NeTraMet Version History
========================

v4.4 20 Feb 02

In examples/ directory, moved old rules.* examples to non_srl. The srl examples are now in the examples/ directory.

SNMP security issues. I've tested NeTraMet's SNMP code using the PROTOS test suite. A test for negative lengths in the ASN.1 parsing code has been added - that was the only change needed.

The SNMP routines (in snmplib/) perform a lot of parameter checks, and call an ERROR() define. By default ERROR does nothing. If you're testing an SNMP manager against NeTraMet, you can turn those messages on by adding -DDEBUG to the CFLAGS= line in snmplib/Makefile and rebuilding the snmp library.

Change 'interface number' attributes to use 16-bit integers instead of 8-bit. This can be useful when using NetFlowMet.

v4.4b11 25 Nov 01

Implement -C option for nm_rc, exactly as in NeMaC. This allows you to use nm_rc to test rulesets against trace files being read by crl_ntm or dd_ntm. Sample commands to do this are:
    ./crl_ntm -T5 -m1234 -Strace_file -wW~com
    ./nm_rc -C -m1234 -rpeers.rules localhost W~com
Note: you need CoralReef version 3.5 to build crl_ntm!

Speed improvements in flowhash:
- move code which doesn't need to be executed on every call outside blocks in match()
- implement list of running rulesets, instead of doing serial searches of ri[] table
- use 32-bit hash values for flow and stream hash tables, use table size specified by user (rather than trying to pick a prime above it - that doesn't help, since we use a set of distinct primes for hashing)

Use long long integers (8 bytes) for counter64 if the host supports them. Newer Pentiums do; this provides a useful speedup.

Change 'shutdown' request character. It was a single ESC, but it's too easy to hit a key which sends an escape sequence! Now you have to type ESC ESC Return to shut down the meter.

Fix little problems which gave warning messages when building NeTraMet on an alpha running Digital Unix.
The configure script wasn't recognising the OS correctly; this didn't cause problems because none of the programs have defines testing this any more. MinPDUs gave compilation errors on alpha, fixed by adding c64geint() define.

Linux kernel reset promiscuous mode when forking a NeTraMet daemon. Changed meter_ux.c to fork first, then open the interfaces.

NeTraMet, NetFlowMet, LfapMet, crl_ntm, dd_ntm (i.e. all the meters) write error messages and summary information to a log file using log_msg(), in the same way as NeMaC. The name of the log file is meter.log; it will be written in the directory where the meter starts running.

v4.4b10 23 May 01

LfapMet: RTFM meter for LFAP, code contributed by Remco Poortinga. Added files in src/meter:
    README_LfapMet   Notes about LfapMet
    lfapmet.h        LfapMet globals
    lfapmet.c        LfapMet support routines

Added two new MIB variables to reader row, MinPDUs (default 0) and TimeMark. A flow must have at least MinPDUs either to or from before it will be read by a meter reader. TimeMark is needed to associate an SNMP getnext request with a particular reader. MinPDUs can be set using the -M option. nifty default is -M20, NeMaC default is -M0.

Improved save.sav so that it only saves the files we really need in the NeTraMet distribution.

v4.4b9 11 Apr 01

Fixed bug in NeMaC include statement. getarg() no longer allows semicolon in an argument.

Fixed srl compiler bug; optimise 3 wasn't recognising the end of AND expressions properly.

NeMaC could fail to open a flow data file (e.g. because it already existed with no write access); it now reports this and doesn't try to run that meter/ruleset.

NeTraMet Coral interface improved to handle two Dag cards properly. Reads blocks of cells from each then merges them by timestamp. NeTraMet uses -Siii to specify a Coral source (instead of -C'source iii' *****).

v4.4b8 8 Aug 00

Fixed bug in fd_extract.c; needed to use attr_ix[a] when listing column info.
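The v4.4 entry above records the one change the PROTOS SNMP test suite forced: a test for negative lengths in the ASN.1 parser. The following is an added example, not snmplib's code, of a BER length decoder written with that check and the related bounds checks in place, next to an unchecked decoder of the kind that turns an over-long length into a negative number. The byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Defensive BER length decoder (added example, not NeTraMet's snmplib).
 * buf points at the length octets; avail is how many bytes we really hold
 * from buf onwards. On success returns 0 and sets *length (content length)
 * and *hdrlen (bytes used by the length field). Returns -1 for anything
 * malformed: indefinite form, lengths wider than 32 bits, lengths whose
 * top bit is set (these read as negative through a signed int), or a
 * length that claims more content than the buffer holds. */
int ber_parse_length(const unsigned char *buf, size_t avail,
                     uint32_t *length, size_t *hdrlen)
{
    if (avail < 1) return -1;
    unsigned char first = buf[0];

    if (first < 0x80) {                     /* short form: one byte */
        *length = first;
        *hdrlen = 1;
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes == 0) return -1;         /* indefinite form, not valid in SNMP */
        if (nbytes > 4) return -1;          /* cannot fit a 32-bit length */
        if (avail < 1 + nbytes) return -1;  /* length octets themselves truncated */
        uint32_t v = 0;
        for (size_t i = 0; i < nbytes; i++)
            v = (v << 8) | buf[1 + i];
        if (v & 0x80000000u) return -1;     /* would be negative as a signed int */
        *length = v;
        *hdrlen = 1 + nbytes;
    }
    /* The content must lie inside the bytes we actually received. */
    if (*length > avail - *hdrlen) return -1;
    return 0;
}

/* The failure mode, kept only to show it: assembling the length into a
 * signed 32-bit value makes 84 FF FF FF FE decode as -2, and a later
 * 'if (len > remaining)' test lets it through. Never use this on real input. */
int32_t ber_length_unchecked(const unsigned char *buf)
{
    uint32_t u = buf[0];
    if (u & 0x80) {
        size_t n = u & 0x7f;
        u = 0;
        for (size_t i = 0; i < n; i++)
            u = (u << 8) | buf[1 + i];
    }
    return (int32_t)u;                      /* wraps to negative on two's complement */
}

/* Constructed samples (tag byte first, as in an OCTET STRING TLV). */
static const unsigned char SHORT_LEN[]   = { 0x04, 0x03, 'a', 'b', 'c' };
static const unsigned char NEG_LEN[]     = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xfe, 0x00 };
static const unsigned char OVERRUN_LEN[] = { 0x04, 0x05, 'a', 'b' };   /* claims 5, holds 2 */

int main(void)
{
    uint32_t len; size_t hdr;
    printf("short:   rc=%d len=%u\n",
           ber_parse_length(SHORT_LEN + 1, sizeof SHORT_LEN - 1, &len, &hdr), len);
    printf("negative: rc=%d (unchecked decoder would say %d)\n",
           ber_parse_length(NEG_LEN + 1, sizeof NEG_LEN - 1, &len, &hdr),
           ber_length_unchecked(NEG_LEN + 1));
    printf("overrun: rc=%d\n",
           ber_parse_length(OVERRUN_LEN + 1, sizeof OVERRUN_LEN - 1, &len, &hdr));
    return 0;
}
```

The check that matters for the PROTOS case is the one on bit 31 together with the comparison against the bytes actually held; the indefinite-form and width checks cost nothing extra and close the neighbouring encodings the same suite exercises.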
Modified nmc_snmp so as to report (via log file) size of "only one package" SNMP PDUs. This required adding pdu_len to both snmp_pdu and internal_snmp_pdu in snmplib.

srl compiler was warning when user redefined a well-known port, but ignored the new definition. This has been fixed; the new definition is used instead of the default well-known port number.

Corrected ntm_conf.hin file so that it has ALL the defines tested for by configure.in. It was missing several, including WORDS_BIGENDIAN. Changed configure.in to improve matching of operating system name when setting the OS define.

Fixed bug which prevented rate distributions from being collected (this worked properly in 4.3). A test that an event (to which the distribution could be linked) existed was wrongly implemented.

Fixed bug reported by Dylan Hall, 31 May 00: NeTraMet -l option wasn't working because pp.p_len was being overwritten.

Deimplemented TCP_ATR define. TCP attributes are now implemented as part of the new attributes, controlled by #define NEW_ATR.

v4.4b7 22 May 00

Increased size of symbol and label tables in srl compiler, to allow compiling of *much* bigger programs. [Bug report and patches supplied by Carsten Schmoll, 15 Mar 00]

fd_filter now allows != as well as == operators in tag descriptions. This allows you to create a tag for bidirectional flows, e.g.
    tag 3 ToPDUs != 0, FromPDUs != 0;

The srl compiler now allows Ruleset names to be identifiers, not just integers, e.g.
    set my_big_ruleset;
Ruleset names must be <= 16 characters long.

A CoralReef version of the meter, crl_ntm, has been implemented. You can use crl_ntm to analyse CoralReef or tcpdump trace files. crl_ntm has three new command-line options:
    -C'source fn'   Tells meter to read file fn
    -T sss          Specifies the NeMaC sample interval (default 10 seconds)
    -N nnn          Specifies the number of intervals (default 0, i.e.
                    process whole file)

NeMaC has a new command-line option too:
    -C   Tells NeMaC that this meter is running from a CoralReef trace file

v4.4b6 22 Feb 00

Change to using autoconf Configuration Header File. The ntm_conf.h file (in the base directory) is now included by all the source programs. It contains all the options detected by autoconfigure, together with some defines giving NeTraMet's version number. One advantage of this is that there is a lot less text displayed while making NeTraMet.

When NeMaC is shut down gracefully (by a SIGTERM or SIGINT) it will now collect the flow data gathered since the last collection for all the meters it is controlling. [This change was suggested by Robert Strycharczuk, 10 Feb 00]

NeTraMet (on Unix and Cygwin32) has been extended so as to handle PPP interfaces. PPP flows are assumed to be IPv4 (the most likely possibility); they have AdjacentType AT_PPP (i.e. 23) and AdjacentAddresses 0. [This change was suggested by Gerald Richter, 10 Dec 99]

When displaying domain names instead of IP addresses, nifty may have to wait a long time for the DNS response. It now displays a 'cross-hair' cursor while waiting on DNS.

nifty.srl has been modified to plot diamonds instead of pluses for multicast flows.

Port NeTraMet to MS Windows, using the Cygwin32 environment and WinDump's BPF drivers:
- ported libpcap to cygnus+windump
- changes to meter_ux for CYGWIN32 (can't assume that pcap files work with select)
- changes to snmpapi.c and snmpclnt.c (Cygwin32 doesn't have `timerset' defines)

v4.4b5 12 Jan 00

Allow fd_filter to have character constants in tag specifications, e.g.
    DestKind = 'F';

Fix bugs relating to ASNs looked up using OCX_BGP (i.e. in a bgp.txt file). These were:
- Lookup wasn't being done if DestASN was saved but not SourceASN
- S/D ASN attributes weren't being set to zero if the IP Address lookup failed (i.e. when we couldn't find its ASN).

Correct Makefile.in files to set GF variable (it was $GF by mistake).
v4.4b4 16 Nov 99

Update mib.txt to use RFC2720 version.

Add support for NetBSD on Alpha:
* Use XtPointer in nifty source, cast to IntFromPtr when values are used
* Set __unix__ = !defined(DOS) in btypes/types.h
* Use POINTER_DATATYPE instead of Bit32 for subnet pointer arithmetic in integrat/subnetd.h
* Cast bytes to counter64 in getcounter64() in manager/nmc_snmp.c
* Recognise NetBSD in configure.in
* Change source to use !defined(DOS) instead of defined(__unix__)

v4.3 30 Sep 99

Added a GFLAG variable to the configure.in script and the Makefiles. By default this is null. Set it to -g to build executables which have symbolic information for debugging.

Replaced mib/mib.txt with a new version, using the 'Proposed Standard' RTFM Meter MIB.

Added config support for Alpha (Tru64 Unix) systems. This corrects several bugs introduced since 4.2; they only showed up on a 64-bit machine.
* The Tru64 C compiler is much more 'picky' than gcc! Cleaned up the source so as to get rid of warning messages
* Change snmp library so as to use Int32 for ASN.1 INTEGERs and Bit32 for TIMESTAMPs. The original CMU code used 'unsigned long' for both. Made corresponding changes to the meter and manager programs.

NeTraMet and NeMaC as daemons: -D option
* NeMaC
      ./NeMaC -D
  runs NeMaC in its own Unix session
* NeTraMet
      ./NeTraMet -D   and   ./NetFlowMet -D
  runs the Unix and NetFlow meters in their own Unix session. Before doing so it disables the screen and keyboard, so -k -s are implied by -D.
CAUTION: -d turns on diagnostic dumps of the SNMP packets. Don't set this by mistake for -D!

Implemented command-line defines for srl. For example
    ./srl -DW=16 "-Dext = DestPeerAddress/24" xxx.srl
defines w to be 16, and EXT to be DestPeerAddress/24. Note the quotes around the second define; they are required if the define text contains blanks.

Modified NeMaC ruleset parser to skip dots and digits at the end of addresses.
This allows it to download rulesets produced by an srl compiler compiled with the V6 option set even if NeMaC was compiled with the V6 option not set.

v4.3b10 26 May 99

Support for IPv6
* Controlled by V6 option in the source files. To enable this:
  a) If you run autoconf to build the Makefiles change
         AC_DEFINE(V6, 0)
     to
         AC_DEFINE(V6, 1)
     before running autoconf
  b) Otherwise, in the configure script change
         #define V6 0
     to
         #define V6 1
     before running ./configure
* The SRL compiler allows V6 addresses, as specified in RFC 2373. Although v6 addresses have a fairly simple form, it's easy to get it wrong. The compiler tries very hard to produce helpful error messages for them.
* The NeTraMet meter handles v6 packets, returning them to the manager with SourcePeerType = IPv6 (IP and IPv4 are synonyms for IP version 4)
* The managers (NeMaC, nm_rc and nifty) display IPv6 addresses as per RFC 2373.
* fd_util and fd_extract handle IPv6 addresses properly.

Other changes
* SRL compiler will allow redefinition of 'built-ins,' i.e. well-known ports, address families and transport types. A warning is given telling the user what was declared.
* Lots of bugs fixed in SRL compiler handling of syntax errors. These either crashed the compiler or sent it into infinite loops while reading the source program.

v4.3b9 16 Feb 99

* The distribution file now has TCP_ATR set by default, so that the TCP-based attributes are available for use. So as to minimise the meter default memory requirements, several new memory-allocation command-line options have been implemented. The complete set of these is now:
      -f fff   Max of fff flows
      -u rrr   Max of rrr rules
      -b bbb   Max of bbb TCP flows          <<< NEW
      -t ttt   Max of ttt TCP streams        <<< NEW
      -v ddd   Max of ddd distributions      <<< NEW
      -e eee   Max of eee distrib events     <<< NEW
* Implement ASN lookup in NeTraMet meter. This uses Joel Apisdorf's bgp code from OCxMON. The src/meter Makefile contains variable USE_OCX_BGP, which is commented out by default.
  Uncomment it, and make will include ASN lookup in the meter. To use it:
  a) Set the environment variable DEFAULT_AS (I set it to my own AS number)
  b) The meter starts up by reading a file, bgp.txt. You can create this file for your own network using SHOW IP BGP on a Cisco router. NOTE: a full bgp routing table will take 5 to 10 MB of memory space on the meter.
  c) By default the meter looks up 'next-hop' ASNs, i.e. the ASN the router would send packets to. The command-line option -o will look up 'owner' ASNs instead.

v4.3b8 4 Feb 99

* Implement distribution-valued attributes in fd_filter
* Fix memory management problems for TCP subflows in meter. Implement TCP-related distribution attributes in meter, NeMaC, fd_filter and srl.

v4.3b7 8 Jan 99

* Implement TCPdata attribute in fd_filter
* Fix NEW_ATR vs TCP_ATR bugs in meter_ux.c and nf_fwd.c

v4.3b6 23 Dec 98

* Fix bugs concerned with intermixing of NEW_ATR and TCP_ATR

v4.3b5 26 Nov 98

* Fix bug in SRL compiler, which wasn't distinguishing between
      save sourcetransaddress;
  and
      save sourcetransaddress = 0;

v4.3b4 25 Nov 98

* Fix endian problems in NetFlowMet, reported by Kevin Hoadley.

v4.3b3 16 Nov 98

* Set up new CVS repository to make it easier for co-developers to submit code changes / suggestions.

v4.3b2 12 Nov 98

* Autoconfigure changed to test for Motif, since nifty requires Motif as well as X.
* Support for FreeBSD: changed source files so as not to include malloc.h on systems which don't have it!
* Documentation error for NeMaC. Command line option -P specifies open-append-close behaviour for the >>log<< files only. It was previously documented (see below) as doing this for flow data files only.

v4.3b1 23 Oct 98

Changes contributed by Nicolai Guba (BT Labs) ..
* Command-line help is displayed if no options are specified for
      NeMaC, nm_rc
      NeTraMet (Unix meters, not PC meters)
      NetFlowMet
* -b mmm command-line option. Tells NeMaC and nm_rc to read the mib from file mmm.
* The NeTraMet distribution file, and the way you install NeTraMet on a host, have been changed to make it more like the GNU programs. The executable files are no longer in separate directories. Instead (by default) they are built in the src/ directories. To install NeTraMet into directory xyz you can simply
      ./configure
      make install

OCxMON meter improvements ..
The NeTraMet meter now allocates as much of its memory as possible when it starts up, so as to minimise allocation overhead. Space for rulesets is allocated at startup, with a default maximum of 2000 rules total for all rulesets.
* New meter command-line option: -u nnnn allocates space for a maximum of nnnn rules

v4.2.2 16 Nov 98

* Correct bug in nmc.h (inconsistency introduced when de-implementing 'detail' as synonym for 'trans' in attribute names). This caused NeMaC and friends to crash.

v4.2.1 2 Oct 98

Patch release ..
* NeMaC crashed with Owner names longer than six characters. This was because SET_STRING only ever allocated RULE_ADDR_LEN chars!
* SRL programs which start with an imperative statement now start with a GotoAct, Next rule. Without this they don't work!
* fd_extract and fd_util now handle 64-bit counter attributes (e.g. topdus) properly. 'Editorial' improvements have been made to the fd_util manual.
* A memory leak has been fixed in the SNMP snmpapi.c. Error logging has been added for snmp error/info/debug messages; these now go through log_msg(), as used for other NeMaC errors.

v4.2 5 Aug 98

* The distribution file has been changed so that it no longer has subdirectories for the various operating systems. The best way to install NeTraMet is to use autoconfig; see the INSTALL file in the autoconf/ directory.
* The 'os-specific' directories are no longer included in the distribution file. Users must build the version they need using configure in the autoconfig directory.

SRL Compiler
* The program srl is an optimising compiler for SRL, the Simple Ruleset Language.
  SRL is documented in an Internet Draft, available from the NeTraMet and RTFM home page.
      srl [options] source
  compiles the file 'source', producing a rules file ready to be used by NeMaC. Source files will normally end with .srl and rules files with .rules. For example
      srl test-prog.srl
  produces test-prog.rules.

  Compiler options:
      -l      List source program
      -s      Syntax check only
      -ann    'Assembler output' level nn.
              nn=0, rules in numeric form only. Requires NeMaC v4.2.
              nn=1, attributes and actions given as words. This is the default.
              nn=2, as for nn=1, but don't delete intermediate files.
      -Onn    Optimisation level.
              nn=0, no optimisation at all.
              nn=1, peephole optimising to delete redundant rules from intermediate files. This is the default.
              nn=2, optimise tests by mask length within expressions (shortest masks first, after allowing for overlapping addresses/masks).
              nn=3, as for nn=2, but optimise expressions between if clauses and between statements.

* srl extends the language (as described in the Internet Draft) by adding a number of extra statements:
      include fffff ;
  Will read all the text from file fffff. includes may be nested (i.e. an include file may include other files). srl looks for the file in the same directory as the source file.
      optimise nn ;
      optimise * ;
      optimise ;
  Allows you to change the optimisation level as required for different parts of your program. optimise ; resets the level to the value specified on the command line. optimise * ; is used to indicate breaks between optimised expression groups.
      set nn ;
      format aaa .. aaa ;
      statistics ;
  These three statements are passed on (via the output file) to NeMaC. String constants in a format (specifying separators in flow data files) may include C-style constants (introduced with a \).
* A collection of SRL programs is provided in the examples/srl directory.

v4.2b5 11 Jun 98

* Fix bug in getting reader_name. This prevented NeMaC et al from reading any flows from the meter!
* Use riFlowRecords instead of msNbrFlows for ms->NbrFlows. This means that nifty will display only the total flows for its current ruleset; it used to display the total number of flows for all rulesets.

v4.2b4 3 Jun 98

* Use LastTime instead of sysUptime to get meter time in NeMaC, nm_rc and nifty.
* Fix bugs in SNMP library which caused early timeout of some SNMP packets.

v4.2b3 22 May 98

* Implement better hashing algorithm for flow table and rulesets. Multiplies bytes of peer and trans addresses by small primes, and uses larger primes as the size of the various hash tables.
* Fix sundry bugs revealed in beta testing.

v4.2b2 11 May 98

NetFlowMet (NeTraMet + NetFlow = NetFlowMet):
* A new version of the meter has been added to the distribution. This takes NetFlow data from a Cisco Router (I've tested it using a 7200) and uses this to build the flow table. To start NetFlow on a router (in brief):
  - start NetFlow on each interface
        [no] ip route-cache flow
  - start exporting the NetFlow data
        [no] ip flow-export address port
    address is the address of your NetFlowMet meter, port is the port NetFlowMet will use to receive the data.
  You may specify the udp port number by using the -i pppp option on NetFlowMet's command line. If no -i option appears, port 9996 is used. You may specify up to four port numbers by giving a list of -i options, e.g.
        -i 12001 -i 12002 -i12003
  would listen for NetFlow data on UDP ports 12001, 12002 and 12003.

  NetFlowMet provides five new attributes which can be used in rulesets:
  + MeterId (8 bits, mask 255)
    Index in -i option list, e.g. port 12002 above would produce flows with MeterID = 2.
  + SourceASN, DestASN (16 bits, mask 255.255)
    Autonomous System Numbers for source and destination networks. These may be "Origin" or "Peer" ASNs; you must specify which when you start flow export from the router.
  + SourcePrefix, DestPrefix (8 bits, mask 255)
    Mask length for source and destination IP addresses (i.e. SourcePeerAddress and DestPeerAddress).
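The v4.2b3 entry above describes the flow-table hashing scheme in one sentence: multiply the bytes of the peer and trans addresses by small primes, and make the table size a larger prime. The following is an added illustration of that scheme, not NeTraMet's flowhash code; the particular primes, the 1009-bucket table and the IPv4/port key layout are assumptions made for the example, and the two sample keys are constructed. (The later v4.4b11 entry notes that with distinct per-byte primes the table size no longer needs to be prime; the example keeps the v4.2b3 form.)

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Flow key as an IPv4 meter sees it: peer (IP) addresses and trans
 * (port) addresses for both directions, all in network byte order.
 * Every member is a byte array, so the struct has no padding and can be
 * hashed as a flat run of KEY_BYTES bytes. */
typedef struct {
    unsigned char src_peer[4], dst_peer[4];
    unsigned char src_trans[2], dst_trans[2];
} flow_key;

#define KEY_BYTES 12

/* One distinct small prime per key position (assumed values). Weighting
 * positions differently means that swapping source and destination
 * bytes produces a different hash instead of the same sum. */
static const uint32_t BYTE_PRIME[KEY_BYTES] =
    { 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41 };

/* Bucket count is a larger prime (assumed), so the modulus spreads the
 * weighted sums over all buckets rather than echoing their low bits. */
#define TABLE_SIZE 1009

typedef struct flow_entry {
    flow_key key;
    struct flow_entry *next;        /* chain for colliding keys */
} flow_entry;

typedef struct { flow_entry *bucket[TABLE_SIZE]; } flow_table;

uint32_t flow_hash(const flow_key *k)
{
    const unsigned char *b = (const unsigned char *)k;
    uint32_t h = 0;
    for (size_t i = 0; i < KEY_BYTES; i++)
        h += (uint32_t)b[i] * BYTE_PRIME[i];
    return h;
}

unsigned flow_bucket(const flow_key *k) { return flow_hash(k) % TABLE_SIZE; }

flow_entry *flow_find(flow_table *t, const flow_key *k)
{
    for (flow_entry *e = t->bucket[flow_bucket(k)]; e; e = e->next)
        if (memcmp(&e->key, k, sizeof *k) == 0) return e;
    return NULL;
}

/* Insert k if absent; returns its entry, or NULL if out of memory. */
flow_entry *flow_insert(flow_table *t, const flow_key *k)
{
    flow_entry *e = flow_find(t, k);
    if (e) return e;
    e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->key = *k;
    unsigned b = flow_bucket(k);
    e->next = t->bucket[b];
    t->bucket[b] = e;
    return e;
}

void flow_table_free(flow_table *t)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        while (t->bucket[i]) {
            flow_entry *e = t->bucket[i];
            t->bucket[i] = e->next;
            free(e);
        }
}

/* Constructed keys: 10.0.0.1:1024 -> 10.0.0.2:80, and the reverse direction. */
static const flow_key KEY_A = { {10,0,0,1}, {10,0,0,2}, {4,0}, {0,80} };
static const flow_key KEY_B = { {10,0,0,2}, {10,0,0,1}, {0,80}, {4,0} };

/* Insert A twice and B once; returns the number of entries stored (2). */
int demo_table(void)
{
    flow_table t;
    memset(&t, 0, sizeof t);
    flow_insert(&t, &KEY_A);
    flow_insert(&t, &KEY_A);        /* duplicate: found, not re-added */
    flow_insert(&t, &KEY_B);
    int count = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++)
        for (flow_entry *e = t.bucket[i]; e; e = e->next) count++;
    flow_table_free(&t);
    return count;
}

int main(void)
{
    printf("hash A=%u bucket %u; hash B=%u bucket %u; entries=%d\n",
           flow_hash(&KEY_A), flow_bucket(&KEY_A),
           flow_hash(&KEY_B), flow_bucket(&KEY_B), demo_table());
    return 0;
}
```

With these weights the two directions of the same conversation hash to 3613 and 2833 and land in different buckets, which is the property the per-position primes buy; a plain byte sum would put both in the same chain and make every bidirectional pair a guaranteed collision.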
Changes in downloading rules:
+ A hashed search is used when translating rulesets. This should speed up the translation process by a factor of 10x to 20x (NeMaC).
+ Rules are now downloaded 10 at a time. This dramatically reduces the time taken to download rulesets (NeMaC).
+ A meter bug which prevented downloading of rulesets with more than 32767 rules has been fixed (NeTraMet).

Changes to NeTraMet:
+ When grabbing the value of an attribute from a packet header, NeTraMet didn't check that enough bytes were read. This could have caused problems with TCP packets with lots of IP options. NeTraMet now checks the data is there before grabbing values from it. If it's not, zero is used instead.

Changes to NeMaC:
+ When NeMaC is shut down gracefully (by a SIGTERM or SIGINT signal) it now shuts down the tasks it is running on all its meters. It used to leave them running, which matched what happened with v3 meters and managers.
+ #EndData record added at end of every sample in flow data files. This allows real-time processing of flow data - without this one had to wait until the next sample started.
+ The Unix SIGUSR1 signal is used to indicate that NeMaC should start a new flow data file. This provides an alternative to using a 'flag' file to do this.
+ The Unix SIGUSR2 signal is used to switch testing on and off.
+ New command line option: -Y logname tells NeMaC to send log messages to syslog. Specifying -L logname writes the log to the file 'logname'. Specifying -Y logname writes log messages to syslog, with 'logname' as the identifying program name within syslog. You may specify both -Y and -L; this writes the messages to both places. If no logging is specified, the log will be written to a NeMaC.log.nnn file, as usual. If you wish to use the -Y option, you must modify the Makefile (probably autoconf/manager/Makefile.in) to define the variable LOG_LOCAL.
+ Changed behaviour when a meter fails to respond to NeMaC's attempt to start it.
  NeMaC used to ignore such meters; now it polls them and will download rules when they restart.
+ Fewer messages for 'normal' running. Set the 'verbose' option (-v) if you still wish to see messages like 'xxx rules downloaded'.
+ Fixed 'file handle leak' bug, which used to cause NeMaC to crash after many attempts to contact a non-responding meter.

v4.1 24 Nov 97

Production release 4.1
* Documentation files are now in PDF format on the NeTraMet home page, i.e. http://www.auckland.ac.nz/net/Accounting
* The PC executable files have been separated out from the 'distribution' file. They're in the file ntm41-pc.zip.

v4.1b15 22 Sep 97

* Use WORDS_BIGENDIAN and SIZEOF_LONG defines to implement native Alpha code for get and put of 64bit counters. Use autoconfig to build this if you want to try it (see below).

v4.1b14 9 Sep 97

* Fix 'endian' bug in nmc_c64.c (which produced impossibly big counts in flow data files when running NeMaC on linux). These changes were implemented using the WORDS_BIGENDIAN define in autoconfigure. The recommended method of building NeTraMet is to use autoconfig; see the INSTALL file in the autoconf/ directory.
* Fix ASN1 OID encoding bug. Symptoms were that the NeTraMet meter would run normally for about 30 days, then start sending back flow data packages for flows which hadn't been active.
* Change PC meter to initialise uptime counter before starting packet drivers.

v4.1b13 17 Jul 97

* Owner names for NeMaC, nm_rc and nifty
  A new parameter, the 'owner name', has been added for these programs. It is an alphameric identifier, up to 16 chars long. The owner name is used to identify rulesets, manager tasks and meter readers in the meter control tables; this is necessary when the meter is running more than one rule set. The owner name follows the write community name on the command line or config file line.
* #Ruleset records in flow data files:
  RuleSet numbers in flow data file records no longer refer directly to the SET number as they did in v3.
  Instead they refer to a ruleset's row in the meter RuleInfo Table. The flow data file includes a new # record to indicate the SET number for RuleInfo rows. Their format is as follows:
      #Ruleset: x setname rfname owner
  x        is the RuleSet number, as it appears in the flow data records
  setname  is the name from the SET statement (for v3 AND V4.1 this is an integer)
  rfname   is the name of the rule file
  owner    is the owner name for this ruleset

v4.1b10 30 Jun 97

* New manager option: -E nn
  Specifies the timeout (in seconds) for reader rows. If collections stop (e.g. because a manager has failed), the meter will delete the row after this time. The default is 0, i.e. the row will never time out.
* Change to manager option: -h pp
  Specifies HighWaterMark for a manager task. In v3 the meter default was 65 (percent). In v4.1 the default is 0 (no test for high water).
* MatchingStoD attribute:
  The attribute 'matchingStoD' is set by the Packet Matching Engine. Its value is 1 if the packet is being matched with its address attributes in 'StoD' order (i.e. as they appear 'on the wire'), and 0 if the packet is being matched with its addresses swapped. See RFC 2063 for a detailed description of packet matching.
* NeMaC keywords:
  'nomatch' is now a synonym for 'retry.' This name was discussed at the Montreal RTFM WG session, and is used in the ruleset examples given in RFC 2123, "Experiences with NeTraMet."

v4.1b4 22 May 97

SNMPv2, 32-bit PC meter
* NeTraMet and its manager/readers (NeMaC, nm_rc, nm_st and nifty) all use SNMPv2 instead of SNMPv1. They now implement the Meter MIB of RFC2064 (and the newer RTFM Internet Draft which updates it). The most significant effects of this are: v4 meters can run multiple rulesets simultaneously, and 64-bit counters are used for packet and byte counters.
* v4 managers will work properly with v3 meters. v3 managers, however, will NOT work with v4 meters. To change to using v4 you should change your managers first, then your meters.
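The v4.2b2 'Changes to NeTraMet' entry above records that attribute values were taken from packet headers without checking that enough bytes had been captured, which mattered for TCP packets carrying many IP options, and that the meter now checks first and uses zero when the data isn't there. The following is an added example of that kind of check, written for this page and not taken from the meter; the packets are constructed in the code and the 48-byte capture length is an assumed snaplen.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read a big-endian 16-bit field at 'off' only if both bytes lie inside
 * the 'avail' bytes actually held. Sets *out to 0 and returns 0 otherwise,
 * so a missing field is recorded as zero rather than read past the buffer. */
static int get_u16(const unsigned char *pkt, size_t avail, size_t off, uint16_t *out)
{
    if (off > avail || avail - off < 2) { *out = 0; return 0; }
    *out = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
    return 1;
}

/* Fetch the TCP destination port of an IPv4 packet. caplen is the number
 * of bytes the capture delivered (the snaplen may have cut the packet).
 * Returns 1 with *port set, or 0 with *port = 0 when the packet is not
 * IPv4/TCP, is malformed, or is too short for the field to be present. */
int ipv4_tcp_dest_port(const unsigned char *pkt, size_t caplen, uint16_t *port)
{
    *port = 0;
    if (caplen < 20) return 0;                    /* no complete minimal IPv4 header */
    if ((pkt[0] >> 4) != 4) return 0;             /* version must be 4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;     /* header length, options included */
    if (ihl < 20) return 0;                       /* IHL below the legal minimum */
    size_t total_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (total_len < ihl) return 0;                /* header claims more than the packet */
    if (pkt[9] != 6) return 0;                    /* protocol 6 = TCP */
    /* Never trust more bytes than were captured or than the packet says it has. */
    size_t avail = caplen < total_len ? caplen : total_len;
    return get_u16(pkt, avail, ihl + 2, port);    /* dest port: TCP header offset 2 */
}

/* Build a constructed IPv4/TCP packet into buf: an IP header of
 * ihl_words*4 bytes (options padded with NOP, 0x01) and a 20-byte TCP
 * header. Returns the packet length, or 0 if the request is invalid. */
size_t build_sample(unsigned char *buf, size_t bufsz, unsigned ihl_words, uint16_t dport)
{
    if (ihl_words < 5 || ihl_words > 15) return 0;
    size_t ihl = ihl_words * 4, total = ihl + 20;
    if (bufsz < total) return 0;
    memset(buf, 0, total);
    buf[0] = (unsigned char)(0x40 | ihl_words);   /* version 4, IHL */
    buf[2] = (unsigned char)(total >> 8);
    buf[3] = (unsigned char)total;                /* total length */
    buf[9] = 6;                                   /* TCP */
    buf[12] = 10; buf[15] = 1;                    /* source 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;                    /* destination 10.0.0.2 */
    memset(buf + 20, 0x01, ihl - 20);             /* option bytes: NOP */
    buf[ihl] = 0x04; buf[ihl + 1] = 0x00;         /* source port 1024 */
    buf[ihl + 2] = (unsigned char)(dport >> 8);
    buf[ihl + 3] = (unsigned char)dport;          /* destination port */
    buf[ihl + 12] = 0x50;                         /* TCP data offset 5 words */
    return total;
}

/* The scenario from the changelog: 40 bytes of IP options push the TCP
 * header past an assumed 48-byte snaplen, so the port is not in the capture.
 * Returns the value the meter would record (0). */
uint16_t demo_truncated_options(void)
{
    unsigned char pkt[80];
    size_t n = build_sample(pkt, sizeof pkt, 15, 80);
    size_t snaplen = 48;                          /* assumed capture length */
    uint16_t port;
    ipv4_tcp_dest_port(pkt, n < snaplen ? n : snaplen, &port);
    return port;
}

/* Same packet captured whole: the port (80) is present and returned. */
uint16_t demo_full_capture(void)
{
    unsigned char pkt[80];
    size_t n = build_sample(pkt, sizeof pkt, 15, 80);
    uint16_t port;
    ipv4_tcp_dest_port(pkt, n, &port);
    return port;
}

int main(void)
{
    printf("truncated capture -> port %u\n", demo_truncated_options());
    printf("full capture      -> port %u\n", demo_full_capture());
    return 0;
}
```

The length passed to the field reader is the smaller of the captured length and the IP total length, so a header that advertises more than was captured, or a capture that holds trailing bytes the packet does not own, both resolve to the zero value described above rather than to a read outside the data.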
* There are two changes to the format of flow data file records:
  - Dates now use four digits for the year (1997 instead of 97)
  - The integer values used for PeerTypes have changed. You should not be affected by this unless you have analysis applications which use PeerTypes to distinguish flows.
* The 32-bit version of the PC meter uses all available memory. 16 MB of memory should allow it to handle a table of 100,000 flows or more. The readme.txt file in the ntm41-b4.zip file gives detailed setup instructions.

New options in Meters (PC and Unix):
    -m pp   specifies the IP port number to use for SNMP. Default is 161
    -l      specifies that meter should use the length field from IP headers for the number of bytes in IP packets. Default is to use the MAC (hardware) packet size.

v3.5 6 Sep 96

Multiple ethernets for the PC meter:
* The PC meter (netramet.exe) can now handle up to four interfaces. New command line options allow you to specify the interfaces, as follows ..
    -i nn   specifies that the packet driver using software interface nn (decimal) is to be metered. e.g. -i96 would meter interrupt 0x60
    -h nn   as above, except that if you have a packet driver which implements the 'high-performance' driver specification, NeTraMet will take advantage of it.
    -I nn   as above, except that no metering will be performed on this interface; instead it will be used only for IP packets to or from the meter.
  If no interface is specified as 'IP only,' the first interface appearing as a -i or -h option will be used as the meter's IP interface.

v3.4 8 Aug 96

nifty: an X/Motif 'flow analyser' program
* Presented to RTFM WG at the Montreal IETF as 'NetFlow,' renamed to avoid confusion with Cisco's 'Net Flow Switching.'

Changes to NeTraMet:
* NeTraMet can monitor up to four interfaces instead of only one. Specify this with a -i option for each one, e.g.
      NeTraMet -inf0 -ile0 -wPASSWORD
* Meter performance statistics have been implemented for the Unix meter.
  In particular, aps and mps give average and maximum packets per second, while api and mpi give average and minimum processor idle time percentage for one-second intervals.
* NeTraMet has been restructured so as to simplify the code for packet matching.

Make files for aix added.
* libpcap (current version) isn't implemented for aix, so you can't (yet) build an aix meter. NeMaC, nifty, etc work properly.

Known problems:
* If you start NeMaC with write access to a meter, and NeMaC is already running on the same host with write access to the same meter, the meter gets confused. In this situation neither copy of NeMaC manages to read sensible flow data from the meter.
  Detour: before you start NeMaC, make sure it isn't already running.
  Cure: this will be addressed in version 4.1. 4.1 will implement the updated meter MIB as set out in the current Internet Draft.

Bug fixes:
* The time for the next collection may already have passed, e.g. because of network transit delays in collecting flow data from many meters. NeMaC will not attempt to make such 'missed' collections.
* NeMaC now displays (and logs) the meter name correctly when it fails to establish contact when starting a meter, and when it loses or regains contact with a running meter.
* NeMaC could create invalid flow data files if it failed to start a meter properly, or if an active flow data file was deleted. This has been corrected.

V3.3 8 Nov 95

nm_rc: a remote console for NeTraMet
* nm_rc (in the /manager/ directory) combines NeMaC and fd_filter to provide a simple display of 'live' flow data from a single meter sorted into traffic order, busiest flows first. (Briefly described in doc/NeTraMet/rc-man.txt; a 'proper' manual will be ready real soon now.)

New example rule files (in examples/ directory)
* rules.two-adj-routers: Meters traffic through and between two routers, specified by their adjacent (Ethernet) addresses.
* rules.two-ip-groups: Meters traffic through and between two groups of IP networks, specified in a subroutine by their peer (IP) network numbers.
* rules.rc.pr+bc: Classifies traffic by protocol, and looks at Ethernet broadcast packets in detail.
* rules.rc.ports: Classifies IP, IPX and EtherTalk traffic by port.
* rules.rc.ip: Classifies IP traffic by IP address and port.
* rules.rc.ipx: Classifies IPX traffic by IPX address and port.

New options for NeMaC:
* -x   Don't write anything to the meter. Use this if you use a second copy of NeMaC (or nm_rc) to collect from a single meter. Allowing two collectors to write allows the meter to recover flows after they've been collected by only one of the two.
* -P   For each collection flow data files will be opened, flow data appended to them, then they will be closed. If you move or rename a closed data file a new one (with the old name) will be created by the next collection. This is an alternative to using the old 'flag file' method.
* -p   Open-append-close to NeMaC's log file as well as to flow data files. Superset of -P.
* -F name   Specifies name of flow data file.
* -L name   Specifies name of NeMaC log file.
* -c 0   Tells NeMaC to download rule file(s) to the meter, then exit without collecting any flow data.
* default values in NeMaC configuration file. Since NeMaC command-line parameters can be displayed by any user via the Unix ps command, you should specify write community names in a configuration file. Each record in a configuration file specifies meter parameters which override the default values or the ones specified on the NeMaC command line. NeMaC now uses the meter name 'default' to indicate that this record contains default values for following records. For example ..
      ./NeMaC -f nm-config
  tells NeMaC to read the file 'config,' which contains the following records ..
      -c900 -p -rrules.mynet default
      meter1 write-1
      meter2 write-2
      -c300 meter3 write-3
  This starts three meters; all run rules.mynet, and append to their flow data files. meter3 is collected every 5 minutes, meter1 and meter2 are collected every 15 minutes.

Changes to NeTraMet options:
* PC & Unix meter: Option settings .. Options no longer need spaces to separate them from their arguments, e.g. -ile0
* PC & Unix meter: Read Communities .. Only one read community can be specified.

Bug fixes:
* PC meter: -r option (to specify read community) crashed meter.
* Solaris meter: FDDI interface didn't work. pcap-dlpi.c didn't bind the dlpi stream correctly. Fixed by new version of pcap-dlpi.c from lbl (included in src/meter).
* Unix meter: pcap socket open didn't specify a timeout; 250ms now specified. This prevents Solaris from busy-waiting, allowing NeTraMet to be run as a background process.
* Linux meter: alters the timeout value of a select() statement (this is a BSD feature). Timeout value now reset to 250ms after each select(); this prevents linux from busy-waiting, allowing NeTraMet to be run as a background process.

8 Sep 95

Bug fixes as follows:
* snmplib/asn1.c changed to get integers correctly out of SNMP packets. Now works correctly for OSF/1.
* PC meter: small memory model memcpy used to copy strings from far memory. Now uses qmove. This caused snmp network managers to get garbage when GETting addresses from the flow table.
* Bug in meter/met_vars overwrote part of the SNMP object tables when responding to a request for a non-existent MIB object. This showed up as 'meter loses rule table' when a network manager such as OpenView probed a meter's MIB.
* Ultrix Makefiles corrected. These can now be used to build meter and manager for DEC OSF/1.

4 Jul 95

New options for NeMaC:
* -a sss   Collections will be made with a time lag of sss seconds. For example, 10-minute collections with 30-second time lag will occur at 1000'30, 1010'30, etc.
* -w nnn   Specifies doWnload level.
  nnn=0 (the default) downloads rules on collector startup and after a
  meter restart.  nnn=1 downloads only after a meter restart, and nnn=2
  never downloads.

Bug Fixes:
* PC NeTraMet returned bad string for interface name.  NeTraMet fixed
  to return 'eth0,' NeMaC modified to check the string, and use 'eth0'
  instead of a bad string (from an old meter).

V3.2  8 Jun 95

NeTraMet meter reworked to use libpcap to get packet headers:
* libpcap:
  - libpcap is a generalised packet interface written by Steve McCanne,
    Craig Leres and Van Jacobson as part of tcpdump.
  - libpcap is available from ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z
  - to make NeTraMet you must first install it on your Unix system so
    as to produce libpcap.a  The make files in the NeTraMet
    distribution assume you have copied libpcap into the same
    subdirectory as the Makefile.
  - binary distribution files are provided for linux (version 1.2.1)
    and Irix (5.2), as well as Solaris (2.4) and SunOS (4.1.4).
  - libpcap supports FDDI interfaces as well as ethernet.  This is
    still being tested (8 Jun 95).
* -i option has been implemented in NeTraMet.  This tells NeTraMet
  which interface to monitor.  For example, -i le0 will monitor the le0
  interface.  The interface name is displayed on the NeTraMet console,
  and appears in the ## header line of the flow data file.  If you
  don't specify an interface libpcap will use its default one.  The PC
  version of NeTraMet doesn't allow you to specify the interface name.
* 'other' packet handling has been extended.  'Other' packets set the
  SourcePeerAddress to the packet's ether_type and the DestPeerAddress
  to the packet's LSAP.  This allows you to use NeTraMet to find out
  what packet types are active on your network.
* All the source code (including the CMU SNMP library) has been tidied
  up so as to remove most of the compiler warning messages.  This
  should make it easier to port to new systems.

Bug fixes:
* PC pointer problems caused PC NeTraMet to crash at random times (from
  seconds to days).
  Finding more places which should use 'huge' pointers instead of 'far'
  pointers seems to have cleared (or at least reduced) this problem.
* PC string compare routine error.  Waterloo TCP's qcmp routine
  compares two far pointers (same as Unix memcmp).  Implementation bug
  meant that strings which were the same length and differed only in
  the last byte were reported as being the same.  The effect of this
  was masked because NeTraMet uses a hash search of the flow table.
* NeTraMet crashed when it received an SNMP get request for MIB-1
  objects which it didn't know about.  NeTraMet implements nearly all
  of the Accounting Meter MIB objects, but only a few MIB-1 objects.
  The SNMP routines in met_vars.c have been improved so as to give a
  'no such OID' response (and keep running).
* NeMaC didn't handle end-of-file properly for its configuration file.
  This has been corrected.

V3.1  16 Feb 95

New version using IANA-allocated MIB OID (mib-2 40):
* Rewritten and simplified MIB means that earlier meters won't run with
  3.1 NeMaC, and 3.1 meters won't run with earlier NeMaCs, i.e. both
  meter and manager must move to 3.1 together.
* Extended and simplified rule matching.  Jumps can be to the test or
  action part of the target rule.  Attribute values can be pushed from
  the packet (as well as from a rule), hence aggregate and tally flows
  are no longer needed.  The action table was only needed to support
  aggregate and tally flows: it is no longer needed.
* Six new user-settable attributes are implemented.  SourceClass,
  DestClass, FlowClass and SourceKind, DestKind, FlowKind allow a meter
  to pass information gleaned during packet matching back to the flow
  data file.
* NeMaC allows you to INCLUDE rule files into other rule files.
* Emergency rule sets are implemented.  The meter will switch to its
  emergency rule set if the % of active flows gets greater than
  HighWaterMark.
* Collection times are synchronised by default, i.e. they happen at
  multiples of the collection interval.
  For example 15-min collections are made at 0, 15, 30 and 45 minutes
  past the hour.

Bug fixes:
* Rule tables with more than 1350 rules now work properly on the PC
  meter.  This was a situation where 'huge' pointers were required to
  reliably access all of the rule table.
* IP fragment packets other than the first fragment of a PDU produced
  garbage transport addresses (IP port numbers).  They now produce 0.
  The Accounting Model defines attributes for each protocol, and
  doesn't allow one to distinguish a 'first fragment' from an
  unfragmented IP packet.
* A mistake in the code for optimised testing of a group of rules
  could sometimes cause packet matches to succeed when they should not.
  This has been corrected.

Notes:
* Rule files will need to be converted from the old (version 2.x) form
  to the new one.  The changes are straightforward, and are documented
  in the file Converting.rules.ps

V2.3  25 Nov 94

Fourth full release, new features as follows:
* NeMaC now uses the names of flow attributes as they appear in the
  meter MIB, i.e. TRANS is used instead of DETAIL.  NeMaC does this by
  allowing DETAIL to be a synonym for TRANS.  Old rule files will still
  work properly, but new rule files should use TRANS.
* Gopher (port 70) and WWW (port 80, i.e. html) have been added to
  NeMaC's list of IP port numbers.
* If NeMaC notices that a meter has been restarted, i.e. its sysUptime
  has jumped backwards, NeMaC will automatically download its specified
  rule file.  The check is made before each flow data collection
  (intervals set by the -c option), and at every 'keepalive' interval
  (set by the -k option).  This feature can be used to minimise the
  amount of flow data lost by a meter after a power-fail restart.
* NeMaC now allows different collection and keepalive intervals for
  each meter.  This is implemented by allowing the -c and -k options to
  appear in NeMaC's configuration file, and using an event queue
  (instead of a simple idle loop) to order meter activities.
* A mechanism for closing and reopening flow data files has been
  implemented.  NeMaC tests for a file called NeMaC.flag.  If it finds
  the flag file it will close and reopen all its current flow data
  files.  A new section has been added to the manual explaining how to
  use this feature.

Bug fixes:
* Various bugs in NeMaC's parsing of rule files have been corrected.
* Bugs in fd_filter and fd_extract have been corrected; they will now
  work as documented!

Notes:
* NeTraMet memory management has been improved.  'Active flows' is now
  used instead of 'flows in use' for controlling garbage collection.
  The garbage collector is called if a new flow is needed and there are
  no free flows.

V2.2  19 Jul 94

Third full release, new features as follows:
* fd_filter and fd_extract included in manager directories as utility
  programs for flow data files.  Documented in fd_util.ps file.
* Port of both NeTraMet and NeMaC for Solaris, using streams/dlpi
  instead of nit to watch ethernet interface.
* Binaries for Solaris and SunOS available via anonymous ftp.
* Make files for HPUX and linux added.  NeMaC has been ported to HPUX
  and linux.
* SamplingRate MIB variable implemented; allows only 1 of every n
  packets to be processed.
* All four Novell IPX encapsulations now recognised.

Bug fixes:
* PC NeTraMet now counts packets sent as well as packets received.

Notes:
* NeMaC now gives sensible error messages if it can't write meter
  variables.  If NeMaC only has read access (i.e. it was given the read
  snmp community name instead of the write one) it can still collect
  data, but such collections will not be recorded by the meter, and
  therefore will not be noticed by the meter's garbage collector.
* Solaris 2.3 dlpi bug corrupts some packet headers.  Only affects CLNS
  handling by Solaris version of NeTraMet.  This is fixed in Solaris
  2.4 - see the ether_pc.c file for details.
V2.1  14 Jan 94

Second full release, new features as follows:
* Subroutines in rule tables implemented, making it much easier to
  write rules to handle large numbers of networks.
* Labels implemented for rules and actions, i.e. no need to keep track
  of rule and action numbers by hand.
* CLNS protocol now understood by NeTraMet
* Packets for protocols not understood by NeTraMet can be counted as
  PeerType 'Other'.
* Ethernet II and SNAP encapsulations for IPX now recognised (as well
  as 'Raw 802.2').
* Full (10-byte) IPX addresses can be used instead of just (4-byte) net
  numbers.
* Make files for Ultrix added.  NeMaC has been ported to Ultrix.

Bug fixes:
* MIB environment variable changed to MIBTXT to match the documentation
  (was MIBFILE).

Notes:
* Make files changed to allow compilation with Gnu C compiler, either
  by specifying gcc in the make file, or by 'setenv CC gcc'.
* Documentation points out that the NeTraMet write community must have
  a different name to the read communities, and that NeMaC must specify
  the NeTraMet write community name.

28 Oct 93

New: NeMaC only displays 'Rule/Action added' message every tenth
rule/action.

22 Oct 93

Bug: NeMaC couldn't handle rule table with >255 rules.

V2.0  20 Oct 93

First full release of NeTraMet and NeMaC, with NeTraMet Manual and full
source code.

V1.0  Nov 92

Prototype meter using height-balanced trees instead of rule table.
Presented at Washington IETF.

v4.4b6  22 Feb 00

Change to using autoconf Configuration Header File.  The ntm_conf.h
file (in the base directory) is now included by all the source
programs.  It contains all the options detected by autoconfigure,
together with some defines giving NeTraMet's version number.  One
advantage of this is that there is a lot less text displayed while
Making NeTraMet.

When NeMaC is shut down gracefully (by a SIGTERM or SIGINT) it will now
collect the flow data gathered since the last collection for all the
meters it is controlling.
[This change was suggested by Robert Strycharczuk, 10 Feb 00]

NeTraMet (on Unix and Cygwin32) has been extended so as to handle PPP
interfaces.  PPP flows are assumed to be IPv4 (the most likely
possibility), they have AdjacentType AT_PPP (i.e. 23) and
AdjacentAddresses 0.
[This change was suggested by Gerald Richter, 10 Dec 99]

When displaying domain names instead of IP addresses, nifty may have to
wait a long time for the DNS response.  It now displays a 'cross-hair'
cursor while waiting on DNS.

nifty.srl has been modified to plot diamonds instead of pluses for
multicast flows.

Port NeTraMet to MS Windows, using the Cygwin32 environment and
WinDump's BPF drivers
- ported libpcap to cygnus+windump
- changes to meter_ux for CYGWIN32 (can't assume that pcap files work
  with select)
- changes to snmpapi.c and snmpclnt.c (Cygwin32 doesn't have
  `timerset' defines)

v4.4b5  12 Jan 00

Allow fd_filter to have character constants in tag specifications,
e.g. DestKind = 'F';

Fix bugs relating to ASNs looked up using OCX_BGP (i.e. in a bgp.txt
file).  These were
- Lookup wasn't being done if DestASN was saved but not SourceASN
- S/D ASN attributes weren't being set to zero if the IP Address lookup
  failed (i.e. when we couldn't find its ASN).

Correct Makefile.in files to set GF variable (it was $GF by mistake).

v4.4b4  16 Nov 99

Update mib.txt to use RFC2720 version.

Add support for NetBSD on Alpha:
* Use XtPointer in nifty source, cast to IntFromPtr when values are
  used
* Set __unix__ = !defined(DOS) in btypes/types.h
* Use POINTER_DATATYPE instead of Bit32 for subnet pointer arithmetic
  in integrat/subnetd.h
* Cast bytes to counter64 in getcounter64() in manager/nmc_snmp.c
* Recognise NetBSD in configure.in
* Change source to use !defined(DOS) instead of defined(__unix__)

v4.3  30 Sep 99

Added a GFLAG variable to the configure.in script and the Makefiles.
By default this is null.  Set it to -g to build executables which have
symbolic information for debugging.
Replaced mib/mib.txt with a new version, using the 'Proposed Standard'
RTFM Meter MIB.

Added config support for Alpha (Tru64 Unix) systems.  This corrects
several bugs introduced since 4.2; they only showed up on a 64-bit
machine.
* The Tru64 C compiler is much more 'picky' than gcc!  Cleaned up the
  source so as to get rid of warning messages
* Change snmp library so as to use Int32 for ASN.1 INTEGERs and Bit32
  for TIMESTAMPs.  The original CMU code used 'unsigned long' for both.
  Made corresponding changes to the meter and manager programs.

NeTraMet and NeMaC as daemons: -D option
* NeMaC
      ./NeMaC -D
  runs NeMaC in its own Unix session
* NeTraMet
      ./NeTraMet -D   and   ./NetFlowMet -D
  run the Unix and NetFlow meters in their own Unix session.  Before
  doing so the meter disables the screen and keyboard, so -k -s are
  implied by -D.
  CAUTION: -d turns on diagnostic dumps of the SNMP packets.  Don't
  set this by mistake for -D!

Implemented command-line defines for srl.  For example
      ./srl -DW=16 "-Dext = DestPeerAddress/24" xxx.srl
defines w to be 16, and EXT to be DestPeerAddress/24.  Note the quotes
around the second define; they are required if the define text
contains blanks.

Modified NeMaC ruleset parser to skip dots and digits at the end of
addresses.  This allows it to download rulesets produced by an srl
compiler compiled with the V6 option set even if NeMaC was compiled
with the V6 option not set.

v4.3b10  26 May 99

Support for IPv6
* Controlled by V6 option in the source files.  To enable this:
  a) If you run autoconf to build the Makefiles change
         AC_DEFINE(V6, 0)   to   AC_DEFINE(V6, 1)
     before running autoconf
  b) Otherwise, in the configure script change
         #define V6 0   to   #define V6 1
     before running ./configure
* The SRL compiler allows V6 addresses, as specified in RFC 2373.
  Although v6 addresses have a fairly simple form, it's easy to get
  them wrong.  The compiler tries very hard to produce helpful error
  messages for them.
* The NeTraMet meter handles v6 packets, returning them to the manager
  with SourcePeerType = IPv6 (IP and IPv4 are synonyms for IP version
  4)
* The managers (NeMaC, nm_rc and nifty) display IPv6 addresses as per
  RFC 2373.
* fd_util and fd_extract handle IPv6 addresses properly.

Other changes
* SRL compiler will allow redefinition of 'built-ins,' i.e. well-known
  ports, address families and transport types.  A warning is given
  telling the user what was declared.
* Lots of bugs fixed in SRL compiler handling of syntax errors.  These
  either crashed the compiler or sent it into infinite loops while
  reading the source program.

v4.3b9  16 Feb 99

* The distribution file now has TCP_ATR set by default, so that the
  TCP-based attributes are available for use.  So as to minimise the
  meter default memory requirements, several new memory-allocation
  command-line options have been implemented.  The complete set of
  these is now:
      -f fff   Max of fff flows
      -u rrr   Max of rrr rules
      -b bbb   Max of bbb TCP flows          <<< NEW
      -t ttt   Max of ttt TCP streams        <<< NEW
      -v ddd   Max of ddd distributions      <<< NEW
      -e eee   Max of eee distrib events     <<< NEW
* Implement ASN lookup in NeTraMet meter.  This uses Joel Apisdorf's
  bgp code from OCxMON.  The src/meter Makefile contains variable
  USE_OCX_BGP, which is commented out by default.  Uncomment it, and
  make will include ASN lookup in the meter.  To use it:
  a) Set the environment variable DEFAULT_AS (I set it to my own AS
     number)
  b) The meter starts up by reading a file, bgp.txt.  You can create
     this file for your own network using SHOW IP BGP on a Cisco
     router.  NOTE: a full bgp routing table will take 5 to 10 MB of
     memory space on the meter.
  c) By default the meter looks up 'next-hop' ASNs, i.e. the ASN the
     router would send packets to.  The command-line option -o will
     look up 'owner' ASNs instead.

v4.3b8  4 Feb 99

* Implement distribution-valued attributes in fd_filter
* Fix memory management problems for TCP subflows in meter.
* Implement TCP-related distribution attributes in meter, NeMaC,
  fd_filter and srl.

v4.3b7  8 Jan 99

* Implement TCPdata attribute in fd_filter
* Fix NEW_ATR vs TCP_ATR bugs in meter_ux.c and nf_fwd.c

v4.3b6  23 Dec 98

* Fix bugs concerned with intermixing of NEW_ATR and TCP_ATR

v4.3b5  26 Nov 98

* Fix bug in SRL compiler, which wasn't distinguishing between
      save sourcetransaddress;   and   save sourcetransaddress = 0;

v4.3b4  25 Nov 98

* Fix endian problems in NetFlowMet, reported by Kevin Hoadley.

v4.3b3  16 Nov 98

* Set up new CVS repository to make it easier for co-developers to
  submit code changes / suggestions.

v4.3b2  12 Nov 98

* Autoconfigure changed to test for Motif, since nifty requires Motif
  as well as X.
* Support for FreeBSD: changed source files so as not to include
  malloc.h on systems which don't have it!
* Documentation error for NeMaC.  Command line option -P specifies
  open-append-close behaviour for the >>log<< files only.  It was
  previously documented (see below) as doing this for flow data files
  only.

v4.3b1  23 Oct 98

Changes contributed by Nicolai Guba (BT Labs) ..
* Command-line help is displayed if no options are specified for
      NeMaC, nm_rc
      NeTraMet (Unix meters, not PC meters)
      NetFlowMet
* -b mmm command-line option
  Tells NeMaC and nm_rc to read the mib from file mmm.
* The NeTraMet distribution file, and the way you install NeTraMet on
  a host, has been changed to make it more like the GNU programs.  The
  executable files are no longer in separate directories.  Instead (by
  default) they are built in the src/ directories.  To install
  NeTraMet into directory xyz you can simply
      ./configure
      make install

OCxMON meter improvements ..
The NeTraMet meter now allocates as much of its memory as possible
when it starts up, so as to minimise allocation overhead.  Space for
rulesets is allocated at startup, with a default maximum of 2000 rules
total for all rulesets.
* New meter command-line option:
      -u nnnn   allocates space for a maximum of nnnn rules

v4.2.2  16 Nov 98

* Correct bug in nmc.h (inconsistency introduced when de-implementing
  'detail' as synonym for 'trans' in attribute names).  This caused
  NeMaC and friends to crash

v4.2.1  2 Oct 98

Patch release ..
* NeMaC crashed with Owner names longer than six characters.  This was
  because SET_STRING only ever allocated RULE_ADDR_LEN chars!
* SRL programs which start with an imperative statement now start with
  a GotoAct, Next rule.  Without this they don't work!
* fd_extract and fd_util now handle 64-bit counter attributes (e.g.
  topdus) properly.  'Editorial' improvements have been made to the
  fd_util manual.
* A memory leak has been fixed in the SNMP snmpapi.c.  Error logging
  has been added for snmp error/info/debug messages; these now go
  through log_msg(), as used for other NeMaC errors.

v4.2  5 Aug 98

* The distribution file has been changed so that it no longer has
  subdirectories for the various operating systems.  The best way to
  install NeTraMet is to use autoconfig; see the INSTALL file in the
  autoconf/ directory.
* The 'os-specific' directories are no longer included in the
  distribution file.  Users must build the version they need using
  configure in the autoconfig directory.

SRL Compiler
* The program srl is an optimising compiler for SRL, the Simple Ruleset
  Language.  SRL is documented in an Internet Draft, available from the
  NeTraMet and RTFM home page.
      srl [options] source
  compiles the file 'source', producing a rules file ready to be used
  by NeMaC.  Source files will normally end with .srl and rules files
  with .rules.  For example
      srl test-prog.srl
  produces test-prog.rules.

  Compiler options:
      -l     List source program
      -s     Syntax check only
      -ann   'Assembler output' level
             nn=0, rules in numeric form only.  Requires NeMaC v4.2.
             nn=1, attributes and actions given as words.  This is the
                   default.
             nn=2, as for nn=1, but don't delete intermediate files.
      -Onn   Optimisation level.
             nn=0, no optimisation at all.
             nn=1, peephole optimising to delete redundant rules from
                   intermediate files.  This is the default.
             nn=2, optimise tests by mask length within expressions
                   (shortest masks first, after allowing for
                   overlapping addresses/masks).
             nn=3, as for nn=2, but optimise expressions between if
                   clauses and between statements.
* srl extends the language (as described in the Internet Draft) by
  adding a number of extra statements:
      include fffff ;
          Will read all the text from file fffff.  includes may be
          nested (i.e. an include file may include other files).  srl
          looks for the file in the same directory as the source file.
      optimise nn ;
      optimise * ;
      optimise ;
          Allows you to change the optimisation level as required for
          different parts of your program.  optimise ; resets the level
          to the value specified on the command line.  optimise * ; is
          used to indicate breaks between optimised expression groups.
      set nn ;
      format aaa .. aaa ;
      statistics ;
          These three statements are passed on (via the output file)
          to NeMaC.  String constants in a format (specifying
          separators in flow data files) may include C-style constants
          (introduced with a \).
* A collection of SRL programs is provided in the examples/srl
  directory.

v4.2b5  11 Jun 98

* Fix bug in getting reader_name.  This prevented NeMaC et al from
  reading any flows from the meter!
* Use riFlowRecords instead of msNbrFlows for ms->NbrFlows.  This means
  that nifty will display only the total flows for its current
  ruleset; it used to display the total number of flows for all
  rulesets.

v4.2b4  3 Jun 98

* Use LastTime instead of sysUptime to get meter time in NeMaC, nm_rc
  and nifty.
* Fix bugs in SNMP library which caused early timeout of some SNMP
  packets.

v4.2b3  22 May 98

* Implement better hashing algorithm for flow table and rulesets.
  Multiplies bytes of peer and trans addresses by small primes, and
  uses larger primes as the size of the various hash tables.
* Fix sundry bugs revealed in beta testing.
v4.2b2  11 May 98

NetFlowMet (NeTraMet + NetFlow = NetFlowMet):
* A new version of the meter has been added to the distribution.  This
  takes NetFlow data from a Cisco Router (I've tested it using a 7200)
  and uses this to build the flow table.  To start NetFlow on a router
  (in brief):
  - start NetFlow on each interface
        [no] ip route-cache flow
  - start exporting the NetFlow data
        [no] ip flow-export <address> <port>
    <address> is the address of your NetFlowMet meter, <port> is the
    port NetFlowMet will use to receive the data.
  You may specify the udp port number by using the -i pppp option on
  NetFlowMet's command line.  If no -i option appears, port 9996 is
  used.  You may specify up to four port numbers by giving a list of
  -i options, e.g.
        -i 12001 -i 12002 -i12003
  would listen for NetFlow data on UDP ports 12001, 12002 and 12003.

  NetFlowMet provides five new attributes which can be used in
  rulesets:
  + MeterId (8 bits, mask 255)
    Index in -i option list, e.g. port 12002 above would produce flows
    with MeterId = 2.
  + SourceASN, DestASN (16 bits, mask 255.255)
    Autonomous System Numbers for source and destination networks.
    These may be "Origin" or "Peer" ASNs; you must specify which when
    you start flow export from the router.
  + SourcePrefix, DestPrefix (8 bits, mask 255)
    Mask length for source and destination IP addresses (i.e.
    SourcePeerAddress and DestPeerAddress).

Changes in downloading rules:
+ A hashed search is used when translating rulesets.  This should speed
  up the translation process by a factor of 10x to 20x (NeMaC).
+ Rules are now downloaded 10 at a time.  This dramatically reduces the
  time taken to download rulesets (NeMaC).
+ A meter bug which prevented downloading of rulesets with more than
  32767 rules has been fixed (NeTraMet).

Changes to NeTraMet:
+ When grabbing the value of an attribute from a packet header,
  NeTraMet didn't check that enough bytes were read.  This could have
  caused problems with TCP packets with lots of IP options.
  NeTraMet now checks the data is there before grabbing values from it.
  If it's not, zero is used instead.

Changes to NeMaC:
+ When NeMaC is shut down gracefully (by a SIGTERM or SIGINT signal) it
  now shuts down the tasks it is running on all its meters.  It used to
  leave them running, which matched what happened with v3 meters and
  managers.
+ #EndData record added at end of every sample in flow data files.
  This allows real-time processing of flow data - without this one had
  to wait until the next sample started.
+ The Unix SIGUSR1 signal is used to indicate that NeMaC should start a
  new flow data file.  This provides an alternative to using a 'flag'
  file to do this.
+ The Unix SIGUSR2 signal is used to switch testing on and off.
+ New command line option:
      -Y logname   tells NeMaC to send log messages to syslog.
  Specifying -L logname writes the log to the file 'logname'.
  Specifying -Y logname writes log messages to syslog, with 'logname'
  as the identifying program name within syslog.  You may specify both
  -Y and -L; this writes the messages to both places.  If no logging
  is specified, the log will be written to a NeMaC.log.nnn file, as
  usual.  If you wish to use the -Y option, you must modify the
  Makefile (probably autoconf/manager/Makefile.in) to define the
  variable LOG_LOCAL.
+ Changed behaviour when a meter fails to respond to NeMaC's attempt to
  start it.  NeMaC used to ignore such meters; now it polls them and
  will download rules when they restart.
+ Fewer messages for 'normal' running.  Set the 'verbose' option (-v)
  if you still wish to see messages like 'xxx rules downloaded'
+ Fixed 'file handle leak' bug, which used to cause NeMaC to crash
  after many attempts to contact a non-responding meter.

v4.1  24 Nov 97

Production release 4.1
* Documentation files are now in PDF format on the NeTraMet home page,
  i.e. http://www.auckland.ac.nz/net/Accounting
* The PC executable files have been separated out from the
  'distribution' file.
  They're in the file ntm41-pc.zip.

v4.1b15  22 Sep 97

* Use WORDS_BIGENDIAN and SIZEOF_LONG defines to implement native Alpha
  code for get and put of 64bit counters.  Use autoconfig to build this
  if you want to try it (see below).

v4.1b14  9 Sep 97

* Fix 'endian' bug in nmc_c64.c (which produced impossibly big counts
  in flow data files when running NeMaC on linux).  These changes were
  implemented using the WORDS_BIGENDIAN define in autoconfigure.  The
  recommended method of building NeTraMet is to use autoconfig; see the
  INSTALL file in the autoconf/ directory.
* Fix ASN1 OID encoding bug.  Symptoms were that the NeTraMet meter
  would run normally for about 30 days, then start sending back flow
  data packages for flows which hadn't been active.
* Change PC meter to initialise uptime counter before starting packet
  drivers.

v4.1b13  17 Jul 97

* Owner names for NeMaC, nm_rc and nifty
  A new parameter, the 'owner name', has been added for these programs.
  It is an alphameric identifier, up to 16 chars long.  The owner name
  is used to identify rulesets, manager tasks and meter readers in the
  meter control tables; this is necessary when the meter is running
  more than one rule set.  The owner name follows the write community
  name on the command line or config file line.
* #Ruleset records in flow data files:
  RuleSet numbers in flow data file records no longer refer directly
  to the SET number as they did in v3.  Instead they refer to a
  ruleset's row in the meter RuleInfo Table.  The flow data file
  includes a new # record to indicate the SET number for RuleInfo
  rows.  Their format is as follows:
      #Ruleset: x setname rfname owner
  x        is the RuleSet number, as it appears in the flow data
           records
  setname  is the name from the SET statement (for v3 AND v4.1 this is
           an integer)
  rfname   is the name of the rule file
  owner    is the owner name for this ruleset

v4.1b10  30 Jun 97

* New manager option:
      -E nn   Specifies the timeout (in seconds) for reader rows.  If
              collections stop (e.g.
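Both records described here, the #Ruleset: records of this entry and the #EndData record introduced in v4.2b2 above, are what a downstream consumer of flow data files keys on. The script below is an added example, not NeTraMet code: it maps RuleSet numbers to owner names from the #Ruleset: records and reports a sample's record count as soon as its #EndData arrives, so the same logic can run against a live file instead of waiting for the next sample to start. The flow data file it builds is constructed for the example; only the #Ruleset: and #EndData lines follow the documented format, and the columns of the flow records themselves are invented.

```shell
#!/bin/sh
# Added example, not part of NeTraMet.  Consumes a NeMaC flow data file
# using the '#Ruleset: x setname rfname owner' and '#EndData' records.

# Print the owner name for RuleSet number x (argument 2) from the file
# (argument 1); prints nothing if no #Ruleset: record carries that x.
ruleset_owner() {
    awk -v want="$2" '$1 == "#Ruleset:" && $2 == want { print $5; exit }' "$1"
}

# Count flow records per sample.  Any line that is not a '#' record is a
# flow record; '#EndData' closes a sample.  A trailing sample without its
# #EndData is reported as partial, so a live reader knows its figures are
# not final yet.
summarise_samples() {
    awk '
        /^#EndData/ { sample++; printf "sample %d: %d records\n", sample, n; n = 0; next }
        /^#/        { next }          # ## header, #Ruleset: and any other # record
        NF          { n++ }
        END         { if (n) printf "partial sample: %d records (no #EndData yet)\n", n }
    ' "$1"
}

# Number of complete samples, i.e. those closed by an #EndData record.
complete_samples() {
    grep -c '^#EndData' "$1"
}

# Constructed sample flow data file.  The flow record columns (ruleset,
# source, destination, PDUs, bytes) are invented for this example.
make_sample_file() {
    cat > "$1" <<'EOF'
##NeTraMet flow data (constructed sample)
#Ruleset: 1 1 rules.mynet fred
#Ruleset: 2 2 rules.rc.ports sue
1 192.0.2.10 192.0.2.20 120 9600
1 192.0.2.11 192.0.2.20 5 400
2 192.0.2.12 192.0.2.21 77 6100
#EndData
1 192.0.2.10 192.0.2.20 130 10400
#EndData
2 192.0.2.13 192.0.2.21 9 700
EOF
}

# Stand-alone run: build the sample and summarise it.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_file "$f"
    echo "ruleset 2 is owned by: $(ruleset_owner "$f" 2)"
    summarise_samples "$f"
    rm -f "$f"
fi
```

For a live file, feed `tail -f flowdata` into the same awk program; the per-sample line is emitted when #EndData is read, which is exactly the point of that record.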
              because a manager has failed), the meter will delete the
              row after this time.  The default is 0, i.e. the row will
              never time out.
* Change to manager option:
      -h pp   Specifies HighWaterMark for a manager task.  In v3 the
              meter default was 65 (percent).  In v4.1 the default is 0
              (no test for high water).
* MatchingStoD attribute:
  The attribute 'matchingStoD' is set by the Packet Matching Engine.
  Its value is 1 if the packet is being matched with its address
  attributes in 'StoD' order (i.e. as they appear 'on the wire'), and
  0 if the packet is being matched with its addresses swapped.  See
  RFC 2063 for a detailed description of packet matching.
* NeMaC keywords:
  'nomatch' is now a synonym for 'retry.'  This name was discussed at
  the Montreal RTFM WG session, and is used in the ruleset examples
  given in RFC 2123, "Experiences with NeTraMet."

v4.1b4  22 May 97

SNMPv2, 32-bit PC meter
* NeTraMet and its manager/readers (NeMaC, nm_rc, nm_st and nifty) all
  use SNMPv2 instead of SNMPv1.  They now implement the Meter MIB of
  RFC2064 (and the newer RTFM Internet Draft which updates it).  The
  most significant effects of this are: v4 meters can run multiple
  rulesets simultaneously, and 64-bit counters are used for packet and
  byte counters.
* v4 managers will work properly with v3 meters.  v3 managers,
  however, will NOT work with v4 meters.  To change to using v4 you
  should change your managers first, then your meters.
* There are two changes to the format of flow data file records:
  - Dates now use four digits for the year (1997 instead of 97)
  - The integer values used for PeerTypes have changed.  You should
    not be affected by this unless you have analysis applications
    which use PeerTypes to distinguish flows.
* The 32-bit version of the PC meter uses all available memory.  16 MB
  of memory should allow it to handle a table of 100,000 flows or
  more.  The readme.txt file in the ntm41-b4.zip file gives detailed
  setup instructions.
New options in Meters (PC and Unix):
      -m pp   specifies the IP port number to use for SNMP.  Default
              is 161
      -l      specifies that meter should use the length field from IP
              headers for the number of bytes in IP packets.  Default
              is to use the MAC (hardware) packet size.

v3.5  6 Sep 96

Multiple ethernets for the PC meter:
* The PC meter (netramet.exe) can now handle up to four interfaces.
  New command line options allow you to specify the interfaces, as
  follows ..
      -i nn   specifies that the packet driver using software interrupt
              nn (decimal) is to be metered.  e.g. -i96 would meter
              interrupt 0x60
      -h nn   as above, except that if you have a packet driver which
              implements the 'high-performance' driver specification,
              NeTraMet will take advantage of it.
      -I nn   as above, except that no metering will be performed on
              this interface; instead it will be used only for IP
              packets to or from the meter.
  If no interface is specified as 'IP only,' the first interface
  appearing as a -i or -h option will be used as the meter's IP
  interface.

v3.4  8 Aug 96

nifty: an X/Motif 'flow analyser' program
* Presented to RTFM WG at the Montreal IETF as 'NetFlow,' renamed to
  avoid confusion with Cisco's 'Net Flow Switching.'

Changes to NeTraMet:
* NeTraMet can monitor up to four interfaces instead of only one.
  Specify this with a -i option for each one, e.g.
      NeTraMet -inf0 -ile0 -wPASSWORD
* Meter performance statistics have been implemented for the Unix
  meter.  In particular, aps and mps give average and maximum packets
  per second, while api and mpi give average and minimum processor idle
  time percentage for one-second intervals.
* NeTraMet has been restructured so as to simplify the code for packet
  matching.

Make files for aix added.
* libpcap (current version) isn't implemented for aix, so you can't
  (yet) build an aix meter.  NeMaC, nifty, etc work properly.
Known problems:
* If you start NeMaC with write access to a meter, and NeMaC is already
  running on the same host with write access to the same meter, the
  meter gets confused.  In this situation neither copy of NeMaC manages
  to read sensible flow data from the meter.
  Detour: before you start NeMaC, make sure it isn't already running.
  Cure: this will be addressed in version 4.1.  4.1 will implement the
  updated meter MIB as set out in the current Internet Draft.

Bug fixes:
* The time for the next collection may have already passed, e.g.
  because of network transit delays in collecting flow data from many
  meters.  NeMaC will not attempt to make such 'missed' collections.
* NeMaC now displays (and logs) the meter name correctly when it fails
  to establish contact when starting a meter, and when it loses or
  regains contact with a running meter.
* NeMaC could create invalid flow data files if it failed to start a
  meter properly, or if an active flow data file was deleted.  This has
  been corrected.

V3.3  8 Nov 95

nm_rc: a remote console for NeTraMet
* nm_rc (in the /manager/ directory) combines NeMaC and fd_filter to
  provide a simple display of 'live' flow data from a single meter
  sorted into traffic order, busiest flows first.  (Briefly described
  in doc/NeTraMet/rc-man.txt; a 'proper' manual will be ready real
  soon now).

New example rule files (in examples/ directory)
* rules.two-adj-routers: Meters traffic through and between two
  routers, specified by their adjacent (Ethernet) addresses.
* rules.two-ip-groups: Meters traffic through and between two groups
  of IP networks, specified in a subroutine by their peer (IP) network
  numbers.
* rules.rc.pr+bc: Classifies traffic by protocol, and looks at Ethernet
  broadcast packets in detail.
* rules.rc.ports: Classifies IP, IPX and EtherTalk traffic by port.
* rules.rc.ip: Classifies IP traffic by IP address and port.
* rules.rc.ipx: Classifies IPX traffic by IPX address and port.

New options for NeMaC:
* -x  Don't write anything to the meter.
  Use this if you use a second copy of NeMaC (or nm_rc) to collect from a single meter. Allowing two collectors to write allows the meter to recover flows after they've been collected by only one of the two.
* -P For each collection flow data files will be opened, flow data appended to them, then they will be closed. If you move or rename a closed data file a new one (with the old name) will be created by the next collection. This is an alternative to using the old 'flag file' method.
* -p Open-append-close to NeMaC's log file as well as to flow data files. Superset of -P
* -F name Specifies name of flow data file.
* -L name Specifies name of NeMaC log file.
* -c 0 Tells NeMaC to download rule file(s) to the meter, then exit without collecting any flow data.
* default values in NeMaC configuration file. Since NeMaC command-line parameters can be displayed by any user via the Unix ps command, you should specify write community names in a configuration file. Each record in a configuration file specifies meter parameters which override the default values or the ones specified on the NeMaC command line. NeMaC now uses the meter name 'default' to indicate that this record contains default values for following records. For example ..
    ./NeMaC -f nm-config
  tells NeMaC to read the file 'nm-config,' which contains the following records ..
    -c900 -p -rrules.mynet default
    meter1 write-1
    meter2 write-2
    -c300 meter3 write-3
  This starts three meters; all run rules.mynet, and append to their flow data files. meter3 is collected every 5 minutes, meter1 and meter2 are collected every 15 minutes.

Changes to NeTraMet options:
* PC & Unix meter: Option settings .. Options no longer need spaces to separate them from their arguments, e.g. -ile0
* PC & Unix meter: Read Communities .. Only one read community can be specified.

Bug fixes:
* PC meter: -r option (to specify read community) crashed meter.
* Solaris meter: FDDI interface didn't work. pcap-dlpi.c didn't bind the dlpi stream correctly.
  Fixed by new version of pcap-dlpi.c from lbl (included in src/meter)
* Unix meter: pcap socket open didn't specify a timeout; 250ms now specified. This prevents Solaris from busy-waiting, allowing NeTraMet to be run as a background process.
* Linux meter: linux alters the timeout value of a select() statement (this is a BSD feature). Timeout value now reset to 250ms after each select(); this prevents linux from busy-waiting, allowing NeTraMet to be run as a background process.

8 Sep 95

Bug fixes as follows:
* snmplib/asn1.c changed to get integers correctly out of SNMP packets. Now works correctly for OSF/1.
* PC meter: small memory model memcpy used to copy strings from far memory. Now uses qmove. This caused snmp network managers to get garbage when GETting addresses from the flow table.
* Bug in meter/met_vars overwrote part of the SNMP object tables when responding to a request for a non-existent MIB object. This showed up as 'meter loses rule table' when a network manager such as OpenView probed a meter's MIB.
* Ultrix Makefiles corrected. These can now be used to build meter and manager for DEC OSF/1.

4 Jul 95

New options for NeMaC:
* -a sss Collections will be made with a time lag of sss seconds. For example, 10-minute collections with 30-second time lag will occur at 1000'30, 1010'30, etc.
* -w nnn Specifies doWnload level. nnn=0 (the default) downloads rules on collector startup and after a meter restart. nnn=1 downloads only after a meter restart, and nnn=2 never downloads.

Bug Fixes:
* PC NeTraMet returned bad string for interface name. NeTraMet fixed to return 'eth0,' NeMaC modified to check the string, and use 'eth0' instead of a bad string (from an old meter).

V3.2 8 Jun 95

NeTraMet meter reworked to use libpcap to get packet headers:
* libpcap:
  - libpcap is a generalised packet interface written by Steve McCanne, Craig Leres and Van Jacobson as part of tcpdump.
  - libpcap is available from ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z
  - to make NeTraMet you must first install it on your Unix system so as to produce libpcap.a. The make files in the NeTraMet distribution assume you have copied libpcap into the same subdirectory as the Makefile.
  - binary distribution files are provided for linux (version 1.2.1) and Irix (5.2), as well as Solaris (2.4) and SunOS (4.1.4).
  - libpcap supports FDDI interfaces as well as ethernet. This is still being tested (8 Jun 95).
* -i option has been implemented in NeTraMet. This tells NeTraMet which interface to monitor. For example, -i le0 will monitor the le0 interface. The interface name is displayed on the NeTraMet console, and appears in the ## header line of the flow data file. If you don't specify an interface libpcap will use its default one. The PC version of NeTraMet doesn't allow you to specify the interface name.
* 'other' packet handling has been extended. 'Other' packets set the SourcePeerAddress to the packet's ether_type and the DestPeerAddress to the packet's LSAP. This allows you to use NeTraMet to find out what packet types are active on your network.
* All the source code (including the CMU SNMP library) has been tidied up so as to remove most of the compiler warning messages. This should make it easier to port to new systems.

Bug fixes:
* PC pointer problems caused PC NeTraMet to crash at random times (from seconds to days). Finding more places which should use 'huge' pointers instead of 'far' pointers seems to have cleared (or at least reduced) this problem.
* PC string compare routine error. Waterloo TCP's qcmp routine compares two far pointers (same as Unix memcmp). An implementation bug meant that strings which were the same length and differed only in the last byte were reported as being the same. The effect of this was masked because NeTraMet uses a hash search of the flow table.
* NeTraMet crashed when it received an SNMP get request for a MIB-1 object which it didn't know about.
  NeTraMet implements nearly all of the Accounting Meter MIB objects, but only a few MIB-1 objects. The SNMP routines in met_vars.c have been improved so as to give a 'no such OID' response (and keep running).
* NeMaC didn't handle end-of-file properly for its configuration file. This has been corrected.

V3.1 16 Feb 95

New version using IANA-allocated MIB OID (mib-2 40):
* Rewritten and simplified MIB means that earlier meters won't run with 3.1 NeMaC, and 3.1 meters won't run with earlier NeMaCs, i.e. both meter and manager must move to 3.1 together.
* Extended and simplified rule matching. Jumps can be to the test or action part of the target rule. Attribute values can be pushed from the packet (as well as from a rule), hence aggregate and tally flows are no longer needed. The action table was only needed to support aggregate and tally flows: it is no longer needed.
* Six new user-settable attributes are implemented. SourceClass, DestClass, FlowClass and SourceKind, DestKind, FlowKind allow a meter to pass information gleaned during packet matching back to the flow data file.
* NeMaC allows you to INCLUDE rule files into other rule files.
* Emergency rule sets are implemented. The meter will switch to its emergency rule set if the % of active flows gets greater than HighWaterMark.
* Collection times are synchronised by default, i.e. they happen at multiples of the collection interval. For example 15-min collections are made at 0, 15, 30 and 45 minutes past the hour.

Bug fixes:
* Rule tables with more than 1350 rules now work properly on the PC meter. This was a situation where 'huge' pointers were required to reliably access all of the rule table.
* IP fragment packets other than the first fragment of a PDU produced garbage transport addresses (IP port numbers). They now produce 0. The Accounting Model defines attributes for each protocol, and doesn't allow one to distinguish a 'first fragment' from an unfragmented IP packet.
* A mistake in the code for optimised testing of a group of rules could sometimes cause packet matches to succeed when they should not. This has been corrected.

Notes:
* Rule files will need to be converted from the old (version 2.x) form to the new one. The changes are straightforward, and are documented in the file Converting.rules.ps

V2.3 25 Nov 94

Fourth full release, new features as follows:
* NeMaC now uses the names of flow attributes as they appear in the meter MIB, i.e. TRANS is used instead of DETAIL. NeMaC does this by allowing DETAIL to be a synonym for TRANS. Old rule files will still work properly, but new rule files should use TRANS.
* Gopher (port 70) and WWW (port 80, i.e. html) have been added to NeMaC's list of IP port numbers.
* If NeMaC notices that a meter has been restarted, i.e. its sysUptime has jumped backwards, NeMaC will automatically download its specified rule file. The check is made before each flow data collection (intervals set by the -c option), and at every 'keepalive' interval (set by the -k option). This feature can be used to minimise the amount of flow data lost by a meter after a power-fail restart.
* NeMaC now allows different collection and keepalive intervals for each meter. This is implemented by allowing the -c and -k options to appear in NeMaC's configuration file, and using an event queue (instead of a simple idle loop) to order meter activities.
* A mechanism for closing and reopening flow data files has been implemented. NeMaC tests for a file called NeMaC.flag. If it finds the flag file it will close and reopen all its current flow data files. A new section has been added to the manual explaining how to use this feature.

Bug fixes:
* Various bugs in NeMaC's parsing of rule files have been corrected.
* Bugs in fd_filter and fd_extract have been corrected; they will now work as documented!

Notes:
* NeTraMet memory management has been improved.
  'Active flows' is now used instead of 'flows in use' for controlling garbage collection. The garbage collector is called if a new flow is needed and there are no free flows.

V2.2 19 Jul 94

Third full release, new features as follows:
* fd_filter and fd_extract included in manager directories as utility programs for flow data files. Documented in fd_util.ps file.
* Port of both NeTraMet and NeMaC for Solaris, using streams/dlpi instead of nit to watch the ethernet interface.
* Binaries for Solaris and Sunos available via anonymous ftp.
* Make files for HPUX and linux added. NeMaC has been ported to HPUX and linux.
* SamplingRate MIB variable implemented; allows only 1 of every n packets to be processed.
* All four Novell IPX encapsulations now recognised.

Bug fixes:
* PC NeTraMet now counts packets sent as well as packets received.

Notes:
* NeMaC now gives sensible error messages if it can't write meter variables. If NeMaC only has read access (i.e. it was given the read snmp community name instead of the write one) it can still collect data, but such collections will not be recorded by the meter, and so will not be noticed by the meter's garbage collector.
* Solaris 2.3 dlpi bug corrupts some packet headers. Only affects CLNS handling by Solaris version of NeTraMet. This is fixed in Solaris 2.4 - see the ether_pc.c file for details.

V2.1 14 Jan 94

Second full release, new features as follows:
* Subroutines in rule tables implemented, making it much easier to write rules to handle large numbers of networks.
* Labels implemented for rules and actions, i.e. no need to keep track of rule and action numbers by hand.
* CLNS protocol now understood by NeTraMet.
* Packets for protocols not understood by NeTraMet can be counted as PeerType 'Other'.
* Ethernet II and SNAP encapsulations for IPX now recognised (as well as 'Raw 802.2').
* Full (10-byte) IPX addresses can be used instead of just (4-byte) net numbers.
* Make files for Ultrix added. NeMaC has been ported to Ultrix.
Bug fixes:
* MIB environment variable changed to MIBTXT to match the documentation (was MIBFILE).

Notes:
* Make files changed to allow compilation with the Gnu C compiler, either by specifying gcc in the make file, or by 'setenv CC gcc'.
* Documentation points out that the NeTraMet write community must have a different name to the read communities, and that NeMaC must specify the NeTraMet write community name.

28 Oct 93
New: NeMaC only displays 'Rule/Action added' message every tenth rule/action.

22 Oct 93
Bug: NeMaC couldn't handle rule table with >255 rules.

V2.0 20 Oct 93

First full release of NeTraMet and NeMaC, with NeTraMet Manual and full source code.

V1.0 Nov 92

Prototype meter using height-balanced trees instead of rule table. Presented at Washington IETF.
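The V3.3 entry above explains why write community names belong in a NeMaC configuration file rather than on the command line (ps exposes command-line arguments to every user), and how a 'default' record supplies values for the records that follow it. The following is an added illustration of that layering, not NeMaC's own parser; the record layout (option tokens, then meter name, then write community), the handled options (-c, -r, -p, -P) and the precedence order are assumptions taken from the example records in that entry.

```python
def parse_record(line):
    """Split one record into (meter, community, options).
    Assumed layout, taken from the V3.3 example: option tokens such as
    -c900, -p or -rrules.mynet, then the meter name, then its write
    community (the 'default' record carries no community)."""
    opts, names = {}, []
    for tok in line.split():
        if tok.startswith('-c'):
            opts['collect'] = int(tok[2:])       # collection interval, seconds
        elif tok.startswith('-r'):
            opts['rules'] = tok[2:]              # rule file to download
        elif tok == '-p':                        # -p is a superset of -P
            opts['append'] = opts['append_log'] = True
        elif tok == '-P':
            opts['append'] = True
        elif tok.startswith('-'):
            raise ValueError(f'unsupported option in record: {tok!r}')
        else:
            names.append(tok)
    if not names:
        raise ValueError(f'record has no meter name: {line!r}')
    return names[0], (names[1] if len(names) > 1 else None), opts


def parse_config(text, cmdline=None):
    """Return {meter: settings}. Precedence, lowest to highest (an assumption
    based on the V3.3 description): NeMaC command-line settings, then the
    most recent 'default' record, then the meter's own record."""
    defaults = dict(cmdline or {})
    meters = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        meter, community, opts = parse_record(line)
        if meter == 'default':
            defaults.update(opts)                # applies to following records only
            continue
        if community is None:                    # a meter record without a write community is a config error
            raise ValueError(f'meter {meter!r} has no write community')
        meters[meter] = {**defaults, **opts, 'community': community}
    return meters


# Constructed sample with the same records as the V3.3 example.
SAMPLE = """\
-c900 -p -rrules.mynet default
meter1 write-1
meter2 write-2
-c300 meter3 write-3
"""
```

With the command line supplying only a keepalive interval, meter1 and meter2 inherit the 900-second collection interval from the default record while meter3's own -c300 overrides it, which is the behaviour the entry describes.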