Tom Barbette edited this page Oct 3, 2018 · 2 revisions

IPRateMonitor Element Documentation

NAME

IPRateMonitor — Click element; measures coming and going IP traffic rates

SYNOPSIS

IPRateMonitor(TYPE, RATIO, THRESH [, MEMORY, ANNO])

Ports: 1-2 inputs, 1-2 outputs
Processing: agnostic
Drivers: userlevel

DESCRIPTION

Monitors network traffic rates. Can monitor either the packet rate or the byte rate (per second) to and from an address. When the forward or reverse rate for a particular address exceeds THRESH, rates are then kept for the host or subnet addresses within that address. May update each packet's dst_rate_anno and src_rate_anno with the rates for its dst or src IP address.

Packets coming in on input 0 are inspected on src address. Packets coming in on input 1 are inspected on dst address. This enables IPRateMonitor to annotate packets with both the forward rate and the reverse rate.

TYPE: PACKETS or BYTES. Count number of packets or bytes.

RATIO: chance that EWMA gets updated before packet is annotated with EWMA value.

THRESH: IPRateMonitor further splits a subnet if its rate is over THRESH packets or bytes per second. Always specify the value as if RATIO were 1.

MEMORY: How much memory can IPRateMonitor use in kilobytes? Minimum of 100 is enforced. 0 is unlimited memory.

ANNO: if on (by default, it is), annotate packets with rates.

ELEMENT HANDLERS

  • look (read) — Returns the counted rates to and from a cluster of IP addresses. The first printed line is the number of 'jiffies' that have passed since the last reset. There are 100 jiffies in one second.
  • thresh (read) — Returns THRESH.
  • reset (write) — When written, resets all rates.
  • anno_level (write) — Expects "IPAddress level when". When written, makes IPRateMonitor stop expanding at "level" (0-3) for the IPAddress, until "when" (seconds). For example, if "18.26.4.0 2 100" is specified, IPRateMonitor will stop expanding when 18.26.4 is reached for the next 100 seconds. After 100 seconds, any level below 18.26.4 may be reached again.

EXAMPLES

 IPRateMonitor(PACKETS, 0.5, 256, 600);

Monitors packet rates. The memory usage is limited to 600K. When the rate for a network address (e.g. 18.26.*.*) exceeds 256 packets per second, it starts monitoring subnet or host addresses within it (e.g. 18.26.4.*).
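
The THRESH-driven splitting and the anno_level freeze described above can be seen in a small Python model. This is an added example, not Click's implementation: the names RateTree, Node, count and demo are hypothetical, and it assumes a raw packet count inside one second where the real element keeps an EWMA.

```python
# Added example: simplified model of the drill-down, not Click source code.
# Assumption: "rate" is a raw packet count in one 1-second window (Click uses an EWMA).

class Node:
    def __init__(self):
        self.count = 0        # packets counted for this prefix
        self.children = None  # octet -> Node, allocated once the prefix is split

class RateTree:
    def __init__(self, thresh):
        self.thresh = thresh
        self.root = {}        # level 0 table: first octet -> Node
        self.caps = {}        # prefix tuple -> time until which splitting is frozen

    def anno_level(self, ip, level, when, now=0.0):
        """Model of the anno_level handler: stop expanding at `level` for `when` seconds."""
        octets = tuple(int(o) for o in ip.split("."))
        self.caps[octets[:level + 1]] = now + when

    def count(self, ip, now=0.0):
        octets = tuple(int(o) for o in ip.split("."))
        table = self.root
        for level in range(4):
            node = table.setdefault(octets[level], Node())
            node.count += 1
            if level == 3 or now < self.caps.get(octets[:level + 1], float("-inf")):
                return                      # host level, or expansion frozen here
            if node.children is None:
                if node.count > self.thresh:
                    node.children = {}      # rate above THRESH: split this prefix
                return
            table = node.children

    def look(self):
        """Return {prefix: count} for every prefix currently tracked."""
        out = {}
        def walk(table, prefix):
            for octet, node in table.items():
                here = prefix + (octet,)
                out[".".join(map(str, here))] = node.count
                if node.children:
                    walk(node.children, here)
        walk(self.root, ())
        return out

def demo(freeze=False):
    tree = RateTree(thresh=256)
    if freeze:
        tree.anno_level("18.26.4.0", 2, 100)   # same arguments as the handler example
    # Constructed traffic, all inside one second: one heavy host, one quiet host.
    for ip in ["18.26.4.9"] * 1000 + ["18.26.7.1"] * 10:
        tree.count(ip)
    return tree.look()
```

In this model the heavy sender is resolved down to the host 18.26.4.9 while the quiet one stays aggregated at 18.26.7; with the freeze applied, tracking stops at 18.26.4, which bounds the state a single noisy prefix can consume.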

SEE ALSO

IPFlexMonitor, CompareBlock

Generated by click-elem2man from ../elements/ip/ipratemon.hh:11 on 2018/10/03.
