From netramet-owner Sat Apr 18 10:46:58 1998
Message-ID: <70DA10298BD1D1118C1D00A0C977EC5F25D5@whitefish.ntnet.nt.ca>
From: Byron Hynes
To: "'netramet@auckland.ac.nz'"
Subject: Netramet Rule Help
Date: Fri, 17 Apr 1998 16:46:36 -0600

I have a rule-set that I thought was working, but apparently is not.

What I wanted to capture was different levels of detail, depending on
the address: if the address was within our LAN, save all four octets. If
within the NTnet Blocks, save the "class C" address, with .0, and if it
was from anywhere else, save only "0.0.0.0".

The resulting flow files LOOK correct to me, but when I total up the
results they are vastly inflated (when compared to either our supplier's
counts [also from Netramet, but limited to class C level], or to RAS logs
for dedicated RAS networks).

So, obviously, something is wrong. I'll admit that I don't always
understand the flow and logic of rules, so I might be missing something
really obvious.

Any help will be appreciated.

Byron Hynes, MCSE
Tamarack Computers Ltd.
byron@tamarack.nt.ca

#
# TAMARACK RULES FILE - For V3.2 NeTraMet.
#
SET 2
RULES

# Step 1: Consider IP packets only.
#
StartAllPacketsHere:
  SourcePeerType & 255 = IP : GotoAct, StartIPHere;
  Null & 0 = 0 : Ignore, 0;   # Ignore all other types

# Step 2: Examine and push the packet's source
#
StartIPHere:
  v1 & 0 = SourcePeerAddress : AssignAct, Next;
  Null & 0 = 0 : Gosub, Classify;
  SourcePeerAddress & 255.255.255.255 = 0 : PushPktToAct, LookAtDest;
  SourcePeerAddress & 255.255.255.0 = 0 : PushPktToAct, LookAtDest;   # Return 2 - Free NTnet
  SourcePeerAddress & 255.255.255.0 = 0 : PushPktToAct, LookAtDest;   # Return 3 - Billable NTnet
  SourcePeerAddress & 0.0.0.0 = 0 : PushPktToAct, LookAtDest;         # Return 4 - South

# Step 3: Examine and push the packet's destination
#
LookAtDest:
  v1 & 0 = DestPeerAddress : AssignAct, Next;
  Null & 0 = 0 : Gosub, Classify;
  DestPeerAddress & 255.255.255.255 = 0 : PushPktToAct, CountIt;
  DestPeerAddress & 255.255.255.0 = 0 : PushPktToAct, CountIt;   # Return 2 - Free NTnet
  DestPeerAddress & 255.255.255.0 = 0 : PushPktToAct, CountIt;   # Return 3 - Billable NTnet
  DestPeerAddress & 0.0.0.0 = 0 : PushPktToAct, CountIt;         # Return 4 - South

# Step 4: Count the Packet
#
CountIt:
  Null & 0 = 0 : Count, 0;

# Classify looks at both source and dest (in turn)
#   Return 1 - Within Tamarack
#   Return 2 - Non-Billable NTnet
#   Return 3 - Billable NTnet
#   Return 4 - South
#
Classify:
  v1 & 255.255.255.0 = 199.247.52.0 : Return, 1;
  v1 & 255.255.255.0 = 199.247.53.0 : Return, 1;
  v1 & 255.255.255.0 = 199.247.54.0 : Return, 1;
  v1 & 255.255.255.0 = 199.247.55.0 : Return, 1;
  v1 & 255.255.255.0 = 199.247.76.0 : Return, 1;
  v1 & 255.255.255.0 = 199.247.89.0 : Return, 2;
  v1 & 255.255.248.0 = 207.148.48.0 : Return, 1;
  v1 & 255.255.255.0 = 199.247.2.0 : Return, 3;     # NTnet Server Net
  v1 & 255.255.255.0 = 199.247.60.0 : Return, 4;    # Auroranet via Istar/cancom
  v1 & 255.255.255.0 = 199.247.67.0 : Return, 4;    # Auroranet via Istar/cancom
  v1 & 255.255.255.0 = 199.247.77.0 : Return, 4;    # Yukon
  v1 & 255.255.255.0 = 199.247.125.0 : Return, 4;   # Yukon
  v1 & 255.255.255.0 = 199.247.126.0 : Return, 4;   # Yukon
  v1 & 255.255.252.0 = 198.161.24.0 : Return, 2;    # 24 - 27
  v1 & 255.255.255.0 = 198.161.126.0 : Return, 2;   # 126
  v1 & 255.255.128.0 = 199.247.0.0 : Return, 2;     # 0 - 127
  v1 & 255.255.255.0 = 206.172.213.0 : Return, 2;   # 213
  v1 & 255.255.128.0 = 207.148.0.0 : Return, 2;     # 0 - 127
  Null & 0 = 0 : Return, 4;   # Network is not routed by NTnet, belongs down south

Format FlowRuleSet FlowIndex FirstTime LastTime
  SourcePeerAddress DestPeerAddress
  ToPDUs FromPDUs ToOctets FromOctets;

From netramet-owner Tue Apr 21 02:44:36 1998
Message-ID: <971193643C@bgc.ac.uk>
From: "Alan Benson"
Organization: Bishop Grosseteste College
To: netramet@auckland.ac.nz
Subject: User Charging in Real Time.
Date: Mon, 20 Apr 1998 15:43:52 +0000

Hi,

I'm looking into putting a system in place for real time charging to
users for traffic they generate.
I've read the archives and seen a few people who are doing this on a
monthly basis but no-one has owned up to a real time implementation.
I'd love to share experiences/ideas with anyone who has done this or
looked into it.

Thanks,
Alan
---------------------------------------------------
IT Support, Bishop Grosseteste University College, Lincoln.
Email:alan@bgc.ac.uk Personal:alan@hactar.demon.co.uk
co-owner CD-ROM-NETWORKING list. See www.mailbase.ac.uk for details.

From netramet-owner Tue Apr 21 10:55:57 1998
Message-ID: <26736.893112795@nosc.ja.net>
From: Kevin Hoadley
To: Byron Hynes
Cc: "'netramet@auckland.ac.nz'"
Subject: Re: Netramet Rule Help
In-reply-to: Your message of "Fri, 17 Apr 1998 16:46:36 MDT." <70DA10298BD1D1118C1D00A0C977EC5F25D5@whitefish.ntnet.nt.ca>
Date: Mon, 20 Apr 1998 23:53:15 +0100

> I have a rule-set that I thought was working, but apparently is not.
>
> What I wanted to capture was different levels of detail, depending on
> the address: if the address was within our LAN, save all four octets. If
> within the NTnet Blocks, save the "class C" address, with .0, and if it
> was from anywhere else, save only "0.0.0.0"

You can't actually do this - all rules that push a particular attribute
must push that attribute with the same mask: i.e. if you are pushing
DestPeerAddress then every PushPkt or PushRule that references
DestPeerAddress must have the same mask.
(This is assuming I've understood the docs)

In some circumstances you can get round this by matching a list of
addresses with different masks, then jumping to a PushRule that saves a
code that refers to the address, with all the codes having the same mask.
So if you know all the NTnet networks you could do something like:

  DestPeerAddress & 255.255.255.0 = {localnetwork} : GotoAct, localNet;
  DestPeerAddress & 255.255.255.0 = {NTnet #1} : GotoAct, NTnet1;
  DestPeerAddress & 255.255.255.0 = {NTnet #2} : GotoAct, NTnet2;
  ... {all the other NTnet addresses}

  # Now save 0.0.0.0 for unknown nets
  Null & 0 = 0 : GotoAct, Next;
  DestPeerAddress & 255.255.255.255 = 0.0.0.0 : PushRuleTo, remainingRules;

  # Save full address for local address
  localNet:
  DestPeerAddress & 255.255.255.255 = 0.0.0.0 : PushPktTo, remainingRules;

  # Save code for each NTnet class C
  NTnet1:
  DestPeerAddress & 255.255.255.255 = 0.0.0.1 : PushRuleTo, remainingRules;
  NTnet2:
  DestPeerAddress & 255.255.255.255 = 0.0.0.2 : PushRuleTo, remainingRules;
  ...

(You could do the same with a gosub/return, but I think it's easier to
illustrate with goto)

Kevin Hoadley, JANET.
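
A lint for the constraint described in the reply above (every push of an attribute must use the same mask), added here as an example; it is not part of the thread or of NeTraMet. The first sample is the Step 2 block of the posted rule file; the second follows the reply's goto pattern with two of the posted networks substituted for its placeholders, which is an assumption made for illustration.

```python
import re
from collections import defaultdict

# One rule: [Label:] Attribute & mask = value : Action, target;
RULE = re.compile(
    r"(?:(?P<label>\w+)\s*:\s*)?(?P<attr>\w+)\s*&\s*(?P<mask>[\w.]+)\s*"
    r"=\s*(?P<value>[\w.]+)\s*:\s*(?P<action>\w+)\s*,\s*(?P<target>\w+)\s*;"
)

# Step 2 of the rule file posted in the thread.
BYRON_SOURCE_RULES = """
StartIPHere:
  v1 & 0 = SourcePeerAddress : AssignAct, Next;
  Null & 0 = 0 : Gosub, Classify;
  SourcePeerAddress & 255.255.255.255 = 0 : PushPktToAct, LookAtDest;
  SourcePeerAddress & 255.255.255.0 = 0 : PushPktToAct, LookAtDest; # Return 2
  SourcePeerAddress & 255.255.255.0 = 0 : PushPktToAct, LookAtDest; # Return 3
  SourcePeerAddress & 0.0.0.0 = 0 : PushPktToAct, LookAtDest;       # Return 4
"""

# Constructed: the reply's goto pattern with its placeholders filled in (assumption).
KEVIN_STYLE_RULES = """
  DestPeerAddress & 255.255.255.0 = 199.247.52.0 : GotoAct, localNet;
  DestPeerAddress & 255.255.255.0 = 199.247.89.0 : GotoAct, NTnet1;
  Null & 0 = 0 : GotoAct, Next;
  DestPeerAddress & 255.255.255.255 = 0.0.0.0 : PushRuleTo, remainingRules;
localNet:
  DestPeerAddress & 255.255.255.255 = 0.0.0.0 : PushPktTo, remainingRules;
NTnet1:
  DestPeerAddress & 255.255.255.255 = 0.0.0.1 : PushRuleTo, remainingRules;
"""

def push_masks(ruleset):
    """Map each pushed attribute to the set of masks it is pushed with."""
    text = re.sub(r"#[^\n]*", "", ruleset)        # drop '#' comments
    masks = defaultdict(set)
    for rule in RULE.finditer(text):
        if rule["action"].lower().startswith("push"):   # PushPktTo, PushRuleTo, ...Act
            masks[rule["attr"]].add(rule["mask"])
    return dict(masks)

def inconsistent_pushes(ruleset):
    """Attributes that are pushed with more than one mask."""
    return {a: sorted(m) for a, m in push_masks(ruleset).items() if len(m) > 1}

if __name__ == "__main__":
    print(inconsistent_pushes(BYRON_SOURCE_RULES))
    print(inconsistent_pushes(KEVIN_STYLE_RULES))
```

Match rules (GotoAct, Return) are ignored on purpose: only the push actions decide what is stored in the flow record.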
From netramet-owner Tue Apr 28 19:23:38 1998
Message-ID: <01BD72DC.07292330.jfp@clearfield.co.nz>
From: Jean-Francois Pirus
To: "'netramet@auckland.ac.nz'"
Subject: Problems with NetTraMet v4.1.0 on Linux/Alpha with libpcap 0.4a6
Date: Tue, 28 Apr 1998 19:29:56 +1200

Hello all,

I just installed NeTraMet v4.1.0 on a RedHat 5.0 Linux using the Alpha
CPU. I am getting the following in the flows.

2 17 13154 1 X.X.X.X Y.Y.Y.Y 6 0 80 7985 18446744073709544625
2 18 20446 1 X.X.X.X Y.Y.Y.Y 6 0 80 7762 22570
2 19 23366 1 X.X.X.X Y.Y.Y.Y 17 0 53 18446744073709551586 81
2 20 37862 1 X.X.X.X Y.Y.Y.Y 1 0 0 568 568
2 21 37863 1 X.X.X.X Y.Y.Y.Y 6 0 80 8166 18446744073709536197
2 22 40240 1 X.X.X.X Y.Y.Y.Y 6 0 80 8434 98246

Notice the large numbers (e.g. 18446744073709551574).

Obviously something is getting sign extended into an 8 byte long. I had
a quick look but cannot find anything obvious to do with Counter64.

Has anybody run into this problem before?

jfp.

------------------------------------------------------------------------
Jean-Francois Pirus                    Clearfield Software Ltd
Phone (+64-9) 358 2081                 4th Floor 8-10 Whitaker Place
Fax   (+64-9) 358 2083                 P O Box 2348 Auckland, New Zealand
------------------------------------------------------------------------
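
A check for the pattern in the flow lines above, added here as an example and not part of the original post or of NeTraMet: it flags fields whose top bit is set when read as 64-bit values and tests whether each one is exactly what its low 32 bits become when sign-extended to 64 bits. The second column is assumed to be the flow index.

```python
# Flow lines copied from the post above (addresses were already masked there).
FLOW_LINES = """\
2 17 13154 1 X.X.X.X Y.Y.Y.Y 6 0 80 7985 18446744073709544625
2 18 20446 1 X.X.X.X Y.Y.Y.Y 6 0 80 7762 22570
2 19 23366 1 X.X.X.X Y.Y.Y.Y 17 0 53 18446744073709551586 81
2 20 37862 1 X.X.X.X Y.Y.Y.Y 1 0 0 568 568
2 21 37863 1 X.X.X.X Y.Y.Y.Y 6 0 80 8166 18446744073709536197
2 22 40240 1 X.X.X.X Y.Y.Y.Y 6 0 80 8434 98246
"""

MASK64 = (1 << 64) - 1

def sign_extend32(value):
    """Widen the low 32 bits of value to 64 bits the way a signed int is widened."""
    low = value & 0xFFFFFFFF
    return (low - (1 << 32)) & MASK64 if low & 0x80000000 else low

def as_signed64(value):
    """Read an unsigned 64-bit field as a two's-complement number."""
    return value - (1 << 64) if value >> 63 else value

def find_sign_extended(flow_text):
    """Return (flow_index, column, signed_value, matches_32bit_sign_extension)."""
    hits = []
    for line in flow_text.splitlines():
        fields = line.split()
        for col, field in enumerate(fields):
            if not field.isdigit():
                continue                  # skip the masked address columns
            raw = int(field)
            if raw >> 63:                 # top bit set: negative if read as signed
                hits.append((int(fields[1]), col, as_signed64(raw),
                             sign_extend32(raw) == raw))
    return hits

if __name__ == "__main__":
    for hit in find_sign_extended(FLOW_LINES):
        print(hit)
```

Each flagged field reads as a small negative number whose upper 32 bits are all ones, which is the bit pattern a negative 32-bit value takes when widened to an 8-byte long.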