NeTraMet Version History
========================

v5.2  18 Jan 07
    Config files reworked to build on Mac OS X (10.4).
    A few compile warnings cleared up.

v5.1b20  4 Jul 06
    Added compile-time option to dump DNS response records > -Z bytes
    long to file specified by -G option.
    Caution: sets SNAPSIZE to 65535, which will increase libpcap
    memory/processing load!

v5.1b19  1 May 06
    Added 'wildcard' pcap tracefile names to meter's -i option, e.g.
        NeTraMet -i 'c/20060110/*' -i 'c/20060111/*'
    Up to four directory or filenames can have one or more '*'
    characters; NeTraMet searches the directory tree, writing a
    file_list.dat - a file listing the actual filenames, one per line.
    NeTraMet then reads all the files in sequence.

    fd_extract used a Bit8 field for attribute numbers; changed to
    Bit16 to handle current (much bigger) list of attributes.

v5.1b18  21 Apr 06
    NeTraMet equality test for adjacent addresses wasn't working;
    fixed by changing MAC_address from union to struct in pktsnap.h

v5.1b17  4 Apr 06
    Meter changes:

    libpcap: test whether source is a file, only call
    pcap_open_live() if it's not. That way you don't need su
    privilege to read a pcap file.

    Implemented -E flag to say "don't require req/response match"
    for DNS datagrams

    Implemented -Znnn flag to log DNS records > nnn bytes

    Set payload_len for UDP packets to
        wire length - encapsulation headers - IP header.
    UDPlen field in UDP header isn't always set correctly!

v5.1b16  27 Mar 06
    pkt_extract() now sets p_p->pktinfo_sz correctly for UDP packets,
    instead of always returning 0.

    Modified Makefiles so they don't try to build or use code in
    src/bgp (now badly out of date).

    Updated ./configure so it can handle amd64 machines properly.

    Fixed (Bit32)counts[] bug in bump_dist(). counts[] are 64-bit
    counters, so don't cast!

v5.1b15  16 Feb 06
    Added To/From DNSRecordSize attributes.

    Added 'G' NeTraMet option to specify name of file written by
    write_data(). Default is dns.log or stats.log, as before.

v5.1b14  18 Jan 05
    Wrote fix-c-date.rb; used it to update copyright dates in
    NeTraMet's files.

    Added simple.srl to the example rulesets.

v5.1b13  19 Dec 05
    New distribution: TurnaroundTime for DNS over TCP.

    Also rewrote / tidied up the code in actual_count() for
    packet-pair matching.

v5.1b12  3 Nov 05
    bug fixes for 5.1b11

v5.1b11  2 Nov 05
    make_distrib_list() did not allow you to save OAMdata for an OAM
    trigger flow, i.e. one with OAMident != 0. That restriction has
    been lifted, allowing you to collect OAMdata sub-records for a
    trigger flow, even if there were no other flows in that OAM group.

v5.1b10  22 Jul 05
    Implemented reading from a libpcap (BPF format) trace file. That
    required a re-work of much of the libpcap code, since reading from
    a file via pcap has different behaviour to reading from a live
    interface.

    #Statistics data (aps and mps) were incorrect for libpcap
    interfaces. That has been fixed.

    Bug in setLastTime(): code assumed that InactivityTimeout (s) and
    ic_LastTime (cs) were both in seconds. Result was that the
    InactivityTime was mostly being ignored (default 1.2s) - instead
    the actual inactive timeout was 2*meter reading interval. This has
    been fixed.

v5.1b9  15 May 05
    Changed locking scheme for dynamic distributions. We now lock them
    all with a single mutex, both when we update them in
    check_events() and when we read them in met_vars.c. That cures
    problems with rulesets having several *rate distributions getting
    different numbers of values in a single reading.

    Fixed code error in receive(), which decided whether an SNMP
    packet came from a -A address.

v5.1b8  22 Mar 05
    Added some options to limit SNMP access to NeTraMet meter.
        -B  binds SNMP server to localhost, i.e. only SNMP clients on
            localhost can reach it
        -A hostname
            specifies a client that the meter will accept SNMP
            requests from. You may specify up to 10 such clients. One
            of them may be localhost.
    Default (neither -B or -A is used) leaves the meter open for SNMP
    from any client anywhere!
    Note: -B overrides -A; don't try to use both options on the same
    command line!

v5.1b7  15 Mar 05
    Fixed bug in dynamic distributions. When converting list of actual
    values to histogram, set new bounds UpperLim by mistake for
    UpperLimit. That meant the fdf file has the upper limit specified
    in the ruleset, i.e. much too high.

12 Jan 05
    Changes to make NeTraMet configure/make properly on Mac OSX.
    Two problems at this stage:
    - don't know how to find amount of phys memory or nbr of
      processors
    - include file conflicts prevent Make for libbgp

v5.1b6  7 Jan 05
    Improved the libpcap implementation of NeTraMet. It can now read
    libpcap trace files as well as dag trace files.

    Improved NeTraMet's program structure for libpcap. Each interface
    is handled by a separate thread, input_merge() is run in a
    separate thread. The same structure is used for Dag interfaces in
    dd_ntm.

v5.1b5  16 Dec 04
    Implemented minstreampdus, (ltminstreampdus) and
    (ltminstreamoctets) attributes.

v5.1b4  21 Sep 04
    Changes to make NeTraMet configure/make properly on OpenBSD

v5.1b3  11 Aug 04
    Implemented 'min packets for stream' feature for NeTraMet.
    NeTraMet -K nn option tells meter it should not match a stream,
    i.e. find out which flow(s) it matches, until nn packets have been
    seen for that stream. This means that flows are only created for
    'large' streams, which is useful when you're collecting flows for
    usage accounting.

    NOTE: I'll implement an attribute which lets you specify
    MinStreamPDUs within a ruleset - that way you can have one ruleset
    which only counts big streams, and a second which just counts all
    packets. The difference in PDU/Octet counts will tell you how many
    PDUs/Octets were not matched into flows.

9 Aug 04
    When using Dag cards (dd_ntm meter), the meter's -l option was set
    by default, i.e. IP packet length was used for packet length. Now
    -l is set only when -g0 is used, i.e. for old ATM Dag cards, which
    couldn't report a packet's on-the-wire length.

8 Aug 04
    Change/bug fix for meter_ux.c: for Dag cards we used to set
    use_ip_length by default, now we don't (if you use Dag cards on an
    ATM link you need to set it using the -l option for dd_ntm).

    pkt_from_dag_record() was using ntohl() to get the wlen value for
    Ethernet Dag cards, corrected that, now it uses ntohs()!

6 Aug 04
    Bug fix for NeMaC: "bad attrib (-1)" message for formats with a
    trailing separator, then a space before the ; - e.g.
        ... ToBitRate ")" ;
    nmc_pars.c wasn't checking for ; when looking for the next
    attribute.

3 Aug 04
    Change to meter garbage collection: always run garbage_collect at
    2s intervals, set flows-to-test so as to test every flow twice
    during each meter reading interval. That allows the garbage
    collector to track peaks in the flow table, without doing lots of
    unnecessary testing.

2 Aug 04
    Implemented -Y meter option, specifies OAM timestamps will be in
    sysup time; default is Unix epoch timestamps. Did that by making
    microseconds() work in Unix time, provided routine to convert that
    to sysup TimeTicks for Stream/Flow FirstTime and LastTime.

30 Jun 04
    Rewrote command-line parsers for NeMaC and NeTraMet, using *ix
    getopt(), so as to provide better checking for missing parameters,
    etc.

27 May 04
    Bug fix for NeMaC: -M option wasn't working, it was using
    ms->meter_minPDUs, should be ms->ci_minPDUs! (meter_minPDUs only
    means that the meter implements this feature, whereas ci_minPDUs
    is the value from the command line.)

v5.1b2  26 Apr 04
    released

2 Feb 04
    Bug fix for dd_ntm: freebsd dag_offset was busy-waiting on reads,
    and next_dag_record() didn't check for 0 pkts read! It does now,
    and uses nanosleep(1.2ms) to wait before trying the read again.

v5.1  31 Jan 04
    released

5 Jan 04
    NeMaC now has new options, as follows:
        -z      Write gzipped flow data file
        -G FIS  Set Gzip flush interval (seconds).
                Default is to flush every 30 minutes
        -T      Write flow data to stdout (can't be a gzipped file)

    fd_filter now has new options, as follows:
        -z      Read gzipped flow (and trailer) files
        -Z      Write gzipped difference file
        -F DIF  Write difference file to file DIF

    ./configure tests for zlib; if it's not installed NeMaC will build
    and run properly, but the gzip-related features won't work.

    Large files (LFS, i.e. > 2 GB): NeMaC and fd_filter will read and
    write these, provided the host OS supports it. To do this we set
    the O_LARGEFILE flag (from Linux fcntl.h) when we open() a flow
    data file.

    Bug fixes for 5.0:
    - NetFlowMet didn't work; thanks to Paul Rolland for his
      meticulous bug reports.
    - dd_ntm crashed after ~1.5 days; improved locking of flow table
      to prevent conflict between match() and garbage_collect().

v5.0  8 Dec 03
    First release of NeTraMet++

v5.0b4  5 Dec 03
    Implement TotalStreams, TCPStreams, UDPStreams and TwoWayStreams
    attributes. These are simple counters for a flow.

    Fix bug revealed by TwoWayStreams: lookup_stream_helper() didn't
    always set the direction value (ow) correctly.

    Allow 'public' to be used as an SNMP write community name. If you
    start a meter with -wpublic, the meter sets -rPUBLIC.

v5.0b3  23 Nov 03
    Users need to set a sensible -t value when starting a meter. Use
    'S' at console to see how stream handling is going.

    Other small improvements:

    --help displays command-line options for NeTraMet, dd_ntm, NeMaC
    and nm_rc

    NeMaC and nm_rc use install default filename for the RTFM Meter
    MIB, i.e. /usr/local/share/NeTraMet/mibs

v5.0b2  30 Oct 03
    Fix bug in 'dynamic' distributions. In flowhash.c, failed to set
    pointer to distribution when copying first 100 data values back
    into bins. Result was to lose those values, or to write over
    memory causing meter to crash.

    Make NeMaC reset statistics for a meter only after reading the
    last of its rulesets to specify 'statistics;' Effect is that
    #Statistics records are consistent across rulesets.

v5.0b1  2 Aug 03
    Extended snmp handling in NeMaC et al to cope with SNMP PDUs
    greater than 1500 bytes. When nmc_snmp sees this, it splits the
    attribute list in two, and uses two SNMP reads to retrieve the
    flow data. This allows you to retrieve more distributions with
    greater number of bins. However, it does this by doubling the
    number of SNMP reads - be careful when reading large numbers of
    flows!

28 Jul 03
    Implemented packet/byte density and stream count distributions in
    stream lifetime space.

    Added code to handle MPLS shim(s), these are simply skipped over.

22 Jul 03
    Fixed bug in IPv6 packet decode. Wasn't handling next-headers
    properly, so didn't recognise packets with Destination Options
    headers.

v5.0b0  9 May 03
    Implemented stream-caching

    Implemented new interface attributes:
    - ObsInterface, to get one-way flows
    - PairInterface, synonym for SourceInterface, but allows stream
      caching. [Caution: use only when Interface is NOT used to define
      flows.]

v4.5b10  9 Jun 03

v4.5b9  21 Oct 02

v4.5b8  21 Oct 02
    fd_filter crashed when using a format with a \t separator
    following an address. get_value() in fd_parse.c now looks for
    space and \t as address delimiters. (Bug reported by Raymond
    Hughes)

    Implement -t option for fd_filter. Russell Fulton has re-written
    fd_filter, changing its structure so that it can 'tail' a flow
    data file. For example
        fd_filter -t filter.flt flows.fdf > flows.dif
    will watch the input flow data file (flows.fdf). Whenever NeMaC
    writes more records to that file, fd_filter will compute
    differences and write their records to its output file
    (flows.dif).

v4.5b7  13 Sep 02
    Implement VLANid, Priority and ECNCodeBits attributes. These get
    the following data:
        VLANid       802.1q VLAN-id   } Layer 2 802.1
        Priority     802.1p Priority  } tag (4 bytes)
        ECNCodeBits  RFC 3168, Explicit Congestion Notification for IP
    In SRL you can test (e.g. if VLANid = 7 ..) and you can save
    VLANid, Priority and ECNCodeBits.
    This provides three attributes relating to QoS: DSCodePoint,
    ECNCodeBits and Priority. Note that since these three attributes
    appear only once in a packet, they can't be used to determine the
    direction of a flow!

v4.5b6  26 Aug 02
    Rework thread implementation, make sure linked structures are
    properly locked while being modified!

    Implement two-way input merge in separate thread for libpcap
    NeTraMet. This is needed for the Gigabit Ethernet meter so that it
    can observe both directions of a link via two (receive-only)
    interfaces.

    Implement ECNbits attribute. This holds the value of the ECN field
    (RFC 3148) from the first packet seen by the meter for a flow.

    Implement STREAM_TO_FLOW compile-time option in NeTraMet. One can
    now set Parameter1 for a FlowTime distribution to a non-zero
    value, t. After one of the flow's streams has been active for t
    seconds, the meter will create a flow for it, and thereafter
    update its counters.

    Implement TCPStreamData attribute. This provides information about
    the RTT (as observed by TCP) for a single stream. It can be read
    for flows created by STREAM_TO_FLOW (see above).

    Clarification for the To/From InterarrivalTime distributions. If
    the packet-pair matching parameter (Parameter1) is zero, i.e. no
    pair matching was specified, interarrival times are measured for
    all packets in the flow. If Parameter1 is 7 (PP_OTHER)
    interarrival times are measured for each stream within the flow,
    producing a distribution of interarrival times for all the streams
    within the flow.

v4.5b5  13 Aug 02
    NeMaC wasn't setting ciTimeMark, so OAM never read any OAMdata
    from the meter. Now, unless 'standard' MIB use is requested
    (NeMaC -S), TimeMark and MinPDUs (non-standard attributes,
    implemented for nifty) are always set.

v4.5b4  3 Jul 02
    Fix fd_data.h bug, conflict between oamdata and d_tooctets
    attribute numbers. Changed to use int for attribute numbers
    instead of unsigned char; reflected this change wherever attribute
    numbers were used.

v4.5b3  2 Jul 02
    Implement OAM attributes [Suggested by Thomas Lindh]

30 Jun 02
    Improve NeTraMet garbage collector by walking along flow chains
    for each ruleset, rather than just doing linear passes through the
    flow table.

v4.5b2  29 Jun 02
    Make Source/Dest Interface 16-bit (it was 8), so that NetFlowMet
    works properly with interface numbers > 256. Interface numbers can
    be tested, saved, and can appear in format statements.
    [Patches provided by Hendrik Visage]

29 Jun 02
    Patches to SRL compiler to
    - Allow defines to have > 10000 characters
    - Allow *Mask attributes to be used in format and save statements
    [Fix for problem reported by Riaz Nadeem]

28 Jun 02
    Lots of miscellaneous fixes to correct glitches found by
    Compaq/Digital Unix cc compiler.

25 Jun 02
    Write ##fd_filter: header record. Output file now records which
    filter and input file were used when fd_filter was run.

10 Jun 02
    Change snmp apps snmptest, snmpbulkwalk, and snmpwalk to use -m to
    specify snmp port number (like NeTraMet and NeMaC) as a synonym
    for -p.

9 Jun 02
    Fixed srl compiler bug; optimise 3 wasn't checking that all terms
    in an OR tested the same attribute. Result was a false 'duplicated
    in OR group' message, and bad code emitted (some terms were not
    being tested for!).

4 Jun 02
    Fixed bug in asn_parse_int(). BER lengths between 128 and 255 gave
    an erroneous 'negative integer' error message, which appeared in
    NeMaC's log file as 'unparsable snmp PDU'.

3 Jun 02
    active_flows() is called from one_second_process(). It scanned the
    flow table counting active flows. Changed so that recoverable_flow
    counters are kept for each ruleset. They're counted during flow
    data collection, and decremented by garbage_collect(). This
    greatly reduced the percentage of processor time spent in
    active_flows().

v4.5b1  2 Jun 02
    Multi-threaded meters. NeTraMet and dd_ntm can now be
    multithreaded. Both use separate threads for outer block (snmp
    request handling), packet matching and packet counting.
    dd_ntm runs a fourth thread to merge packets input from dag cards.

    I've used the Posix Threads semaphore library written by Tom
    Wagner (wagner@cs.umass.edu), see
        http://centaurus.cs.umass.edu/~wagner/threads_html/tutorial.html

    To create threaded meters, specify -DMULTI in the meter Makefile.
    Note that a multi-threaded dd_ntm can't read a Dag trace file; you
    have to use a single-thread dd_ntm for that.

1 Jun 02
    Changed log_msg() in nmc_pars.c to add trailing \n to message text
    (i.e. same as in met_vars.c). Changed log_msg() calls in libsnmp
    and manager programs to remove trailing \ns.

27 May 02
    NeMaC wasn't recovering when a meter restarted. Changed nmc_snmp
    and nmc so that
    - failure to set reader LastTime doesn't clear write_OK for that
      meter
    - when NeMaC fails to set reader LastTime, it zeroes reader and
      ruleset indices while calling meter_info().
    These changes allow NeMaC to detect a restarted meter (download
    rulesets, start new readers), as distinct from an SNMP
    reachability failure (keep using current/standby
    readers/rulesets).

7 Mar 02
    Added LastActiveTime attribute to srl, NeMaC and fd_filter, as a
    synonym for LastTime. RFCs 2720, 2722 and 2723 all refer to this
    attribute as LastActiveTime!

    Add -M option to NeTraMet et al.
        -M /home/nevil/xxx.log
    specifies the filename for NeTraMet's log file (introduced in
    44b9).

v4.4  20 Feb 02
    SNMP security issues. I've tested NeTraMet's SNMP code using the
    PROTOS test suite. A test for negative lengths in the ASN.1
    parsing code has been added - that was the only change needed.

    The SNMP routines (in snmplib/) perform a lot of parameter checks,
    and call on an ERROR() define. By default ERROR does nothing. If
    you're testing an SNMP manager against NeTraMet, you can turn
    those messages on by adding -DDEBUG to the CFLAGS= line in
    snmplib/Makefile and rebuilding the snmp library.

    Change 'interface number' attributes to use 16-bit integers
    instead of 8-bit. This can be useful when using NetFlowMet.

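Added example (not NeTraMet or snmplib code): the 4 Jun 02 asn_parse_int() fix and the v4.4 negative-length test above both concern BER length decoding. This C code shows one way a length of 128 to 255 can turn negative (an assumption, since the page does not state the cause) next to a decoder that bounds-checks the length; all function and enum names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for ber_read_length() (hypothetical names). */
enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED = -1,   /* input ends inside the length field */
    BER_INDEFINITE = -2,  /* 0x80: indefinite form, rejected here */
    BER_TOO_LARGE = -3,   /* more length octets than this decoder accepts */
    BER_OVERRUN = -4      /* declared length exceeds the remaining input */
};

/*
 * Decode the BER length field at buf[0..avail).
 * On BER_OK, *len is the content length and *used is the number of
 * octets the length field itself occupied.
 */
static int ber_read_length(const uint8_t *buf, size_t avail,
                           size_t *len, size_t *used)
{
    if (avail < 1)
        return BER_TRUNCATED;

    uint8_t first = buf[0];
    if ((first & 0x80) == 0) {
        /* Short form: one octet holding 0..127. */
        *len = first;
        *used = 1;
    } else {
        /* Long form: low 7 bits give the count of length octets. */
        size_t n = first & 0x7f;
        if (n == 0)
            return BER_INDEFINITE;
        if (n > 4)
            return BER_TOO_LARGE;
        if (avail < 1 + n)
            return BER_TRUNCATED;

        size_t v = 0;
        for (size_t i = 0; i < n; i++)
            v = (v << 8) | buf[1 + i];   /* unsigned octets: no sign extension */
        *len = v;
        *used = 1 + n;
    }

    /* The length is attacker-controlled; never trust it past the buffer. */
    if (*len > avail - *used)
        return BER_OVERRUN;
    return BER_OK;
}

/*
 * Flawed reading of the one-octet long form (0x81 nn): fetching nn
 * through a signed char sign-extends every value from 0x80 to 0xFF,
 * so lengths 128..255 come out negative.
 */
static long flawed_length_0x81(const signed char *buf)
{
    return buf[1];
}

int main(void)
{
    /* Constructed sample: length field 0x81 0xC8 (200) plus 200 content octets. */
    uint8_t msg[202] = { 0x81, 0xC8 };
    size_t len = 0, used = 0;

    int rc = ber_read_length(msg, sizeof msg, &len, &used);
    printf("checked decoder: rc=%d len=%zu used=%zu\n", rc, len, used);
    printf("signed-char read: %ld\n",
           flawed_length_0x81((const signed char *)msg));

    /* Same length field with the content missing must be refused. */
    rc = ber_read_length(msg, 2, &len, &used);
    printf("content missing: rc=%d\n", rc);
    return 0;
}
```
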
v4.4b11  25 Nov 01
    Implement -C option for nm_rc, exactly as in NeMaC. This allows
    you to use nm_rc to test rulesets against trace files being read
    by crl_ntm or dd_ntm. Sample commands to do this are:
        ./crl_ntm -T5 -m1234 -Strace_file -wW~com
        ./nm_rc -C -m1234 -rpeers.rules localhost W~com
    Note: you need CoralReef version 3.5 to build crl_ntm!

    Speed improvements in flowhash:
    - move code which doesn't need to be executed on every call
      outside blocks in match()
    - implement list of running rulesets, instead of doing serial
      searches of ri[] table
    - use 32-bit hash values for flow and stream hash tables, use
      table size specified by user (rather than trying to pick a prime
      above it - that doesn't help, since we use a set of distinct
      primes for hashing)

    Use long long integers (8 bytes) for counter64 if the host
    supports them. Newer Pentiums do, this provides a useful speedup.

    Change 'shutdown' request character. It was a single ESC, but it's
    too easy to hit a key which sends an escape sequence! Now you have
    to type ESC ESC Return to shut down the meter.

    Fix little problems which gave warning messages when building
    NeTraMet on an alpha running Digital Unix. The configure script
    wasn't recognising the OS correctly; this didn't cause problems
    because none of the programs have defines testing this any more.
    MinPDUs gave compilation errors on alpha, fixed by adding
    c64geint() define.

    Linux kernel reset promiscuous mode when forking a NeTraMet
    daemon. Changed meter_ux.c to fork first, then open the
    interfaces.

    NeTraMet, NetFlowMet, LfapMet, crl_ntm, dd_ntm (i.e. all the
    meters) write error messages and summary information to a log file
    using log_msg(), in the same way as NeMaC. The name of the log
    file is meter.log, it will be written in the directory where the
    meter starts running.

v4.4b10  23 May 01
    LfapMet: RTFM meter for LFAP, code contributed by Remco Poortinga.
    Added files in src/meter
    - README_LfapMet  Notes about LfapMet
    - lfapmet.h       LfapMet globals
    - lfapmet.c       LfapMet support routines

    Added two new MIB variables to reader row, MinPDUs (default 0) and
    TimeMark. A flow must have at least MinPDUs either to or from
    before it will be read by a meter reader. TimeMark is needed to
    associate an SNMP getnext request with a particular reader.
    MinPDUs can be set using the -M option. nifty default is -M20,
    NeMaC default is -M0

    Improved save.sav so that it only saves the files we really need
    in the NeTraMet distribution.

v4.4b9  11 Apr 01
    Fixed bug in NeMaC include statement. getarg() no longer allows
    semicolon in an argument.

    Fixed srl compiler bug; optimise 3 wasn't recognising the end of
    AND expressions properly.

    NeMaC could fail to open a flow data file (e.g. because it already
    existed with no write access); it now reports this and doesn't try
    to run that meter/ruleset.

    NeTraMet Coral interface improved to handle two Dag cards
    properly. Reads blocks of cells from each then merges them by
    timestamp. NeTraMet uses -Siii to specify a Coral source (instead
    of -C'source iii' *****).

v4.4b8  8 Aug 00
    Fixed bug in fd_extract.c; needed to use attr_ix[a] when listing
    column info.

    Modified nmc_snmp so as to report (via log file) size of "only one
    package" SNMP PDUs. This required adding pdu_len to both snmp_pdu
    and internal_snmp_pdu in snmplib.

    srl compiler was warning when user redefined a well-known port,
    but ignored the new definition. This has been fixed, the new
    definition is used instead of the default well-known port number.

    Corrected ntm_conf.hin file so that it has ALL the defines tested
    for by configure.in. It was missing several, including
    WORDS_BIGENDIAN.

    Changed configure.in to improve matching of operating system name
    when setting the OS define.

    Fixed bug which prevented rate distributions from being collected
    (this worked properly in 4.3).
    A test that an event (to which the distribution could be linked)
    existed was wrongly implemented.

    Fixed bug reported by Dylan Hall, 31 May 00. NeTraMet -l option
    wasn't working because pp.p_len was being overwritten.

    Deimplemented TCP_ATR define. TCP attributes are now implemented
    as part of the new attributes, controlled by #define NEW_ATR.

v4.4b7  22 May 00
    Increased size of symbol and label tables in srl compiler, to
    allow compiling of *much* bigger programs.
    [Bug report and patches supplied by Carsten Schmoll, 15 Mar 00]

    fd_filter now allows != as well as == operators in tag
    descriptions. This allows you to create a tag for bidirectional
    flows, e.g.
        tag 3 ToPDUS != 0, FromPDUs != 0;

    The srl compiler now allows Ruleset names to be identifiers, not
    just integers, e.g.
        set my_big_ruleset;
    Ruleset names must be <= 16 characters long.

    A CoralReef version of the meter, crl_ntm, has been implemented.
    You can use crl_ntm to analyse CoralReef or tcpdump trace files.
    crl_ntm has three new command-line options:
        -C'source fn'  Tells meter to read file fn
        -T sss         Specifies the NeMaC sample interval
                       (default 10 seconds)
        -N nnn         Specifies the number of intervals
                       (default 0, i.e. process whole file)
    NeMaC has a new command-line option too:
        -C             Tells NeMaC that this meter is running from a
                       CoralReef trace file

v4.4b6  22 Feb 00
    Change to using autoconf Configuration Header File. The ntm_conf.h
    file (in the base directory) is now included by all the source
    programs. It contains all the options detected by autoconfigure,
    together with some defines giving NeTraMet's version number. One
    advantage of this is that there is a lot less text displayed while
    making NeTraMet.

    When NeMaC is shut down gracefully (by a SIGTERM or SIGINT) it
    will now collect the flow data gathered since the last collection
    for all the meters it is controlling.
    [This change was suggested by Robert Strycharczuk, 10 Feb 00]

    NeTraMet (on Unix and Cygwin32) has been extended so as to handle
    PPP interfaces.
    PPP flows are assumed to be IPv4 (the most likely possibility),
    they have AdjacentType AT_PPP (i.e. 23) and AdjacentAddresses 0.
    [This change was suggested by Gerald Richter, 10 Dec 99]

    When displaying domain names instead of IP addresses, nifty may
    have to wait a long time for the DNS response. It now displays a
    'cross-hair' cursor while waiting on DNS.

    nifty.srl has been modified to plot diamonds instead of pluses for
    multicast flows.

    Port NeTraMet to MS Windows, using the Cygwin32 environment and
    WinDump's BPF drivers
    - ported libpcap to cygnus+windump
    - changes to meter_ux for CYGWIN32 (can't assume that pcap files
      work with select)
    - changes to snmpapi.c and snmpclnt.c (Cygwin32 doesn't have
      `timerset' defines)

v4.4b5  12 Jan 00
    Allow fd_filter to have character constants in tag specifications,
    e.g. DestKind = 'F';

    Fix bugs relating to ASNs looked up using OCX_BGP (i.e. in a
    bgp.txt file). These were
    - Lookup wasn't being done if DestASN was saved but not SourceASN
    - S/D ASN attributes weren't being set to zero if the IP Address
      lookup failed (i.e. when we couldn't find its ASN).

    Correct Makefile.in files to set GF variable (it was $GF by
    mistake).

v4.4b4  16 Nov 99
    Update mib.txt to use RFC2720 version.

    Add support for NetBSD on Alpha:
    * Use XtPointer in nifty source, cast to IntFromPtr when values
      are used
    * Set __unix__ = !defined(DOS) in btypes/types.h
    * Use POINTER_DATATYPE instead of Bit32 for subnet pointer
      arithmetic in integrat/subnetd.h
    * Cast bytes to counter64 in getcounter64() in manager/nmc_snmp.c
    * Recognise NetBSD in configure.in
    * Change source to use !defined(DOS) instead of defined(__unix__)

v4.3  30 Sep 99
    Added a GFLAG variable to the configure.in script and the
    Makefiles. By default this is null. Set it to -g to build
    executables which have symbolic information for debugging.

    Replaced mib/mib.txt with a new version, using the 'Proposed
    Standard' RTFM Meter MIB.

    Added config support for Alpha (Tru64 Unix) systems.
    This corrects several bugs introduced since 4.2; they only showed
    up on a 64-bit machine.
    * The Tru64 C compiler is much more 'picky' than gcc! Cleaned up
      the source so as to get rid of warning messages
    * Change snmp library so as to use Int32 for ASN.1 INTEGERs and
      Bit32 for TIMESTAMPs. The original CMU code used 'unsigned long'
      for both. Made corresponding changes to the meter and manager
      programs.

    NeTraMet and NeMaC as daemons: -D option
    * NeMaC
      ./NeMaC -D runs NeMaC in its own Unix session
    * NeTraMet
      ./NeTraMet -D and ./NetFlowMet -D runs the Unix and NetFlow
      meters in their own Unix session. Before doing so it disables
      the screen and keyboard, so -k -s are implied by -D.
      CAUTION: -d turns on diagnostic dumps of the SNMP packets. Don't
      set this by mistake for -D!

    Implemented command-line defines for srl. For example
        ./srl -DW=16 "-Dext = DestPeerAddress/24" xxx.srl
    defines w to be 16, and EXT to be DestPeerAddress/24. Note the
    quotes around the second define; they are required if the define
    text contains blanks.

    Modified NeMaC ruleset parser to skip dots and digits at the end
    of addresses. This allows it to download rulesets produced by an
    srl compiler compiled with the V6 option set even if NeMaC was
    compiled with the V6 option not set.

v4.3b10  26 May 99
    Support for IPv6
    * Controlled by V6 option in the source files. To enable this:
      a) If you run autoconf to build the Makefiles change
             AC_DEFINE(V6, 0)  to  AC_DEFINE(V6, 1)
         before running autoconf
      b) Otherwise, in the configure script change
             #define V6 0  to  #define V6 1
         before running ./configure
    * The SRL compiler allows V6 addresses, as specified in RFC 2373.
      Although v6 addresses have a fairly simple form, it's easy to
      get it wrong. The compiler tries very hard to produce helpful
      error messages for them.
    * The NeTraMet meter handles v6 packets, returning them to the
      manager with SourcePeerType = IPv6 (IP and IPv4 are synonyms for
      IP version 4)
    * The managers (NeMaC, nm_rc and nifty) display IPv6 addresses as
      per RFC 2373.
    * fd_util and fd_extract handle IPv6 addresses properly.

    Other changes
    * SRL compiler will allow redefinition of 'built-ins,' i.e.
      well-known ports, address families and transport types. A
      warning is given telling the user what was declared.
    * Lots of bugs fixed in SRL compiler handling of syntax errors.
      These either crashed the compiler or sent it into infinite loops
      while reading the source program.

v4.3b9  16 Feb 99
    * The distribution file now has TCP_ATR set by default, so that
      the TCP-based attributes are available for use. So as to
      minimise the meter default memory requirements, several new
      memory-allocation command-line options have been implemented.
      The complete set of these is now:
          -f fff  Max of fff flows
          -u rrr  Max of rrr rules
          -b bbb  Max of bbb TCP flows       <<< NEW
          -t ttt  Max of ttt TCP streams     <<< NEW
          -v ddd  Max of ddd distributions   <<< NEW
          -e eee  Max of eee distrib events  <<< NEW
    * Implement ASN lookup in NeTraMet meter. This uses Joel
      Apisdorf's bgp code from OCxMON. The src/meter Makefile contains
      variable USE_OCX_BGP, which is commented out by default.
      Uncomment it, and make will include ASN lookup in the meter. To
      use it:
      a) Set the environment variable DEFAULT_AS (I set it to my own
         AS number)
      b) The meter starts up by reading a file, bgp.txt. You can
         create this file for your own network using SHOW IP BGP on a
         Cisco router. NOTE: a full bgp routing table will take 5 to
         10 MB of memory space on the meter.
      c) By default the meter looks up 'next-hop' ASNs, i.e. the ASN
         the router would send packets to. The command-line option -o
         will look up 'owner' ASNs instead.

v4.3b8  4 Feb 99
    * Implement distribution-valued attributes in fd_filter
    * Fix memory management problems for TCP subflows in meter.
      Implement TCP-related distribution attributes in meter, NeMaC,
      fd_filter and srl.

v4.3b7  8 Jan 99
    * Implement TCPdata attribute in fd_filter
    * Fix NEW_ATR vs TCP_ATR bugs in meter_ux.c and nf_fwd.c

v4.3b6  23 Dec 98
    * Fix bugs concerned with intermixing of NEW_ATR and TCP_ATR

v4.3b5  26 Nov 98
    * Fix bug in SRL compiler, which wasn't distinguishing between
          save sourcetransaddress;
      and
          save sourcetransaddress = 0;

v4.3b4  25 Nov 98
    * Fix endian problems in netFlowMet, reported by Kevin Hoadley.

v4.3b3  16 Nov 98
    * Set up new CVS repository to make it easier for co-developers to
      submit code changes / suggestions.

v4.3b2  12 Nov 98
    * Autoconfigure changed to test for Motif, since nifty requires
      Motif as well as X.
    * Support for FreeBSD: changed source files so as not to include
      malloc.h on systems which don't have it!
    * Documentation error for NeMaC. Command line option -P specifies
      open-append-close behaviour for the >>log<< files only. It was
      previously documented (see below) as doing this for flow data
      files only.

v4.3b1  23 Oct 98
    Changes contributed by Nicolai Guba (BT Labs) ..
    * Command-line help is displayed if no options are specified for
          NeMaC, nm_rc
          NeTraMet (Unix meters, not PC meters)
          NetFlowMet
    * -b mmm command-line option
      Tells NeMaC and nm_rc to read the mib from file mmm.
    * The NeTraMet distribution file, and the way you install NeTraMet
      on a host has been changed to make it more like the GNU
      programs. The executable files are no longer in separate
      directories. Instead (by default) they are built in the src/
      directories. To install NeTraMet into directory xyz you can
      simply
          ./configure
          make install

    OCxMON meter improvements ..
    The NeTraMet meter now allocates as much of its memory as possible
    when it starts up, so as to minimise allocation overhead. Space
    for rulesets is allocated at startup, with a default maximum of
    2000 rules total for all rulesets.
    * New meter command-line option:
          -u nnnn  allocates space for a maximum of nnnn rules

v4.2.2  16 Nov 98
    * Correct bug in nmc.h (inconsistency introduced when
      de-implementing 'detail' as synonym for 'trans' in attribute
      names). This caused NeMaC and friends to crash

v4.2.1  2 Oct 98
    Patch release ..
    * NeMaC crashed with Owner names longer than six characters. This
      was because SET_STRING only ever allocated RULE_ADDR_LEN chars!
    * SRL programs which start with an imperative statement now start
      with a GotoAct, Next rule. Without this they don't work!
    * fd_extract and fd_util now handle 64-bit counter attributes
      (e.g. topdus) properly. 'Editorial' improvements have been made
      to the fd_util manual.
    * A memory leak has been fixed in the SNMP snmpapi.c. Error
      logging has been added for snmp error/info/debug messages; these
      now go through log_msg(), as used for other NeMaC errors.

v4.2  5 Aug 98
    * The distribution file has been changed so that it no longer has
      subdirectories for the various operating systems. The best way
      to install NeTraMet is to use autoconfig; see the INSTALL file
      in the autoconf/ directory.
    * The 'os-specific' directories are no longer included in the
      distribution file. Users must build the version they need using
      configure in the autoconfig directory.

    SRL Compiler
    * The program srl is an optimising compiler for SRL, the Simple
      Ruleset Language. SRL is documented in an Internet Draft,
      available from the NeTraMet and RTFM home page.
          srl [options] source
      compiles the file 'source', producing a rules file ready to be
      used by NeMaC. Source files will normally end with .srl and
      rules files with .rules. For example
          srl test-prog.srl
      produces test-prog.rules.

      Compiler options:
          -l    List source program
          -s    Syntax check only
          -ann  'Assembler output' level N
                  nn=0, rules in numeric form only. nnn Requires
                        NeMaC v4.2.
                  nn=1, attributes and actions given as words.
                        This is the default.
                  nn=2, as for nn=1, but don't delete intermediate
                        files.
          -Onn  Optimisation level.
               nn=0, no optimisation at all.
               nn=1, peephole optimising to delete redundant rules
                     from intermediate files. This is the default.
               nn=2, optimise tests by mask length within
                     expressions (shortest masks first, after
                     allowing for overlapping addresses/masks).
               nn=3, as for nn=2, but optimise expression between
                     if clauses and between statements.

  * srl extends the language (as described in the Internet Draft)
    by adding a number of extra statements:

      include fffff ;
        Will read all the text from file fffff. includes may be
        nested (i.e. an include file may include other files). srl
        looks for the file in the same directory as the source file.

      optimise nn ;
      optimise * ;
      optimise ;
        Allows you to change the optimisation level as required for
        different parts of your program. optimise ; resets the level
        to the value specified on the command line. optimise * ; is
        used to indicate breaks between optimised expression groups.

      set nn ;
      format aaa .. aaa ;
      statistics ;
        These three statements are passed on (via the output file)
        to NeMaC. String constants in a format (specifying
        separators in flow data files) may include C-style constants
        (introduced with a \).

  * A collection of SRL programs is provided in the examples/srl
    directory.

v4.2b5  11 Jun 98

  * Fix bug in getting reader_name. This prevented NeMaC et al from
    reading any flows from the meter!
  * Use riFlowRecords instead of msNbrFlows for ms->NbrFlows. This
    means that nifty will display only the total flow for its
    current ruleset; it used to display the total number of flows
    for all rulesets.

v4.2b4  3 Jun 98

  * Use LastTime instead of sysUptime to get meter time in NeMaC,
    nm_rc and nifty.
  * Fix bugs in SNMP library which caused early timeout of some SNMP
    packets.

v4.2b3  22 May 98

  * Implement better hashing algorithm for flow table and rulesets.
    Multiplies bytes of peer and trans addresses by small primes,
    and uses larger primes as the size of the various hash tables.
  * Fix sundry bugs revealed in beta testing.
v4.2b2  11 May 98

  NetFlowMet (NeTraMet + NetFlow = NetFlowMet):

  * A new version of the meter has been added to the distribution.
    This takes NetFlow data from a Cisco Router (I've tested it
    using a 7200) and uses this to build the flow table.

    To start NetFlow on a router (in brief):
      - start NetFlow on each interface
          [no] ip route-cache flow
      - start exporting the NetFlow data
          [no] ip flow-export
        is the address of your NetFlowMet meter, is the port
        NetFlowMet will use to receive the data.

    You may specify the UDP port number by using the -i pppp option
    on NetFlowMet's command line. If no -i option appears, port 9996
    is used. You may specify up to four port numbers by giving a
    list of -i options, e.g.
      -i 12001 -i 12002 -i12003
    would listen for NetFlow data on UDP ports 12001, 12002 and
    12003.

    NetFlowMet provides five new attributes which can be used in
    rulesets:

    + MeterId (8 bits, mask 255)
      Index in -i option list, e.g. port 12002 above would produce
      flows with MeterID = 2.
    + SourceASN, DestASN (16 bits, mask 255.255)
      Autonomous System Numbers for source and destination networks.
      These may be "Origin" or "Peer" ASNs; you must specify which
      when you start flow export from the router.
    + SourcePrefix, DestPrefix (8 bits, mask 255)
      Mask length for source and destination IP addresses (i.e.
      SourcePeerAddress and DestPeerAddress).

  Changes in downloading rules:

    + A hashed search is used when translating rulesets. This should
      speed up the translation process by a factor of 10x to 20x
      (NeMaC).
    + Rules are now downloaded 10 at a time. This dramatically
      reduces the time taken to download rulesets (NeMaC).
    + A meter bug which prevented downloading of rulesets with more
      than 32767 rules has been fixed (NeTraMet).

  Changes to NeTraMet:

    + When grabbing the value of an attribute from a packet header,
      NeTraMet didn't check that enough bytes were read. This could
      have caused problems with TCP packets with lots of IP options.
      NeTraMet now checks the data is there before grabbing values
      from it. If it's not, zero is used instead.

  Changes to NeMaC:

    + When NeMaC is shut down gracefully (by a SIGTERM or SIGINT
      signal) it now shuts down the tasks it is running on all its
      meters. It used to leave them running, which matched what
      happened with v3 meters and managers.
    + #EndData record added at end of every sample in flow data
      files. This allows real-time processing of flow data - without
      this one had to wait until the next sample started.
    + The Unix SIGUSR1 signal is used to indicate that NeMaC should
      start a new flow data file. This provides an alternative to
      using a 'flag' file to do this.
    + The Unix SIGUSR2 signal is used to switch testing on and off.
    + New command line option: -Y logname tells NeMaC to send log
      messages to syslog.
        Specifying -L logname writes the log to the file 'logname'.
        Specifying -Y logname writes log messages to syslog, with
        'logname' as the identifying program name within syslog.
      You may specify both -Y and -L; this writes the messages to
      both places. If no logging is specified, the log will be
      written to a NeMaC.log.nnn file, as usual.
      If you wish to use the -Y option, you must modify the Makefile
      (probably autoconf\manager\Makefile.in) to define the variable
      LOG_LOCAL.
    + Changed behaviour when a meter fails to respond to NeMaC's
      attempt to start it. NeMaC used to ignore such meters; now it
      polls them and will download rules when they restart.
    + Fewer messages for 'normal' running. Set the 'verbose' option
      (-v) if you still wish to see messages like 'xxx rules
      downloaded'
    + Fixed 'file handle leak' bug, which used to cause NeMaC to
      crash after many attempts to contact a non-responding meter.

v4.1  24 Nov 97

  Production release 4.1

  * Documentation files are now in PDF format on the NeTraMet home
    page, i.e. http://www.auckland.ac.nz/net/Accounting
  * The PC executable files have been separated out from the
    'distribution' file.
    They're in the file ntm41-pc.zip.

v4.1b15  22 Sep 97

  * Use WORDS_BIGENDIAN and SIZEOF_LONG defines to implement native
    Alpha code for get and put of 64bit counters. Use autoconfig to
    build this if you want to try it (see below).

v4.1b14  9 Sep 97

  * Fix 'endian' bug in nmc_c64.c (which produced impossibly big
    counts in flow data files when running NeMaC on linux). These
    changes were implemented using the WORDS_BIGENDIAN define in
    autoconfigure. The recommended method of building NeTraMet is to
    use autoconfig; see the INSTALL file in the autoconf/ directory.
  * Fix ASN1 OID encoding bug. Symptoms were that the NeTraMet meter
    would run normally for about 30 days, then start sending back
    flow data packages for flows which hadn't been active.
  * Change PC meter to initialise uptime counter before starting
    packet drivers.

v4.1b13  17 Jul 97

  * Owner names for NeMaC, nm_rc and nifty
    A new parameter, the 'owner name', has been added for these
    programs. It is an alphameric identifier, up to 16 chars long.
    The owner name is used to identify rulesets, manager tasks and
    meter readers in the meter control tables; this is necessary
    when the meter is running more than one rule set. The owner name
    follows the write community name on the command line or config
    file line.
  * #Ruleset records in flow data files:
    RuleSet numbers in flow data file records no longer refer
    directly to the SET number as they did in v3. Instead they refer
    to a ruleset's row in the meter RuleInfo Table. The flow data
    file includes a new # record to indicate the SET number for
    RuleInfo rows. Their format is as follows:

      #Ruleset: x setname rfname owner

        x        is the RuleSet number, as it appears in the flow
                 data records
        setname  is the name from the SET statement (for v3 AND V4.1
                 this is an integer)
        rfname   is the name of the rule file
        owner    is the owner name for this ruleset

v4.1b10  30 Jun 97

  * New manager option: -E nn
    Specifies the timeout (in seconds) for reader rows. If
    collections stop (e.g.
    because a manager has failed), the meter will delete the row
    after this time. The default is 0, i.e. the row will never time
    out.
  * Change to manager option: -h pp
    Specifies HighWaterMark for a manager task. In v3 the meter
    default was 65 (percent). In v4.1 the default is 0 (no test for
    high water).
  * MatchingStoD attribute:
    The attribute 'matchingStoD' is set by the Packet Matching
    Engine. Its value is 1 if the packet is being matched with its
    address attributes in 'StoD' order, (i.e. as they appear 'on the
    wire'), and 0 if the packet is being matched with its addresses
    swapped. See RFC 2063 for a detailed description of packet
    matching.
  * NeMaC keywords:
    'nomatch' is now a synonym for 'retry.' This name was discussed
    at the Montreal RTFM WG session, and is used in the ruleset
    examples given in RFC 2123, "Experiences with NeTraMet."

v4.1b4  22 May 97

  SNMPv2, 32-bit PC meter

  * NeTraMet and its manager/readers (NeMaC, nm_rc, nm_st and nifty)
    all use SNMPv2 instead of SNMPv1. They now implement the Meter
    MIB of RFC2064 (and the newer RTFM Internet Draft which updates
    it). The most significant effects of this are: v4 meters can run
    multiple rulesets simultaneously, and 64-bit counters are used
    for packet and byte counters.
  * v4 managers will work properly with v3 meters. v3 managers,
    however, will NOT work with v4 meters. To change to using v4 you
    should change your managers first, then your meters.
  * There are two changes to the format of flow data file records:
      Dates now use four digits for the year (1997 instead of 97)
      The integer values used for PeerTypes have changed.
    You should not be affected by this unless you have analysis
    applications which use PeerTypes to distinguish flows.
  * The 32-bit version of the PC meter uses all available memory.
    16 MB of memory should allow it to handle a table of 100,000
    flows or more. The readme.txt file in the ntm41-b4.zip file
    gives detailed setup instructions.
  New options in Meters (PC and Unix):

      -m pp   specifies the IP port number to use for SNMP.
              Default is 161
      -l      specifies that meter should use the length field from
              IP headers for the number of bytes in IP packets.
              Default is to use the MAC (hardware) packet size.

v3.5  6 Sep 96

  Multiple ethernets for the PC meter:

  * The PC meter (netramet.exe) can now handle up to four
    interfaces. New command line options allow you to specify the
    interfaces, as follows ..

      -i nn   specifies that the packet driver using software
              interface nn (decimal) is to be metered.
              e.g. -i96 would meter interrupt 0x60
      -h nn   as above, except that if you have a packet driver
              which implements the 'high-performance' driver
              specification, NeTraMet will take advantage of it.
      -I nn   as above, except that no metering will be performed on
              this interface, instead it will be used only for IP
              packets to or from the meter.

    If no interface is specified as 'IP only,' the first interface
    appearing as a -i or -h option will be used as the meter's IP
    interface.

v3.4  8 Aug 96

  nifty: an X/Motif 'flow analyser' program

  * Presented to RTFM WG at the Montreal IETF as 'NetFlow,' renamed
    to avoid confusion with Cisco's 'Net Flow Switching.'

  Changes to NeTraMet:

  * NeTraMet can monitor up to four interfaces instead of only one.
    Specify this with a -i option for each one, e.g.
      NeTraMet -inf0 -ile0 -wPASSWORD
  * Meter performance statistics have been implemented for the Unix
    meter. In particular, aps and mps give average and maximum
    packets per second, while api and mpi give average and minimum
    processor idle time percentage for one-second intervals.
  * NeTraMet has been restructured so as to simplify the code for
    packet matching.

  Make files for aix added.

  * libpcap (current version) isn't implemented for aix, so you
    can't (yet) build an aix meter. NeMaC, nifty, etc work properly.
  Known problems:

  * If you start NeMaC with write access to a meter, and NeMaC is
    already running on the same host with write access to the same
    meter, the meter gets confused. In this situation neither copy
    of NeMaC manages to read sensible flow data from the meter.
    Detour: before you start NeMaC, make sure it isn't already
    running.
    Cure: this will be addressed in version 4.1. 4.1 will implement
    the updated meter MIB as set out in the current Internet Draft.

  Bug fixes:

  * Time for next collection may have already passed, e.g. because
    of network transit delays in collecting flow data from many
    meters. NeMaC will not attempt to make such 'missed'
    collections.
  * NeMaC now displays (and logs) the meter name correctly when it
    fails to establish contact when starting a meter, and when it
    loses or regains contact with a running meter.
  * NeMaC could create invalid flow data files if it failed to start
    a meter properly, or if an active flow data file was deleted.
    This has been corrected.

V3.3  8 Nov 95

  nm_rc: a remote console for NeTraMet

  * nm_rc (in the /manager/ directory) combines NeMaC and fd_filter
    to provide a simple display of 'live' flow data from a single
    meter sorted into traffic order, busiest flows first. (Briefly
    described in doc/NeTraMet/rc-man.txt; a 'proper' manual will be
    ready real soon now).

  New example rule files (in examples/ directory)

  * rules.two-adj-routers: Meters traffic through and between two
    routers, specified by their adjacent (Ethernet) addresses.
  * rules.two-ip-groups: Meters traffic through and between two
    groups of IP networks, specified in a subroutine by their peer
    (IP) network numbers.
  * rules.rc.pr+bc: Classifies traffic by protocol, and looks at
    Ethernet broadcast packets in detail.
  * rules.rc.ports: Classifies IP, IPX and EtherTalk traffic by
    port.
  * rules.rc.ip: Classifies IP traffic by IP address and port.
  * rules.rc.ipx: Classifies IPX traffic by IPX address and port.

  New options for NeMaC:

  * -x  Don't write anything to the meter.
    Use this if you use a second copy of NeMaC (or nm_rc) to collect
    from a single meter. Allowing two collectors to write allows
    meter to recover flows after they've been collected by only one
    of the two meters.
  * -P  For each collection flow data files will be opened, flow
    data appended to them, then they will be closed. If you move or
    rename a closed data file a new one (with the old name) will be
    created by the next collection. This is an alternative to using
    the old 'flag file' method.
  * -p  Open-append-close to NeMaC's log file as well as to flow
    data files. Superset of -P
  * -F name  Specifies name of flow data file.
  * -L name  Specifies name of NeMaC log file.
  * -c 0  Tells NeMaC to download rule file(s) to the meter, then
    exit without collecting any flow data.
  * default values in NeMaC configuration file.
    Since NeMaC command-line parameters can be displayed by any user
    via the Unix ps command, you should specify write community
    names in a configuration file. Each record in a configuration
    file specifies meter parameters which override the default
    values or the ones specified on the NeMaC command line. NeMaC
    now uses the meter name 'default' to indicate that this record
    contains default values for following records. For example ..
      ./NeMaC -f nm-config
    tells NeMaC to read the file 'config,' which contains the
    following records ..
      -c900 -p -rrules.mynet default
      meter1 write-1
      meter2 write-2
      -c300 meter3 write-3
    This starts three meters; all run rules.mynet, and append to
    their flow data files. meter3 is collected every 5 minutes,
    meter1 and meter2 are collected every 15 minutes.

  Changes to NeTraMet options:

  * PC & Unix meter: Option settings ..
    Options no longer need spaces to separate them from their
    arguments, e.g. -ile0
  * PC & Unix meter: Read Communities ..
    Only one read community can be specified.

  Bug fixes:

  * PC meter: -r option (to specify read community) crashed meter.
  * Solaris meter: FDDI interface didn't work. pcap-dlpi.c didn't
    bind the dlpi stream correctly.
    Fixed by new version of pcap-dlpi.c from lbl (included in
    src/meter)
  * Unix meter: pcap socket open didn't specify a timeout; 250ms now
    specified. This prevents Solaris from busy-waiting, allowing
    NeTraMet to be run as a background process.
  * Linux meter: alters the timeout value of a select() statement
    (this is a BSD feature). Timeout value now reset to 250ms after
    each select(); this prevents linux from busy-waiting, allowing
    NeTraMet to be run as a background process.

8 Sep 95

  Bug fixes as follows:

  * snmplib/asn1.c changed to get integers correctly out of SNMP
    packets. Now works correctly for OSF/1.
  * PC meter: small memory model memcpy used to copy strings from
    far memory. Now uses qmove. This caused snmp network managers to
    get garbage when GETting addresses from the flow table.
  * Bug in meter/met_vars overwrote part of the SNMP object tables
    when responding to a request for a non-existent MIB object. This
    showed up as 'meter loses rule table' when a network manager
    such as OpenView probed a meter's MIB.
  * Ultrix Makefiles corrected. These can now be used to build meter
    and manager for DEC OSF/1.

4 Jul 95

  New options for NeMaC:

  * -a sss  Collections will be made with a time lag of sss seconds.
    For example, 10-minute collections with 30-second time lag will
    occur at 1000'30, 1010'30, etc.
  * -w nnn  Specifies doWnload level. nnn=0 (the default) downloads
    rules on collector startup and after a meter restart. nnn=1
    downloads only after a meter restart, and nnn=2 never downloads.

  Bug Fixes:

  * PC NeTraMet returned bad string for interface name. NeTraMet
    fixed to return 'eth0,' NeMaC modified to check the string, and
    use 'eth0' instead of a bad string (from an old meter).

V3.2  8 Jun 95

  NeTraMet meter reworked to use libpcap to get packet headers:

  * libpcap:
    - libpcap is a generalised packet interface written by Steve
      McCanne, Craig Leres and Van Jacobson as part of tcpdump.
    - libpcap is available from ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z
    - to make NeTraMet you must first install it on your Unix system
      so as to produce libpcap.a
      The make files in the NeTraMet distribution assume you have
      copied libpcap into the same subdirectory as the Makefile.
    - binary distribution files are provided for linux (version
      1.2.1) and Irix (5.2), as well as Solaris (2.4) and SunOS
      (4.1.4).
    - libpcap supports FDDI interfaces as well as ethernet. This is
      still being tested (8 Jun 95).
  * -i option has been implemented in NeTraMet. This tells NeTraMet
    which interface to monitor. For example, -i le0 will monitor the
    le0 interface. The interface name is displayed on the NeTraMet
    console, and appears in the ## header line of the flow data
    file. If you don't specify an interface libpcap will use its
    default one. The PC version of NeTraMet doesn't allow you to
    specify the interface name.
  * 'other' packet handling has been extended. 'Other' packets set
    the SourcePeerAddress to the packet's ether_type and the
    DestPeerAddress to the packet's LSAP. This allows you to use
    NeTraMet to find out what packet types are active on your
    network.
  * All the source code (including the CMU SNMP library) has been
    tidied up so as to remove most of the compiler warning messages.
    This should make it easier to port to new systems.

  Bug fixes:

  * PC pointer problems cause PC NeTraMet to crash at random times
    (from seconds to days). Finding more places which should use
    'huge' pointers instead of 'far' pointers seems to have cleared
    (or at least reduced) this problem.
  * PC string compare routine error. Waterloo TCP's qcmp routine
    compares two far pointers (same as Unix memcmp). Implementation
    bug meant that strings which were same length and differed only
    in the last byte were reported as being the same. The effect of
    this was masked because NeTraMet uses a hash search of the flow
    table.
  * NeTraMet crashed when it received an SNMP get request for a
    MIB-1 object which it didn't know about.
    NeTraMet implements nearly all of the Accounting Meter MIB
    objects, but only a few MIB-1 objects. The SNMP routines in
    met_vars.c have been improved so as to give a 'no such OID'
    response (and keep running).
  * NeMaC didn't handle end-of-file properly for its configuration
    file. This has been corrected.

V3.1  16 Feb 95

  New version using IANA-allocated MIB OID (mib-2 40):

  * Rewritten and simplified MIB means that earlier meters won't run
    with 3.1 NeMaC, and 3.1 meters won't run with earlier NeMaCs.
    i.e. both meter and manager must move to 3.1 together.
  * Extended and simplified rule matching. Jumps can be to the test
    or action part of the target rule. Attribute values can be
    pushed from the packet (as well as from a rule), hence aggregate
    and tally flows are no longer needed. The action table was only
    needed to support aggregate and tally flows: it is no longer
    needed.
  * Six new user-settable attributes are implemented. SourceClass,
    DestClass, FlowClass and SourceKind, DestKind, FlowKind allow a
    meter to pass information gleaned during packet matching back to
    the flow data file.
  * NeMaC allows you to INCLUDE rule files into other rule files.
  * Emergency rule sets are implemented. The meter will switch to
    its emergency rule set if the % of active flows gets greater
    than HighWaterMark.
  * Collection times are synchronised by default, i.e. they happen
    at multiples of the collection interval. For example 15-min
    collections are made at 0, 15, 30 and 45 minutes past the hour.

  Bug fixes:

  * Rule tables with more than 1350 rules now work properly on the
    PC meter. This was a situation where 'huge' pointers were
    required to reliably access all of the rule table.
  * IP fragment packets other than the first fragment of a PDU
    produced garbage transport addresses (IP port numbers). They now
    produce 0. The Accounting Model defines attributes for each
    protocol, and doesn't allow one to distinguish a 'first
    fragment' from an unfragmented IP packet.
  * A mistake in the code for optimised testing of a group of rules
    could sometimes cause packet matches to succeed when they should
    not. This has been corrected.

  Notes:

  * Rule files will need to be converted from the old (version 2.x)
    form to the new one. The changes are straightforward, and are
    documented in the file Converting.rules.ps

V2.3  25 Nov 94

  Fourth full release, new features as follows:

  * NeMaC now uses the names of flow attributes as they appear in
    the meter MIB, i.e. TRANS is used instead of DETAIL. NeMaC does
    this by allowing DETAIL to be a synonym for TRANS. Old rule
    files will still work properly, but new rule files should use
    TRANS.
  * Gopher (port 70) and WWW (port 80, i.e. html) have been added to
    NeMaC's list of IP port numbers.
  * If NeMaC notices that a meter has been restarted, i.e. its
    sysUptime has jumped backwards, NeMaC will automatically
    download its specified rule file. The check is made before each
    flow data collection (intervals set by the -c option), and at
    every 'keepalive' interval (set by the -k option). This feature
    can be used to minimise the amount of flow data lost by a meter
    after a power-fail restart.
  * NeMaC now allows different collection and keepalive intervals
    for each meter. This is implemented by allowing the -c and -k
    options to appear in NeMaC's configuration file, and using an
    event queue (instead of a simple idle loop) to order meter
    activities.
  * A mechanism for closing and reopening flow data files has been
    implemented. NeMaC tests for a file called NeMaC.flag. If it
    finds the flag file it will close and reopen all its current
    flow data files. A new section has been added to the manual
    explaining how to use this feature.

  Bug fixes:

  * Various bugs in NeMaC's parsing of rule files have been
    corrected.
  * Bugs in fd_filter and fd_extract have been corrected; they will
    now work as documented!

  Notes:

  * NeTraMet memory management has been improved.
    'Active flows' is now used instead of 'flows in use' for
    controlling garbage collection. The garbage collector is called
    if a new flow is needed and there are no free flows.

V2.2  19 Jul 94

  Third full release, new features as follows:

  * fd_filter and fd_extract included in manager directories as
    utility programs for flow data files. Documented in fd_util.ps
    file.
  * Port of both NeTraMet and NeMaC for Solaris, using streams/dlpi
    instead of nit to watch ethernet interface.
  * Binaries for Solaris and SunOS available via anonymous ftp.
  * Make files for HPUX and linux added. NeMaC has been ported to
    HPUX and linux.
  * SamplingRate MIB variable implemented; allows only 1 of every n
    packets to be processed.
  * All four Novell IPX encapsulations now recognised.

  Bug fixes:

  * PC NeTraMet now counts packets sent as well as packets received.

  Notes:

  * NeMaC now gives sensible error messages if it can't write meter
    variables. If NeMaC only has read access (i.e. it was given the
    read snmp community name instead of the write one) it can still
    collect data, but such collections will not be recorded by the
    meter, and therefore be noticed by the meter's garbage
    collector.
  * Solaris 2.3 dlpi bug corrupts some packet headers. Only affects
    CLNS handling by Solaris version of NeTraMet. This is fixed in
    Solaris 2.4 - see the ether_pc.c file for details.

V2.1  14 Jan 94

  Second full release, new features as follows:

  * Subroutines in rule tables implemented, making it much easier to
    write rules to handle large numbers of networks.
  * Labels implemented for rules and actions, i.e. no need to keep
    track of rule and action numbers by hand.
  * CLNS protocol now understood by NeTraMet
  * Packets for protocols not understood by NeTraMet can be counted
    as PeerType 'Other'.
  * Ethernet II and SNAP encapsulations for IPX now recognised (as
    well as 'Raw 802.2').
  * Full (10-byte) IPX addresses can be used instead of just
    (4-byte) net numbers.
  * Make files for Ultrix added. NeMaC has been ported to Ultrix.
  Bug fixes:

  * MIB environment variable changed to MIBTXT to match the
    documentation (was MIBFILE).

  Notes:

  * Make files changed to allow compilation with Gnu C compiler,
    either by specifying gcc in the make file, or by 'setenv CC
    gcc'.
  * Documentation points out that NeTraMet write community must have
    different name to read communities, and that NeMaC must specify
    the NeTraMet write community name.

28 Oct 93

  New: NeMaC only displays 'Rule/Action added' message every tenth
  rule/action.

22 Oct 93

  Bug: NeMaC couldn't handle rule table with >255 rules.

V2.0  20 Oct 93

  First full release of NeTraMet and NeMaC, with NeTraMet Manual and
  full source code.

V1.0  Nov 92

  Prototype meter using height-balanced trees instead of rule table.
  Presented at Washington IETF.

--------------------------------------------------------------------
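
The v4.2b2 entry above says NeTraMet now checks that the data is there before grabbing a header attribute (zero is used otherwise), and the V3.1 entry says later IP fragments now produce 0 for transport addresses. The C example below is added here to illustrate both checks; it is not NeTraMet source, every function, struct and constant name in it is hypothetical, and the packets are constructed sample data.

```c
/* Added example, not NeTraMet source: all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct flow_ports { uint16_t src, dst; };
enum { PORTS_MALFORMED = -1, PORTS_ZEROED = 0, PORTS_OK = 1 };

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* "Before": trusts the IP header length field and ignores both the
 * number of bytes captured and the fragment offset. The caller must
 * guarantee buf is at least 64 bytes long. */
void extract_ports_unchecked(const uint8_t *buf, struct flow_ports *out)
{
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    out->src = rd16(buf + ihl);
    out->dst = rd16(buf + ihl + 2);
}

/* "After": every read is checked against caplen, the number of bytes
 * actually captured starting at the IPv4 header. */
int extract_ports(const uint8_t *buf, size_t caplen, struct flow_ports *out)
{
    out->src = out->dst = 0;
    if (caplen < 20 || (buf[0] >> 4) != 4)
        return PORTS_MALFORMED;      /* fixed header not captured */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20)
        return PORTS_MALFORMED;      /* impossible header length */
    if (buf[9] != 6 && buf[9] != 17)
        return PORTS_ZEROED;         /* not TCP or UDP: no ports */
    if ((rd16(buf + 6) & 0x1fff) != 0)
        return PORTS_ZEROED;         /* later fragment: no transport header */
    if (caplen < ihl + 4)
        return PORTS_ZEROED;         /* IP options pushed ports past capture */
    out->src = rd16(buf + ihl);
    out->dst = rd16(buf + ihl + 2);
    return PORTS_OK;
}

/* Build constructed sample data: an IPv4 header of ihl_words*4 bytes
 * followed by two 16-bit words w0, w1, of which only the first caplen
 * bytes were captured. Requires 20 <= caplen <= buflen. */
void make_ipv4(uint8_t *buf, size_t buflen, size_t caplen, unsigned ihl_words,
               uint8_t proto, uint16_t frag_off, uint16_t w0, uint16_t w1)
{
    size_t off = (size_t)ihl_words * 4;
    memset(buf, 0xAA, buflen);       /* stale bytes from an earlier packet */
    memset(buf, 0, caplen);          /* the bytes this capture delivered */
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    buf[6] = (uint8_t)((frag_off >> 8) & 0x1f);
    buf[7] = (uint8_t)(frag_off & 0xff);
    buf[9] = proto;
    if (off + 4 <= caplen) {         /* first 4 bytes after the IP header */
        buf[off] = (uint8_t)(w0 >> 8);     buf[off + 1] = (uint8_t)w0;
        buf[off + 2] = (uint8_t)(w1 >> 8); buf[off + 3] = (uint8_t)w1;
    }
}

int main(void)
{
    uint8_t b[64];
    struct flow_ports p;
    int rc;

    make_ipv4(b, sizeof b, 64, 5, 6, 0, 1234, 80);          /* plain TCP */
    rc = extract_ports(b, 64, &p);
    printf("plain TCP:      rc=%d %u -> %u\n", rc, (unsigned)p.src, (unsigned)p.dst);

    make_ipv4(b, sizeof b, 54, 15, 6, 0, 1234, 80);         /* 40 option bytes */
    rc = extract_ports(b, 54, &p);
    printf("many options:   rc=%d %u -> %u\n", rc, (unsigned)p.src, (unsigned)p.dst);
    extract_ports_unchecked(b, &p);
    printf("  unchecked:    %u -> %u (stale bytes)\n", (unsigned)p.src, (unsigned)p.dst);

    make_ipv4(b, sizeof b, 64, 5, 17, 185, 0x4142, 0x4344); /* UDP fragment */
    rc = extract_ports(b, 64, &p);
    printf("later fragment: rc=%d %u -> %u\n", rc, (unsigned)p.src, (unsigned)p.dst);
    return 0;
}
```

With a 54-byte capture and a 60-byte IP header, the unchecked version reports whatever an earlier packet left in the buffer as port numbers, which then end up in the flow table as spurious flows.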