Real-Time Traffic Analyzer

From Fortian


The Fortian Real-Time Traffic Analyzer

The real-time traffic analyzer is broken into three components. The first, pcapper, runs on all systems recording traffic. The other two, recollect and mwmg, run on monitoring station(s).

pcapper - the Monitoring Agent

Logs from pcapper are in text format, and are subject to change. Each line is currently of the format:

<time>:<source IP>:<source port>:<destination IP>:<destination port>:<length>:<protocol>:<source IP>:<source port>:<destination IP>:<destination port>:<length>:<protocol>

time: The UNIX time, in floating point, with up to six digits after the decimal point.
source IP: The originator of the packet, which is usually this system.
  • Special value: 1.0.0.0 is used for CPU reports
  • Special value: 2.0.0.0 is used for memory reports
  • Special future value: time monitoring will have the value 3.0.0.0
source port: The source port of this data.
  • Special value: 1 is used for CPU reports
  • Special value: 2 is used for memory reports
  • Special future value: time monitoring will have the value 3
destination IP: The target of the packet. The same special values apply.
destination port: The destination port of this data. The same special values apply.
length: The length of the data being reported.
  • For normal traffic, this value is in bytes, not bits.
  • For CPU data, this value is the number of non-idle ticks since the last transmission. Generally, this means hundredths of a second. This data is normalized for multi-CPU systems.
  • For memory data, this value is the memory in use, in multiples of 256 kilobytes. Note that "in use" doesn't include buffers, cache, or other semi-allocated memory which can be trivially jettisoned by the kernel.
protocol: The standard IANA protocol number for the traffic being reported.
  • This value is often 17 (UDP).
  • CPU and memory data is reported as protocol 61 [any host internal protocol] (as shall time).
The values below appear only in lines representing encapsulated traffic.
source IP: The originator of the encapsulated packet, which is usually not this system.
source port: The source port of the encapsulated packet.
destination IP: The target of the packet, which is usually a multicast address.
destination port: The destination port of the encapsulated packet.
length: The length of the original encapsulated packet.
protocol: The protocol of the original encapsulated packet. This value is almost always 17 (UDP).

All traffic volume is charged when the first packet is observed. This may result in undercounting when fragmentation occurs.

recollect - the Traffic Collector

recollect uses the following configuration syntax, which should be placed into a file named collector.conf (for compatibility reasons) in the working directory.

The configuration file starts with a series of keypairs. The LHS is a single digit, and the RHS is a port number. For example, the keypair:

1=9999
2=7636

states that traffic to port 9999 should be identified as type 1 and traffic to port 7636 should be identified as type 2. Traffic that goes to a port not identified anywhere in collector.conf will be marked as unknown.

Once all of the keypairs are provided, the rest of the file is a colon-delimited list of identifiers, IPs, and ports. These lines identify systems running pcapper, and direct recollect to connect to them on the given IP and port. For example, the line:

1:10.4.2.1:7073

indicates that system ID 1 has IP address 10.4.2.1 and is listening on port 7073.

A sample collector.conf is available.
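The following is an added example, not code from Fortian or from the analyzer itself. It parses pcapper log lines in the format described above (7 fields, or 13 for encapsulated traffic, with the 1.0.0.0/2.0.0.0 report conventions) and a collector.conf in the syntax just described, then classifies each record by destination port the way recollect does. The log lines and configuration are constructed sample input.

```python
from dataclasses import dataclass
# Special source addresses pcapper uses for non-traffic reports (3.0.0.0 is the planned time value).
REPORT_KINDS = {"1.0.0.0": "cpu", "2.0.0.0": "memory", "3.0.0.0": "time"}

# Constructed sample input, not taken from the page: plain traffic, an encapsulated
# (13-field) line, and a CPU report using the 1.0.0.0 / port 1 / protocol 61 convention.
SAMPLE_LOG = [
    "1270000000.123456:10.4.2.1:40000:10.4.2.9:9999:512:17",
    "1270000000.223456:10.4.2.1:40001:239.1.1.1:7636:1024:17"
    ":10.4.2.7:5000:239.1.1.1:7636:980:17",
    "1270000001.000000:1.0.0.0:1:1.0.0.0:1:37:61",
]
SAMPLE_CONF = "1=9999\n2=7636\n1:10.4.2.1:7073\n"
@dataclass
class Record:
    time: float
    kind: str        # "traffic", "cpu", "memory" or "time"
    src: str
    sport: int
    dst: str
    dport: int
    length: int      # bytes for traffic, non-idle ticks for CPU, 256 KB units for memory
    proto: int
    inner: tuple = None  # (src, sport, dst, dport, length, proto) of an encapsulated packet

def parse_pcapper_line(line: str) -> Record:
    """Parse one pcapper line: 7 colon-delimited fields, or 13 when traffic is encapsulated."""
    f = line.strip().split(":")
    if len(f) not in (7, 13):
        raise ValueError(f"expected 7 or 13 fields, got {len(f)}")
    rec = Record(float(f[0]), REPORT_KINDS.get(f[1], "traffic"), f[1], int(f[2]),
                 f[3], int(f[4]), int(f[5]), int(f[6]))
    if len(f) == 13:
        rec.inner = (f[7], int(f[8]), f[9], int(f[10]), int(f[11]), int(f[12]))
    return rec

def parse_collector_conf(text: str):
    """Return ({port: type_id}, [(system_id, ip, port)]) from collector.conf text."""
    port_types, agents = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if "=" in line:                        # keypair: <type digit>=<port>
            type_id, port = line.split("=", 1)
            port_types[int(port)] = int(type_id)
        else:                                  # agent: <system id>:<ip>:<port>
            sys_id, ip, port = line.split(":")
            agents.append((int(sys_id), ip, int(port)))
    return port_types, agents
def classify(rec: Record, port_types: dict):
    """Type ID by destination port ('unknown' if unmapped); CPU/memory/time reports pass through."""
    return rec.kind if rec.kind != "traffic" else port_types.get(rec.dport, "unknown")
```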

mwmg - the Multi-Window Multi-Grapher

mwmg uses the following configuration syntax, which should be placed into a file named mwmg.conf in the working directory.

The configuration file is in "INI" file format. Each application is identified inside square brackets, and the subsequent keypairs apply to that application. The ordering matters - the first application listed will be treated as the application identified with ID 1 in collector.conf, the second with ID 2, and so on.

For example, if the first two entries in mwmg.conf read:

[Chat]
Color=rgb:ffff/0000/0000
Relay=rgb:a000/0000/0000

[Situational Awareness]
Color=rgb:0000/c000/0000
Relay=rgb:0000/8000/0000

then Chat would be the application with application ID 1, and it would be drawn in red when graphing in real time. Situational Awareness would be the application identified by recollect as ID 2, and would be drawn in green. The Relay line is used for encapsulated traffic, and therefore ought to be somehow related chromatically to the Color tag.

As special cases, Memory, Processor, and Delay are all keypairs that stand outside application blocks (since they cannot be relayed). For post-processing purposes, it is sufficient to ignore any line with an equals sign, unless you are attempting to match colors with the real-time displays.

A sample mwmg.conf is available.
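An added example (not Fortian's code) for post-processing an mwmg.conf as described above: it assigns application IDs by block order, keeps the Memory/Processor/Delay keypairs apart from application blocks, and converts the X11-style rgb:<r>/<g>/<b> colour specs to #rrggbb so colours can be matched with the real-time display. The configuration text is constructed sample input; the hex conversion assumes the usual X11 scaling of each channel to 16 bits.

```python
GLOBAL_KEYS = {"Memory", "Processor", "Delay"}  # keypairs that sit outside application blocks

# Constructed sample mwmg.conf (not the page's sample file).
SAMPLE_MWMG = """\
Memory=rgb:8000/8000/8000
[Chat]
Color=rgb:ffff/0000/0000
Relay=rgb:a000/0000/0000
[Situational Awareness]
Color=rgb:0000/c000/0000
Relay=rgb:0000/8000/0000
"""

def parse_mwmg_conf(text: str):
    """Return ({app_id: name}, {name: {key: value}}, {global key: value}).

    Application IDs follow block order (first block = ID 1, matching collector.conf).
    Memory/Processor/Delay keypairs go to the global map wherever they appear."""
    names, per_app, top_level, current = [], {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            names.append(current)
            per_app[current] = {}
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in GLOBAL_KEYS or current is None:
                top_level[key] = value
            else:
                per_app[current][key] = value
    return dict(enumerate(names, start=1)), per_app, top_level

def rgb_spec_to_hex(spec: str) -> str:
    """Convert an X11 'rgb:<r>/<g>/<b>' spec (1-4 hex digits per channel, scaled to
    16 bits) to '#rrggbb' by keeping the high byte of each channel."""
    if not spec.startswith("rgb:"):
        raise ValueError(f"bad colour spec: {spec}")
    channels = spec[4:].split("/")
    if len(channels) != 3:
        raise ValueError(f"bad colour spec: {spec}")
    out = "#"
    for h in channels:
        val16 = int(h, 16) * 0xFFFF // (16 ** len(h) - 1)  # scale to 16-bit channel
        out += f"{val16 >> 8:02x}"
    return out
```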

nightcap - the Simplified Packet Analyzer

This program is now documented independently, on the Nightcap documentation page.

How to get it

If you would like to download SSPG, please contact us.

Licensing

This software contains previously unreleased source code that is the property of Fortian Inc. Redistribution is prohibited without explicit permission.

Copyright © 2003-2010 Fortian. All rights reserved.
Use of this website is restricted by the Terms of Use.
The Fortian name is a registered trademark of Fortian Inc.
The Fortian logo and the phrase "Redefining Network Technology" are trademarks of Fortian Inc.