iatmon is a monitor that reads network trace data from a file, or a live interface, using the WAND group's libtrace library. It builds a hash table of source addresses for one-way traffic, i.e. traffic coming from source S that elicits no response from any host in site H (host address blocks h1, h2, .. hn), and writes summary files describing the one-way sources.
Given this basic structure, we have implemented two methods of classifying the sources of incoming one-way traffic. These are:
- Source types - Determined by the number of distinct destination addresses and destination ports the source sends packets to
- Source groups - Determined by the statistics of the source's packet inter-arrival time (IAT) distribution
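As an added illustration of this structure (example code, not iatmon's own; it works on a constructed packet list instead of libtrace input, and assumes site H is the documentation prefix 192.0.2.0/24), the Ruby below builds the per-source table, drops every source that any site host answered, and computes the quantities the two classifications are based on: distinct destination addresses and ports per source, and the mean and standard deviation of its packet inter-arrival times. The actual type and group boundaries are those of the PAM 2012 paper and are not reproduced here.

```ruby
require 'set'

# Added example, not iatmon's own code. Site H is assumed to be 192.0.2.0/24,
# written here as the address blocks h1..hn in prefix-string form.
SITE_BLOCKS = ['192.0.2.'].freeze

Packet = Struct.new(:ts, :src, :sport, :dst, :dport)

def site_host?(addr)
  SITE_BLOCKS.any? { |prefix| addr.start_with?(prefix) }
end

# Hash table of one-way sources: external addresses that sent packets into H
# and got nothing back from any host in H (matched by address, not by flow,
# following the definition of one-way traffic above).
def one_way_sources(packets)
  replied_to = Set.new   # external addresses some site host sent a packet to
  inbound = Hash.new { |h, k| h[k] = { dsts: Set.new, dports: Set.new, times: [] } }
  packets.each do |p|
    if site_host?(p.src) && !site_host?(p.dst)
      replied_to << p.dst
    elsif !site_host?(p.src) && site_host?(p.dst)
      entry = inbound[p.src]
      entry[:dsts] << p.dst
      entry[:dports] << p.dport
      entry[:times] << p.ts
    end
    # site-to-site and external-to-external packets are ignored
  end
  inbound.reject { |src, _| replied_to.include?(src) }
end

# Mean and population standard deviation of a source's inter-arrival times;
# nil when fewer than two packets were seen (no IAT exists yet).
def iat_stats(times)
  return nil if times.size < 2
  iats = times.sort.each_cons(2).map { |a, b| b - a }
  mean = iats.sum / iats.size
  var = iats.sum { |x| (x - mean)**2 } / iats.size
  { mean: mean, sd: Math.sqrt(var) }
end

# Per-source summary: the inputs to the type (addresses/ports) and
# group (IAT statistics) classifications.
def summarize(packets)
  one_way_sources(packets).transform_values do |e|
    { packets: e[:times].size, dst_addrs: e[:dsts].size,
      dst_ports: e[:dports].size, iat: iat_stats(e[:times]) }
  end
end

# Constructed sample trace (timestamps in seconds).
SAMPLE = [
  # 198.51.100.7: SSH sweep across three site hosts, 0.5 s apart, never answered
  Packet.new(0.0, '198.51.100.7', 40000, '192.0.2.10', 22),
  Packet.new(0.5, '198.51.100.7', 40001, '192.0.2.11', 22),
  Packet.new(1.0, '198.51.100.7', 40002, '192.0.2.12', 22),
  # 203.0.113.5: ordinary web client; 192.0.2.10 replies, so it is two-way
  Packet.new(0.2, '203.0.113.5', 51000, '192.0.2.10', 80),
  Packet.new(0.21, '192.0.2.10', 80, '203.0.113.5', 51000),
  # 198.51.100.9: port scan of one host with widening gaps, never answered
  Packet.new(2.0, '198.51.100.9', 44000, '192.0.2.20', 21),
  Packet.new(2.1, '198.51.100.9', 44001, '192.0.2.20', 23),
  Packet.new(2.3, '198.51.100.9', 44002, '192.0.2.20', 25),
  Packet.new(2.6, '198.51.100.9', 44003, '192.0.2.20', 80),
  # 198.51.100.30: a single UDP datagram, too few packets for IAT statistics
  Packet.new(3.0, '198.51.100.30', 53000, '192.0.2.53', 53),
  # 192.0.2.10 -> 192.0.2.11: internal traffic, ignored
  Packet.new(3.5, '192.0.2.10', 1234, '192.0.2.11', 22)
].freeze

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE).each { |src, s| puts "#{src} #{s.inspect}" }
end
```

Note the two edge cases the sample exercises: a source is removed from the one-way table as soon as any site host sends it a packet, whatever the port, and a source seen only once has no IAT, so its group cannot be determined until a second packet arrives.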
Other iatmon pages
PAM 2012 paper
One-way traffic monitoring with iatmon. Provides background information, explains types and groups in more detail, and presents some results from measurements in San Diego in the first half of 2011.
SAN 2011 types
Stacked-bar plots of source types for all of 2011 (sources and Bytes)
SAN 2011 groups
Stacked-bar plots of source groups for all of 2011 (sources and Bytes)
iatmon is - for now anyway - intended to be installed and run from an ordinary (non-root) user account. The installation steps are:
- download the latest distribution tarball.
- Unpack the tarball file and change into the unpacked directory.
    tar zxf iatmon-x.y.z.tgz    # Unpack the tarball into the iatmon-x.y.z directory
    cd iatmon-x.y.z
- Read the README and INSTALL files carefully
- Run the configure script, then make.
    ./configure    # Build owt_conf.h, the 'features required' file
    make           # Build OWTmonitor.so
Now you can run iatmon.rb (in the iatmon-x.y.z directory)
iatmon consists of a Ruby outer block that uses OWTmonitor, a C extension module to read and process the trace packets. The C module passes information back to the Ruby outer block, which may - for example - write summary files at regular intervals.
C sources for the OWTmonitor module are in the owt-c directory; the owt-rb/owt-monitor.rb file provides a Ruby configuration interface for it. All the features of iatmon are configurable. Their values are set in the file owt-config.rb, which defines them as Ruby constants. Some example owt-config.rb files are provided in the owt-config directory; they have names of the form <hostname>.rb, i.e. <name of host running iatmon>.rb.
mk-owt-config.rb is called as the last processing step in ./configure. It chooses the configuration file in this order:
- if an owt-config.rb file already exists in the build directory, use it
- otherwise, if owt-config/<hostname>.rb exists, use that
- otherwise, create a new owt-config.rb file
Because an existing owt-config.rb always wins, a stale copy left over from an earlier build will be used in preference to the per-host file; remove or rename it if you want owt-config/<hostname>.rb to be picked up.
The owt-config.rb file is a Ruby source file, with comments explaining what each defined Constant is used for. You should examine it carefully, and edit it to suit your site requirements.
Feedback, bug reports, suggestions
Any user feedback - bug reports, suggestions for improvements, etc. - is welcome. Please email firstname.lastname@example.org or email@example.com