Stephanie Clarke Investigation and implementation of a network monitoring system in an academic College environment: Presentation

Introduction (1) St Catharine’s College, Cambridge has a diverse user population, many with their own computers on the network St Catharine’s College, Cambridge has a diverse user population, many with their own computers on the network The Computer Office has little control over privately-owned computers The Computer Office has little control over privately-owned computers Remote hostels make on-site visits time consuming Remote hostels make on-site visits time consuming

Introduction (2) IP addresses are allocated to individual students but conflicts do arise IP addresses are allocated to individual students but conflicts do arise Not all users obey the rules, particularly regarding traffic levels Not all users obey the rules, particularly regarding traffic levels In the survey of users for this project most supported having restrictions on either traffic levels and/or content In the survey of users for this project most supported having restrictions on either traffic levels and/or content

The need for this project Users need a stable, reliable network Users need a stable, reliable network In order to manage the network effectively it is important to obtain timely information about problems In order to manage the network effectively it is important to obtain timely information about problems Although some basic information is available there is a need for a system to easily provide access to relevant information Although some basic information is available there is a need for a system to easily provide access to relevant information

General design options ‘Monitoring’ is a wide-ranging term ‘Monitoring’ is a wide-ranging term The literature search revealed a variety of options The literature search revealed a variety of options Commercial and freeware tools are available Commercial and freeware tools are available Some researchers have written tools aimed at specific tasks Some researchers have written tools aimed at specific tasks The survey of system administrators for this project revealed that many monitored in some way but there was little consensus about how The survey of system administrators for this project revealed that many monitored in some way but there was little consensus about how

Design chosen A succinct daily report would be generated highlighting matters of particular interest A succinct daily report would be generated highlighting matters of particular interest More detailed data would be logged for reference More detailed data would be logged for reference

Aspects of the report (1) The report would include: The report would include: –Information about users creating more than 500Mb in total (incoming + outgoing) in a day –Information about users in the top 20 traffic generators using KaZaA, Napster or Gnutella –Traffic on certain ports –Warnings about IP conflicts

Aspects of the report (2) And also: And also: –A database of all IP addresses seen on the network, with corresponding MAC addresses and hostnames –Traffic graphs for all Ethernet switch ports –Other items of note

Aspects of the report (3) The ‘Other items of note’ requirement was open-ended, and ultimately included: The ‘Other items of note’ requirement was open-ended, and ultimately included: –First-time connections seen that day –IP/MAC address pairs reappearing after 6 months or more –MAC address mismatches

Limitations of available options No available tool would do exactly what was wanted No available tool would do exactly what was wanted The solution was to use a selection of tools to gather the data and to write scripts to interrogate this data and generate the reports The solution was to use a selection of tools to gather the data and to write scripts to interrogate this data and generate the reports

Implementation A self-contained system sitting on the edge of the network A self-contained system sitting on the edge of the network Linux was chosen as the operating system, being free and suitable for the task Linux was chosen as the operating system, being free and suitable for the task Different scripts were used in the generation of different aspects of the report, for robustness and ease of maintenance Different scripts were used in the generation of different aspects of the report, for robustness and ease of maintenance Scripts were written in Perl Scripts were written in Perl

Data generation tools (1) Arpwatch provided the raw data for use in creating the database and the sections on first-time connections, IP conflicts, IP/MAC address pairs reappearing after 6 months or more and MAC address mismatches Arpwatch provided the raw data for use in creating the database and the sections on first-time connections, IP conflicts, IP/MAC address pairs reappearing after 6 months or more and MAC address mismatches Mrtg was used to create the traffic graphs Mrtg was used to create the traffic graphs

Data generation tools (2) Data on the top 20 traffic generators in College - available from the University of Cambridge - was interrogated for details on users creating more than 500Mb, those using KaZaA, Napster or Gnutella, and those using certain ports Data on the top 20 traffic generators in College - available from the University of Cambridge - was interrogated for details on users creating more than 500Mb, those using KaZaA, Napster or Gnutella, and those using certain ports The Data Protection Act 1998 prevented more detailed port traffic analysis The Data Protection Act 1998 prevented more detailed port traffic analysis

User interface Presented as a password-protected website Presented as a password-protected website Menus added for ease of use Menus added for ease of use Previous reports can be reached if required Previous reports can be reached if required

Evaluation The system provides information in a convenient format that was previously unavailable or difficult and time consuming to obtain The system provides information in a convenient format that was previously unavailable or difficult and time consuming to obtain Problem detection and resolution is now much easier Problem detection and resolution is now much easier The system has additional benefits beyond those originally envisaged The system has additional benefits beyond those originally envisaged

Unexpected results The system threw up some surprising information, including: The system threw up some surprising information, including: –The number of IP conflicts that arise is higher than was previously supposed –The load varies widely between switches and is not always distributed in the pattern previously supposed

Future possibilities The system has potential for future expansion The system has potential for future expansion Some tweaks to the system would make it even better, including: Some tweaks to the system would make it even better, including: –Adding the dates an entry is first seen and most recently seen to the database –Adding the hostname to the ‘first seen’ section of the report

Conclusions The project resulted in a robust, easy-to- use system The project resulted in a robust, easy-to- use system The information it provides makes it a valuable asset to the College The information it provides makes it a valuable asset to the College The system will also be of assistance in planning future improvements to the network The system will also be of assistance in planning future improvements to the network