# Ruleset to watch response for mice and elephants
#
# Nevil Brownlee, Tue 30 May 00
#
# NeTraMet SRL ruleset (presumably; syntax matches SRL -- confirm against the
# meter version in use).  Flows are built only for IPv4 TCP/UDP traffic whose
# source is one of the SDSC_NETS prefixes below; for each such flow the meter
# keeps 100-bin distributions of octets, PDUs and flow time, and the format
# block at the end selects which attributes are read back.
#
# NOTE(review): the original file reached this review collapsed onto a single
# line; it has been re-flowed here on the assumption that every '#' comment
# ran to the end of its own line.  Verify the re-flowed file still compiles.

# "PP_" constants.  They are defined here but, in the rules below, appear only
# inside comments; the meaning of each value is the author's annotation.
define PP_NO_TEST = 0;      # Don't build streams
define PP_ICMP_ECHO = 1;
define PP_OTHER = 7;        # Build streams, don't try to match packets
define PP_UDP_DNS = 11;
define PP_TCP = 192;        # 0xC0 plus low-order bits as follows ..
define PP_OK_SYNACK = 1;    # ->SYN, <-SYN+ACK pairs
define PP_OK_SYNRST = 2;    # ->SYN, <-SYN+RST pairs
define PP_OK_MULTI = 8;     # ->DATA, <-ACK for more than one packet
define PP_OK_SINGLE = 16;   # ->DATA, <-ACK 'lone' packet
define PP_OK_INGROUP = 32;  # ->DATA, <-ACK single packet in a group

# Address prefixes that make up "inside" (SDSC) for this ruleset.
# Traffic from any address outside SDSC_NETS never reaches the 'save'
# statements below, so it is not metered at all.
define UCSD = 128.54/16;
define UCSD_SUB = 132.239/16;
define SDSC2 = 132.249/16;
define UCSD_EXTRN = 137.110/16;
define MPL106 = 192.135.237/24;
define MPL4 = 192.135.238/24;
define CAIDA = 192.172.226/24;
define UCSD_CERF = 199.105.0/26;
define SDSC_NETS = UCSD, UCSD_SUB, UCSD_EXTRN, MPL106, MPL4, UCSD_CERF, SDSC2, CAIDA;

# Only IPv4 is metered; everything else is dropped here.
if SourcePeerType == IPv4 save;
else ignore;
# Only TCP and UDP are metered; ICMP and other transports are dropped.
if SourceTransType == TCP save;
else if SourceTransType == UDP save;
else ignore;

# Flows sourced from an SDSC prefix.  Per the author's notes, the distribution
# specs give 100 buckets with the value ranges quoted on each line; the exact
# meaning of the "a.b.c!d & e.f.g!h" fields is not documented in this file --
# consult the SRL reference before changing them.
if SourcePeerAddress == (SDSC_NETS) {  # To means 'away from SDSC'
   save ToFlowOctets = 100.0.0!0 & 2.2.1!50000;    # 100..5M B
   # NOTE(review): 'FromFlowoctets' is spelt with a lower-case 'o' while the
   # format block (commented out) uses 'FromFlowOctets'; confirm the SRL
   # compiler treats attribute names case-insensitively, otherwise this
   # 'save' may not refer to the intended attribute.
   save FromFlowoctets = 100.0.0!0 & 2.2.1!50000;  # 100..5M B
      # 100 buckets, PP_NO_TEST, log
   save ToFlowPDUs = 100.192.0!0 & 2.0.1!50000;    # 1..50k packets
   save FromFlowPDUs = 100.192.0!0 & 2.0.1!50000;  # 1..50k packets
      # 100 buckets, PP_NO_TEST, log
   save FlowTime = 100.0.0!0 & 2.4.1!60000;        # 10 ms .. 600 s
      # 100 buckets, PP_OTHER, log
   count;
   }
# Semantics of 'flow_master' are not documented in this file -- check the
# SRL reference.
set flow_master;
   # Can't get more than 2x 100-bin distribs back in single ruleset

<<<
# Attributes read back for each flow.  No address attributes are included in
# the active part of the format (DestPeerAddress is commented out), so the
# collected records carry counts and timing only.
format FlowRuleSet FlowIndex FirstTime SourcePeerType SourceTransType
   # " " FlowKind DestTransAddress
   # DestPeerAddress DestTransAddress
   " " ToPDUs FromPDUs " " ToOctets FromOctets
   # " " ToLostPDUs FromLostPdus
   # " (" ToFlowOctets ") (" FromFlowOctets
   # ") (" ToFlowPDUs ") (" FromFlowPDUs " (" FlowTime ")";
# NOTE(review): the only ';' terminating this 'format' statement sits inside
# the commented-out tail above; if SRL requires a terminator on 'format',
# the active statement is unterminated -- confirm with the compiler.