Traffic Flow Measurement: Experiences with NeTraMet
RFC 2123

Document Type RFC - Informational (March 1997; No errata)
Last updated 2013-03-02
Stream IETF
Network Working Group                                       N. Brownlee
Request for Comments: 2123                   The University of Auckland
Category: Informational                                      March 1997

          Traffic Flow Measurement:  Experiences with NeTraMet

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   This memo records experiences in implementing and using the Traffic
   Flow Measurement Architecture and Meter MIB. It discusses the
   implementation of NeTraMet (a traffic meter) and NeMaC (a combined
   manager and meter reader), considers the writing of meter rule sets
   and gives some guidance on setting up a traffic flow measurement
   system using NeTraMet.

Table of Contents

 1 Introduction
   1.1 NeTraMet structure and development
   1.2 Scope of this document
 2 Implementation
   2.1 Choice of meter platform
   2.2 Programming support requirements
     2.2.1 DOS environment
     2.2.2 Unix environment
   2.3 Implementing the meter
     2.3.1 Data structures
     2.3.2 Packet matching
     2.3.3 Testing groups of rule addresses
     2.3.4 Compression of address masks
     2.3.5 Ignoring unwanted flow data
     2.3.6 Observing meter reader activity
     2.3.7 Meter memory management
   2.4 Data collection
   2.5 Restarting a meter
   2.6 Performance
 3 Writing rule sets
   3.1 Rule set to observe all flows
   3.2 Specifying flow direction, using computed attributes
   3.3 Subroutines
   3.4 More complicated rule sets
 4 Flow data files
   4.1 Sample flow data file
   4.2 Flow data file features
   4.3 Terminating and restarting meter reading
 5 Analysis applications
 6 Using NeTraMet in a measurement system
   6.1 Examples of NeTraMet in production use
 7 Acknowledgments
 8 References
 9 Security Considerations
10 Author's Address

1 Introduction

   Early in 1992 my University needed to develop a system for recovering
   the costs of its Internet traffic.  In March of that year I attended
   the Internet Accounting Working Group's session at the San Diego
   IETF, where I was delighted to find that the Group had produced a
   detailed architecture for measuring network traffic and were waiting
   for someone to try implementing it.

   During 1992 I produced a prototype measurement system, using balanced
   binary trees to store information about traffic flows.  This work was
   reported at the Washington IETF in November 1992.  The prototype
   performed well, but it made no attempt to recover memory from old
   flows, and the overheads in managing the balanced trees proved to be
   unacceptably high.  I moved on to develop a production-quality
   system, this time using hash tables to index the flow information.

   This version was called NeTraMet (the Network Traffic Meter), and was
   released as free software in October 1993.  Since then I have
   continued working on NeTraMet, producing new releases two or three
   times each year.  NeTraMet is now in production use at many sites
   around the world.  It is difficult to estimate the number of sites,
   but there is an active NeTraMet mailing list, which had about 130
   subscribers in March 1996.

   Early in 1996 the Realtime Traffic Flow Measurement Working Group