TrafMeter :: Packet Logging

Packet Logging (not available in Lite version)

TrafMeter can record the IP packet headers of captured traffic into a plaintext file or into a database. To implement this feature, every TrafMeter filter has a special engine named "Packet Collector". Because recording every packet individually is too expensive, the Packet Collector groups IP packets that have identical parameters. The Packet Collector is a store for the counted packets and holds up to 2000 positions. Each position of the Packet Collector consists of the following set of IP packet header fields and counters:

  • IP protocol type (1 - ICMP, 6 - TCP, 17 - UDP, etc.;
    see c:\winnt\system32\drivers\etc\protocols.txt or RFC 1700 for details)
  • Source and destination IP addresses
  • Source and destination MAC addresses
  • Source and destination ports (for TCP and UDP only)
  • Sent bytes counter and received bytes counter
  • TOS (Type of Service) field

A process named "Flushing the Packet Collector" forces all the positions remaining in the Packet Collector to be written into the file or into the database. The Packet Collector is flushed after a fixed time period (by default, 20 seconds). Flushing too frequently may increase the system load. Flushing too infrequently may lead to a Packet Collector overflow. An overflow is marked in the logfiles as "Packet Collector is full"; if you see it, consider decreasing the flushing time period.

Compressing the dynamic ports (for TCP and UDP only)

Opening a webpage in an Internet browser may establish several TCP connections simultaneously, since the webpage may contain embedded graphic images. The packets of such a web session have very similar characteristics, which makes it possible to reduce the amount of logging significantly. When a new TCP/UDP connection is initialized, the client side chooses a port number at random from the range 1024-65535. This TCP/UDP client port number is also called "dynamic" or "client", and it is useless for traffic accounting.

In the dynamic port compression mode (enabled by default for every Packet Collector), TrafMeter replaces any dynamic port with the "magic number" 65535 before putting the captured packet into the Packet Collector.

How does TrafMeter decide which port is dynamic and which port is non-dynamic?

There are two ways:

  • The simplest case: one of the peers has a port from the dynamic range (1024-65535) and the other peer has a port from the non-dynamic range (1-1024).
  • For a new TCP connection, TrafMeter looks for the SYN flag. The peer that sends the SYN flag always initiates the new TCP connection; therefore, it has the dynamic port number.
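
The grouping and dynamic-port compression described above, shown as an added Python example that is not TrafMeter's own code. The class and field names, the set of remembered SYN senders, treating port 1024 as dynamic, the single byte counter per position, and refusing new positions once the collector is full are assumptions; MAC addresses and TOS are left out of the key.

```python
from collections import namedtuple

MAGIC_PORT = 65535     # value that replaces a dynamic port (from the page)
MAX_POSITIONS = 2000   # Packet Collector capacity (from the page)
# Hypothetical packet record; syn=True means a TCP SYN opening a connection.
Packet = namedtuple("Packet", "proto src dst sport dport size syn")

def is_dynamic(port):
    # Assumption: 1024 counts as dynamic (the page's two ranges overlap there).
    return 1024 <= port <= 65535

class PacketCollector:
    def __init__(self, limit=MAX_POSITIONS):
        self.limit, self.full = limit, False
        self.positions = {}   # grouping key -> byte counter
        self.clients = set()  # (ip, port) endpoints seen sending a SYN

    def _ports(self, p):
        if p.proto not in (6, 17):           # ports exist for TCP/UDP only
            return 0, 0
        if p.proto == 6 and p.syn:           # the SYN sender is the client
            self.clients.add((p.src, p.sport))
        sport, dport = p.sport, p.dport
        if is_dynamic(sport) and not is_dynamic(dport):    # simplest case
            sport = MAGIC_PORT
        elif is_dynamic(dport) and not is_dynamic(sport):
            dport = MAGIC_PORT
        elif (p.src, p.sport) in self.clients:  # both ports high: SYN rule
            sport = MAGIC_PORT
        elif (p.dst, p.dport) in self.clients:
            dport = MAGIC_PORT
        return sport, dport

    def add(self, p):
        key = (p.proto, p.src, p.dst) + self._ports(p)
        if key not in self.positions and len(self.positions) >= self.limit:
            self.full = True                 # "Packet Collector is full"
            return False
        self.positions[key] = self.positions.get(key, 0) + p.size
        return True

def demo():
    # Constructed sample: two browser connections to one web server, then a
    # connection between two high ports that only the SYN rule can resolve.
    c = PacketCollector()
    for p in [Packet(6, "10.0.0.5", "192.0.2.10", 50001, 80, 60, True),
              Packet(6, "10.0.0.5", "192.0.2.10", 50002, 80, 60, True),
              Packet(6, "10.0.0.5", "192.0.2.20", 50003, 8080, 60, True),
              Packet(6, "192.0.2.20", "10.0.0.5", 8080, 50003, 1500, False)]:
        c.add(p)
    return c.positions
```

Without compression the two browser connections would occupy two positions; with it they collapse into one, which is how a 2000-position collector lasts through a flush interval.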
