Short answers:
Read the names - it's pretty bloody obvious. Just parse them into words at
the capitals.
and, No - it's hardcoded in the source.
Long answer:
arpReplyPktsRcvd.rrd - parse them into words at the capitals and apply a
little knowledge of the various protocols (google for them by name if
nothing else or use a reference book):
arp (which is a protocol) Reply Pkts (Packets) Rcvd (Received)
arpReplyPktsSent.rrd
arp reply packets sent
etc.
If there's a specific one you can't figure out, grep in the source for the
name, check the counter and see what it's counting...
$ grep --line-number arpReplyPktsSent plugins/*.[ch]
plugins/rrdPlugin.c: updateTrafficCounter(rrdPath,
"arpReplyPktsSent", &el->arpReplyPktsSent);
So
$ grep --line-number arpReplyPktsSent *.[ch]
emitter.c:829: if(checkFilter(filter, "arpReplyPktsSent"))
emitter.c:830: wrtLlongItm(fDescr, lang, "\t", "arpReplyPktsSent",
el->arpReplyPktsSent, ',', numEntries);
globals-structtypes.h:578: TrafficCounter arpReqPktsSent,
arpReplyPktsSent, arpReplyPktsRcvd;
pbuf.c:2537: if(srcHost != NULL)
incrementTrafficCounter(&srcHost->arpReplyPktsSent, 1);
reportUtils.c:2006:
if(el->arpReqPktsSent.value+el->arpReplyPktsSent.value+el->arpReplyPktsRcvd.
value > 0) {
reportUtils.c:2038: formatPkts(el->arpReplyPktsSent.value)) < 0)
17:47:01 tigger [Linux] user=bstrauss pwd=/shared/work/linux/ntop $
Open up pbuf.c and look at line 2537...
The code really isn't THAT hard to read for this stuff - just ignore the
C-ish stuff and read it in pseudo-English, checking against a protocol
reference book if necessary.
So:
switch(eth_type) {
case ETHERTYPE_ARP: /* ARP - Address resolution Protocol */
memcpy(&arpHdr, p+hlen, sizeof(arpHdr));
if(EXTRACT_16BITS(&arpHdr.arp_pro) == ETHERTYPE_IP) {
int arpOp = EXTRACT_16BITS(&arpHdr.arp_op);
switch(arpOp) {
case ARPOP_REPLY: /* ARP REPLY */
memcpy(&addr.s_addr, arpHdr.arp_tpa, sizeof(addr.s_addr));
addr.s_addr = ntohl(addr.s_addr);
dstHost = lookupHost(&addr, (u_char*)&arpHdr.arp_tha, 0, 0,
actualDeviceId);
memcpy(&addr.s_addr, arpHdr.arp_spa, sizeof(addr.s_addr));
addr.s_addr = ntohl(addr.s_addr);
srcHost = lookupHost(&addr, (u_char*)&arpHdr.arp_sha, 0, 0,
actualDeviceId);
if(srcHost != NULL)
incrementTrafficCounter(&srcHost->arpReplyPktsSent, 1);
if(dstHost != NULL)
incrementTrafficCounter(&dstHost->arpReplyPktsRcvd, 1);
/* DO NOT ADD A break ABOVE ! */
case ARPOP_REQUEST: /* ARP request */
memcpy(&addr.s_addr, arpHdr.arp_spa, sizeof(addr.s_addr));
addr.s_addr = ntohl(addr.s_addr);
srcHost = lookupHost(&addr, (u_char*)&arpHdr.arp_sha, 0, 0,
actualDeviceId);
if((arpOp == ARPOP_REQUEST) && (srcHost != NULL))
incrementTrafficCounter(&srcHost->arpReqPktsSent, 1);
}
Becomes
switch on EtherType (which is a field defined in the Ethernet protocol)
if it's ARP REPLY
(Have a source host)? increment traffic counter for arpReplyPktsSent
(Have a destination host)? increment traffic counter for
arpReplyPktsRcvd
if it's ARP REQUEST (also fall in here from above because there's no
break)
(ARP REQUEST? and Have a source host?)? increment traffic counter for
arpReqPktsSent
All the C you need to know is that switch(something) case value is like
asking "Does 'something' have the value 'value'". And that 'break' means
I'm done with that question, let's ask another...
Try it! You'll be surprised how easy it is to follow, especially in
pbuf.c - which is long, but it's really just endless lists of "if something
is this, do this, otherwise if it's that, do this other thing, otherwise
..."
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
raptor
Sent: Saturday, July 26, 2003 4:25 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] rrd output description ?
hi,
could someone point me to a description of the meaning off all rrd graphics.
Yes there is some abbreviations, i need just a short description if there is
such.. tia.
Is there an easy way to change the labels on the graphs and/or
additional text on the right where the cumulative transffered size is
shown.. The number of the graphics are alot so that if I can set some
text, i can find them faster if I do Ctrl+F on the web page...
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
