:

          SourcePeerType  SourcePeerAddress  Mask   DestPeerAddress  Mask
 Flow A:  IP              A1S1               A1S1M  A1D1             A1D1M
          IP              A1S2               A1S2M  A1D2             A1D2M
 Flow B:  IP              A2S1               A2S1M  A2D1             A2D1M
          IP              A2S2               A2S2M  A2D2             A2D2M

now we have to create four flows in the meter, and get the sum of flow A
and B separately. But if we can assign values to the address attribute, we
can assign one value for flow A's sourcepeeraddress and destpeeraddress and
another for flow B's sourcepeeraddress and destpeeraddress. The Data file
will look like this:

 flowindex  sourcepeeraddress  destpeeraddress  topkts  tooctets  frompkts  fromoctets
 mm         A                  A                *       *         *         *
 nn         B                  B                *       *         *         *

Of course the sourcepeeraddress and destpeeraddress lose their original
meanings (I think this is why their values can't be changed). But we gain
flexibility we haven't before.

This is only a simplified example. If we have a lot of flow to count and
every flow has a complex key attributes, we can reduce the data records to
the number of flows or less every time NeMaC collect the data.

OK, this is only my opinion. If you have any idea, for or against mine,
you can tell me.

Thanks.
xinzhong

From netramet-owner Fri Aug 18 16:46:03 2000
From: Nevil Brownlee
To: zhongxin
Cc: NeTraMet mailing list
Subject: NeTraMet: Packet and Byte counter size
In-Reply-To: <200008140304.LAA03670@mail.scut.edu.cn>
Date: Fri, 18 Aug 2000 16:41:51 +1200 (New Zealand Standard Time)

Hello xinzhong:

> utility. But there is a small problem puzzling me.
> According to the <>,
> Packet and Byte counters are 32-bit unsigned integers,
> but I saw numbers bigger than 0x100000000 in the flow
> data file. Are the counters 32-bit unsigned integers?
> If not, how many bits it used (I use SUN solaris system
> (sparc processor)?

You've spotted an error in the documentation - the packet and byte
counters are all 64-bit counters, as set out in the Meter MIB
(RFC 2720). I'll correct the manuals, thanks.

> By the way, does the NetraMet version which fixes the
> -l option bug comes out?

This is fixed in the current beta version, i.e.
beta-versions/NeTraMet44b8.tar.gz, which was released 8 Aug 00.
Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7425      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+

From netramet-owner Fri Aug 18 16:46:23 2000
From: Nevil Brownlee
To: zhongxin
Cc: NeTraMet mailing list
Subject: SRL: overwriting an Address
In-Reply-To: <200008170417.MAA04891@mail.scut.edu.cn>
Date: Fri, 18 Aug 2000 16:47:42 +1200 (New Zealand Standard Time)

Hello xinzhong:

> Why can't I assign value to package's address attribute?

You can. Here's an example ruleset to show you how ..

   define A1S1 = 123.234/20;
   define A1S2 = 123.235/20;

   if SourcePeerType == IPv4 || SourcePeerType == IPv6 save;
      # Fall through to IP handling below
   else ignore;

   if SourcePeerAddress == A1S2 save SourcePeerAddress = A1S1;
   else save SourcePeerAddress;  # Default width is PEER_ADDR_LEN
   save DestPeerAddress;

   count;

   set demo;  # NeMaC commands
   format
      FlowRuleSet FlowIndex FirstTime
      " " SourcePeerType
      " " SourcePeerAddress DestPeerAddress
      " " ToPDUs ToOctets
      " " FromPDUs FromOctets;

As you said, this throws away information. But if it's useful in
reducing the number of flows you need to collect, by all means use it.
Another possibility, where you have a list of address sets, is to use
one of the 'computed' attributes, e.g. SourceKind. This would
probably make your ruleset easier to understand (overwriting Addresses
feels a little bit strange really :-)

Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7425      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+

From netramet-owner Fri Aug 18 20:32:59 2000
Message-Id: <200008180829.QAA14476@mail.scut.edu.cn>
Date: Fri, 18 Aug 2000 16:32:40 +0800
From: zhongxin
To: NeTraMet mailing list
Subject: An question about the SourceKind attribute

First, I thank Doctor Nevil Brownlee for his kind help at here. It is
really important to me.

Second, I think I get the point of how to "assign value" to address
attribute. In fact, using PushRuleTo action in the rule file, the value
set in the rule is pushed into the "pattern stack" instead of masked
attribute value.
In this way, we can achieved to "assign value" to
the attribute. Am I right? It's really wonderful!

Third, I am interested in the method to group flow data by attribute such
as SourceKind, DestKind and FlowKind. But when I attempt to set value to
these attribute (as flows), the srl compiler gives me an error message. It
seems that I can't change the value of these "general attributes". But I
don't know how meter counts these attributes (except for flowindex,
flowRuleSet, ToOctets, ......).

Do these attributes have any relationship with specified set of addresses?
It's just a guess because I don't see any example using these attribute up to
now.

By the way, how long is SourceKind/DestKind?

thanks

xinzhong

From netramet-owner Fri Aug 18 21:56:14 2000
Message-Id: <200008180952.RAA14963@mail.scut.edu.cn>
Date: Fri, 18 Aug 2000 17:56:7 +0800
From: zhongxin
To: NeTraMet mailing list

Hi, everyone.

Has someone use the "INCLUDE ****;" action? When I attach the above line
in a rule file, NeMaC tell me "couldn't open include file". In fact, the
rule file with the specified name exists. Something goes wrong, but I
can't figure out what's the problem.
Are there someone seen this problem or know the reason?

By the way, I use the included rule file to define a sub rule set.
Does it need to write as follows:

   SET nn
   Rules
   sub_name:
     .....
     .....
     Null & 0 = 0 : return n;

or it is enough to write:

   sub_name:
     .....
     .....
     Null & 0 = 0 : return n;

Thanks

xinzhong

From netramet-owner Sat Aug 19 21:43:34 2000
From: Nevil Brownlee
Date: Sat, 19 Aug 2000 21:40:57 +0000
To: zhongxin
Subject: Re: An question about the SourceKind attribute
Cc: netramet@auckland.ac.nz
In-Reply-To: <200008180829.QAA14476@mail.scut.edu.cn>
References: <200008180829.QAA14476@mail.scut.edu.cn>

Hello xinzhong

> Second, I think I get the point of how to "assign value" to address
> attribute. In fact, using PushRuleTo action in the rule file, the value
> set in the rule is pushed into the "pattern stack" instead of masked
> attribute value. In this way, we can achieved to "assign value" to
> the attribute. Am I right? It's really wonderful!

Yes, you're right. But note that it's much easier to create rulesets
by writing SRL programs and using the SRL compiler to turn them into
rulesets for NeMaC than it is to create them directly yourself!

> Third, I am interested in the method to group flow data by attribute such
> as SourceKind, DestKind and FlowKind. But when I attempt to set value to
> these attribute (as flows), the srl compiler gives me an error message.
> It seems that I can't change the value of these "general attributes". But I
> don't know how meter counts these attributes (except for flowindex,
> flowRuleSet, ToOctets, ......).

In SRL you have to use the store statement to set them, e.g.

   store FlowKind := 3;

> Do these attributes have any relationship with specified set of addresses?
> It's just a guess because I don't see any example using these attribute up to
> now.

No, they're just variables you can store values into, then read them
from the meter via NeMaC's format statement.

> By the way, how long is SourceKind/DestKind?

By default they're 8 bits. If you want them larger, you only have to
change their declaration in meter/flowkind.h

Cheers, nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7021      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+

From netramet-owner Sun Aug 20 02:39:30 2000
Message-Id: <200008191436.WAA23788@mail.scut.edu.cn>
Date: Sat, 19 Aug 2000 22:39:38 +0800
From: zhongxin
To: NeTraMet mailing list
Subject: detail of "include" problem

hello, Doctor Nevil Brownlee:

My test rule files are as follows (two rule files):

main.rule
-------------------------------------------------
SET test
SourcePeerType & 255 = IP : GoTo, CALL_SUB;
Null & 0 = 0 : Ignore , 0;
CALL_SUB:
Null & 0 = 0 : GoSub, SUB1;
Null & 0 = 0 : count, 0;
format
   FlowRuleSet FlowIndex FirstTime
   " " SourcePeerType
   " " SourcePeerAddress DestPeerAddress
   " " ToPDUs ToOctets
   " " FromPDUs FromOctets;
INCLUDE sub.rule;
-------------------------------------------------

sub.rule
-------------------------------------------------
SUB1:
Null & 0 = 0 : Return, 1;
-------------------------------------------------

When I use
   NeMaC -s -r main.rule
to check the rule file, I get the report:

   main.rule 17: INCLUDE sub.rule;
   Couldn't open include file !!!
   >>> Symbol sub1 is undefined
   2 errors in rule file(s) main.rule

Maybe it's a simple problem, but I really don't know what's going wrong
because I am not familiar with "INCLUDE".

thanks.

By the way, Is there more detailed NeTraMet specification than the <>?.

By the way, I will explain why not use srl to create rule file. We are
developing an application which use NeTraMet's data, just as you recommend
in the NeTraMet's documentations. In our application we define flow
attributes (such as source & mask, destination & mask) and use NeTraMet to
get flow data then process the data. It's necessary to create rule files
on demand in the program (this function is a bit like srl, but much
simpler). Though it doesn't fit me now, SRL is a very powerful utility to
create rule file fast and accurate, it's specially useful when someone
want to manually set some flow.

OK, thanks again.
xinzhong

From netramet-owner Mon Aug 21 01:16:44 2000
Message-Id: <200008201309.VAA00580@mail.scut.edu.cn>
Date: Sun, 20 Aug 2000 21:13:11 +0800
From: zhongxin
To: NeTraMet mailing list
Subject: Two questions about counting flow

hi,

First, I explain my test

1) Target:
   I want to collect two sets of flow data. One is IP packets between A1
   and A2, the other is the rest of IP packets.

2) SRL rule file
----------------------------------------------------
define A1 = 202.38.197.68;
define A2 = 202.38.197.23;

if SourcePeerType == IPv4 save;
else ignore;

if SourcePeerAddress == A1 && DestPeerAddress == A2 {
   save SourcePeerAddress = 0;
   save DestPeerAddress = 1;
   }
else {
   if SourcePeerAddress == A2 && DestPeerAddress == A1 {
      save SourcePeerAddress = 1;
      save DestPeerAddress = 0;
      }
   else {
      save SourcePeerAddress = 0;
      save DestPeerAddress = 0;
      }
   }
count;

set demo;
# NeMaC commands
----------------------------------------------------

3) Results (part):
..
#Time: 19:35:00 Sun 20 Aug 2000 202.38.197.68 Flows from 52383 to 56988
9 5 52366 1 0.0.0.0 0.0.0.0 18 4807 0 0
9 6 52370 1 0.0.0.1 0.0.0.0 3 120 0 0
9 7 52370 1 0.0.0.0 0.0.0.1 2 187 0 0
#EndData: 202.38.197.68
..
#Time: 19:39:00 Sun 20 Aug 2000 202.38.197.68 Flows from 74905 to 80912
9 5 52366 1 0.0.0.0 0.0.0.0 76 25753 0 0
9 6 52370 1 0.0.0.1 0.0.0.0 66 11128 0 0
9 7 52370 1 0.0.0.0 0.0.0.1 75 62623 0 0
9 8 76045 1 0.0.0.0 0.0.0.0 1 234 0 0
#EndData: 202.38.197.68

Second, I give my questions.

1) According to meter's packet matching algorithm (as follow diagram)

             Ignore
   --- match(S->D) -------------------------------------------------+
        | Suc   | Fail                                              |
        |       |          Ignore                                   |
        |      match(D->S) -----------------------------------------+
        |       | Suc   | Fail                                      |
        |       |       |                                           |
        |       |       +-------------------------------------------+
        |       |                                                   |
        |       |             Suc                                   |
        |      current(D->S) ---------- count(D->S,r) --------------+
        |       | Fail                                              |
        |       |                                                   |
        |      create(D->S) ----------- count(D->S,r) --------------+
        |                                                           |
        |             Suc                                           |
       current(S->D) ------------------ count(S->D,f) --------------+
        | Fail                                                      |
        |             Suc                                           |
       current(D->S) ------------------ count(D->S,r) --------------+
        | Fail                                                      |
        |                                                           |
       create(S->D) ------------------- count(S->D,f) --------------+
                                                                    |
                                                                    *

   there shouldn't exists two flows with the same keys. If I am right,
   I don't know why there are two flows with the same source and mask
   (flow_index = 5 and flow_index = 8).

2) I think there should be only one flow between A1 and A2 (its direction
   depends on the first occurrence of the flow) recorded by the meter. But
   the result is not as I expected.

Last, my guess.

Maybe the problems have some relationship with the
   save attribute = nn;
operation.
I replace the SRL rule file by the following file:
-------------------------------------------------------------
define A2 = 202.38.197.68;
define A1 = 202.38.197.23;

if SourcePeerType == IPv4 save;
   # Fall through to IP handling below
else ignore;

if ((SourcePeerAddress == A1 && DestPeerAddress == A2) ||
    (SourcePeerAddress == A2 && DestPeerAddress == A1)) {
   save SourcePeerAddress;
   save DestPeerAddress;
   }
else {
   save SourcePeerAddress/0;  # Default width is PEER_ADDR_LEN
   save DestPeerAddress/0;
   }
count;

set demo;  # NeMaC commands
format
   FlowRuleSet FlowIndex FirstTime
   " " SourcePeerType
   " " SourcePeerAddress DestPeerAddress
   " " ToPDUs ToOctets
   " " FromPDUs FromOctets;
-------------------------------------------------------------
The result seems all right.

OK, thanks very much.

xinzhong

From netramet-owner Mon Aug 21 13:15:34 2000
From: Nevil Brownlee
To: zhongxin
Cc: NeTraMet mailing list
Subject: Re: detail of "include" problem
In-Reply-To: <200008191436.WAA23788@mail.scut.edu.cn>
Date: Mon, 21 Aug 2000 13:14:57 +1200 (New Zealand Standard Time)

Hello again xinzhong:

Turns out that
   INCLUDE sub.rule;
didn't work because NeMaC was trying to open "sub.rule;"

I've fixed the bug in the next release. Meanwhile, you can work
around it by putting a space before the trailing semicolon.
Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7425      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+

From netramet-owner Sun Aug 27 13:16:31 2000
Message-Id: <200008270106.JAA28862@mail.scut.edu.cn>
Date: Sun, 27 Aug 2000 9:10:20 +0800
From: zhongxin
To: NeTraMet mailing list

Hi, everyone:

Does anyone know how to get total bytes of network layer (or lower layer)
across the meter in a time interval? I use it to calculate the utility of
the network bandwidth. I saw statistical attributes such as aps (average
packets/second) and apb (average package backlog), but I didn't find
anything related to the bytes counting.

Thanks.
zhongxin

From netramet-owner Wed Aug 30 18:15:02 2000
From: Nevil Brownlee
To: netramet@auckland.ac.nz
Subject: NeTraMet user survey
Date: Wed, 30 Aug 2000 18:10:08 +1200 (New Zealand Standard Time)

Hello all:

I'm trying to do some planning for future NeTraMet developments, and
I've reached the point where I really need some data on how many sites
are using it, and what for.

Appended below is a short User Survey; I'd very much appreciate your
taking a few minutes to fill it in and email it back to me
(n.brownlee@auckland.ac.nz).

Cheers, Nevil

+---------------------------------------------------------------------+
| Nevil Brownlee                     Director, Technology Development |
| Phone: +64 9 373 7599 x8941        ITSS, The University of Auckland |
|   FAX: +64 9 373 7425      Private Bag 92019, Auckland, New Zealand |
+---------------------------------------------------------------------+

NeTraMet User Survey, 30 August 2000

1) Have you considered using NeTraMet at your site?  Yes/No .....

2) Are you currently using NeTraMet at your site?  Yes/No .....
   If no, go to question (8)

3) In what way are you using NeTraMet?
     Research tool?  Y/N .....
     Production measurements?  Y/N .....

4) On what scale are you using NeTraMet?
     Approx number of meters (e.g. 1, 5, 10)?  .....
     Interface speeds (e.g. 10/100, OC3)?  .....
     Average traffic rates (Mbps)?  .....

5) Are you using NetFlowMet?  Yes/No .....
     If so, with (approx) how many routers?  .....

6) Creating rulesets:
     Have you created your own rulesets directly
       (e.g. by editing the example/rules.* files)?  Y/N .....
     Do you create rulesets using SRL?  Y/N .....

7) How are you processing your flow data:
     Do you use fd_filter?  Y/N .....
     Do you use your own scripts/cron jobs to analyse flow data
       and produce reports?  Y/N .....
     Do you store flow data in a database?  Y/N .....
     Have you developed your own programs to control or
       collect data from your meters?  Y/N .....

8) Background information
     What kind of network do you use NeTraMet in,
       e.g. ISP/Enterprise/University/Other?  .....
     Have you asked your network equipment vendor "when do you plan
       to implement the Meter MIB (RFC 2720)?"  Y/N .....

9) Any other comments about NeTraMet (e.g. new features you'd like
   to see)?

Please email your completed survey to: n.brownlee@auckland.ac.nz

THANKYOU!
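
Added example (not part of the original messages and not NeTraMet code): a Python model of the packet-matching diagram quoted in the 20 Aug 2000 message "Two questions about counting flow", run against the first ruleset from that message. It assumes the flow table is keyed on the saved attribute values; `source_a1_ruleset`, the `Meter` class and the sample packets are constructed for illustration.

```python
# Model of the packet-matching diagram from the thread (added example).
IGNORE, FAIL = "ignore", "fail"        # ruleset outcomes other than a flow key

A1, A2 = "202.38.197.68", "202.38.197.23"   # addresses from the message


def first_ruleset(peer_type, src, dst):
    """The first SRL program in the message, returning the saved (src, dst) key."""
    if peer_type != "IPv4":
        return IGNORE
    if src == A1 and dst == A2:
        return (0, 1)      # save SourcePeerAddress = 0; save DestPeerAddress = 1;
    if src == A2 and dst == A1:
        return (1, 0)
    return (0, 0)


def source_a1_ruleset(peer_type, src, dst):
    """Hypothetical ruleset that matches only when the source is A1, else fails."""
    if peer_type != "IPv4":
        return IGNORE
    return (A1, "any") if src == A1 else FAIL


class Meter:
    """Assumption of this model: the flow table is keyed on the saved values."""

    def __init__(self, ruleset):
        self.ruleset = ruleset
        self.flows = {}

    def count(self, key, direction, octets):
        # setdefault covers the diagram's create() step when the flow is new.
        flow = self.flows.setdefault(
            key, {"to_pdus": 0, "to_octets": 0, "from_pdus": 0, "from_octets": 0})
        flow[direction + "_pdus"] += 1
        flow[direction + "_octets"] += octets
        return direction

    def packet(self, peer_type, src, dst, octets):
        """Walk the diagram top to bottom for one packet; return the action taken."""
        key = self.ruleset(peer_type, src, dst)            # match(S->D)
        if key == IGNORE:
            return "ignored"
        if key == FAIL:
            key = self.ruleset(peer_type, dst, src)        # match(D->S)
            if key in (IGNORE, FAIL):
                return "ignored" if key == IGNORE else "unmatched"
            # current(D->S) or create(D->S), then count(D->S, r)
            return self.count(key, "from", octets)
        if key in self.flows:                              # current(S->D)
            return self.count(key, "to", octets)           # count(S->D, f)
        swapped = (key[1], key[0])
        if swapped in self.flows:                          # current(D->S)
            return self.count(swapped, "from", octets)     # count(D->S, r)
        return self.count(key, "to", octets)               # create(S->D)


# Constructed sample packets: (peer type, source, destination, octets).
PACKETS = [
    ("IPv4", A1, A2, 40),
    ("IPv4", A2, A1, 60),
    ("IPv4", "10.0.0.1", "10.0.0.2", 100),
    ("IPv4", "10.0.0.2", "10.0.0.1", 200),
    ("Other", "-", "-", 64),
]


def run(ruleset, packets=PACKETS):
    """Feed the packets through a fresh meter; return (flow table, actions)."""
    meter = Meter(ruleset)
    actions = [meter.packet(*p) for p in packets]
    return meter.flows, actions


if __name__ == "__main__":
    for rs in (first_ruleset, source_a1_ruleset):
        flows, actions = run(rs)
        print(rs.__name__, actions)
        for key, counters in flows.items():
            print("  ", key, counters)
```

Under this model the first ruleset produces two flows, and both directions of the catch-all traffic land in the "to" counters of the 0/0 flow because match(S->D) succeeds for every IPv4 packet. The second ruleset is there only to exercise the match(D->S) branch of the diagram.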