# Ruleset to watch response for mice and elephants
#
# Nevil Brownlee, Tue 30 May 00
#
# NeTraMet SRL ruleset.  Each flow the meter sees is run through the
# 'if' statements below; 'ignore' drops the flow, 'save' records the
# named attribute (or distribution) for it, and 'count' at the end of
# the inner block is the only place a flow is actually counted.  Net
# effect: only IPv4 / TCP flows whose *source* address is inside the
# SDSC prefixes and whose destination port is WWW are recorded, i.e.
# web traffic leaving SDSC.  There is no else branch on the address
# test, so flows from any other source (including inbound web requests
# from outside clients to SDSC servers) never reach 'count' here.
#
# Flow-kind bit values.  NOTE(review): none of the PP_* defines is
# referenced by a rule below; they appear to document the bit layout
# of the TCPdata field printed by the format statement -- confirm
# against the NeTraMet manual for the meter version in use.
define PP_TCP = 192;       # 0xC0 plus low-order bits as follows ..
define PP_OK_SYNACK = 1;   # ->SYN, <-SYN+ACK pairs
define PP_OK_SYNRST = 2;   # ->SYN, <-SYN+RST pairs
define PP_OK_MULTI = 8;    # ->DATA, <-ACK for more than one packet
define PP_OK_SINGLE = 16;  # ->DATA, <-ACK 'lone' packet
define PP_OK_INGROUP = 32; # ->DATA, <-ACK single packet in a group

# Hard-coded SDSC / UCSD address prefixes (CIDR notation, as of 2000).
# These are the only thing that decides whether a flow is "ours"; anyone
# reusing this ruleset must re-validate the list, since a stale or
# missing prefix silently excludes (or includes) traffic.
define UCSD = 128.54/16;
define UCSD_SUB = 132.239/16;
define SDSC2 = 132.249/16;
define UCSD_EXTRN = 137.110/16;
define MPL106 = 192.135.237/24;
define MPL4 = 192.135.238/24;
define CAIDA = 192.172.226/24;
define UCSD_CERF = 199.105.0/26;
define SDSC_NETS = UCSD, UCSD_SUB, UCSD_EXTRN, MPL106, MPL4, UCSD_CERF, SDSC2, CAIDA;

# Pre-filters: anything that is not IPv4, or not TCP, is ignored outright.
if SourcePeerType == IPv4 save; else ignore;
if SourceTransType == TCP save; else ignore;

# Main selection.  Source address must be in one of the SDSC prefixes,
# destination port must be WWW.
if SourcePeerAddress == (SDSC_NETS) {   # To means 'away from SDSC'
   if DestTransAddress == WWW save, {   # Well-known port as dest
      # A flow whose source port is also WWW cannot be told apart by
      # port alone; saving SourceTransAddress keeps 80->80 flows as a
      # separate flow record instead of folding them into the others.
      if SourceTransAddress == WWW save;   # Ambiguous flow, keep separate
      # Save DestPeerAddress;
      # save TCPTime1 = 50.0.1!1000 & 1.3.1!500;   # 1..500 ms
      #   # 75 buckets, PP_TCP_ALL, streams > 10 and <= 1k B, linear
      # save FromTCPRate1 = 50.3.1!0 & 1.3.1!100;  # 1..100 kB/s
      #   # 75 buckets, PP_TCP_ALL, streams > 1 kB, linear
      # save FromTCPSize = 50.0.0!0 & 1.3.1!50;    # 1..50 kB
      #   # 75 buckets, PP_TCP_ALL, linear
      #
      # Distributions recorded per flow.  The "a.b.c!d & e.f.g!h" form is
      # NeTraMet's distribution-parameter spec; the trailing comments
      # give the author's intended range / bucket count / scale.
      # NOTE(review): the meaning of each field in the spec is not
      # shown here -- check the NeTraMet manual before changing them.
      save ToTCPSize = 50.0.0!0 & 2.2.1!500;      # 0.1..50 kB
      save FromTCPSize = 50.0.0!0 & 2.2.1!500;    # 0.1..50 kB
         # 50 buckets, log
      save ToTCPTime = 50.0.1!1000 & 2.3.1!100;   # 1..100 ms
      save FromTCPTime = 50.0.1!1000 & 2.3.1!100; # 1..100 ms
         # 50 buckets, streams > 10 and <= 1k B, log
      save ToTCPRate1 = 50.3.1!0 & 2.3.100!2000;   # 100k..2M B/s
      save FromTCPRate1 = 50.3.1!0 & 2.3.100!2000; # 100k..2M B/s
         # 50 buckets, streams > 1 kB, log
      count;
   }
}
# NOTE(review): 'set web_mice' sits after the counting block; it looks
# like a FlowKind tag (FlowKind is printed by the format statement
# below), but which flows it applies to is not evident from this file
# alone -- confirm against the srl manual.
set web_mice;

# Output record layout for every counted flow.  Commented-out lines are
# the earlier (TCPTime1 / linear-distribution) variant of the layout and
# match the commented-out 'save' statements above.
# NOTE(review): 'FromLostPdus' is spelled with a different case from
# 'ToLostPDUs'; confirm the rule compiler treats attribute names
# case-insensitively, otherwise this field will not resolve.
format FlowRuleSet FlowIndex FirstTime SourcePeerType SourceTransType " "
   FlowKind DestTransAddress
   # DestPeerAddress DestTransAddress " "
   ToPDUs FromPDUs " "
   ToOctets FromOctets " " ToLostPDUs FromLostPdus
   " [" TCPdata "] (" ToTCPSize ") (" FromTCPSize ") (" ToTCPTime ") (" FromTCPTime ") (" ToTCPRate1 ") (" FromTCPRate1
   # "] (" TCPTime1 ") (" ToTCPRate1 ") (" ToTCPSize
   # ") (" FromTCPRate1 ") (" FromTCPSize ")";