NeTraMet++ pre-release version Now Available
NeTraMet++ is a new, high-performance version of NeTraMet.
It uses stream caching, i.e. each packet is matched with a stream
before being matched with a flow. The stream data structure
remembers the flows corresponding to each stream, so that flow
matches are cached in the streams. Rulesets that only test
or save '5-tuple' attributes (SourcePeerType, SourcePeerAddress,
SourceTransAddress, DestPeerAddress or DestTransAddress) can be
cached; production tests show a cache hit rate of 85% or more.
CAUTION: stream caching requires memory for all the streams.
- You can see how many streams are in use by typing 'S' on the
NeTraMet meter console.
- You can specify the maximum number of streams with the -t
command-line option.
See the doc/NeTraMet/version.history for more details.
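The lookup order described above, as an added sketch in C (not NeTraMet source code): a fixed-size stream table sits in front of the rule matcher, so the rules run once per stream, and a full table falls back to uncached matching instead of growing. All names, the table size, the toy ruleset and the sample packets are constructed for illustration; what NeTraMet itself does when the stream limit is reached is not stated in this note.

```c
/* Added illustration, not NeTraMet source; every name here is hypothetical. */
#include <stdint.h>
#define MAX_STREAMS 4            /* fixed stream limit (constructed value) */
struct tuple {                   /* the 5-tuple attributes listed above */
    uint8_t  peer_type;
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;
};
struct stream { struct tuple key; int flow; int used; };
static struct stream streams[MAX_STREAMS];
static unsigned hits, misses, uncached;
/* Constructed ruleset: tests 5-tuple attributes only, so results are cacheable. */
static int match_rules(const struct tuple *t) {
    if (t->dst_port == 53) return 1;                           /* DNS */
    if ((t->src_addr & 0xFFFFFF00u) == 0x0A000100u) return 2;  /* 10.0.1.0/24 */
    return 0;                                                  /* default flow */
}
static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->peer_type == b->peer_type && a->src_addr == b->src_addr &&
           a->dst_addr == b->dst_addr && a->src_port == b->src_port &&
           a->dst_port == b->dst_port;
}

/* Match the packet to a stream first; run the rules only for a new stream. */
int classify(const struct tuple *t) {
    unsigned h = (t->src_addr ^ t->dst_addr ^ t->src_port ^ t->dst_port) % MAX_STREAMS;
    for (unsigned i = 0; i < MAX_STREAMS; i++) {
        struct stream *s = &streams[(h + i) % MAX_STREAMS];
        if (!s->used) {          /* miss: rules run once, result is remembered */
            s->key = *t; s->flow = match_rules(t); s->used = 1;
            misses++; return s->flow;
        }
        if (tuple_eq(&s->key, t)) { hits++; return s->flow; }  /* cache hit */
    }
    uncached++;                  /* table full: match without caching, never grow */
    return match_rules(t);
}

/* Constructed traffic: three streams, seven packets. Returns the hit count. */
static const struct tuple pkt[3] = {
    {1, 0x0A000105u, 0xC0A80001u, 40000, 53},
    {1, 0x0A000106u, 0xC0A80002u, 40001, 80},
    {1, 0xC0000201u, 0xC0A80003u, 40002, 443},
};
unsigned replay(void) {
    static const int order[7] = {0, 1, 0, 0, 2, 1, 0};
    for (int i = 0; i < 7; i++) classify(&pkt[order[i]]);
    return hits;
}
```

On the constructed trace the rules run three times for seven packets; once the table is full, a packet from a new stream is still classified but pays for a full rule match every time.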
The NeTraMet++ distribution is beta-versions/NeTraMet50b3.tar.gz
NeTraMet Version 4
The current production version of NeTraMet (4.4), the first implementation
of the Internet Accounting Architecture (RFC 2720-2724), is
available from the NeTraMet distribution site, see below.
A short description of NeTraMet and NeMaC appears at the bottom of
this note.
Version 4.6 uses Posix threads to improve SNMP request processing.
It was only ever released in the beta-versions directory; that's
because it was overtaken by NeTraMet++.
Version 4.5 (in the beta-versions directory) implements two 802.1p
VLAN attributes. VLANid tells you which VLAN a packet belongs to,
and Priority indicates that VLAN's priority. Also, the ECNCodeBits
attribute gives you a packet's Explicit Congestion Notification bits,
as specified in RFC 3168.
Version 4.4 uses an autoconf Configuration Header File, ntm_conf.h.
Options such as V6 can now be set in this header file; do that before
you run ./configure. NeTraMet's SNMP implementation has been tested
for security loopholes using the PROTOS test suite; the only change
required was an extra test in the ASN.1 parsing routines.
The Version 4.3 distribution file was reorganised so as to
make it easier to use; it is now a 'normal' GNU distribution, i.e. you
can install it by running ./configure and ./make. In addition it
implements the following:
- DSCodePoint attribute is implemented. This provides the
6-bit value of the DiffServ (differentiated services) codepoint for a flow.
- IPv6 capabilities are implemented. They can be enabled by
setting the V6 compile-time option.
See the version.history file for more details on the changes.
This version was in beta test from September 98 to September 99, going
through 10 consecutive beta versions.
Version 4.2 introduced srl and NetFlowMet.
- srl is an optimising compiler for SRL, the Simple Ruleset
Language. The SRL syntax is explained in an Internet Draft (copy on
the NeTraMet distribution sites), and is a structured language with
compound statements and IF-THEN-ELSE statements. The distribution
includes a directory of sample srl programs. The language also allows
you to specify a list of IP networks as a sequence of address/width
pairs, and to test an attribute to determine whether its value matches
any of those in such an 'operand list.'
- NetFlowMet is a version of the Unix NeTraMet. It's an
RTFM meter which takes its data from a Cisco router using Cisco's
NetFlow data.
- The NeTraMet implementation has been improved by using better
hashing algorithms for its flow table, which allows it to handle
considerably higher traffic rates than earlier versions.
- Problems with very large rulesets (30,000 or more rules) have been
addressed. Rulesets with more than 32767 rules run properly, and the
time to download rules has been reduced by an order of magnitude.
The NeTraMet documentation is now available only in PDF format; it
is no longer part of the NeTraMet 'distribution' file.
The documentation files are:
Mailing Lists
There is a NeTraMet Users' mailing list (details below); any comments,
suggestions, enquiries, etc will be very welcome.
If you are interested in network traffic metering and management,
why not join the Realtime Traffic Flow Measurement (rtfm) mailing list?
Its URL is
http://list.auckland.ac.nz/mailman/listinfo/rtfm
NeTraMet Distribution
NeTraMet is free software, and can be obtained by anonymous FTP from
the sites listed below. Note that these sites make archived material
available as a convenience to users - no endorsement of NeTraMet is
implied.
The NeTraMet distribution files are as follows:
- Release.note: This file
- *.pdf: The documentation files, in PDF format
- NeTraMet45.tar.gz: Distribution file. Source and Make files for
Unix systems, example rule files, SNMP MIB, version history.
Compressed with gzip.
The NeTraMet System
NeTraMet is an accounting meter which runs on a PC under DOS or a Unix
system. It builds up packet and byte counts for traffic flows, which
are defined by their end-point addresses. Addresses can be ethernet
addresses, protocol addresses (IP, DECnet, EtherTalk, IPX or CLNS) or
'transport' addresses (IP port numbers, etc), or any combination of
these. The traffic flows to be observed are specified by a set of
rules, which are downloaded to NeTraMet by a 'manager' program.
Traffic flow data is collected via SNMP from NeTraMet by a 'collector'
program.
NeMaC, a combined manager and collector program, is supplied with
NeTraMet. It downloads rules to meters, and collects data from them.
Although a meter may only have one manager, its data can be collected
by several collectors, which do not have to be synchronised. NeMaC
can manage and collect data from an arbitrary number of meters.
The format of NeMaC's collected flow data files is very general; the
contents of data lines in the file are completely specified by the
user. ASN.1 opaque objects are used to retrieve flow data so as to
minimise the overheads in using SNMP for this purpose.
NeTraMet provides a valuable tool for analysing network traffic flows,
and should prove to be of interest to anyone interested in network
monitoring, capacity planning, performance measurement, etc.
Nevil Brownlee
(n.brownlee@auckland.ac.nz)
Last updated: 23 Nov 03