unispeed Netlogge        [Expand all]   [Collapse all]

Using the Netlogger for billing purposes.


Start by dropping a Collect Packets tool on the canvas, double-click on the tool and select the interface you want to use.

Lets say that you want to measure the amount of traffic to/from a number of machines within a certain IP scope on the network.

First you want to filter the traffic, so only traffic that runs to or from IP addresses within the scope you have chosen are accepted, and all other traffic is rejected. For this purpose drop a Filter Packets tool on the canvas. Connect Collect Packets tool with the Filter Packets tool and, double-click, on Filter Packet tool

Open/Close section Screenshots

Since you want to measure all traffic check all three check boxes in the Tool Properties window namely: TCP, UDP, ICMP. Now you want to define the scope. Place the cursor in the upper Add field. Defining the scope shouldn't be difficult, here are some examples:
xxx.xxx.0.0-xxx.xxx.255.255 can also be written like this: xxx.xxx.*.*
Once you have defined your scope, click "Add".
You can choose what ports you want. Since this is a billing example, you will want to measure all traffic on all ports within your scope. type "*" in the lower Add field and click "Add".

Now drop a Extract Packet Headers tool on the canvas and connect it with the Filter Packets tool, using the dark blue arrow, through which the accepted packets flow. Double-click on the Extract Packet Header tool. Since you only want to measure amount of traffic, all you have to do is check the "IP Specific fields" check box and click "OK".

Open/Close section Screenshots

Viewing the data samples. (right click on the Extract Packet Header tool choosing Data Samples). Starting from the top this window contains information about the :

Packet: Packet type
ip_proto: Shows weather the packet type is: TCP, UDP or ICMP.
dst_ip: The ip address of the individual packet.
src_ip: The Ip address, where the packet has its origin.
timestamp: The time the packet was captured by the Netlogger, in UNIX time stamp format
len: The length of the packet measured in bytes.

It also provides you with information about which way the traffic is running. src_ip tell you where the packet has its origin and dest_ip, where the packet is heading for. Timestamp provides information about when the packet was received, while len lets you know how many bytes the individual packet contains.

Now you want to filter the records. Notice that the Extract Header tool have extracted additional information about the packet. Thus providing you with several extra fields. (For further information please consult the tool description section of this manual). Drop a Filter Records tool on the canvas, and connect it with the Extract Header tool.

Double click on the Filter Records. A small window with only one field opens. In this field you type in your filter rule. The filter rule is used as a condition for distinguishing between accepted and rejected packets. There are several different operators that can be applied. For further description please consult the tool description section of this manual.

Open/Close section Screenshots

You want to distinguish between records which have src_ip within the earlier defined scope, and records which have dst_ip within this scope. To do this type: "src_ip like 'xxx.xxx.*.*'", click "OK".

Open/Close section Screenshots

Right click on the Filter Records tool and choose Data Samples. You will see that the accepted records, go through the dark blue arrow all have a src_ip within the scope while the rejected records that goes through the light blue arrow have dst_ip within the same scope.

In this example we are interested in determining the sum of the length of all the packets from all the IP addresses, in the scope we defined earlier. To do this we need to manipulate our data.

For this purpose drop two Change Fields tools on the canvas. Connect one of the Change Field tools with the Filter Records tool using the dark blue arrow and the other using the light blue arrow.

Open/Close section Screenshots

Double-click on the Change Field tool through which the accepted records are processed (dark blue arrow).

The Change Field tool allows manipulating the data type of the records. For further use you want the length of the record, the time by which the packet was captured and finally the IP address that handled the record. Thus the properties window should look like this:

Open/Close section Screenshots



Hence Properties for the Change Field processing the rejected records (where dst_ip were in the defined scope) should look like this:

Now you have limited the stream of data information to exactly what you need, however it is still a stream, so before you can log the data, you still have a few steps to go.

Open/Close section Screenshots

Drop two Aggregate tools on the canvas connect each of them with the Change Fields tools, open properties. Here we can aggregate over the accepted records.

First you choose the duration of the aggregation. In this example we have chosen 10 seconds, but you can choose any time frame up to 86400 seconds - 14 hours.

Then choose src_ip as key, and finally select an object for the aggregation, which in this case will be the length (len).

With regards to the rejected records, you do the same, however you need to choose dst_ip as the key.

Now you can merge the two streams of manipulated data, and put your result into a file.

To do this you need to drop a Merge tool and a Log to File tool on the canvas. Connect the Merge tool with both the Aggregate tools and choose properties.

Open/Close section Screenshots

By default the Merge tool ignores fields, that are only represented in one of the datasets coming to the Merge tool. But by choosing properties you can force the Merge tool to include data fields that are only represented in one of the data streams. To do this, check the check boxes.

Having included src_ip and dst_ip, we proceed to log our data into a file. Connect the Log to File tool with the Merge tool, choose properties and you'll see this:

Open/Close section Screenshots

Choose name and location for your log file. In the field "Switch interval", state how often the data should be stored in a new file.

In this case we have chosen 1 hour, however the drop down menu lets you choose between different intervals in the scope [1min - 1 week].

BLOB handling bares no relevance to this example, for information about BLOB's please refer to the appendix of this manual.

Field order determines in which order the data appears in the Log File. The Format field allows you to choose between the Netlogger default and the W3C standard format. In the Headers field you can choose between the Netlogger default, None and Spreadsheet friendly. The latter one being of special interest for those who would like to import their data into a spread sheet for further investigation.
The Separate Field tools allows you to determine how the data should be separated. In this case it is <TAB>, but you could also have chosen space <SPACE> or anything else.

If you decide that you want to use <SPACE> as separator, and a space appears in your dataset, it will be impossible to use this file, since data contains the field separator. The solution to this problem lies in the Replace occurrences with field. Choose for example %20. This means that every time there occur a <SPACE> within the dataset the Log File automatically changes this <SPACE> to a %20.

The principal for the Record Separator is the same as for the Field Separator.

Click "OK"

Now you have your own Log file for billing purposes. The entire configuration should look like this if you have followed the directions:

Open/Close section Screenshots


© 2007 Unispeed A/S. All rights reserved.