A Survey on Network Traffic Monitoring Tools.

By: Medarametla Jasmitha Harshini Sri Bingi Nanduri Sai Gopal

Introduction. Network traffic monitoring is the process of reviewing, analyzing and managing network traffic for any abnormality or process that can affect network performance, availability and security. Traffic monitoring and analysis have become more important today because the number of network elements has grown enormously compared to the past. Network administrators have to deal not only with higher-speed wired networks but also with wireless networks.

Network administrators need more sophisticated monitoring tools to keep the network stable and to avoid network failure. Based on the data acquisition method, the tools are categorized into three types:
1. Network traffic flow from NetFlow-like devices
2. SNMP
3. Packet sniffing

Traffic flow: A traffic flow is a sequence of packets from a particular source to a particular destination. This survey discusses network traffic flow information obtained from NetFlow-like devices such as "Cisco NetFlow" and "sFlow", from SNMP-based tools such as "MRTG" and "Cricket", and from packet sniffers such as "snoop" and "tcpdump".

1. CISCO NETFLOW: Cisco NetFlow services provide network administrators with access to information about the IP flows within their data networks. Exported NetFlow data can be used for a variety of purposes, including network management and planning, enterprise accounting, Internet Service Provider (ISP) billing, data warehousing, combating Denial of Service (DoS) attacks, and data mining for marketing purposes. The basic output of NetFlow is a flow record. Several flow-record formats have evolved as NetFlow has matured; the most recent is known as Version 9.
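As an added example (not code from the presentation or from any collector it lists), the Python below decodes the fixed-layout NetFlow v5 export that collectors such as nfdump consume (v5 is used here because, unlike the template-based v9, its 24-byte header and 48-byte records are fixed) and applies one of the uses named above, spotting a possible SYN flood by counting distinct sources of single-packet SYN-only flows per destination. The export datagram and its addresses are constructed inside the block; the field layout follows the published v5 format.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 export datagram: 24-byte header, then `count` fixed 48-byte records,
# all fields big-endian. Header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Decode one v5 export into a list of flow dicts; reject malformed exports."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces %d records but the payload is truncated" % count)
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return flows

def syn_flood_suspects(flows, min_sources=3):
    """(dst, port) pairs receiving single-packet SYN-only TCP flows from many distinct sources."""
    sources = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] == 0x02 and f["pkts"] == 1:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return {key for key, srcs in sources.items() if len(srcs) >= min_sources}

def build_v5(records):
    """Constructed sample export for testing: (src, dst, sport, dport, pkts, octets, tcp_flags)."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                       pkts, octets, 0, 0, sp, dp, 0, flags, 6, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pkts, octets, flags in records)
    return header + body

# Constructed traffic: three one-packet SYNs from different hosts to 10.0.0.5:80, one normal flow.
SAMPLE = build_v5([("192.0.2.10", "10.0.0.5", 40000, 80, 1, 60, 0x02),
                   ("192.0.2.11", "10.0.0.5", 40001, 80, 1, 60, 0x02),
                   ("192.0.2.12", "10.0.0.5", 40002, 80, 1, 60, 0x02),
                   ("10.0.0.9", "10.0.0.20", 51000, 443, 120, 98000, 0x1b)])

if __name__ == "__main__":
    print(syn_flood_suspects(parse_v5(SAMPLE)))   # {('10.0.0.5', 80)}
```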

NETFLOW COLLECTOR TOOLS:

| Software | OS | Input | Output | Functions/Features |
|---|---|---|---|---|
| flow Script | | NetFlow | Text | Script for NetFlow-generating software traffic probe |
| flowd | BSD-like, OpenBSD, Linux | | Text or SQL | Flow collector (IPv4 and IPv6 transports); supports NetFlow v9 |
| nfdump | BSD-like | | Text | A set of tools to capture/record, dump, filter and replay NetFlow (v5/v7/v9) data |
| Neye | Linux, Solaris, AIX, Irix, HP/UX, Mac OS X, Digital Unix, Ultrix, Nextstep | NetFlow v5 | ASCII, MySQL, SQLite | Supports various operating systems; makes full use of POSIX threads |
| pcNetFlow | Linux, FreeBSD | | | Software running on normal PC hosts |

NETWORK TRAFFIC FLOW MONITORING AND ANALYSIS TOOLS: These tools generate graphs or function as visualization tools that summarize and classify network flow information. FlowScan, AutoFocus and Fluxoscope are a few popular tools for network traffic monitoring and analysis.
FlowScan: Visualization tool. Output in GIF or PNG format. Uses cflowd as data collector. Buffer management.

PRTG: Powerful and low-cost tool. Supports all three data acquisition methods. Both free and commercial versions.
AutoFocus: Traffic analysis and visualization tool. Output: text reports and time-series plots. Traffic cluster aggregation.
Fluxoscope: Aggregation and analysis tool. Web-based tool. Supports multiple NetFlow streams.

FREE NETFLOW MONITORING AND ANALYSIS TOOLS:

| Tool | Hardware/Software | Input | Output | Monitor (M) / Capture (C) / Analysis (A) | Real time (R) / Offline (O) |
|---|---|---|---|---|---|
| Argus (S) | Linux, Solaris, FreeBSD, Mac, OpenBSD, NetBSD | Packet capture files, data from a live interface | Text (log files) | M, C, A: report/audit | R, O |
| AutoFocus (Cluster) (S) | N/A | Packet header traces, NetFlow | GUI (Web*) visualization | A | O |
| Aflow | N/A | NetFlow | GUI (Web*) | M, C, A | |
| AsItHappens (S) | Java | SNMP and NetFlow | GUI | M, C | R |
| CAIDA cflowd (S) | Unix-like, FreeBSD | Flow-export data from one or more Cisco routers | Tabular summaries | | |
| CoMo (S) | Linux, FreeBSD | NetFlow and other traffic capture sources | N/A | M, C | R |
| CUFlow (S) | Unix-like, Debian | NetFlow | Text | | |
| CANINE (S) | Linux, Mac, Solaris, Windows | | GUI | | |
| CoralReef (optical net) (S) | Unix-like, Linux, FreeBSD | ATM traffic (live) | | | O |
| Cricket (S) | BSD-like, Linux, FreeBSD, HP-UX | SNMP | GUI (Web*) | A (time-series data) | |

2. Network traffic flow information by SNMP: SNMP is an application-layer protocol defined by the IETF to monitor network-attached devices. It follows a manager-agent model and uses the MIB to exchange information. SNMP uses five basic messages to exchange information: Get, Get-Next, Get-Response, Set and Trap.

Thus network information, such as network traffic flow information, can be retrieved from a networking device by SNMP. It cannot store all flow and packet information; link utilization and interface bandwidth are what it provides. Net-SNMP is a suite of software for using and deploying the SNMP protocol. SnmpGet is a tool that allows you to monitor networks using SNMP.

MRTG (MULTI ROUTER TRAFFIC GRAPHER): Visualization tool for monitoring SNMP-based devices. To generate the output, the input and output object identifiers are queried regularly via the SNMP agent (the default interval is 5 minutes). The output is an HTML file with graphs displaying the traffic speed in each direction. So far, it supports up to 600 router ports per 5 minutes. Limitation: SNMP performance.
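The figure MRTG graphs comes from two successive polls of an interface counter. The Python below is an added example, not MRTG's own code: it turns two polls of IF-MIB ifInOctets (Counter32) or ifHCInOctets (Counter64) into bits per second and utilisation against ifSpeed, corrects a single counter wrap, and quantifies the SNMP limitation noted above by showing how quickly a saturated link wraps a Counter32 relative to the 5-minute poll interval. The readings are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Poll:
    """One SNMP poll of an interface octet counter (IF-MIB ifInOctets or ifHCInOctets)."""
    ts: float      # time of the Get-Response, in seconds
    octets: int    # raw counter value returned by the agent

def octet_delta(prev, curr, bits=32):
    """Octets transferred between two polls, correcting a single counter wrap.
    bits=32 for Counter32 (ifInOctets), bits=64 for Counter64 (ifHCInOctets)."""
    if bits not in (32, 64):
        raise ValueError("SNMP octet counters are Counter32 or Counter64")
    if curr.ts <= prev.ts:
        raise ValueError("polls must be in time order")
    delta = curr.octets - prev.octets
    if delta < 0:                  # counter rolled past 2**bits (or the agent restarted)
        delta += 2 ** bits
    return delta

def rate_bps(prev, curr, bits=32):
    """Average bit rate over the poll interval: the value MRTG plots for a port."""
    return octet_delta(prev, curr, bits) * 8 / (curr.ts - prev.ts)

def utilisation_pct(prev, curr, if_speed_bps, bits=32):
    """Link utilisation as a percentage of ifSpeed. A value above 100 means the
    interval was long enough for the counter to wrap more than once."""
    return rate_bps(prev, curr, bits) / if_speed_bps * 100

def seconds_to_wrap(if_speed_bps, bits=32):
    """Time a saturated link needs to wrap its counter; the poll interval must stay below it."""
    return 2 ** bits / (if_speed_bps / 8)

# Constructed readings, 300 s apart (MRTG's default 5-minute interval).
NORMAL = (Poll(0, 1_000_000), Poll(300, 38_500_000))        # 37.5 MB moved in 300 s
WRAPPED = (Poll(0, 2 ** 32 - 1_000), Poll(300, 9_000))      # Counter32 rolled over once

if __name__ == "__main__":
    print(rate_bps(*NORMAL))                                 # 1000000.0 bps
    print(utilisation_pct(*NORMAL, if_speed_bps=10_000_000)) # 10.0 % of a 10 Mbps link
    print(octet_delta(*WRAPPED))                             # 10000, not a negative delta
    print(seconds_to_wrap(100_000_000))                      # ~343 s: 5-minute polls barely keep up
    print(seconds_to_wrap(1_000_000_000))                    # ~34 s: Counter32 needs Counter64 here
```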

Cricket: Free, high-performance, extremely flexible system for monitoring trends in time-series data. Two components: collector and grapher. Written entirely in Perl. Developed on Solaris machines running under Apache. Inftraf: Another tool for monitoring SNMP-based network devices.

3. Local traffic flow information by packet sniffer: A "sniffer" can be either hardware or software that intercepts and collects the local traffic. It then decodes and analyzes the entire content of each packet into human-readable form. Traffic flow information in this category is local. Limitation: cannot read encrypted packets. Both commercial and free packet sniffers exist.

Software sniffers: Snoop: simple packet capture tool bundled with the Solaris OS. Command-line interface; displays packets as text. Drawback: does not reassemble IP fragments. Microsoft Network Monitor: bundled with Microsoft Windows. The "sniffer" provided with each operating system can run in either real-time or batch mode.

Continued.. tcpdump: Bundled with the Linux operating system; WinDump can be used on Windows. Runs on the command line and writes its output to a plain text file for further analysis. Used only as a traffic capturing tool. Wireshark: User-friendly interface with sorting and filtering features. Captures packets both from a live network and from a saved capture file.

Comparison of network traffic information:

| | Sniffer | RMON (4 groups) | RMON II | NetFlow |
|---|---|---|---|---|
| Packet capture | Y | N | | |
| Interface counters | P | | | |
| Protocols (packet header): Ethernet/802.3, IP/ICMP/UDP/TCP, IPX, AppleTalk | | | | |

Y = fully supported, N = not supported, P = partially supported.

Conclusion: Network traffic information is used to meet administrators' needs. The tools fall into three categories:
SNMP - more suitable for remote management and configuration.
Packet sniffer - a local tool, used where the device is attached.
NetFlow-like information - very useful for further analysis, but limitations remain, such as high implementation cost and privacy concerns.

Queries?

Thank you.