Introduction
NeTAMS is software for accounting and control of IP traffic in a data network. It runs on the Linux, FreeBSD or Solaris operating systems and continuously collects, analyses, filters and compiles statistics on the information transferred in your local area network. NeTAMS runs as a single monolithic process (a "daemon") and is written in C/C++ as a multithreaded application. It consists of the following components (called "services" here and below):
- processor stores complete information about all objects subject to accounting (IP addresses, subnets) and their accounting policies, and manages communication between the other services
- data-source supplies data about passed traffic to the processor service
- storage stores statistical information and part of the configuration information
- server provides interactive communication between the running program and the administrator or external scripts through a telnet-like API
- scheduler, html, quota, billing and so forth provide secondary statistics-processing functions, such as quota support, billing user profiles, static HTML pages, etc.
Since the IP packet is the primary source of information about traffic, the basic object on which statistics are kept is the IP address. Together with the address, the accounting and filtering rules (policy) are stored, along with the database key and other information, which together form a unique object, or "unit" (NetUnit). At present the following unit types are supported:
- host - characterized by a single IP address
- cluster - characterized by a collection (up to 12) of IP addresses
- net - characterized by a subnet address and a network mask
- user - the same as the host type, but can carry additional parameters, for example an e-mail address or a password
- group - a logical group (association) of any number of units of any type, including other groups (groups can be nested)
Information about passed traffic can be supplied by the data-source service either from the operating system or from an external source. The operating system can provide mechanisms for intercepting (divert, ipq) and/or copying (tee, ulog) the data packets passing through the kernel to a userland application such as NeTAMS, or the packets passing "by" or "through" a network interface can be "snooped" with the libpcap library. Alternatively, information about passed traffic can be generated in the form of Cisco NetFlow "flow data". This data comes from a nearby Cisco router or from a PC-based router running one of the freely available NetFlow generators, among them fprobe (http://www.fprobe.org), ng_netflow (FreeBSD only, /usr/ports/net/ng_netflow), ipfw2netflow and flowprobe (included with NeTAMS).
The list of compatible data-source types versus the operating system in use is given below:

| Method of seizing the packets | Linux | FreeBSD | Solaris |
| --- | --- | --- | --- |
| Interception of packets in the OS kernel | IPQ | IPFW divert | |
| Copying packets from the OS kernel | | IPFW tee | |
| Copying the packets passing through the network interface | libpcap | libpcap | libpcap |
| External NetFlow source | + | + | + |
| NetFlow source on the same computer | flowprobe, ulog2netflow | flowprobe, ipfw2netflow, ng_netflow | flowprobe |
| NETGRAPH module | | + | |
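The flow-based accounting described above (NetFlow records arriving from an exporter and being attributed by the processor to host, cluster, net and group units) as an added illustration; this is not NeTAMS's own code. It parses a NetFlow v5 datagram with the standard 24-byte header and 48-byte records, then credits each flow's octets to every unit whose definition matches its source or destination address. The unit names, addresses and the datagram contents are constructed for the example, and the bounds check on the header's record count shows why a collector must never trust that field beyond the bytes it actually received.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire format (network byte order): a 24-byte header followed by
# `count` records of 48 bytes each.
HDR_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
REC_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifaces, pkts, octets, first, last, ports, ...
HDR_LEN = struct.calcsize(HDR_FMT)     # 24
REC_LEN = struct.calcsize(REC_FMT)     # 48


def parse_netflow_v5(datagram):
    """Return (src, dst, proto, octets) tuples from one v5 datagram.
    Raises ValueError for a wrong version or a record block that does not fit."""
    if len(datagram) < HDR_LEN:
        raise ValueError("datagram shorter than the v5 header")
    version, count = struct.unpack_from(HDR_FMT, datagram)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    # v5 exporters send at most 30 records per datagram; a header claiming more
    # records than the payload carries is malformed and must not drive the loop,
    # or the parser would read past the end of the buffer.
    if count > 30 or len(datagram) < HDR_LEN + count * REC_LEN:
        raise ValueError("record count %d does not fit the datagram" % count)
    flows = []
    for i in range(count):
        rec = struct.unpack_from(REC_FMT, datagram, HDR_LEN + i * REC_LEN)
        src, dst = ipaddress.IPv4Address(rec[0]), ipaddress.IPv4Address(rec[1])
        flows.append((src, dst, rec[13], rec[6]))  # rec[13] = prot, rec[6] = dOctets
    return flows


# Constructed unit table modelled on the unit types the text lists:
# host (one address), cluster (several addresses), net (prefix), group (members, may nest).
UNITS = {
    "gw":      ("host",    ipaddress.IPv4Address("192.168.0.1")),
    "dns":     ("cluster", [ipaddress.IPv4Address("10.0.0.53"), ipaddress.IPv4Address("10.0.0.54")]),
    "lan":     ("net",     ipaddress.IPv4Network("192.168.0.0/24")),
    "servers": ("net",     ipaddress.IPv4Network("10.0.0.0/24")),
    "office":  ("group",   ["lan", "servers"]),
}


def unit_matches(name, addr):
    """True if `addr` belongs to the unit `name`; groups recurse into their members."""
    kind, spec = UNITS[name]
    if kind == "host":
        return addr == spec
    if kind == "cluster":
        return addr in spec
    if kind == "net":
        return addr in spec
    if kind == "group":
        return any(unit_matches(member, addr) for member in spec)
    raise ValueError("unknown unit type " + kind)


def account(flows):
    """Credit each flow's octets to every matching unit: 'out' when the unit is
    the source, 'in' when it is the destination. A host therefore also counts
    in the net and group that contain it, as a nested hierarchy implies."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, _proto, octets in flows:
        for name in UNITS:
            if unit_matches(name, src):
                totals[name]["out"] += octets
            if unit_matches(name, dst):
                totals[name]["in"] += octets
    return dict(totals)


def build_datagram(records):
    """Encode (src, dst, proto, octets) tuples as a v5 datagram (constructed test data)."""
    hdr = struct.pack(HDR_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(REC_FMT, ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    b"\0\0\0\0", 0, 0, 1, o, 0, 0, 0, 0, 0, 0, p, 0, 0, 0, 0, 0, 0)
        for s, d, p, o in records)
    return hdr + body


# Constructed sample: a LAN host talking to the outside and the gateway querying a DNS cluster member.
SAMPLE = build_datagram([
    ("192.168.0.10", "8.8.8.8",      17, 300),
    ("8.8.8.8",      "192.168.0.10", 17, 1200),
    ("192.168.0.1",  "10.0.0.53",    6,  500),
])

if __name__ == "__main__":
    for name, t in sorted(account(parse_netflow_v5(SAMPLE)).items()):
        print("%-8s in=%6d out=%6d" % (name, t["in"], t["out"]))
```

Run the file directly to print the per-unit totals for the constructed datagram; a real collector would receive each datagram over UDP from the exporter and pass it to parse_netflow_v5 in the same way.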
To guarantee the safety of the data and to support searching and displaying summary statistics, the storage service is used. It stores NeTAMS data in a database. Four database types are currently supported:
- unix hash (Berkeley DB)
- MySQL (version 4.0.x and above)
- PostgreSQL
- Oracle
Usually a unix hash is already present in the operating system (for example, it is used by sendmail), which simplifies installation. However, its operation speed, reliability and functionality are poor. It is strongly advised to use one of the SQL databases instead.
One NeTAMS instance can have several configured and simultaneously working services of the data-source and storage types.