* Re: Bandwidth monitoring
@ 2012-10-28 15:37 David H. Lynch Jr.
  2012-10-28 20:59 ` Christian Lamparter
  0 siblings, 1 reply; 29+ messages in thread
From: David H. Lynch Jr. @ 2012-10-28 15:37 UTC (permalink / raw)
  To: linux-wireless

>From: Christian Lamparter
>>># iw dev wlanX set channel 1 HT40+ (or HT40-/HT20)
>> 
>> This is setting up to send on channel 1 HT40+ correct ?
>yes, I hope so.

Thanks

>> Wireshark appears to handle RadioTap - I am seeing lots of other flags
>> etc. but not BW40.
>It depends on the version. Here's a screenshot
>from wireshark 1.8.2: <http://imageshack.us/f/703/mcsinfo.png/>
Thanks

>> Googling Radiotap produces lots of comments that suggest that Radiotap
>> headers - send and receive are not necessarily complete or accurate from
>> device to device - is that a reasonable conclusion ?
>Most mac80211 drivers should report rx'ed MCS information.
>At least ath9k, ath9k_htc, brcmsmac, carl9170, iwlagn, iwllegacy, mwl8k,
>rt2800*, rtl8192* do
Using carl9170 so that should be OK.

>What might not work is: injecting frames with MCS rates [no code
>in ieee80211_parse_tx_radiotap for that?]... So maybe the issue
>is indeed at the other end?

Assuming Carl9170/AR9170's at both ends 
But if I am using iw to set monitor mode, channel, and
bandwidth, 
And using Raw sockets injection with a radiotap header that has no
frequency/channel/bandwidth information, 
I should then be able to receive that packet on another system with an
AR9170 and 1.8.2 Wireshark and the BW40 flag should be true ?

I need to do something that involves sending HT40 packets in a
completely different context. But I do not have a spectrum analyzer to
confirm that I am actually sending what I want.
So I have been using airmon, wireshark, ....
But I need to be able to send and verify an HT40 packet by some somewhat
normal means, to assure myself that my receiving end wireshark
hardware/driver/software combination can tell me what I need to know.




--
To unsubscribe from this list: send the line "unsubscribe
linux-wireless" in
the body of a message to majordomo@...
More majordomo info at  http://vger.kernel.org/majordomo-info.html



^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: Bandwidth monitoring
  2012-10-28 15:37 Bandwidth monitoring David H. Lynch Jr.
@ 2012-10-28 20:59 ` Christian Lamparter
  0 siblings, 0 replies; 29+ messages in thread
From: Christian Lamparter @ 2012-10-28 20:59 UTC (permalink / raw)
  To: dhlii; +Cc: linux-wireless

On Sunday, October 28, 2012 04:37:47 PM David H. Lynch Jr. wrote:
> > From: Christian Lamparter
> >What might not work is: injecting frames with MCS rates [no code
> >in ieee80211_parse_tx_radiotap for that?]... So maybe the issue
> >is indeed at the other end?
> 
> Assuming Carl9170/AR9170's at both ends
Ah, any mac80211 device should do.

> But if I am using iw to set monitor mode, channel, and
> bandwidth, And using Raw sockets injection with a radiotap header
> that has no frequency/channel/bandwidth information, 
> I should then be able to receive that packet on another system
> with an AR9170 and 1.8.2 Wireshark and the BW40 flag should be true?
Ah now I see where the problem is.
You see, the "40MHz bit" is part of the MCS rate meta info (aka flags).
(See enum mac80211_rate_control_flags in include/net/mac80211.h)

This stuff is usually set by the rate control algorithm. But because
you are injecting frames there's not a lot of rate control and the frame
is usually sent at the lowest possible data rate for the channel (usually
these are the 1MBit/6Mbit legacy rates and not HT20 or HT40 rates).
This is true for almost all mac80211 devices which don't feature a rate
control offload option in firmware (i.e.: ath9k_htc does have a firmware
rc and might do things differently).

OffTopic:
There is also a legacy duplicate flag IEEE80211_TX_RC_DUP_DATA that
duplicates the 20MHz legacy packet in two 20MHz halves of a 40MHz
channel. (The downside is that there's no dedicated RX_FLAG for
that and this information is not available in the radiotap)
 
> I need to do something that involves sending HT40 packets in a
> completely different context.
The receiving part should be handled by all of the mac80211 devices
I listed in the previous post out-of-the-box.

The sending part is not. AFAICT you'll have to start by declaring
and defining a new radiotap rate info element (IEEE80211_RADIOTAP_RATE
can only handle the bit rate and that is not enough). Then you have
to add a parser which translates the rate info in the radiotap header
into mac80211 ieee80211_tx_rate and tell mac80211 to bypass rate_ctrl
tx handler in this case so the info won't be overwritten again...
And finally you'll have to add a header with this new rate info element
into the radiotap header of all the frames you send through the raw
monitor interface.

A proof-of-concept should be easily doable within a day. But getting this
new radiotap to be part of the spec will take longer ;).

> But I do not have a spectrum analyzer to
> confirm that i am actually sending what I want.
I don't think you need a spectrum analyzer... unless of course
it can also generate HT40 frames.

> So I have been using airmon, wireshark, ....
> But i need to be able to send and verify an HT40 packet by some somewhat
> normal means, to assure myself that my receiving end wireshark
> hardware/driver/software combination can tell me what i need to know. 
Well, you should be able to verify if your device picks up HT40 frames
easily. All you need is any busy 11n network with a 11n AP and a 11n
client. Just setup the receiver device (correct channel and HT40+/-
setting) and start listening.

Regards,
	Chr 

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: Bandwidth monitoring
  2012-10-29  0:44 David H. Lynch Jr.
@ 2012-10-29 11:46 ` Christian Lamparter
  0 siblings, 0 replies; 29+ messages in thread
From: Christian Lamparter @ 2012-10-29 11:46 UTC (permalink / raw)
  To: dhlii; +Cc: linux-wireless

On Monday, October 29, 2012 01:44:35 AM David H. Lynch Jr. wrote:
> I would be happy with any other means of forcing the transmission of an
> HT40 packet. RADIOTAP injection is just the only means I am aware of to
> do so - and from what I am gathering not an effective one.
Depends, hostapd uses it a lot. But it doesn't need to do any HT40
transmissions. I know that other people had similar issues as well,
but with ath9k. AFAICT, someone posted a patch on ath9k-devel which
made it possible to force the rate of outgoing frames, but you'll
have to google that.  
 
> > The sending part is not. AFAICT you'll have to start by declaring
> > and defining a new radiotap rate info element (IEEE80211_RADIOTAP_RATE
> > can only handle the bit rate and that is not enough). Then you have
> > to add a parser which translates the rate info in the radiotap header
> > into mac80211 ieee80211_tx_rate and tell mac80211 to bypass rate_ctrl
> > tx handler in this case so the info won't be overwritten again...
> > And finally you'll have to add a header with this new rate info element
> > into the radiotap header of all the frames you send through the raw
> > monitor interface.
> 
> > A proof-of-concept should be easily doable within a day. But getting
> > this new radiotap to be part of the spec will take longer ;)
> with my level of Radiotap/mac80211/wifi knowledge this is much more
> than a days work.
How do you know? The parser code is in ieee80211_parse_tx_radiotap and
all you would have to do is to extend it with another case and tell
mac80211 not to overwrite the rate in ieee80211_tx_h_rate_ctrl when
it was set by ieee80211_parse_tx_radiotap.
 
> Any other ideas for forcing transmission of an HT40 packet?
> What If I omit radiotap and just send an ieee80211 raw packet?
Sure, you can do that. Just get a skb. Fill it with the data you
want to send and initialize the ieee80211_tx_control and
ieee80211_tx_info (in skb's cb) and call carl9170_op_tx.

If you want it to be done by the fw: Just reserve some space in 
ar9170_dma_memory and fill out the tx header carl9170_tx_superdesc
(header declarations and definitions are in include/shared/wlan.h)
and call wlan_tx_fw.

> >> So I have been using airmon, wireshark, ....
> >> But i need to be able to send and verify an HT40 packet by some
> >>somewhat
> >> normal means, to assure myself that my receiving end wireshark
> >> hardware/driver/software combination can tell me what i need to
> >know. 
> >Well, you should be able to verify if your device picks up HT40 frames
> >easily. All you need is any busy 11n network with a 11n AP and a 11n
> >client. Just setup the receiver device (correct channel and HT40+/-
> >setting) and start listening.
> still not easy - no 80211n AP's just a lot of AR9170's.
> I guess I am going to be looking for a cheap 80211n AP. 

if you have two devices to spare you can setup one as AP and the other
as a client [this can be done on the same machine if you have network
namespaces].

AP:
 # hostapd hostapd.conf 

--- hostapd.conf ---
interface=wlanX
driver=nl80211
ssid=TESTN
hw_mode=g
channel=1
wmm_enabled=1
ieee80211n=1
ht_capab=[HT40+]
--- hostapd.conf ---


client:
 # iw dev wlanY connect TESTN

---
Then assign both AP and client ip addresses in the same subnet and
ping each other.

Regards,
	Chr

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: Bandwidth monitoring
@ 2012-10-29  0:44 David H. Lynch Jr.
  2012-10-29 11:46 ` Christian Lamparter
  0 siblings, 1 reply; 29+ messages in thread
From: David H. Lynch Jr. @ 2012-10-29  0:44 UTC (permalink / raw)
  To: linux-wireless

>From: Christian Lamparter <chunkeey@...>
>> But if I am using iw to set monitor mode, channel, and
>> bandwidth, And using Raw sockets injection with a radiotap header
>> that has no frequency/channel/bandwidth information, 
>> I should then be able to receive that packet on another system
>> with an AR9170 and 1.8.2 Wireshark and the BW40 flag should be true?
>Ah now I see where the problem is.
>You see, the "40MHz bit" is part of the MCS rate meta info (aka flags).
>(See enum mac80211_rate_control_flags in include/net/mac80211.h)
RADIOTAP packet injection is not a mandatory facet of my problem.
I am only using it to inject a packet with known parameters so that I can
trace what is happening for the purposes of duplicating the behavior
either in firmware or in userspace. But before I can do so I need to see
the construction and environment changes needed to transmit an HT40
packet.

I would be happy with any other means of forcing the transmission of an
HT40 packet. RADIOTAP injection is just the only means I am aware of to
do so - and from what I am gathering not an effective one. 




>OffTopic:
>There is also a legacy duplicate flag IEEE80211_TX_RC_DUP_DATA that
>duplicates the 20MHz legacy packet in two 20MHz halves of a 40MHz
>channel. (The downside is that there's no dedicated RX_FLAG for
>that and this information is not available in the radiotap)
This might be sufficient - for the purposes of testing I do not care
about the data in the packet. 






>The sending part is not. AFAICT you'll have to start by declaring
>and defining a new radiotap rate info element (IEEE80211_RADIOTAP_RATE
>can only handle the bit rate and that is not enough). Then you have
>to add a parser which translates the rate info in the radiotap header
>into mac80211 ieee80211_tx_rate and tell mac80211 to bypass rate_ctrl
>tx handler in this case so the info won't be overwritten again...
>And finally you'll have to add a header with this new rate info element
>into the radiotap header of all the frames you send through the raw
>monitor interface.

>A proof-of-concept should be easily doable within a day. But getting
>this
>new radiotap to be part of the spec will take longer ;)
with my level of Radiotap/mac80211/wifi knowledge this is much more than
a days work.

Any other ideas for forcing transmission of an HT40 packet ?
What If I omit radiotap and just send an ieee80211 raw packet ?

>> So I have been using airmon, wireshark, ....
>> But i need to be able to send and verify an HT40 packet by some
>>somewhat
>> normal means, to assure myself that my receiving end wireshark
>> hardware/driver/software combination can tell me what i need to
>know. 
>Well, you should be able to verify if your device picks up HT40 frames
>easily. All you need is any busy 11n network with a 11n AP and a 11n
>client. Just setup the receiver device (correct channel and HT40+/-
>setting) and start listening.
still not easy - no 80211n AP's just a lot of AR9170's.
I guess I am going to be looking for a cheap 80211n AP. 






^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: Bandwidth monitoring
  2012-10-23 18:58 David H. Lynch Jr.
@ 2012-10-24  6:35 ` Christian Lamparter
  0 siblings, 0 replies; 29+ messages in thread
From: Christian Lamparter @ 2012-10-24  6:35 UTC (permalink / raw)
  To: David H. Lynch Jr.; +Cc: linux-wireless

On Tuesday, October 23, 2012 08:58:39 PM David H. Lynch Jr. wrote:
>> On Sunday, October 21, 2012 09:58:18 PM David H. Lynch Jr. wrote:
>>> I am looking for an easy means to determine the characteristics of a
>>> transmitted packet. 
>>> Particularly whether it is HT20/HT40-/HT40+ I have used a variety of
>>> sniffers, airodump, wireshark, ... and I can not seem to find anything
>>> that will tell me what I am after - or I do not know how to use them.
>>differentiating between HT40+ and HT40- will be difficult to do with
>>just one standard wifi device (should be possible with two though).
>>
>>If you use mac80211, have you setup your monitor channel by adding
>>the HT20/HT40+/HT40- flag? 
>># iw dev wlanX set channel 1 HT40+ (or HT40-/HT20)
> 
> This is setting up to send on channel 1 HT40+ correct ?
yes, I hope so.

> >As for retrieving the information:
> >If a HT20/HT40  frame was received, it should have a radiotap
> >IEEE80211_RADIOTAP_MCS header element (on the monitor interface dump).
> >In this element should provide the MCS and flags for 
> > - BW40 (if false => HT20, if true => HT40+ or HT40- depending
> >   on the channel configuration)
> > - Short GI
> > - Greenfield flag
> > - (LDPC)
> 
> Wireshark appears to handle RadioTap - I am seeing lots of other flags
> etc. but not BW40.
It depends on the version. Here's a screenshot
from wireshark 1.8.2: <http://imageshack.us/f/703/mcsinfo.png/>

>> But I don't know if any of this information is parsed by any of the
>> current tools (depends on the version I guess). At least for wireshark
>> you can always look at the raw hex dump of the package, so it should
>> be there! The definitions of what RADIOTAP_MCS bit means what are in:
>> <include/net/ieee80211_radiotap.h>
> 
> Googling Radiotap produces lots of comments that suggest that Radiotap
> headers - send and receive are not necessarily complete or accurate from
> device to device - is that a reasonable conclusion ?
Most mac80211 drivers should report rx'ed MCS information.
At least ath9k, ath9k_htc, brcmsmac, carl9170, iwlagn, iwllegacy, mwl8k,
rt2800*, rtl8192* do.

What might not work is: injecting frames with MCS rates [no code
in ieee80211_parse_tx_radiotap for that?]... So maybe the issue
is indeed at the other end?

Regards,
	Chr

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: Bandwidth monitoring
@ 2012-10-23 18:58 David H. Lynch Jr.
  2012-10-24  6:35 ` Christian Lamparter
  0 siblings, 1 reply; 29+ messages in thread
From: David H. Lynch Jr. @ 2012-10-23 18:58 UTC (permalink / raw)
  To: linux-wireless

>On Sunday, October 21, 2012 09:58:18 PM David H. Lynch Jr. wrote:
>> I am looking for an easy means to determine the characteristics of a
>> transmitted packet. 
>> Particularly whether it is HT20/HT40-/HT40+ I have used a variety of
>> sniffers, airodump, wireshark, ... and I can not seem to find anything
>> that will tell me what I am after - or I do not know how to use them.
>differentiating between HT40+ and HT40- will be difficult to do with
>just one standard wifi device (should be possible with two though).

>If you use mac80211, have you setup your monitor channel by adding
>the HT20/HT40+/HT40- flag? 
># iw dev wlanX set channel 1 HT40+ (or HT40-/HT20)


This is setting up to send on channel 1 HT40+ correct ?
I am already doing that. I need to know if it is succeeding.
I am using Packetspammer to send with all the channel/frequency
radiotap headers removed, and setting up using iw for what I want as
above.



>This might help.

>As for retrieving the information:
>If a HT20/HT40  frame was received, it should have a radiotap
>IEEE80211_RADIOTAP_MCS header element (on the monitor interface dump).
>In this element should provide the MCS and flags for 
> - BW40 (if false => HT20, if true => HT40+ or HT40- depending
>   on the channel configuration)
> - Short GI
> - Greenfield flag
> - (LDPC)

Wireshark appears to handle RadioTap - I am seeing lots of other flags
etc. but not BW40.

>But I don't know if any of this information is parsed by any of the
>current tools (depends on the version I guess). At least for wireshark
>you can always look at the raw hex dump of the package, so it should
>be there! The definitions of what RADIOTAP_MCS bit means what are in:
><include/net/ieee80211_radiotap.h>


Googling Radiotap produces lots of comments that suggest that Radiotap
headers - send and receive are not necessarily complete or accurate from
device to device - is that a reasonable conclusion ?



>Regards,
>	Chr

Thanks



^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: Bandwidth monitoring
  2012-10-21 19:58 David H. Lynch Jr.
@ 2012-10-22 10:43 ` Christian Lamparter
  0 siblings, 0 replies; 29+ messages in thread
From: Christian Lamparter @ 2012-10-22 10:43 UTC (permalink / raw)
  To: David H. Lynch Jr.; +Cc: linux-wireless

On Sunday, October 21, 2012 09:58:18 PM David H. Lynch Jr. wrote:
> I am looking for an easy means to determine the characteristics of a
> transmitted packet. 
> Particularly whether it is HT20/HT40-/HT40+ I have used a variety of
> sniffers, airodump, wireshark, ... and I can not seem to find anything
> that will tell me what I am after - or I do not know how to use them.
differentiating between HT40+ and HT40- will be difficult to do with
just one standard wifi device (should be possible with two though).

If you use mac80211, have you setup your monitor channel by adding
the HT20/HT40+/HT40- flag? 
# iw dev wlanX set channel 1 HT40+ (or HT40-/HT20)

This might help.

As for retrieving the information:
If a HT20/HT40  frame was received, it should have a radiotap
IEEE80211_RADIOTAP_MCS header element (on the monitor interface dump).
In this element should provide the MCS and flags for 
 - BW40 (if false => HT20, if true => HT40+ or HT40- depending
   on the channel configuration)
 - Short GI
 - Greenfield flag
 - (LDPC)

But I don't know if any of this information is parsed by any of the
current tools (depends on the version I guess). At least for wireshark
you can always look at the raw hex dump of the package, so it should
be there! The definitions of what RADIOTAP_MCS bit means what are in:
<include/net/ieee80211_radiotap.h>

Regards,
	Chr

^ permalink raw reply	[flat|nested] 29+ messages in thread
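
Added example (not part of the thread, and not code from the kernel or Wireshark): a bounds-checked C parser that walks a captured radiotap header to the IEEE80211_RADIOTAP_MCS element described in the message above and reports whether BW40 is set; it returns 0 for a frame that carries no MCS element, which is what a frame sent at a legacy rate looks like. Bit values follow include/net/ieee80211_radiotap.h; the function names and both sample frames are constructed for illustration, and present-bit 18 is treated as unsupported.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions and masks as in include/net/ieee80211_radiotap.h */
#define RT_MCS_BIT     19      /* IEEE80211_RADIOTAP_MCS */
#define RT_EXT_BIT     31      /* another "present" word follows */
#define MCS_HAVE_BW    0x01
#define MCS_BW_MASK    0x03
#define MCS_BW_40      1
#define MCS_SGI        0x04
#define MCS_FMT_GF     0x08
#define MCS_FEC_LDPC   0x10

/* Alignment/size of the radiotap fields that precede MCS (bits 0..18).
 * Bit 18 has no entry in the kernel table, so it is treated as unsupported. */
static const struct { uint8_t align, size; } rt_field[RT_MCS_BIT] = {
    {8, 8}, {1, 1}, {1, 1}, {2, 4}, {2, 2}, {1, 1}, {1, 1}, {2, 2},
    {2, 2}, {2, 2}, {1, 1}, {1, 1}, {1, 1}, {1, 1}, {2, 2}, {2, 2},
    {1, 1}, {1, 1}, {0, 0}
};

struct mcs_info { uint8_t known, flags, index; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *out if an MCS element is present, 0 if the frame has
 * none (legacy rate), -1 if the header is malformed, truncated or unsupported. */
int radiotap_get_mcs(const uint8_t *buf, size_t caplen, struct mcs_info *out)
{
    if (caplen < 8 || buf[0] != 0)            /* version must be 0 */
        return -1;
    size_t hdrlen = (size_t)buf[2] | (size_t)buf[3] << 8;
    if (hdrlen < 8 || hdrlen > caplen)        /* never trust it_len alone */
        return -1;

    uint32_t present = le32(buf + 4);
    size_t off = 8;
    /* Skip any extended "present" words; the data fields start after them. */
    for (uint32_t w = present; w & (1u << RT_EXT_BIT); off += 4) {
        if (off + 4 > hdrlen)
            return -1;
        w = le32(buf + off);
    }
    if (!(present & (1u << RT_MCS_BIT)))
        return 0;

    /* Step over every field that precedes MCS, honouring its alignment
     * (alignment is relative to the start of the radiotap header). */
    for (int bit = 0; bit < RT_MCS_BIT; bit++) {
        if (!(present & (1u << bit)))
            continue;
        if (rt_field[bit].size == 0)
            return -1;
        size_t a = rt_field[bit].align;
        off = ((off + a - 1) & ~(a - 1)) + rt_field[bit].size;
        if (off > hdrlen)
            return -1;
    }
    if (off + 3 > hdrlen)
        return -1;
    out->known = buf[off];
    out->flags = buf[off + 1];
    out->index = buf[off + 2];
    return 1;
}

/* 40 for BW40, 20 for 20/20L/20U, 0 if the driver did not report bandwidth */
int mcs_bandwidth_mhz(const struct mcs_info *m)
{
    if (!(m->known & MCS_HAVE_BW))
        return 0;
    return (m->flags & MCS_BW_MASK) == MCS_BW_40 ? 40 : 20;
}

/* Constructed sample: TSFT, FLAGS, CHANNEL, DBM_ANTSIGNAL, MCS (BW40 + short GI, MCS 7) */
static const uint8_t frame_ht40[] = {
    0x00, 0x00, 0x1a, 0x00, 0x2b, 0x00, 0x08, 0x00,   /* ver, pad, len=26, present */
    0, 0, 0, 0, 0, 0, 0, 0,                           /* TSFT */
    0x00, 0x00,                                       /* FLAGS, pad to 2 */
    0x6c, 0x09, 0x80, 0x04,                           /* 2412 MHz, channel flags */
    0xd8,                                             /* -40 dBm */
    0x07, 0x05, 0x07                                  /* MCS: known, flags, index */
};
/* Constructed sample: FLAGS + RATE only, as for a frame sent at 1 Mbit/s */
static const uint8_t frame_legacy[] = {
    0x00, 0x00, 0x0a, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x02
};

int main(void)
{
    struct mcs_info m;
    if (radiotap_get_mcs(frame_ht40, sizeof frame_ht40, &m) == 1)
        printf("MCS %u, %d MHz, SGI=%d GF=%d LDPC=%d\n", m.index, mcs_bandwidth_mhz(&m),
               !!(m.flags & MCS_SGI), !!(m.flags & MCS_FMT_GF), !!(m.flags & MCS_FEC_LDPC));
    printf("legacy frame -> %d\n", radiotap_get_mcs(frame_legacy, sizeof frame_legacy, &m));
    return 0;
}
```

A result of 0 on the receiving side means the captured frame had no MCS element at all, so a missing BW40 flag there points at the transmit rate rather than at the dissector.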

* Bandwidth monitoring
@ 2012-10-21 19:58 David H. Lynch Jr.
  2012-10-22 10:43 ` Christian Lamparter
  0 siblings, 1 reply; 29+ messages in thread
From: David H. Lynch Jr. @ 2012-10-21 19:58 UTC (permalink / raw)
  To: linux-wireless

I am looking for an easy means to determine the characteristics of a
transmitted packet. 
Particularly whether it is HT20/HT40-/HT40+
I have used a variety of sniffers, airodump, wireshark, ...
and I can not seem to find anything that will tell me what I am after -
or I do not know how to use them.
I am transmitting packets in monitor mode with specified frequencies and
parameters and i am trying to verify that I have sent what I intended
without getting a spectrum analyser.  

thanks


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: bandwidth monitoring
  2005-01-26 18:33 ` Ranjeet Shetye
@ 2005-01-26 20:00   ` Jose Maria Lopez
  0 siblings, 0 replies; 29+ messages in thread
From: Jose Maria Lopez @ 2005-01-26 20:00 UTC (permalink / raw)
  To: netfilter

On Wed, 26 Jan 2005 at 19:33, Ranjeet Shetye wrote:
> * patrick.leduc@novipro.com (patrick.leduc@novipro.com) wrote:
> > Hello
> > 
> > Does somebody know a program for monitoring bandwidth by ip? I have one 
> > internet interface and I must monitor many ips addresses on this interface. I
> > tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> > this way.
> > 
> > thanx
> > 
> 
> Long term bandwidth usage can be tracked using MRTG. (stored data +
> daemon + http server + web based gui)
> 
> Instantaneous bandwidth usage can be tracked using iftop. (ncurses)

You can try our bastion-firewall-stats-addon, it's GPL and it uses
rrdtool to do the graphical stats. It's very easy to use, but you
have to use bastion-firewall to use it.

Another good option is using something like Cacti to have an
interface to Rrdtool. It has scripts to monitor interfaces and
can do all kind of graphs.

Regards.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"



^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: bandwidth monitoring
  2005-01-06 16:28 patrick.leduc
                   ` (4 preceding siblings ...)
  2005-01-10 13:45 ` Fabiano Reis
@ 2005-01-26 18:33 ` Ranjeet Shetye
  2005-01-26 20:00   ` Jose Maria Lopez
  5 siblings, 1 reply; 29+ messages in thread
From: Ranjeet Shetye @ 2005-01-26 18:33 UTC (permalink / raw)
  To: netfilter

* patrick.leduc@novipro.com (patrick.leduc@novipro.com) wrote:
> Hello
> 
> Does somebody know a program for monitoring bandwidth by ip? I have one 
> internet interface and I must monitor many ips addresses on this interface. I
> tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> this way.
> 
> thanx
> 

Long term bandwidth usage can be tracked using MRTG. (stored data +
daemon + http server + web based gui)

Instantaneous bandwidth usage can be tracked using iftop. (ncurses)

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.



^ permalink raw reply	[flat|nested] 29+ messages in thread

* RE: bandwidth monitoring
  2005-01-06 16:28 patrick.leduc
                   ` (3 preceding siblings ...)
  2005-01-07  1:54 ` Mark E. Donaldson
@ 2005-01-10 13:45 ` Fabiano Reis
  2005-01-26 18:33 ` Ranjeet Shetye
  5 siblings, 0 replies; 29+ messages in thread
From: Fabiano Reis @ 2005-01-10 13:45 UTC (permalink / raw)
  To: patrick.leduc, netfilter

I'm actually using hotsanic to make this.

http://hotsanic.sourceforge.net/

It has features to monitor other things as well...



-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
patrick.leduc@novipro.com
Sent: Thursday, January 06, 2005 2:28 PM
To: netfilter@lists.netfilter.org
Subject: bandwidth monitoring

Hello

Does somebody know a program for monitoring bandwidth by ip? I have one
internet interface and I must monitor many ips addresses on this interface. I
tried Ipac-ng and, I worked a lot to do this config but it seems not working
this way.

thanx




^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: bandwidth monitoring
@ 2005-01-07  5:48 Patrich Björklund
  0 siblings, 0 replies; 29+ messages in thread
From: Patrich Björklund @ 2005-01-07  5:48 UTC (permalink / raw)
  To: netfilter

Hi, there. I don't really know if you just wanna know what ips gets
to/through your interfaces? I have a prog called tcpick. It show like
this:

root # tcpick -i eth0 -C
Starting tcpick 0.1.19
tcpick: listening on eth0
SYN-SENT       192.168.0.2:45190 > 217.215.148.17:pop3
SYN-RECEIVED   192.168.0.2:45190 > 217.215.148.17:pop3
ESTABLISHED    192.168.0.2:45190 > 217.215.148.17:pop3
FIN-WAIT-1     192.168.0.2:45190 > 217.215.148.17:pop3
FIN-WAIT-2     192.168.0.2:45190 > 217.215.148.17:pop3

>Hello
>
>Does somebody know a program for monitoring bandwidth by ip? I have one
>internet interface and I must monitor many ips addresses on this interface. I
>tried Ipac-ng and, I worked a lot to do this config but it seems not working
>this way.
>
>thanx



------------------------------




^ permalink raw reply	[flat|nested] 29+ messages in thread

* RE: bandwidth monitoring
  2005-01-06 16:28 patrick.leduc
                   ` (2 preceding siblings ...)
  2005-01-06 20:09 ` Michael Gale
@ 2005-01-07  1:54 ` Mark E. Donaldson
  2005-01-10 13:45 ` Fabiano Reis
  2005-01-26 18:33 ` Ranjeet Shetye
  5 siblings, 0 replies; 29+ messages in thread
From: Mark E. Donaldson @ 2005-01-07  1:54 UTC (permalink / raw)
  To: patrick.leduc, netfilter

 
http://bandwidthd.sourceforge.net/


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
patrick.leduc@novipro.com
Sent: Thursday, January 06, 2005 8:28 AM
To: netfilter@lists.netfilter.org
Subject: bandwidth monitoring

Hello

Does somebody know a program for monitoring bandwidth by ip? I have one
internet interface and I must monitor many ips addresses on this interface. I
tried Ipac-ng and, I worked a lot to do this config but it seems not working
this way.

thanx


########################################################
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

postmaster@bandwidthco.com
MailScanner at bandwidthco.com is for your absolute protection.
########################################################







^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: bandwidth monitoring
  2005-01-06 21:54       ` J. Nerius
@ 2005-01-06 23:30         ` Michael Gale
  0 siblings, 0 replies; 29+ messages in thread
From: Michael Gale @ 2005-01-06 23:30 UTC (permalink / raw)
  To: J. Nerius, netfilter


Ahhh .. I see now. Our setup is rather small and we only have about 10 
megabits max at any given time -- usually much less.

Here is the command I use to start ntop:
ntop -4 -a /home/ntopwatch/webaccess --daemon -i eth1,eth2 -o -n -p 
userprolist -s -u ntopwatch -w 192.168.7.1:3000 -M -P /home/ntopwatch/

My userprolist:
FTP=ftp|ftp-data
HTTP=http|www|https|3128
DIFFHTTP=8080|8888
RDP=3389
DNS=name|domain
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NNTP=nntp
SSH=22
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0
eDonkey=4661-4665
Messenger=1863|5000|5001|5190-5193

But the box which is running ntop is:
Dual PIII 1.4Ghz with 1GB of RAM.

Michael.

J. Nerius wrote:
> Hello, 
> 
> My concern was for the amount of resources NTOP would end up using with
> the current volume of traffic we have going through any one link.
> 
> Basically, there will be at least 3000 hosts totaling around 25 megabits
> of traffic at any given time. In my experience with ntop for short-term
> monitoring, I found that in these circumstances, the process size and
> cpu utilization were quite high.
> 
> I've been using bandwidthd to collect data and then just rsyncing that
> data to a different server that actually graphs the data. I'd like to
> use ntop for its detailed tracking capabilities, but given the resource
> utilization issues I've seen in the past, am not sure how feasible this
> would be. 
> 
> How many hosts and how much traffic is currently going through your
> setup? It's very possible that I may just need to tweak settings
> somewhere to improve performance. 
> 
> J.N.
> 
> 
> On Thu, 2005-01-06 at 14:28 -0700, Michael Gale wrote:
> 
>>Hello,
>>
>>	I am not sure I follow ... NTOP takes care of providing the stats, so 
>>if you firewall box or ntop server can handle your network.
>>
>>The storage box can be what and where ever ... for example you could 
>>have a low end box somewhere on the network that makes the http 
>>connection, downloads the stats and stores them in a database.
>>
>>Then you only need a simple method to display them when needed. If you 
>>are a large company it might be easier to setup multiple ntop servers 
>>and have all the stats stored in a central location.
>>
>>Michael.
>>
>>
>>
>>J. Nerius wrote:
>>
>>>How many hosts and how much traffic are you running through it? I've
>>>wanted to come up with a solution similar to the one you've described to
>>>replace my current bandwidthd setup but I'm thinking that my network may
>>>be too large with too much traffic to support something like that
>>>without building a monster box just to capture the stats. 
>>>
>>>J.N.
>>>
>>>On Thu, 2005-01-06 at 13:09 -0700, Michael Gale wrote:
> 
> 
> 

-- 
Michael Gale
Lan Administrator
Utilitran Corp.

I make better friends with those who think for them selves


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: bandwidth monitoring
  2005-01-06 21:28     ` Michael Gale
@ 2005-01-06 21:54       ` J. Nerius
  2005-01-06 23:30         ` Michael Gale
  0 siblings, 1 reply; 29+ messages in thread
From: J. Nerius @ 2005-01-06 21:54 UTC (permalink / raw)
  To: Michael Gale; +Cc: netfilter

Hello, 

My concern was for the amount of resources NTOP would end up using with
the current volume of traffic we have going through any one link.

Basically, there will be at least 3000 hosts totaling around 25 megabits
of traffic at any given time. In my experience with ntop for short-term
monitoring, I found that in these circumstances, the process size and
cpu utilization were quite high.

I've been using bandwidthd to collect data and then just rsyncing that
data to a different server that actually graphs the data. I'd like to
use ntop for its detailed tracking capabilities, but given the resource
utilization issues I've seen in the past, am not sure how feasible this
would be. 

How many hosts and how much traffic is currently going through your
setup? It's very possible that I may just need to tweak settings
somewhere to improve performance. 

J.N.


On Thu, 2005-01-06 at 14:28 -0700, Michael Gale wrote:
> Hello,
> 
> 	I am not sure I follow ... NTOP takes care of providing the stats, so 
> if you firewall box or ntop server can handle your network.
> 
> The storage box can be what and where ever ... for example you could 
> have a low end box somewhere on the network that makes the http 
> connection, downloads the stats and stores them in a database.
> 
> Then you only need a simple method to display them when needed. If you 
> are a large company it might be easier to setup multiple ntop servers 
> and have all the stats stored in a central location.
> 
> Michael.
> 
> 
> 
> J. Nerius wrote:
> > How many hosts and how much traffic are you running through it? I've
> > wanted to come up with a solution similar to the one you've described to
> > replace my current bandwidthd setup but I'm thinking that my network may
> > be too large with too much traffic to support something like that
> > without building a monster box just to capture the stats. 
> > 
> > J.N.
> > 
> > On Thu, 2005-01-06 at 13:09 -0700, Michael Gale wrote:





* Re: bandwidth monitoring
  2005-01-06 20:19   ` J. Nerius
@ 2005-01-06 21:28     ` Michael Gale
  2005-01-06 21:54       ` J. Nerius
  0 siblings, 1 reply; 29+ messages in thread
From: Michael Gale @ 2005-01-06 21:28 UTC (permalink / raw)
  To: netfilter

Hello,

	I am not sure I follow ... NTOP takes care of providing the stats, so 
if your firewall box or ntop server can handle your network.

The storage box can be what and where ever ... for example you could 
have a low end box somewhere on the network that makes the http 
connection, downloads the stats and stores them in a database.

Then you only need a simple method to display them when needed. If you 
are a large company it might be easier to setup multiple ntop servers 
and have all the stats stored in a central location.

Michael.



J. Nerius wrote:
> How many hosts and how much traffic are you running through it? I've
> wanted to come up with a solution similar to the one you've described to
> replace my current bandwidthd setup but I'm thinking that my network may
> be too large with too much traffic to support something like that
> without building a monster box just to capture the stats. 
> 
> J.N.
> 
> On Thu, 2005-01-06 at 13:09 -0700, Michael Gale wrote:
> 
>>Hello,
>>
>>	To run NTOP permanently you just have to clear the stats nightly. I have 
>>a php script that makes a HTTP connection, downloads the stats from NTOP 
>>and saves them in a mysql database. It then makes another connection and 
>>tells NTOP to reset the stats.
>>
>>That keeps the memory and CPU usage low ... so you could run it 
>>continuously.
>>
>>Michael.
>>
>>
>>patrick.leduc@novipro.com wrote:
>>
>>>Hello
>>>
>>>Does somebody know a program for monitoring bandwidth by ip? I have one 
>>>internet interface and I must monitor many ips addresses on this interface. I 
>>>tried Ipac-ng and, I worked a lot to do this config but it seems not working 
>>>this way.
>>>
>>>thanx
>>>
>>
> 

-- 
Michael Gale
Lan Administrator
Utilitran Corp.

I make better friends with those who think for them selves



* Re: bandwidth monitoring
       [not found]   ` <41DDA135.5000205@cisco.com>
@ 2005-01-06 21:24     ` Michael Gale
  0 siblings, 0 replies; 29+ messages in thread
From: Michael Gale @ 2005-01-06 21:24 UTC (permalink / raw)
  To: Marek Dohojda, netfilter

No problem ...

	I just checked and actually I am using two scripts.

The first script:
--snip-- runntop -- executed by cron.
#!/bin/bash

# Ask the MIS web server to run ntopget.php, which pulls the stats from ntop
/usr/bin/curl -k -s -s --digest -u ntopUP:ntopUP \
    https://mis.utilitran.com/uploadscripts/ntopget.php > /dev/null

if [ "$?" == "0" ]; then
echo "File loaded" >> /dev/null
else
~/email "Error with NTOP update" netops@utilitran.com < /dev/null
fi

sleep 5

# Tell ntop to reset its statistics
/usr/bin/curl --basic -u admin:ntopadmin \
    http://ntop.utilitran.com:3000/ntop/resetStats.html

if [ "$?" == "0" ]; then
echo "File loaded" >> /dev/null
else
~/email "Error with NTOP reset" netops@utilitran.com < /dev/null
fi
--snip--

The first script makes an http request to a php web page that displays no 
data. Then once that is successful it makes an http connection to ntop 
and resets the stats.

The second script ... that the first script calls, uses curl to make a 
http connection to the ntop server, download the stats and store them in 
a database. The scripts are kind of messy ... really my first attempt. 
You may notice that data_total is not being used .. that is because I am 
working on storing the total amounts somewhere .. but that is not done.


The second script:
--snip-- ntopget.php -- executed by http request
<?php
//
// The PHP curl module supports the received page to be returned in a variable
// if told.
//
//

$dat=date('m:d:y-U');
$startphp="<?php\n";
$endphp="?>";

echo 'Preparing to download file<BR>';
$fp = fopen('/home/mis/htdocs/datafiles/ntop/data/' . $dat, 'w');
fwrite($fp,$startphp,strlen($startphp));
fclose($fp);

$fp = fopen('/home/mis/htdocs/datafiles/ntop/data/' . $dat, 'a');
$ch = curl_init("http://ntop.utilitran.com:3000/ntop/dumpData.html?language=php&view=long");

curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);

fclose($fp);

$fp = fopen('/home/mis/htdocs/datafiles/ntop/data/' . $dat, 'a');
fwrite($fp,$endphp,strlen($endphp));
fclose($fp);

echo 'Done downloading file<BR>';

// The downloaded dump is executed as PHP here; it defines $ntopHash
include '/home/mis/htdocs/datafiles/ntop/data/' . $dat;

// Start of using array

               $db = mysql_connect("127.0.0.1", "ntop", "ntop") or die("Error ... check with network team");
               mysql_select_db("ntop",$db);

foreach ($ntopHash as $key => $value) {

         $addme = strpos($key,"192.168.7");
         $data = array();

         if ( $addme !== FALSE )
         {

array_push($data,$key);
array_push($data,$ntopHash[$key]['hostResolvedName']);
array_push($data,$dat);
array_push($data,$ntopHash[$key]['ethAddressString']);
array_push($data,$ntopHash[$key]['firstSeen']);
array_push($data,$ntopHash[$key]['lastSeen']);
array_push($data,$ntopHash[$key]['averageRcvdThpt']);
array_push($data,$ntopHash[$key]['averageSentThpt']);
array_push($data,$ntopHash[$key]['averageTThpt']);
array_push($data,$ntopHash[$key]['icmpSent']);
array_push($data,$ntopHash[$key]['icmpRcvd']);
array_push($data,$ntopHash[$key]['IP']['FTP']['sendLoc']);
array_push($data,$ntopHash[$key]['IP']['FTP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['FTP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['FTP']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['HTTP']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['HTTP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['HTTP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['HTTP']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['DIFFHTTP']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['DIFFHTTP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['DIFFHTTP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['DIFFHTTP']['rcvdFromRem']);

array_push($data,$ntopHash[$key]['IP']['RDP']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['RDP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['RDP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['RDP']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['DNS']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['DNS']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['DNS']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['DNS']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['Mail']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['Mail']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['Mail']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['Mail']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['DHCP-BOOTP']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['DHCP-BOOTP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['DHCP-BOOTP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['DHCP-BOOTP']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['SNMP']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['SNMP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['SNMP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['SNMP']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['NNTP']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['NNTP']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['NNTP']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['NNTP']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['SSH']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['SSH']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['SSH']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['SSH']['rcvdFromRem']);
array_push($data,$ntopHash[$key]['IP']['Messenger']['sentLoc']);
array_push($data,$ntopHash[$key]['IP']['Messenger']['rcvdLoc']);
array_push($data,$ntopHash[$key]['IP']['Messenger']['sentRem']);
array_push($data,$ntopHash[$key]['IP']['Messenger']['rcvdFromRem']);


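         // Build the quoted, comma-separated value lists for the INSERT
         $data_table = '';
         $data_total = '';

         foreach ( $data as $value ) {

         // Escape each value: host names and other strings come from the network
         $data_table = $data_table . '\'' . mysql_real_escape_string($value, $db) . '\',';

         }

         for ($i=0;$i<6;$i++) {

         // Index the $data array (indexing the $data_table string returns single characters)
         $data_total = $data_total . '\'' . mysql_real_escape_string($data[$i], $db) . '\',';

         }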


         $data_table = substr($data_table,0,(strlen($data_table)-1));
         $data_total = substr($data_total,0,(strlen($data_total)-1));

                 // Here we upload the data into the daily table

                 $sql = "INSERT INTO ntop_daily VALUES ($data_table)";

                 $result = mysql_query($sql) or die("Error ..... check with network team " . mysql_error());

                 if ( $result === FALSE )
                 {
                 exec('/home/mis/email "NTOP Nightly Update FAILED" "The NTOP nightly update failed" \&/> /dev/null');
                 }

         }
unset($data_table);
unset($data_total);
unset($data);
unset($result);

}

               mysql_close($db);

?>
--snip--




Marek Dohojda wrote:
> Can I see that script?
> 
> 
> 
> 
> 
> ---
> 01001101011000010111001001100101011010110010000001000100010011110110100001101111011010100110010001100001 
> 
> 
> Michael Gale wrote:
> 
>> Hello,
>>
>>     To run NTOP permanently you just have to clear the stats nightly. I 
>> have a php script that makes a HTTP connection, downloads the stats 
>> from NTOP and saves them in a mysql database. It then makes another 
>> connection and tells NTOP to reset the stats.
>>
>> That keeps the memory and CPU usage low ... so you could run it 
>> continuously.
>>
>> Michael.
>>
>>
>> patrick.leduc@novipro.com wrote:
>>
>>> Hello
>>>
>>> Does somebody know a program for monitoring bandwidth by ip? I have 
>>> one internet interface and I must monitor many ips addresses on this 
>>> interface. I tried Ipac-ng and, I worked a lot to do this config but 
>>> it seems not working this way.
>>>
>>> thanx
>>>
>>

-- 
Michael Gale
Lan Administrator
Utilitran Corp.

I make better friends with those who think for them selves



* RE: bandwidth monitoring
@ 2005-01-06 20:28 Daniel Chemko
  0 siblings, 0 replies; 29+ messages in thread
From: Daniel Chemko @ 2005-01-06 20:28 UTC (permalink / raw)
  To: J. Nerius, Michael Gale; +Cc: netfilter

J. Nerius wrote:
> How many hosts and how much traffic are you running through it? I've
> wanted to come up with a solution similar to the one you've described
> to replace my current bandwidthd setup but I'm thinking that my
> network may be too large with too much traffic to support something
> like that without building a monster box just to capture the stats.
> 

If you have a small static number of hosts in/out of your system, you
may want to use netfilter blank rule counters since the penalty of
passing each counter is very very low (entirely kernel side).

To put this in perspective, there've been a lot of performance issues
with people running 10000+ rule sites with adverse effects on their
network setup. Lower than that, and the impact is pretty low. Plus,
blank rules don't do anything but increment the counter, so the actual
CPU utilization of these rules is even lower. This is to give maximum
accounting of an existing kernel. I'm sure there have been a few
in-kernel accounting packages made, but I can't recall any at the
moment. Maybe someone here can refresh our memory.

Of course the problem with this approach is that you have to know which
IPs are generating traffic before setting this thing up since the
iptables rules are static. It's good if you want to monitor internal
users' traffic to the net and the amount of traffic a server is getting,
but to actually track the internet endpoints, you're better off using a
dynamic traffic tracking tool like ntop or bandwidthd.




* Re: bandwidth monitoring
  2005-01-06 20:09 ` Michael Gale
@ 2005-01-06 20:19   ` J. Nerius
  2005-01-06 21:28     ` Michael Gale
       [not found]   ` <41DDA135.5000205@cisco.com>
  1 sibling, 1 reply; 29+ messages in thread
From: J. Nerius @ 2005-01-06 20:19 UTC (permalink / raw)
  To: Michael Gale; +Cc: netfilter

How many hosts and how much traffic are you running through it? I've
wanted to come up with a solution similar to the one you've described to
replace my current bandwidthd setup but I'm thinking that my network may
be too large with too much traffic to support something like that
without building a monster box just to capture the stats. 

J.N.

On Thu, 2005-01-06 at 13:09 -0700, Michael Gale wrote:
> Hello,
> 
> 	To run NTOP permanently you just have to clear the stats nightly. I have 
> a php script that makes a HTTP connection, downloads the stats from NTOP 
> and saves them in a mysql database. It then makes another connection and 
> tells NTOP to reset the stats.
> 
> That keeps the memory and CPU usage low ... so you could run it 
> continuously.
> 
> Michael.
> 
> 
> patrick.leduc@novipro.com wrote:
> > Hello
> > 
> > Does somebody know a program for monitoring bandwidth by ip? I have one 
> > internet interface and I must monitor many ips addresses on this interface. I 
> > tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> > this way.
> > 
> > thanx
> > 
> 




* Re: bandwidth monitoring
  2005-01-06 16:28 patrick.leduc
  2005-01-06 17:09 ` J. Nerius
  2005-01-06 17:42 ` Les Mikesell
@ 2005-01-06 20:09 ` Michael Gale
  2005-01-06 20:19   ` J. Nerius
       [not found]   ` <41DDA135.5000205@cisco.com>
  2005-01-07  1:54 ` Mark E. Donaldson
                   ` (2 subsequent siblings)
  5 siblings, 2 replies; 29+ messages in thread
From: Michael Gale @ 2005-01-06 20:09 UTC (permalink / raw)
  To: patrick.leduc, netfilter

Hello,

	To run NTOP permanently you just have to clear the stats nightly. I have 
a php script that makes a HTTP connection, downloads the stats from NTOP 
and saves them in a mysql database. It then makes another connection and 
tells NTOP to reset the stats.

That keeps the memory and CPU usage low ... so you could run it 
continuously.

Michael.


patrick.leduc@novipro.com wrote:
> Hello
> 
> Does somebody know a program for monitoring bandwidth by ip? I have one 
> internet interface and I must monitor many ips addresses on this interface. I 
> tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> this way.
> 
> thanx
> 

-- 
Michael Gale
Lan Administrator
Utilitran Corp.

I make better friends with those who think for them selves



* RE: bandwidth monitoring
  2005-01-06 19:04 Daniel Chemko
@ 2005-01-06 19:39 ` Les Mikesell
  0 siblings, 0 replies; 29+ messages in thread
From: Les Mikesell @ 2005-01-06 19:39 UTC (permalink / raw)
  To: Daniel Chemko; +Cc: netfilter

On Thu, 2005-01-06 at 13:04, Daniel Chemko wrote:

> I'll address this as well. Ntop is fantastic at giving you snapshot data
> of a network, but it is inanely heavy at long term monitoring of
> services. It got to the point that monitoring traffic from the firewall
> filled memory and CPU usage if run long enough. It doesn't work for
> continuous operations.

The thing to keep in mind is that it is keeping a database that
includes all of the remote IP addresses and ports as well as the
local ones, so of course this will grow quickly.  I haven't needed
to deal with long-term histories so I haven't investigated the
possibilities but I do recall something about ntop being able
to start new logs and archive the old ones as needed to limit
the active size.  There are tools to monitor and summarize
netflows between each pair of addresses, but again I haven't
used that part of the package.  There is also some support for
RRD databases which would probably be the way to go for longer
histories.

-- 
  Les Mikesell
   les@futuresource.com





* RE: bandwidth monitoring
@ 2005-01-06 19:04 Daniel Chemko
  2005-01-06 19:39 ` Les Mikesell
  0 siblings, 1 reply; 29+ messages in thread
From: Daniel Chemko @ 2005-01-06 19:04 UTC (permalink / raw)
  To: J. Nerius, Les Mikesell; +Cc: netfilter

J. Nerius wrote:
> ntop is great for *short term* monitoring. Generally it will become
> unmanageable if run for too long. If you want to monitor and keep
> stats over a longer period of time, bandwidthd will probably work
> better for you.
> 
> J.N.
> 
> On Thu, 2005-01-06 at 11:42 -0600, Les Mikesell wrote:
>> On Thu, 2005-01-06 at 10:28, patrick.leduc@novipro.com wrote:
>> 
>>> Does somebody know a program for monitoring bandwidth by ip? I have
>>> one internet interface and I must monitor many ips addresses on this
>>> interface. I tried Ipac-ng and, I worked a lot to do this config
>>> but it seems not working this way.
>> 
>> Ntop might do what you need.  http://www.ntop.org.  It can summarize
>> and sort traffic by address/port/protocol, etc.  I don't use it
>> continuously but fire it up for a while if I think something is
>> hogging the network. 

I'll address this as well. Ntop is fantastic at giving you snapshot data
of a network, but it is inanely heavy at long term monitoring of
services. It got to the point that monitoring traffic from the firewall
filled memory and CPU usage if run long enough. It doesn't work for
continuous operations.

The one really good thing about iptables is that every rule has a
counter of the number of hits that you run through it, so it is
possible to create custom counters for your software. This is not a
'simple' process, but it'll give you accurate traffic flows with
filtering, etc. that a normal libcap based tool can't give you. PS:
/proc/net/dev data is incorrect when netfilter & NAT are enabled. I
believe it's because NAT (return?) traffic bypasses this counter, so any
management tool that uses this technique for monitoring bandwidth will
also be flawed on a netfilter router.




* Re: bandwidth monitoring
  2005-01-06 17:42 ` Les Mikesell
@ 2005-01-06 17:56   ` J. Nerius
  0 siblings, 0 replies; 29+ messages in thread
From: J. Nerius @ 2005-01-06 17:56 UTC (permalink / raw)
  To: Les Mikesell; +Cc: netfilter

ntop is great for *short term* monitoring. Generally it will become
unmanageable if run for too long. If you want to monitor and keep stats
over a longer period of time, bandwidthd will probably work better for
you.

J.N.

On Thu, 2005-01-06 at 11:42 -0600, Les Mikesell wrote:
> On Thu, 2005-01-06 at 10:28, patrick.leduc@novipro.com wrote:
> 
> > Does somebody know a program for monitoring bandwidth by ip? I have one 
> > internet interface and I must monitor many ips addresses on this interface. I 
> > tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> > this way.
> 
> Ntop might do what you need.  http://www.ntop.org.  It can summarize and
> sort traffic by address/port/protocol, etc.  I don't use it continuously
> but fire it up for a while if I think something is hogging the network.
> 




* Re: bandwidth monitoring
  2005-01-06 16:28 patrick.leduc
  2005-01-06 17:09 ` J. Nerius
@ 2005-01-06 17:42 ` Les Mikesell
  2005-01-06 17:56   ` J. Nerius
  2005-01-06 20:09 ` Michael Gale
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 29+ messages in thread
From: Les Mikesell @ 2005-01-06 17:42 UTC (permalink / raw)
  To: patrick.leduc; +Cc: netfilter

On Thu, 2005-01-06 at 10:28, patrick.leduc@novipro.com wrote:

> Does somebody know a program for monitoring bandwidth by ip? I have one 
> internet interface and I must monitor many ips addresses on this interface. I 
> tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> this way.

Ntop might do what you need.  http://www.ntop.org.  It can summarize and
sort traffic by address/port/protocol, etc.  I don't use it continuously
but fire it up for a while if I think something is hogging the network.

-- 
  Les Mikesell
   les@futuresource.com





* Re: bandwidth monitoring
  2005-01-06 16:28 patrick.leduc
@ 2005-01-06 17:09 ` J. Nerius
  2005-01-06 17:42 ` Les Mikesell
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 29+ messages in thread
From: J. Nerius @ 2005-01-06 17:09 UTC (permalink / raw)
  To: patrick.leduc; +Cc: netfilter

Hello,

I have had good luck with a program called bandwidthd, available at
http://bandwidthd.sourceforge.net/

I know it's not netfilter related specifically but I found it met my
needs where others failed. 

J.N.

On Thu, 2005-01-06 at 11:28 -0500, patrick.leduc@novipro.com wrote:
> Hello
> 
> Does somebody know a program for monitoring bandwidth by ip? I have one 
> internet interface and I must monitor many ips addresses on this interface. I 
> tried Ipac-ng and, I worked a lot to do this config but it seems not working 
> this way.
> 
> thanx
> 




* bandwidth monitoring
@ 2005-01-06 16:28 patrick.leduc
  2005-01-06 17:09 ` J. Nerius
                   ` (5 more replies)
  0 siblings, 6 replies; 29+ messages in thread
From: patrick.leduc @ 2005-01-06 16:28 UTC (permalink / raw)
  To: netfilter

Hello

Does somebody know a program for monitoring bandwidth by ip? I have one 
internet interface and I must monitor many ips addresses on this interface. I 
tried Ipac-ng and, I worked a lot to do this config but it seems not working 
this way.

thanx



* Re: Bandwidth Monitoring
  2003-09-01  7:33 ` Ray Leach
@ 2003-09-04  6:34   ` Dharmendra.T
  0 siblings, 0 replies; 29+ messages in thread
From: Dharmendra.T @ 2003-09-04  6:34 UTC (permalink / raw)
  To: Netfilter Mailing List


Hi,

But to use this we have to install other packages like apache, mysql
etc. Which will not be recommended to do on a firewall machine. If
bwacct can sniff the data from any other machine and give me the
statistics then that works out great for me.


Regards
Dharmendra.T
dharmu@nsecure.net




On Mon, 2003-09-01 at 13:03, Ray Leach wrote:

    On Fri, 2003-08-29 at 12:31, Sathi wrote:
    > Hello All,
    > 
    > Is there any way to find out the bandwidth used by a client(LAN user), from
    > Linux gateway server.
    > 
    Have a look at bwacct. It's real easy to setup and works well.
    www.bwacct.org
    
    > I have to take monthly statistics of bandwidth used by a client (LAN user).
    > 
    > FYI i am using CBQ for bandwidth control
    > 
    > Regards
    > Sathi
    -- 
    --
    Raymond Leach <raymondl@knowledgefactory.co.za>
    Network Support Specialist
    http://www.knowledgefactory.co.za
    "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
    Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
    --

-- 
This message is intended for the addressee only. It may contain
privileged or Confidential information. If you have received this
message in error, please notify the sender and destroy the message
immediately. Unauthorised use or reproduction of this message is strictly
prohibited.


* Re: Bandwidth Monitoring
       [not found] <04a901c36e18$ad2d6650$2a0110ac@SAMHP>
  2003-08-31  1:03 ` Bandwidth Monitoring Arnt Karlsen
@ 2003-09-01  7:33 ` Ray Leach
  2003-09-04  6:34   ` Dharmendra.T
  1 sibling, 1 reply; 29+ messages in thread
From: Ray Leach @ 2003-09-01  7:33 UTC (permalink / raw)
  To: Netfilter Mailing List


On Fri, 2003-08-29 at 12:31, Sathi wrote:
> Hello All,
> 
> Is there any way to find out the bandwidth used by a client(LAN user), from
> Linux gateway server.
> 
Have a look at bwacct. It's real easy to setup and works well.
www.bwacct.org

> I have to take monthly statistics of bandwidth used by a client (LAN user).
> 
> FYI i am using CBQ for bandwidth control
> 
> Regards
> Sathi
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--


* Re: Bandwidth Monitoring
       [not found] <04a901c36e18$ad2d6650$2a0110ac@SAMHP>
@ 2003-08-31  1:03 ` Arnt Karlsen
  2003-09-01  7:33 ` Ray Leach
  1 sibling, 0 replies; 29+ messages in thread
From: Arnt Karlsen @ 2003-08-31  1:03 UTC (permalink / raw)
  To: netfilter

On Fri, 29 Aug 2003 16:01:11 +0530, 
"Sathi" <sathiyan@gmx.net> wrote in message 
<04a901c36e18$ad2d6650$2a0110ac@SAMHP>:

> Hello All,
> 
> Is there any way to find out the bandwidth used by a client(LAN user),
> from Linux gateway server.
> 
> I have to take monthly statistics of bandwidth used by a client (LAN
> user).

..several, 'iptables -vnL' shows how much traffic etc per rule, 
setting up rules per user and 'iptables -vnL' every month etc 
is one way, there is MRTG, ntop, RRD etc.
 
> FYI i am using CBQ for bandwidth control

...for each user?  Try 'http://fmb.no/ipcop/setup-cbq-0.0.4.tar.bz2', 
I'm open for ideas etc on -0.0.5.  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
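
The per-rule counter approach described in this message (rules per user, read with 'iptables -vnL'), which is also what Daniel Chemko calls "blank rule" counters earlier in the thread, as an added example that is not code from any poster. The chain name BWACCT and the function names are assumptions, and the counter listing is constructed sample data.

```shell
#!/bin/sh
# Added example: per-IP byte accounting from netfilter rule counters.
# BWACCT and all function names are hypothetical; the listing is constructed.

# Print the commands that build the accounting chain (review, then run as root).
# A rule with no -j target only increments its counters and falls through.
acct_rules() {
    echo "iptables -N BWACCT"
    echo "iptables -I FORWARD -j BWACCT"
    for ip in "$@"; do
        case $ip in
            ''|*[!0-9./]*) echo "skipping invalid address: $ip" >&2; continue ;;
        esac
        echo "iptables -A BWACCT -s $ip"   # bytes sent by the host
        echo "iptables -A BWACCT -d $ip"   # bytes received by the host
    done
}

# Constructed sample of "iptables -L BWACCT -v -n -x" output.
# -x prints exact byte counts instead of K/M/G abbreviations.
sample_listing() {
    cat <<'EOF'
Chain BWACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520   983040            all  --  *      *       192.168.7.10         0.0.0.0/0
    2210  3145728            all  --  *      *       0.0.0.0/0            192.168.7.10
      40     5200            all  --  *      *       192.168.7.11         0.0.0.0/0
      55    70400            all  --  *      *       0.0.0.0/0            192.168.7.11
EOF
}

# Read a listing on stdin, print "ip sent_bytes rcvd_bytes" per host.
# The target column is empty for blank rules, so fields are taken from the
# end of the line: source is the second-to-last field, destination the last.
parse_counters() {
    awk '
        $1 !~ /^[0-9]+$/ || NF < 8 { next }   # skip chain and column headers
        {
            bytes = $2; src = $(NF-1); dst = $NF
            if (src != "0.0.0.0/0") { sent[src] += bytes; seen[src] = 1 }
            if (dst != "0.0.0.0/0") { rcvd[dst] += bytes; seen[dst] = 1 }
        }
        END {
            # %.0f avoids 32-bit clipping of large counters in some awks
            for (ip in seen) printf "%s %.0f %.0f\n", ip, sent[ip], rcvd[ip]
        }
    ' | sort
}

# usage_delta PREV_FILE CUR_FILE: traffic since the previous snapshot.
# A counter lower than before means the rules were reloaded or the box
# rebooted, so the current value is taken as the whole delta.
usage_delta() {
    awk '
        FILENAME == ARGV[1] { ps[$1] = $2; pr[$1] = $3; next }
        {
            s = $2 - ps[$1]; r = $3 - pr[$1]
            if (s < 0) s = $2
            if (r < 0) r = $3
            printf "%s %.0f %.0f\n", $1, s, r
        }
    ' "$1" "$2"
}

# Demonstration on the constructed listing (no root or iptables needed).
sample_listing | parse_counters
```

On a live gateway the input to parse_counters would be the output of `iptables -L BWACCT -v -n -x`, saved once per reporting period and compared with usage_delta.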


