Gigascope: A stream database for network monitoring

Presentation transcript:

Gigascope: A stream database for network monitoring
Chuck Cranor, Yuan Gao, Theodore Johnson, Vladislav Shkapenyuk, Oliver Spatscheck
AT&T Labs - Research

Fast and Flexible Network Monitoring
- High speed
  - Monitor Gigabit Ethernet with a low loss rate
- Flexible
  - SQL-like language to express monitoring queries
  - Simple C-language interface for applications
  - Perl interface
- Applications
  - Network debugging
  - Protocol debugging
  - Network security
  - Ad-hoc applications

Architecture
- HFTA: high-level query node
- LFTA: low-level query node
- Clearing house: data stream manager
- HFTAs and applications subscribe to data streams at the clearing house. HFTAs also register data streams.
- The clearing house manages data streams and registers the queries and schemas of data stream producers.
- LFTAs can run either in the clearing house or in the Network Interface Card (NIC), supported by a NIC RTS.
[Diagram: Perl and C/C++ applications on the C/C++ and Perl host libraries; HFTAs; clearing house with FTA registry and LFTAs; PCAP library and firmware interface; standard device driver and Gigascope device driver; NICs, one running LFTAs on a NIC RTS]

Query Language
- Gigascope queries are written in GSQL
  - Similar to SQL
  - Support for stream database queries
- Stream fields can have ordering properties
  - Deduce when aggregates are closed and can be flushed to the output stream
- Currently limited to selection and aggregation
  - Stream merge and stream join in the works

Query traffic_count.gsql:

    Select timebucket, sourceIP, destIP, source_port, dest_port, SUM(length)
    From TCP
    Where protocol=6 and (source_port=80 or dest_port=80)
    Group by time/5 as timebucket, sourceIP, destIP, source_port, dest_port

Schema of output stream:

    STREAM traffic_count {
        UINT timebucket ( INCREASING ) ;
        UINT sourceIP ;
        UINT destIP ;
        UINT source_port ;
        UINT dest_port ;
        UINT SUM_length ;
    }

Query Architecture
- GSQL queries are translated into C or C++ code
  - LFTAs: translated into C code, interface with a Run Time System (RTS)
  - HFTAs: translated into C++ code, using templatized push-based operators
- Self-documenting executables
  - Generated code contains the defining query and the schema of the output stream
- GSQL queries can read from a network packet stream, or from the output of a GSQL query
  - Queries that read packets from the network become LFTAs
- LFTA queries are tightly resource constrained
  - Intended for execution in the kernel or the NIC
- Gigascope automatically splits queries into an LFTA and an HFTA

Query Splitting

    Select timebucket, sourceIP, destIP, source_port, dest_port, SUM(length)
    From TCP
    Where protocol=6 and (source_port=80 or dest_port=80)
    Group by time/5 as timebucket, sourceIP, destIP, source_port, dest_port

LFTA query:

    DEFINE{ query_name _fta_trafficcnt }
    Select timebucket, sourceIP, destIP, source_port, dest_port, SUM(length)
    From TCP
    Where protocol=6 and (source_port=80 or dest_port=80)
    Group by time/5 as timebucket, sourceIP, destIP, source_port, dest_port

HFTA query:

    Select timebucket, sourceIP, destIP, source_port, dest_port, SUM(SUM_length)
    From _fta_trafficcnt
    Group by timebucket, sourceIP, destIP, source_port, dest_port
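The LFTA/HFTA split above, simulated in C as an added example (not code from the slides and not Gigascope's generated code). It assumes the LFTA keeps partial sums in a small fixed-size table and evicts on hash collision, which the slides do not state; the struct layouts, table sizes, function names and sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed record types; field names follow the page's query and output schema. */
typedef struct { uint32_t time, sourceIP, destIP, source_port, dest_port, protocol, length; } pkt_t;
typedef struct { uint32_t timebucket, sourceIP, destIP, source_port, dest_port, sum; int used; } grp_t;
#define LFTA_SLOTS 2   /* assumption: tiny table, so collisions force early eviction */
#define HFTA_SLOTS 64
grp_t lfta[LFTA_SLOTS], hfta[HFTA_SLOTS];
uint32_t cur_bucket;
int hfta_n;

int same_group(const grp_t *a, const grp_t *b) {
    return a->timebucket == b->timebucket && a->sourceIP == b->sourceIP && a->destIP == b->destIP
        && a->source_port == b->source_port && a->dest_port == b->dest_port;
}
/* HFTA side: SUM(SUM_length) over the partial tuples emitted by the LFTA. */
void hfta_push(const grp_t *g) {
    for (int i = 0; i < hfta_n; i++)
        if (same_group(&hfta[i], g)) { hfta[i].sum += g->sum; return; }
    if (hfta_n < HFTA_SLOTS) hfta[hfta_n++] = *g;
}
/* Emit every open LFTA group; called when timebucket advances and at end of stream. */
void lfta_flush(void) {
    for (int i = 0; i < LFTA_SLOTS; i++)
        if (lfta[i].used) { hfta_push(&lfta[i]); lfta[i].used = 0; }
}
/* LFTA side: apply the Where clause, then keep a partial SUM(length) per group. */
void lfta_packet(const pkt_t *p) {
    if (p->protocol != 6 || (p->source_port != 80 && p->dest_port != 80)) return;
    grp_t g = { p->time / 5, p->sourceIP, p->destIP, p->source_port, p->dest_port, p->length, 1 };
    if (g.timebucket > cur_bucket) { lfta_flush(); cur_bucket = g.timebucket; } /* INCREASING: older groups are closed */
    grp_t *slot = &lfta[(g.sourceIP ^ g.destIP ^ g.source_port ^ g.dest_port) % LFTA_SLOTS];
    if (slot->used && same_group(slot, &g)) { slot->sum += g.sum; return; }
    if (slot->used) hfta_push(slot);   /* collision: send the partial sum downstream */
    *slot = g;
}
/* Final HFTA result for one group; returns 0 if the group never appeared. */
uint32_t hfta_sum(uint32_t tb, uint32_t src, uint32_t dst, uint32_t sp, uint32_t dp) {
    grp_t k = { tb, src, dst, sp, dp, 0, 1 };
    for (int i = 0; i < hfta_n; i++)
        if (same_group(&hfta[i], &k)) return hfta[i].sum;
    return 0;
}
/* Constructed packets: two port-80 flows that share a table slot, plus two filtered packets. */
const pkt_t sample[] = {
    {0, 1, 2, 1024, 80, 6, 100}, {1, 3, 4, 1026, 80, 6, 40}, {2, 1, 2, 1024, 80, 6, 60},
    {3, 1, 2, 1024, 22, 6, 999}, {4, 1, 2, 1024, 80, 17, 999}, {6, 1, 2, 1024, 80, 6, 7} };
void run_sample(void) { for (int i = 0; i < 6; i++) lfta_packet(&sample[i]); lfta_flush(); }
int main(void) { run_sample(); printf("%u\n", (unsigned)hfta_sum(0, 1, 2, 1024, 80)); return 0; }
```

Because the first flow is evicted mid-bucket, the LFTA emits two partial tuples for it in timebucket 0; only the HFTA's SUM(SUM_length) recombines them into the correct total.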

Performance
- Goal: Simple and rapid application development while increasing performance.
- Experiment: measure packet loss rate with different levels of traffic
  - Gigabit Ethernet network
  - 2% loss rate is acceptable
- Application: measure the volume of HTTP1.0 and HTTP1.1 traffic using port 80
- Four approaches
  - Dump all data to disk
  - Monitor network using libpcap, but do no processing
  - Gigascope using libpcap
  - Gigascope running queries on the Gigabit Ethernet NIC