nifty is the X-Window Flow Analyser tool from the NeTraMet distribution. It is used to download a specified ruleset to a meter, collect flow data at regular intervals, and display plots. The ruleset used with nifty determines which flows will be counted by the meter. It also specifies the symbols used to plot those flows.
A very simple nifty ruleset (nifty-demo.srl) would look like this:
if SourcePeerType == IPv4 save; else ignore; if SourceTransType == TDP store FlowKind := 'T'; else if SourceTransType == UDP store FlowKind := 'U'; else if SourceTransType == ICMP store FlowKind := 'I'; else store FlowKind := 'O'; save SourcePeerAddress; save DestPeerAddress; save SourceTransType; save SourceTransAddress; save DestTransAddress; count;
This ruleset looks at IP packets, sets the FlowKind attribute (which nifty uses as the plot symbol), then save values for SourceTransType and Source/DestPeerAddress and Source/DestTransAddress. This produces a plot on which TCP flows are plotted with 'T', UDP with 'U', etc.
Running another ruleset (nifty.srl from the NeTraMet distribution) to test the NeTraMet meter, I observed between 32 Mbps and 38Mbps of traffic (total SDSC in+out) in the afternoon, and about 4Mbps at night, with peaks of around 45,000 active flows. These measurements consumed a surprisingly low 12 percent of processor time. The addition of more rulesets on the meter proved even more surprising: each ruleset added about another 2%, until with six rulesets running simultaneously, the processor load was still below 25%. Clearly the processor-time cost of reading packet headers from a live interface is high compared to the cost of passing them through a ruleset.
Satisfied that the meter was working well, I made a new nifty ruleset, nifty-full.srl. This in turn uses a second ruleset, ip-ports.srl, which contains port-number definitions for a long list of applications, along with plot symbols for each. The following nifty plots demonstrate how the load on the SDSC link varies, and which applications are high users of the available bandwidth. (In all cases, the top 20 flows are shown.)
|Packet Rate vs. Flow Duration on SDSC Link (Tuesday, 27 Jun 2000 time: 1714)
This graph shows the top flows collected using the ruleset nifty-demo.srl. There are 12,411 active flows, 5.38kpps traffic shown in this sample.
|Byte Rate vs. Flow Duration on SDSC Link (Saturday, 24 Jun 2000 time: 1732)
10,434 active flow, 18.11 Mbps of traffic. The 'leading diagonal' pattern of web flows occurs often. TCP flows which the ruleset doesn't recognize are plotted as diamonds.
|Byte Rate vs. Flow Duration on SDSC Link (Saturday, 24 Jun 2000 time: 1820)
7,443 active flows, 22.69 Mbps of traffic. Note that there are two Napster flows ('A'), and four Gnutella flows ('G').
|Packet Rate vs. Flow Duration on SDSC Link (Saturday, 24 Jun 2000 time: 2030)
Shows 7 Gnutella flows. Clicking on the right mouse button causes nifty to display the flow's Octet(byte) counts; the rightmost Gnutella flow had been active for 51.37 minutes, transferring about 113 Mbyte in that time.
|Packet Rate vs. Flow Duration on SDSC Link (Saturday, 24 Jun 2000 time: 2013)
nifty can also plot packet rates instead of byte rates. The Gnutella flows ('G') are fairly long-lived, transferring around 100 packets/sec for as long as an hour. Network backup flows are plotted as 'b'.
This project demonstrates the utility and features of using the nifty tool to interact with a NeTraMet meter.