arts++
There are many types of data stored in ARTS files. arts++
handles a subset of ARTS data types.
The AS matrix contains counters for traffic (packets and bytes) from
source ASes to destination ASes. It is a sparse matrix, having only
entries for which traffic information is stored. Since this data is
typically collected by cflowd, an AS matrix normally contains
counters for sourceAS:destinationAS pairs for which a particular Cisco
forwarded traffic.
When AS matrix data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen.
The net matrix contains counters for traffic (packets and bytes) from
source networks to destination networks. Networks are identified by
network number and netmask length. It is a sparse matrix, having only
entries for which traffic information is stored. Since this data is
typically collected by cflowd, a net matrix normally contains
counters for sourceNetwork:destinationNetwork pairs for which a
particular Cisco forwarded traffic.
When net matrix data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen.
The port table contains counters for input and output traffic (packets and bytes) versus transport layer port number. Input counters represent traffic destined for the port while output counters represent traffic sourced from the port. For example, the input counters for port 80 would normally indicate the amount of traffic sent from Web browsers to Web servers, while the output counters for port 80 would normally indicate the amount of traffic sent from Web servers to Web browsers.
The table is sparse; there are no entries for ports on which no traffic
was seen. Since this data is typically collected by cflowd,
a port table normally contains counters for traffic forwarded by a
particular Cisco.
When port table data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen.
The port matrix contains counters for traffic from source ports to destination ports. Unlike the port table, this object retains the source to destination port relationship.
When port matrix data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen.
The selected port table contains counters for input and output traffic (packets and bytes) versus transport layer port number for a set of ports, plus one additional counter for all other ports (summed traffic across all other ports). Input counters represent traffic destined for the port while output counters represent traffic sourced from the port. For example, the input counters for port 80 would normally indicate the amount of traffic sent from Web browsers to Web servers, while the output counters for port 80 would normally indicate the amount of traffic sent from Web servers to Web browsers.
The table is sparse; there are no entries for ports on which no traffic
was seen. Since this data is typically collected by cflowd,
a port table normally contains counters for traffic forwarded by a
particular Cisco.
The difference between this object and a plain port table: the selected
port table contains inidividual port entries for only selected ports,
and lumps all other data under the port 0 entry. Inside the selected
port table, there is an ArtsPortChooser object which contains
the ports chosen when the object was created. Data is only counted
once: we put it under the lower of the source or destination
ports that is in the ArtsPortChooser, or put it under port 0 if
neither the source nor destination port was in the
ArtsPortChooser.
This object is usually generated by using port matrix objects and an
ArtsPortChooser object as input to the
ArtsPortMatrixAggregator class. This permits a simple user
configurable means of boiling port matrix data down to data usable for
tracking per-application traffic patterns. This functionality is
available in the artsportmagg(l) utility.
When selected port table data is stored in a file, it is stored with a
period attribute (an ArtsAttribute with an
Identifier() equal to artsC_ATTR_PERIOD) which
represents the time interval in which the traffic was seen. It is also
stored with a host attribute (an ArtsAttribute with an
Identifier() equal to artsC_ATTR_HOST) indicating the
router from which the data was collected. Finally, it may also have in
interface index attribute (an ArtsAttribute with an
Identifier() equal to artsC_ATTR_IFINDEX) indicating
the input interface on which the data was seen.
The protocol table contains counters (packets and bytes) versus IP
protocol (TCP, UDP, ICMP, IGMP, et. al.). The table is sparse; there
are no entries for protocols that were not seen in the measured traffic.
Since this data is typically collected by cflowd, a protocol
table normally contains counters for traffic forwarded by a particular
Cisco.
When protocol table data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen.
The interface matrix contains counters (packets and bytes) for traffic from input interfaces to output interfaces. Input and output interfaces are identified by their index (ifIndex); the matrix can be viewed as having rows for input interfaces and columns for output interfaces.
When interface matrix data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen (this is redundant but matches the current indentification
scheme used by other classes used for cflowd data).
The nexthop table contains counters (packets and bytes) versus IP nexthop.
Since this data is typically collected by cflowd, a nexthop
table normally contains counters for traffic forwarded by a particular
Cisco.
When nexthop table data is stored in a file, it is stored with a period
attribute (an ArtsAttribute with an Identifier() equal
to artsC_ATTR_PERIOD) which represents the time interval in
which the traffic was seen. It is also stored with a host attribute (an
ArtsAttribute with an Identifier() equal to
artsC_ATTR_HOST) indicating the router from which the data was
collected. Finally, it may also have in interface index attribute
(an ArtsAttribute with an Identifier() equal to
artsC_ATTR_IFINDEX) indicating the input interface on which the
data was seen.