netraf
A Network Analyzer and Traffic Logger.


netrafl Working Scheme


netrafl - network logging daemon.


    This tool logs the data gathered by netrafd into files. It is useful when we want to analyze traffic much older than the last server reboot, which allows traffic shaping scripts to be defined more precisely. The netrafl working scheme is quite simple. First, it reads its configuration file, which specifies the writers to be logged. Then it creates one thread for every writer. Here the main part begins: logging, which lasts until interruption. Before netrafl exits, it cleans up all backup log files and leaves one log file per writer that has actually been logged.
    Now the details. The netrafl configuration file consists of a "globals" section and sections named after the writers we want to log. "globals" can have two entries: "files", the number of files created for one writer, and "default_period", the logging time covered by one full set of those files. This means that a writer is dumped every "default_period" / "files" seconds, so a complete rotation through all of its files takes "default_period" seconds. The entries "files" and "period" can be inserted into the writer sections. Their meaning is the same as in "globals", but they take precedence and simply override the global values. Let's look at the example:


#globals section should always be the first one in the file
[[globals]]
files = "4";
default_period = "360";
[[]]

[[writer_1]]
[[]]

[[writer_2]]
files = "6";
[[]]

[[writer_3]]
period = "160";
[[]]

[[writer_4]]
files = "5";
period = "50";
[[]]

    As we can see, writer_1 is logged into 4 files over 360 seconds (a dump every 90 seconds), writer_2 into 6 files over 360 seconds (every 60 seconds), writer_3 into 4 files over 160 seconds (every 40 seconds), and writer_4 into 5 files over 50 seconds (every 10 seconds).
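The following parser is an added example and not netraf's own code. It reads the configuration format shown above ("[[name]]" opens a section, "[[]]" closes it, entries look like key = "value"; and "#" starts a comment) and resolves the effective files/period for every writer using the override rule described in the text. The page fixes the format and the override rule; the function and class names, the rejection of malformed files (unclosed, unopened or duplicate sections, non-numeric values), and the refusal of a period shorter than the file count are assumptions added here.

```python
"""Parser for the netrafl configuration format and the per-writer schedule it
implies.  Added example, not netraf's own code.  The on-disk format and the
globals/writer override rule come from the page; function and class names and
the validation rules are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

SECTION = re.compile(r'^\[\[(\w*)\]\]$')            # [[name]] or [[]]
ENTRY = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*;$')   # key = "value";


@dataclass(frozen=True)
class Schedule:
    files: int    # rotating backup files kept for this writer
    period: int   # seconds covered by one full rotation through all files

    @property
    def interval(self) -> int:
        """Seconds between two dumps of this writer (period / files)."""
        return self.period // self.files


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {key: value}} in file order; raise ValueError on
    malformed input (unclosed/unopened/duplicate sections, bad entries)."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            name = m.group(1)
            if name == "":                      # [[]] closes the open section
                if current is None:
                    raise ValueError(f"line {lineno}: [[]] with no open section")
                current = None
            else:                               # [[name]] opens a new one
                if current is not None:
                    raise ValueError(f"line {lineno}: section {current!r} not closed")
                if name in sections:
                    raise ValueError(f"line {lineno}: duplicate section {name!r}")
                sections[name] = {}
                current = name
            continue
        m = ENTRY.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        sections[current][m.group(1)] = m.group(2)
    if current is not None:
        raise ValueError(f"section {current!r} not closed at end of file")
    return sections


def _positive_int(section: str, key: str, value: str) -> int:
    if not value.isdigit() or int(value) <= 0:
        raise ValueError(f"[{section}] {key}: expected a positive integer, got {value!r}")
    return int(value)


def schedules(text: str) -> dict[str, Schedule]:
    """Resolve the effective files/period for every writer section."""
    sections = parse_config(text)
    if next(iter(sections), None) != "globals":
        raise ValueError('"globals" must be the first section')
    g = sections["globals"]
    result: dict[str, Schedule] = {}
    for writer, entries in sections.items():
        if writer == "globals":
            continue
        # a writer's own "files"/"period" override the global values
        files = _positive_int(writer, "files", entries.get("files", g.get("files", "")))
        period = _positive_int(writer, "period",
                               entries.get("period", g.get("default_period", "")))
        if period < files:
            raise ValueError(f"[{writer}] period {period} < files {files}: sub-second dumps")
        result[writer] = Schedule(files, period)
    return result


def validate(text: str) -> str | None:
    """None if the configuration is acceptable, else the error message."""
    try:
        schedules(text)
    except ValueError as e:
        return str(e)
    return None


# The configuration from the page, embedded so the example runs stand-alone.
EXAMPLE_CONFIG = """\
#globals section should always be the first one in the file
[[globals]]
files = "4";
default_period = "360";
[[]]
[[writer_1]]
[[]]
[[writer_2]]
files = "6";
[[]]
[[writer_3]]
period = "160";
[[]]
[[writer_4]]
files = "5";
period = "50";
[[]]
"""

if __name__ == "__main__":
    for name, s in schedules(EXAMPLE_CONFIG).items():
        print(f"{name}: {s.files} files over {s.period} s, dump every {s.interval} s")
```

Run stand-alone, it prints the four schedules worked out in the text (90, 60, 40 and 10 seconds between dumps). Because log files use the same syntax as the configuration, the same parse_config() can be pointed at a log file as well.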

    After reading the configuration file, netrafl prepares the log files and creates the threads. Every thread waits until its time period has elapsed, chooses the oldest backup file, then reads the shared memory filled by netrafd and dumps all the data into that file.

    When netrafl is interrupted, it renames the newest log to the writer name with a ".log" suffix, and the rest of the files are removed. Before netrafd starts capturing packets, it can open any log file and fill shared memory with data from it. What happens if there was a power failure and netrafl did not manage to clean up the logs? There is no problem, because netrafd uses special functions that look for the newest backup.

    netrafd also has the ability to preserve the logs of writers that are deleted by netrafg. Suppose the user has deleted the writer 'if_stat'. Its log is renamed to 'if_stat_currenttimestamp_.log' instead of 'if_stat.log'. This prevents the loss of logged data when the user later defines a new writer with the same name as the old one.
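The file handling described in the three paragraphs above (oldest-slot rotation, clean-shutdown cleanup, newest-backup recovery after a power failure, and the timestamped rename of a deleted writer's log), as an added example that is not netraf's own code. The page gives the behaviour and the ".log" and "<writer>_<timestamp>_.log" names; the "<writer>.<n>.bak" slot naming, the temp-file-plus-rename write, and the explicit "now" clock argument (used instead of wall-clock mtimes so the ordering is deterministic) are assumptions of this example.

```python
"""Backup-slot rotation, clean-shutdown cleanup, crash recovery and deleted-writer
archiving in the style the page describes for netrafl/netrafd.  Added example,
not netraf's own code.  Assumed: the <writer>.<n>.bak slot naming, the
temp-file-plus-rename write, and an explicit 'now' clock (seconds) per call."""
from __future__ import annotations

import os
from pathlib import Path


def backup_slots(logdir: Path, writer: str, files: int) -> list[Path]:
    return [logdir / f"{writer}.{i}.bak" for i in range(files)]


def _mtime(p: Path) -> float:
    return p.stat().st_mtime


def prepare(logdir: Path, writer: str, files: int, now: float) -> None:
    """Startup: create every slot up front (empty) so dumps never create files."""
    logdir.mkdir(parents=True, exist_ok=True)
    for slot in backup_slots(logdir, writer, files):
        if not slot.exists():
            slot.touch()
            os.utime(slot, (now, now))


def dump(logdir: Path, writer: str, files: int, data: str, now: float) -> Path:
    """One logging tick: overwrite the oldest slot with 'data', return the slot."""
    slots = backup_slots(logdir, writer, files)
    missing = [s for s in slots if not s.exists()]
    target = missing[0] if missing else min(slots, key=_mtime)
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_text(data)
    os.replace(tmp, target)          # atomic: a crash never leaves a half-written slot
    os.utime(target, (now, now))     # stamp the slot with the logical dump time
    return target


def newest_log(logdir: Path, writer: str) -> Path | None:
    """What netrafd opens at startup: <writer>.log if cleanup ran, otherwise the
    newest non-empty backup (the power-failure case), or None if nothing exists."""
    final = logdir / f"{writer}.log"
    if final.exists():
        return final
    backups = [p for p in logdir.glob(f"{writer}.*.bak") if p.stat().st_size > 0]
    return max(backups, key=_mtime) if backups else None


def finalize(logdir: Path, writer: str) -> Path | None:
    """Clean shutdown: keep the newest backup as <writer>.log, delete the rest."""
    final = logdir / f"{writer}.log"
    newest = newest_log(logdir, writer)
    if newest is not None and newest != final:
        os.replace(newest, final)
    for p in logdir.glob(f"{writer}.*.bak"):
        p.unlink()
    return final if final.exists() else None


def archive_deleted(logdir: Path, writer: str, timestamp: int) -> Path | None:
    """Writer removed by the user: move its newest data to <writer>_<ts>_.log so a
    later writer with the same name starts from a clean <writer>.log."""
    src = newest_log(logdir, writer)
    if src is None:
        return None
    dst = logdir / f"{writer}_{timestamp}_.log"
    os.replace(src, dst)
    for p in logdir.glob(f"{writer}.*.bak"):
        p.unlink()
    return dst


def demo() -> dict[str, object]:
    """Walk one writer with 3 slots through four dumps, a crash-style read, a
    clean shutdown and a deletion, in a fresh temporary directory."""
    import tempfile
    d, w, n = Path(tempfile.mkdtemp()), "if_stat", 3
    prepare(d, w, n, now=1000.0)
    used = [dump(d, w, n, f"record {i}", now=1001.0 + i).name for i in range(4)]
    after_crash = newest_log(d, w).read_text()      # no cleanup yet: newest backup wins
    final = finalize(d, w)
    final_data = final.read_text()
    leftovers = sorted(p.name for p in d.glob(f"{w}.*.bak"))
    archived = archive_deleted(d, w, timestamp=1117000000)
    return {"slots_used": used, "after_crash": after_crash, "final": final.name,
            "final_data": final_data, "leftovers": leftovers,
            "archived": archived.name, "after_delete": newest_log(d, w)}


if __name__ == "__main__":
    print(demo())
```

The fourth dump lands in slot 0 again because it is the oldest of the three, which is the rotation the text describes. Since netrafd reloads shared memory from whatever it finds in this directory, the directory should be writable only by the account the daemons run under; otherwise any local user could plant a "newest backup" for it to load.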

    Data in the log files has the same syntax as the configuration files, which allows the logs to be read with the configuration-file functions. There is one limitation to netrafl: it can log only the ifstat and macstat types, because connstat and ipstat carry too much data, so logging them could seriously slow down the machine.

T.J.



Copyright © 2005, M.K., T.J., M.S.
netraf is Open Source software, distributed under the terms of the New BSD License.
waldson.com activity involved