
#3 port aggregation

open
nobody
None
5
2003-03-11
2003-03-11
Anonymous
No

Hi!

I also have been trying to find a program like yours for some time and I feel lucky that you had written it ;-)

I really like the program, however I'd like to make you a suggestion. Maybe I didn't understand aggregation well, but if I understood it well (and after trying it I think I did)... if you select for example remote port aggregation you ignore the remote port and you add all the connections to the very same machine together, and if you select host you ignore the host but also the port. I think it would be good to have a host aggregate (just host) so that you would ignore the host and take the port into account; that should give you the statistics on how each service is being used.

As I told you, maybe I understood it wrong and this can already be done, but if not, I think you should add host+port aggregation, which should be what host aggregation is now, and change the host aggregation to just ignore the host.

Sorry if I misunderstood all this, I just wanted to make a suggestion.

Thanks for your program.

Regards!

Santiago Garcia Mantinan <manty@aytolacoruna.es>

Discussion

  • Nobody/Anonymous


    I noticed the same thing. It is a trivial fix; there is a 'break'
    statement missing that causes requests for host aggregation not to stop
    at applying host aggregation, but to continue on to also applying port
    aggregation. Here is a patch against the 0.9 sources.
    ----- start of patch ----
    *** jnettop-0.9.orig/jnettop.c Wed Jul 30 12:24:24 2003
    --- jnettop-0.9/jnettop.c Thu May 20 11:31:09 2004
    ***************
    *** 270,281 ****
    --- 270,283 ----
    switch (localAggregation) {
    case AGG_HOST:
    stream->src.s_addr = 0x01000000;
    + break;
    case AGG_PORT:
    stream->srcport = -1;
    }
    switch (remoteAggregation) {
    case AGG_HOST:
    stream->dst.s_addr = 0x01000000;
    + break;
    case AGG_PORT:
    stream->dstport = -1;
    }
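    Review bot: adding the two breaks narrows the existing `host` setting to host-only, which is what the request asks for, but it silently changes behaviour for anyone who depended on the fall-through: the README's border-router example (quoted later in this thread) enables remote host aggregation precisely to fold the whole internet into one endpoint, and after this hunk that example would instead keep one row per remote port. Pair the fix with a README update, or add a separate host+port mode so the old behaviour stays reachable instead of disappearing without notice.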
    ---- end of patch ----
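The four aggregation modes discussed in this thread (the existing none/port/host plus the proposed host+port), with a switch that can optionally reproduce the missing-break fall-through diagnosed in the reply above, as an added C example written for this page rather than taken from jnettop. The 0x01000000 sentinel and the -1 port marker mirror the jnettop.c lines quoted in the patch, the AGG_* numbering follows jnettop.h with AGG_BOTH = 3 as proposed, and the sample traffic and byte counts are constructed. It counts the rows a mode pair produces, so the per-service view Santiago asks for (local host+port, remote host) can be compared with what 0.9 actually showed:

```c
#include <stdint.h>
#include <stdio.h>

/* Mode numbering as in jnettop.h; AGG_BOTH is the proposed host+port value.
 * Example code for this page, not jnettop's own source. */
enum { AGG_NONE = 0, AGG_PORT = 1, AGG_HOST = 2, AGG_BOTH = 3 };

/* "All hosts" sentinel mirroring jnettop.c's 0x01000000; ports are int so
 * -1 can mean "all ports" as in jnettop. Addresses are host byte order here. */
#define AGG_ADDR 0x01000000u

struct stream {
    uint32_t src, dst;      /* local and remote address */
    int srcport, dstport;   /* local and remote port, -1 = aggregated */
    unsigned long bytes;    /* bytes counted under this key */
};

/* Rewrite one side of a stream key for the given mode. fall_through != 0
 * reproduces jnettop 0.9, where the AGG_HOST arm had no break and therefore
 * also wiped the port (the behaviour the request above observed). */
static void aggregate_side(uint32_t *addr, int *port, int mode, int fall_through)
{
    switch (mode) {
    case AGG_HOST:
        *addr = AGG_ADDR;
        if (!fall_through)
            break;
        /* 0.9 bug: falls through into AGG_PORT */
    case AGG_PORT:
        *port = -1;
        break;
    case AGG_BOTH:
        *addr = AGG_ADDR;
        *port = -1;
        break;
    }
}

/* Classify n packets under a local/remote mode pair, merging byte counts of
 * packets whose aggregated keys collide. Returns the number of distinct rows
 * (what jnettop would display), or -1 if out[] is too small. */
static int aggregate_table(const struct stream *pkts, int n, int local_mode,
                           int remote_mode, int fall_through,
                           struct stream *out, int out_cap)
{
    int rows = 0;
    for (int i = 0; i < n; i++) {
        struct stream s = pkts[i];
        aggregate_side(&s.src, &s.srcport, local_mode, fall_through);
        aggregate_side(&s.dst, &s.dstport, remote_mode, fall_through);
        int j;
        for (j = 0; j < rows; j++) {
            if (out[j].src == s.src && out[j].dst == s.dst &&
                out[j].srcport == s.srcport && out[j].dstport == s.dstport) {
                out[j].bytes += s.bytes;
                break;
            }
        }
        if (j == rows) {
            if (rows == out_cap)
                return -1;
            out[rows++] = s;
        }
    }
    return rows;
}

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample: two intranet hosts talking to two public servers on
 * ports 80 and 443 (RFC 5737 documentation addresses, made-up byte counts). */
static const struct stream SAMPLE[] = {
    { IP4(10, 0, 0, 5), IP4(198, 51, 100, 10), 40001, 80,  1500 },
    { IP4(10, 0, 0, 5), IP4(203, 0, 113, 7),   40002, 443, 3000 },
    { IP4(10, 0, 0, 6), IP4(198, 51, 100, 10), 51000, 443, 700  },
    { IP4(10, 0, 0, 6), IP4(198, 51, 100, 10), 51001, 80,  200  },
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

/* Number of rows the sample produces under a mode pair. */
int rows_for(int local_mode, int remote_mode, int fall_through)
{
    struct stream out[NSAMPLE];
    return aggregate_table(SAMPLE, NSAMPLE, local_mode, remote_mode, fall_through, out, NSAMPLE);
}

/* Bytes attributed to one remote port under local host+port / remote host
 * aggregation: the per-service view the request asks for. With the 0.9
 * fall-through the remote port is wiped too, so only dstport -1 carries bytes. */
unsigned long service_bytes(int dstport, int fall_through)
{
    struct stream out[NSAMPLE];
    int n = aggregate_table(SAMPLE, NSAMPLE, AGG_BOTH, AGG_HOST, fall_through, out, NSAMPLE);
    unsigned long total = 0;
    for (int i = 0; i < n; i++)
        if (out[i].dstport == dstport)
            total += out[i].bytes;
    return total;
}

int main(void)
{
    struct stream out[NSAMPLE];
    int n = aggregate_table(SAMPLE, NSAMPLE, AGG_BOTH, AGG_HOST, 0, out, NSAMPLE);
    printf("local host+port, remote host (with break): %d row(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  remote port %d: %lu bytes\n", out[i].dstport, out[i].bytes);
    printf("same modes with the 0.9 fall-through: %d row(s)\n", rows_for(AGG_BOTH, AGG_HOST, 1));
    printf("README border-router view (local port, remote host+port): %d row(s)\n",
           rows_for(AGG_PORT, AGG_BOTH, 0));
    return 0;
}
```

`rows_for(AGG_PORT, AGG_HOST, 1)` and `rows_for(AGG_PORT, AGG_BOTH, 0)` both give one row per intranet host, which is why the README's original "remote host aggregation" wording worked in 0.9 and needs to become "remote host+port" once the break is added; `rows_for(AGG_PORT, AGG_HOST, 0)` splits those rows per remote port instead.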

     
  • Ari Pollak - 2004-06-03

    Attached is a patch which corrects the original host
    behavior to just host-only, and adds a new host+port
    aggregation, so the original behavior is still available.

    --start of patch--
    --- jnettop-0.9.orig/README
    +++ jnettop-0.9/README
    @@ -17,10 +17,11 @@
    (What is it?)

    Aggregation is a way, how to modify packet classicication
    rules. There are
    -two types of aggregation in jnettop: host and port. If
    there is port
    -aggregation enabled, it means, that all packets seem to
    come(go to) same port
    -numbers. If there is host aggregation enabled, it means,
    that all packets
    -seem to come(go to) same host. Let's have an example:
    +two types of aggregation in jnettop: host, port, and
    host+port. If there
    +is port aggregation enabled, it means, that all packets
    seem to come(go
    +to) same port numbers. If there is host aggregation
    enabled, it means,
    +that all packets seem to come(go to) same host. If host+port
    +aggregation is enabled, it aggregates both. Let's have an
    example:
    Suppose we have following configuration:

    +--- host0
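    Review bot: the new sentence "If host+port aggregation is enabled, it aggregates both" is the only place a reader learns how `host` and `host+port` differ, while the `host` description ("all packets seem to come(go to) same host") still reads as if the port vanished too; state explicitly that host aggregation keeps the port, so traffic is split per service, and that host+port folds the peer into a single endpoint. The context line's "classicication" is a typo for "classification" and could be fixed while this paragraph is being edited.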
    @@ -30,14 +31,14 @@
    i.e. typical border router with eth0 interface looking into
    internet and
    eth1 interface looking to intranet. Suppose we're running
    jnettop on router
    sniffing on interface eth0. To see how many bytes every
    host consumes out
    -of the internet connection, we enable remote host
    aggregation and local port
    -aggregation. i.e. All internet will behave as one endpoint
    and all programs
    -on one host will, too, behave as one endpoint. This way,
    every stream we see
    -in jnettop will be from one of the hosts in intranet to a
    public internet.
    -Aggregation is very powerfull laser-knife in network
    traffic analysis.
    -I understand, that it is not very user friendly
    implementation in jnettop and
    -I will gratefully welcome every suggestion on how to make
    this topic clear and
    -more clear-to-use.
    +of the internet connection, we enable remote host+port
    aggregation and
    +local port aggregation. i.e. All internet will behave as
    one endpoint
    +and all programs on one host will, too, behave as one
    endpoint. This
    +way, every stream we see in jnettop will be from one of the
    hosts in
    +intranet to a public internet. Aggregation is very
    powerfull laser-knife
    +in network traffic analysis. I understand, that it is not
    very user
    +friendly implementation in jnettop and I will gratefully
    welcome every
    +suggestion on how to make this topic clear and more
    clear-to-use.

    -- .jnettop configuration file --
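    Review bot: the only substantive change in this hunk is "remote host aggregation" becoming "remote host+port aggregation", but the whole paragraph is rewrapped, so the diff replaces fourteen lines and hides a one-word change; keep the original line breaks (or rewrap in a separate whitespace-only commit) so the semantic edit is visible in review. The edit itself is right: with a host-only `host` the example would otherwise show one row per remote port rather than one row per intranet host.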

    @@ -84,14 +85,14 @@

    Since version 0.9, jnettop supports following new keywors:

    - local_aggregation [none|host|port]
    + local_aggregation [none|host|port|host+port]

    this keyword sets startup local aggregation value
    ex.

    local_aggregation port

    - remote_aggregation [none|host|port]
    + remote_aggregation [none|host|port|host+port]

    this keyword sets startup remote aggregation value
    ex.
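    Review bot: `host+port` is documented here as a config-file value, but config_parse_aggregation takes a GScanner (the jnettop.c hunk at line 998 below shows its signature, not its body), and GScanner's default identifier character set does not include `+`; unless that function does its own tokenizing or the scanner is configured to accept `+`, `local_aggregation host+port` in ~/.jnettop will likely be read as the three tokens `host`, `+`, `port` and never reach parse_aggregation as the single string it compares against. Test the config-file path, or quote the value / accept an alternative spelling such as `hostport`. The command-line `--local-aggr host+port` path is unaffected.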
    --- jnettop-0.9.orig/jnettop.c
    +++ jnettop-0.9/jnettop.c
    @@ -35,7 +35,7 @@
    #endif

    gchar *NTOP_PROTOCOLS[] = { "UNK.", "IP", "TCP", "UDP",
    "ARP", "ETHER", "SLL", "AGGR." };
    -gchar *NTOP_AGGREGATION[] = { "none", "port", "host" };
    +gchar *NTOP_AGGREGATION[] = { "none", "port", "host",
    "host+port" };

    char pcap_errbuf[PCAP_ERRBUF_SIZE];
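    Review bot: this array is indexed by the AGG_* values, so "host+port" must stay at index 3 to match AGG_BOTH in jnettop.h, and the display code later in this patch sizes its fields to this string's nine characters; a comment tying the element order to the defines, or a compile-time check on the element count, would keep the array, the defines and the field widths from drifting apart.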

    @@ -270,14 +270,26 @@
    switch (localAggregation) {
    case AGG_HOST:
    stream->src.s_addr = 0x01000000;
    + break;
    case AGG_PORT:
    stream->srcport = -1;
    + break;
    + case AGG_BOTH:
    + stream->src.s_addr = 0x01000000;
    + stream->srcport = -1;
    + break;
    }
    switch (remoteAggregation) {
    case AGG_HOST:
    stream->dst.s_addr = 0x01000000;
    + break;
    case AGG_PORT:
    stream->dstport = -1;
    + break;
    + case AGG_BOTH:
    + stream->dst.s_addr = 0x01000000;
    + stream->dstport = -1;
    + break;
    }
    }
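    Review bot: with AGG_BOTH added, the 0x01000000 sentinel and the -1 port marker are each now written in four places across two mirrored switches; a small helper taking (address, port, mode), called once for src and once for dst, removes the duplication and guarantees the local and remote cases cannot diverge. Neither switch has a default arm, so any value outside none/port/host/host+port (parse_aggregation returns AGG_UNKNOWN for unrecognised input) silently behaves as `none`; an explicit default with g_assert_not_reached() would surface that. The sentinel is also a host-order literal stored into s_addr, a network-byte-order field, so it renders as 0.0.0.1 on little-endian machines and 1.0.0.0 on big-endian ones; pre-existing, but a named constant would make the intent clear.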

    @@ -448,7 +460,7 @@
    attrset(A_NORMAL);

    mvprintw(0, 0, "run XXX:XX:XX device
    XXXXXXXXXX pkt[f]ilter: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
    - mvprintw(1, 0, "[c]ntfilter: XXX
    [b]ps=XXXXXXX [l]ocal aggr.: XXXX [r]emote aggr.: XXXX ");
    + mvprintw(1, 0, "[c]ntfilter: XXX
    [b]ps=XXXXXXX [l]ocal aggr.: XXXXXXXXX [r]emote
    aggr.:XXXXXXXXX");
    #if HAVE_PCAP_FINDALLDEVS
    if (devices_count>1) {
    mvprintw(2, 10, "[0]-[9] switch
    device");
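    Review bot: the widened template now ends exactly at column 80 (the remote field starts at column 71 and is nine wide), which is why the space after "[r]emote aggr.:" had to be dropped; on an 80-column terminal there is no slack left and any longer mode name will be clipped. Abbreviating the labels (for example "[l]ocal:" and "[r]emote:") would restore the space and leave room for growth.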
    @@ -505,8 +517,8 @@
    mvprintw(0, 45, "%-29.29s",
    activeBPFFilterName?activeBPFFilterName:"none");
    mvprintw(1, 13, "%s", onoffContentFiltering?"on
    ":"off");
    mvprintw(1, 23, "%s", onoffBitValues?"bits/s
    ":"bytes/s");
    - mvprintw(1, 46, "%s",
    NTOP_AGGREGATION[localAggregation]);
    - mvprintw(1, 67, "%s",
    NTOP_AGGREGATION[remoteAggregation]);
    + mvprintw(1, 46, "%-9s",
    NTOP_AGGREGATION[localAggregation]);
    + mvprintw(1, 71, "%-9s",
    NTOP_AGGREGATION[remoteAggregation]);

    attroff(A_BOLD);
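    Review bot: the "%-9s" width and the column 71 are both worked out by hand from the template in the previous hunk and from strlen("host+port"); deriving the width from the longest NTOP_AGGREGATION entry, or sharing one #define between the template and these two calls, would stop the pieces going out of step when a mode is renamed.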

    @@ -763,11 +775,11 @@
    break;
    case 'l':
    markAllAsDead();
    -
    localAggregation = (localAggregation + 1) % 3;
    +
    localAggregation = (localAggregation + 1) % 4;
    break;
    case 'r':
    markAllAsDead();
    -
    remoteAggregation = (remoteAggregation + 1) % 3;
    +
    remoteAggregation = (remoteAggregation + 1) % 4;
    break;
    case '0':
    case '1':
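    Review bot: the cycle length is a bare `4` in two places and must be bumped again whenever a mode is added; `(AGG_BOTH + 1)`, an AGG_COUNT define in jnettop.h, or G_N_ELEMENTS(NTOP_AGGREGATION) expresses the intent and keeps the 'l' and 'r' keys in step with the array and the defines. Note that the key cycles in AGG_* order (none, port, host, host+port), not in the order the README lists the modes.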
    @@ -998,15 +1010,16 @@
    }

    int parse_aggregation(const char *agg) {
    - if (strcmp(agg, "none") && strcmp(agg,"host") &&
    strcmp(agg,"port")) {
    + if (strcmp(agg, "none") == 0)
    + return AGG_NONE;
    + else if (strcmp(agg,"host") == 0)
    + return AGG_HOST;
    + else if (strcmp(agg,"port") == 0)
    + return AGG_PORT;
    + else if (strcmp(agg,"host+port") == 0)
    + return AGG_BOTH;
    + else
    return AGG_UNKNOWN;
    - }
    - switch (*agg) {
    - case 'n': return AGG_NONE;
    - case 'h': return AGG_HOST;
    - case 'p': return AGG_PORT;
    - }
    - return AGG_UNKNOWN;
    }

    int config_parse_aggregation(GScanner *s) {
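    Review bot: the strcmp chain duplicates the strings already held in NTOP_AGGREGATION in AGG_* index order, so a loop over that array returning the matching index (and AGG_UNKNOWN on no match) would keep the parser and the display labels from diverging; each `else` after a `return` is also redundant. The exact-match semantics are unchanged from the old code, which already rejected anything but the full words before dispatching on the first letter, so this is a safe rewrite.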
    @@ -1212,14 +1225,14 @@
    " -d, --debug filename
    write debug information into file\n"
    " -f, --config-file name
    reads configuration from file. defaults to ~/.jnettop\n"
    " -i, --interface name
    capture packets on specified interface\n"
    - " --local-aggr arg
    set local aggregation to none/host/port\n"
    + " --local-aggr arg
    set local aggregation to none/host/port/host+port\n"
    " -p, --promiscuous
    enable promisc mode on the devices\n"
    - " --remote-aggr arg
    set remote aggregation to none/host/port\n"
    + " --remote-aggr arg
    set remote aggregation to none/host/port/host+port\n"
    " -s, --select-rule rule
    selects one of the rules defined in config file\n"
    "
    by it's name\n"
    " -x, --filter rule
    allows for specification of custom filtering rule\n"
    "
    this follows tcpdump(1) syntax. don't forget to\n"
    - "
    enclose the filter into quotes when running from shell\n"
    + "
    enclose the filter in quotes when running from shell\n"
    "\n"
    "Report bugs to <j@kubs.cz>\n");
    exit(0);
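    Review bot: the "into quotes" to "in quotes" wording fix on the --filter help line is unrelated to aggregation and is better split into its own commit so this patch reads as one change; the two --local-aggr/--remote-aggr lines themselves are fine and match the config-file keywords.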
    --- jnettop-0.9.orig/jnettop.h
    +++ jnettop-0.9/jnettop.h
    @@ -160,4 +160,5 @@
    #define AGG_NONE 0
    #define AGG_PORT 1
    #define AGG_HOST 2
    +#define AGG_BOTH 3
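    Review bot: AGG_BOTH is appended as a bare #define with nothing tying it to the `% 4` key cycle, the four-element NTOP_AGGREGATION array or the parser; define AGG_COUNT as (AGG_BOTH + 1) here (or convert the set to an enum with a trailing count) and use it in those places so the next mode needs a single edit. AGG_UNKNOWN, which parse_aggregation returns, is not in this hunk, so make sure its value stays outside the 0..AGG_COUNT-1 range that indexes the array.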

    --end of patch--

     
