TMeter :: FAQ2

Traffic counting with TMeter FAQ

Q: I installed TMeter on NAT router to do the Internet traffic accounting of users from my office network. I created the filter with the rule "A specific IP address - IP addresses of WAN" with "Both direction" flag enabled. I filled out the LAT, selected for capturing the network adapter. After starting the capture, I noticed that sent bytes counter doesn't work although received bytes counter works perfect. How to resolve this problem?

A: You should use Active Capture Mode for capturing the traffic on NAT routers.

Q: What is the technique of calculating the length of an IP packet in TMeter?

A: Every IP packet has a field in the header named "Total length". It contains the number of bytes in the entire packet, including the header. TMeter uses only the value obtained in this field to calculate the length of IP packet.

Q: I have created a filter with the rule from "Any address" to "Any address" with a mirrored flag enabled. The "sent bytes" cell displays a number that is very closely to the captured traffic but the "received bytes" cell shows zero. Incoming traffic isn't counted. What's wrong?

A: You can't split the traffic (sent & received) in the rule "from Any to Any". Imagine that you stand at the side of a two-way road and you see car traffic. What cars are incoming and what cars are outgoing? You can't answer because you need to get a reference point. Let's decide, the cars to the city "A" are inbound traffic and the cars to the city "B" are outgoing traffic.

Q: I have created a filter with the rule from "My computer" to "Any address" which only takes the ICMP packets into account. If I ping any host in my LAN, the counters will be increased normally. When I try to ping a nonexistent host in LAN, the counters will not be updated. What is wrong?

If you try to ping any host in LAN, ARP-request will be sent first to obtain a MAC address of pinged host. If your computer doesn't receive the ARP-response (because the pinged host doesn't exist), the ICMP packets will not be sent. Therefore, the counters of the ICMP filter will not be updated.

Q: I have a connection to Internet via a DSL modem plugged into an Ethernet hub and want to monitor traffic between my PC and the Internet. My PC has the IP address 192.168.1.2 and DSL modem has the IP address 192.168.1.1. I have created a TMeter filter with a rule "192.168.1.2 as source address" and "192.168.1.1 as destination address". I start capturing the traffic but all counters show zero. What's wrong?

A: You measure the traffic between your PC and your DSL modem. This is your mistake. Packets transmitted from your PC to the Internet don't have the IP address of your DSL modem as the destination. First, fill in a Local Address Table (LAT) with all addresses of your network (e.g., from 192.168.1.1 to 192.168.1.255). Second, create the filter with the rule "192.168.1.2 as source address" and "IP addresses of WAN as destination address".

Q: I use TMeter on my Internet gateway running web-caching proxy server SquidNT. All clients from my office network use proxy. TMeter counts successfully the traffic between clients and proxy server port but I want to not count the traffic of requests serving from cache. What should I do?

A: Unfortunately, you can't do that. TMeter reads raw network packets. These packets don't contain information whether that request was served directly or from cache.

Q: How to measure FTP traffic ?

A: FTP is an acronym that stands for "File Transfer Protocol". FTP is used for transferring files over the Internet. There are 2 types of FTP connections, Active FTP and Passive FTP. The rules that you will require to count FTP are dependant on which mode of FTP you are using. The default behavior for most browsers is to use Passive FTP, while for most FTP Client programs (i.e. CuteFTP, Internet Neighborhood, WS-FTP) it is Active.

FTP consists of 2 unique connections between the client machine and the FTP server. One is called the "control" connection. This handles the user connecting to and logging into the FTP server. Once the user is logged in, the "data" connection is established to permit the listing of files in a directory, and allow for files to be uploaded or downloaded.

The "control" connection is the same for both Passive and Active FTP. The client makes the initial TCP connection from their temporary range of ports (i.e. any available port higher than 1023) to the servers port 21 and says "Hi! I want to connect with you. Here is my user name and password". What happens next depends on whether Active or Passive mode is being used.

In Active mode, when the client says "Hi!" and logs in, they also tell the server a port number (again, somewhere in the temporary range) to use to connect back to them on to make the data connection. The FTP server logs the user in and then connects back to them from the servers port 20 to the port that was given to open the data connection.

In Passive mode, after the client says "Hi!" and logs in, the FTP server logs them in, then tells the client what port to connect to the server on to make the data connection (this will be a port in the temporary range, 1024+). The client receives that information, then connects back from a temporary port to the FTP server on the port they were instructed to use, to open the data connection.

The major difference between Active and Passive mode FTP is which side is opening the data connection. In Active mode, the client machine needs to accept a data connection originating from the FTP server. In Passive mode, the client machine is always the one originating the connection.

Active Mode Example:
[1] Control Connection: Client port 1026 -> Server port 21
[2] Data Connection: Client port 1027 <- Server port 20

Passive Mode Example:
[1] Control Connection: Client port 1026 -> Server port 21
[2] Data Connection: Client port 1027 -> Server port 2065

We hope, that this information will help to create rules to count FTP traffic. BTW, TMeter can analyze the control connection, extract port numbers for the data connection and create dynamic rules (regardless of Active or Passive mode FTP) to count data transferred over data connection. To do this, you should create a rule with enabled "FTP option".