Network Monitoring
School of Electronics and Information, Kyung Hee University
Choong Seon HONG
Selected from ICAT 2003 material of James W. K. Hong
2 Introduction – Motivation
Needs of Service Providers
- Understand the behavior of their networks
- Provide fast, high-quality, reliable service to satisfy customers and thus reduce the churn rate
- Plan for network deployment and expansion
- SLA monitoring, network security
Needs of Customers
- Want to get their money's worth
- Fast, reliable, high-quality, secure, virus-free Internet access
3 Generic Monitoring Metrics
- Availability
  - Connectivity
  - Functionality
- Loss
  - One-way loss
  - Round-trip loss
- Delay
  - One-way delay
  - Round-trip delay
  - Delay variance
- Throughput
  - Bandwidth
  - Utilization
4 3. Monitoring Approaches
- Active Monitoring
- Passive Monitoring
5 Network Monitoring – Active Approach
- Performed by sending test traffic into the network
  1) Generate test packets periodically or on demand
  2) Measure the performance of the test packets or of their responses
  3) Take the statistics
- Imposes extra traffic on the network and distorts its behavior in the process
- Used to monitor network performance, e.g., availability, delay, loss
6 Network Monitoring (cont'd) – Passive Approach
- Carried out by observing normal network traffic
  1) Collect network flows from a device, or generate them after capturing packets
  2) Perform the analysis for the given purpose
- Requires a high-performance computing device (harder as traffic rates increase)
- Used to perform traffic characterization analysis: spatial, temporal and composition
[Figure: probe system attached to a network link]
7 Comparison of Monitoring Approaches

                    Active monitoring                   Passive monitoring
Configuration       Multi-point                         Single or multi-point
Data size           Small                               Large
Network overhead    Additional traffic                  - Device overhead
                                                        - No overhead if a splitter is used
Purpose             Delay, packet loss, availability    Throughput, traffic pattern
CPU requirement     Low to moderate                     High
8 Active Monitoring Techniques
- ICMP-based method
  - Diagnose network problems
  - Availability / round-trip delay / round-trip packet loss
- TCP-based method
  - One-way bandwidth / round-trip bandwidth
  - Bulk transfer rate
- UDP-based method
  - One-way packet loss / round-trip bandwidth
9 Measurement Method Example via Ping
Ping (ICMP) – availability, round-trip loss, round-trip delay (RTT) measurement
[Figure: a measurement test machine with an ICMP packet generator sends probes across the Gigabit Ethernet backbone network (RSM); results are stored in the customer SLA DB]
- Period: 10 min
- Packet size: 40 bytes
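As an added illustration of steps 2 and 3 of the active approach (measure the response, take the statistics) applied to the ping example above, here is Python that is not part of the lecture slides. It parses the reply lines of a `ping` run (a constructed sample, not output captured from a real host) into the three metrics the slide names, availability, round-trip loss and RTT, and compares them with hypothetical SLA thresholds. `run_ping_probe` shows how the test packets would be generated with the system `ping` (Linux-style `-c` and `-s` flags) but is not called when the module loads.

```python
import re
import statistics
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of the output of `ping -c 5 -s 40 203.0.113.10` (not captured
# from a real host): the reply for icmp_seq=3 is missing, i.e. one probe was lost.
SAMPLE_PING_OUTPUT = """\
PING 203.0.113.10 (203.0.113.10) 40(68) bytes of data.
48 bytes from 203.0.113.10: icmp_seq=1 ttl=57 time=12.4 ms
48 bytes from 203.0.113.10: icmp_seq=2 ttl=57 time=11.9 ms
48 bytes from 203.0.113.10: icmp_seq=4 ttl=57 time=13.1 ms
48 bytes from 203.0.113.10: icmp_seq=5 ttl=57 time=12.0 ms
"""

# One echo-reply line: the sequence number identifies the probe, "time=" is its RTT.
REPLY_RE = re.compile(r"icmp_seq=(\d+)\b.*\btime=([\d.]+) ms")


@dataclass
class ProbeResult:
    sent: int                                   # probes generated in this period
    received: int                               # distinct replies seen
    rtts_ms: List[float] = field(default_factory=list)

    @property
    def rt_loss_percent(self) -> float:
        # Round-trip loss as a percentage of the probes sent.
        return (self.sent - self.received) / self.sent * 100.0

    @property
    def available(self) -> bool:
        # Availability for this period: the host answered at least one probe.
        return self.received > 0

    def rtt_summary(self) -> Optional[dict]:
        # min / avg / max round-trip delay; None when nothing came back.
        if not self.rtts_ms:
            return None
        return {"min": min(self.rtts_ms),
                "avg": statistics.fmean(self.rtts_ms),
                "max": max(self.rtts_ms)}


def parse_ping_output(output: str, sent: int) -> ProbeResult:
    """Turn raw ping output into the three metrics the slide measures."""
    rtts: List[float] = []
    seen = set()
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue                 # header, timeout and summary lines carry no RTT sample
        seq = int(m.group(1))
        if seq in seen:
            continue                 # duplicate reply: count the probe once, not twice
        seen.add(seq)
        rtts.append(float(m.group(2)))
    return ProbeResult(sent=sent, received=len(seen), rtts_ms=rtts)


def run_ping_probe(host: str, count: int = 5, payload_bytes: int = 40) -> ProbeResult:
    """Step 1 of the active approach: generate the test packets with the system ping.
    Not called below, so the module still loads without network access."""
    proc = subprocess.run(["ping", "-c", str(count), "-s", str(payload_bytes), host],
                          capture_output=True, text=True, check=False)
    return parse_ping_output(proc.stdout, sent=count)


def sla_check(result: ProbeResult, max_loss_percent: float, max_avg_rtt_ms: float) -> dict:
    """Compare one period's statistics with SLA thresholds (the thresholds are hypothetical)."""
    summary = result.rtt_summary()
    return {
        "available": result.available,
        "loss_ok": result.rt_loss_percent <= max_loss_percent,
        "rtt_ok": summary is not None and summary["avg"] <= max_avg_rtt_ms,
    }


if __name__ == "__main__":
    r = parse_ping_output(SAMPLE_PING_OUTPUT, sent=5)
    print(r.received, r.rt_loss_percent, r.rtt_summary(), sla_check(r, 1.0, 20.0))
```

Loss is computed from the number of distinct sequence numbers that came back rather than from the count of reply lines, so a duplicated reply cannot hide a lost probe; in a deployment like the slide's, one `ProbeResult` per 10-minute period would be written to the SLA DB.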
10 Measurement Method Example via TCP
TCP – throughput measurement
[Figure: a measurement source machine sends a TCP transfer to a measurement destination machine; both hosts are NTP-synchronized, with local time t1 at the source and t2 at the destination]
Throughput (Mbps) = (10^5 × KB) / (t2(μs) – t1(μs))
11 Measurement Method Example via UDP
UDP – one-way loss measurement
[Figure: a measurement source machine sends 100 KB of UDP traffic as 1000-byte packets to a measurement destination machine; both hosts are NTP-synchronized]
One-way loss (%) = (Sent packet count – Received packet count) / Sent packet count × 100
12 Passive Monitoring – Packet Capturing
Packets can be captured using port mirroring or a network splitter (tap)
[Figure: mirroring – a switch port is copied to a probe system; splitting – a tap inserted in the link feeds one output to a probe system]

                Port Mirroring                                  Network Splitter (Tap)
How it works    Copies all packets passing on a port to         Splits the signal and sends one signal along the
                another port                                    original path and another to the probe
Advantage       No extra hardware required                      No processing overhead on the router/switch
Disadvantage    Processing overhead on the router/switch        Splitter hardware required
13 Passive Monitoring – Sampling
- If the rate is too high to capture all packets reliably, there is no alternative but to sample the packets
- Sampling algorithms: every Nth packet, or a fixed time interval
[Figure: (a) 2:1 sampling, every second packet kept; (b) 1 msec sampling, one packet kept per millisecond on a 0–4 msec timeline]
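The two sampling algorithms on this slide, and the scaling step that sFlow-style sampled counters rely on, as an added Python example that is not part of the lecture slides. The packet trace is constructed (timestamp in milliseconds, length in bytes), and the helper names are my own. It goes slightly beyond the slide: it also scales a 1-in-N sample back up to an estimate of the total volume and measures the effective ratio of the time-based sampler, which is not fixed but depends on the packet rate.

```python
from typing import List, Tuple

# Constructed packet trace, (arrival time in ms, length in bytes). Not a real capture.
Packet = Tuple[float, int]
TRACE: List[Packet] = [
    (0.0, 64), (0.3, 1500), (0.7, 1500), (1.2, 64), (1.4, 1500),
    (2.1, 64), (3.5, 1500), (3.9, 1500), (4.0, 1500), (4.6, 64),
]


def sample_every_nth(packets: List[Packet], n: int) -> List[Packet]:
    """Count-based (1-in-N) sampling: keep packets 0, N, 2N, ...
    The slide's "2:1 sampling" is n=2."""
    if n < 1:
        raise ValueError("n must be >= 1")
    return [p for i, p in enumerate(packets) if i % n == 0]


def sample_fixed_interval(packets: List[Packet], interval_ms: float) -> List[Packet]:
    """Time-based sampling: keep the first packet seen in each interval_ms slot
    (the slide's "1 msec sampling" is interval_ms=1.0)."""
    kept: List[Packet] = []
    seen_slots = set()
    for ts, length in packets:
        slot = int(ts // interval_ms)          # which interval this packet falls into
        if slot not in seen_slots:
            seen_slots.add(slot)
            kept.append((ts, length))
    return kept


def total_bytes(packets: List[Packet]) -> int:
    return sum(length for _, length in packets)


def estimate_total_bytes(sampled: List[Packet], n: int) -> int:
    """Scale a 1-in-N sample back to an estimate of the whole trace's volume.
    The estimate carries sampling error: large packets that happen to fall on
    sampled positions are over-counted, as this trace shows."""
    return total_bytes(sampled) * n


def effective_sampling_ratio(packets: List[Packet], sampled: List[Packet]) -> float:
    """Packets per kept packet. For time-based sampling this is not a constant:
    a burst of 100 packets in one slot and a single packet in the next both yield
    one sample, so per-slot packet counts must be recorded to scale up correctly."""
    return len(packets) / len(sampled) if sampled else float("inf")


if __name__ == "__main__":
    by_count = sample_every_nth(TRACE, 2)
    by_time = sample_fixed_interval(TRACE, 1.0)
    print("2:1 sampling kept", len(by_count), "packets; estimate",
          estimate_total_bytes(by_count, 2), "vs actual", total_bytes(TRACE))
    print("1 ms sampling kept", len(by_time), "packets; effective ratio",
          effective_sampling_ratio(TRACE, by_time))
```

Both samplers keep 5 of the 10 packets here, but only the count-based one has a known ratio that can be applied to scale byte counts up; the slide's second algorithm trades that for a bounded number of samples per unit time, which is what makes it attractive when the probe cannot keep up with the link rate.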
14 5. Passive Monitoring – Flow Generation
- A flow is a collection of packets with the same {SRC and DST IP address, SRC and DST port number, protocol number, TOS}
- Flow data can be collected from routers directly, or from a standalone flow generator with packet-capturing capability
- Popular flow formats: NetFlow (Cisco), sFlow (sFlow.org), IPFIX (IETF)
- Issues in flow generation
  - What information should be included in a flow record?
  - How to generate flow data from raw packet information efficiently?
  - How to save bulk flow data into a DB or binary file in a collector?
  - How long should the data be preserved?
[Figure: packets on a link grouped into flow 1 to flow 4]
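A standalone flow generator of the kind the slide describes, as an added Python example that is not from the lecture slides or from any exporter named on them. It keys packets on exactly the six fields of the slide's definition, keeps a flow cache, and exports a record when a flow has been idle for longer than `idle_timeout` or open for longer than `active_timeout` (both values are hypothetical choices here; real exporters make them configurable). The `Packet` records are constructed, not a real capture.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key exactly as the slide defines it:
# {src IP, dst IP, src port, dst port, protocol number, TOS}
FlowKey = Tuple[str, str, int, int, int, int]


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    length: int     # bytes on the wire


@dataclass
class FlowRecord:
    key: FlowKey
    first: float    # timestamp of the first packet
    last: float     # timestamp of the most recent packet
    packets: int = 0
    nbytes: int = 0


class FlowGenerator:
    """Aggregates captured packets into flow records and exports a flow when it has
    been idle longer than idle_timeout or open longer than active_timeout."""

    def __init__(self, idle_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.idle_timeout = idle_timeout
        self.active_timeout = active_timeout
        self.active: Dict[FlowKey, FlowRecord] = {}   # the flow cache
        self.exported: List[FlowRecord] = []          # what would be sent to the collector

    def _expire(self, now: float) -> None:
        for key, rec in list(self.active.items()):
            if now - rec.last > self.idle_timeout or now - rec.first > self.active_timeout:
                self.exported.append(self.active.pop(key))

    def process(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        key: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.tos)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(key=key, first=pkt.ts, last=pkt.ts)
            self.active[key] = rec
        rec.last = pkt.ts
        rec.packets += 1
        rec.nbytes += pkt.length

    def flush(self) -> List[FlowRecord]:
        """Export everything still in the cache (end of capture)."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def generate_flows(packets: List[Packet], idle_timeout: float = 15.0,
                   active_timeout: float = 1800.0) -> List[FlowRecord]:
    gen = FlowGenerator(idle_timeout, active_timeout)
    for pkt in sorted(packets, key=lambda p: p.ts):   # the cache needs packets in time order
        gen.process(pkt)
    return gen.flush()


# Constructed packet records (not a real capture): a short HTTP exchange in both
# directions, one DNS query, then the HTTP client speaking again after a long pause.
PACKETS = [
    Packet(0.0, "10.0.0.1", "192.0.2.8", 40000, 80, 6, 0, 60),
    Packet(0.1, "192.0.2.8", "10.0.0.1", 80, 40000, 6, 0, 60),
    Packet(0.2, "10.0.0.1", "192.0.2.8", 40000, 80, 6, 0, 500),
    Packet(0.5, "192.0.2.8", "10.0.0.1", 80, 40000, 6, 0, 1400),
    Packet(1.0, "10.0.0.1", "198.51.100.53", 53001, 53, 17, 0, 70),
    Packet(30.0, "10.0.0.1", "192.0.2.8", 40000, 80, 6, 0, 60),
]

if __name__ == "__main__":
    for flow in generate_flows(PACKETS):
        print(flow)
```

Because the slide's key is directional, the two halves of the HTTP connection become two flow records; the packet at t=30 s starts a fresh record for the same key because the earlier one has already been exported on the idle timeout. Raising `idle_timeout` above the pause merges them, which is the trade-off behind the slide's "how long should the data be preserved?" question: longer timeouts mean fewer, fuller records but a larger cache and later export.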
15 Passive Monitoring – Flow Technology: NetFlow
- Cisco IOS NetFlow technology is an integral part of Cisco IOS software
  - Collects and measures data as it enters specific router or switch interfaces
  - Enables IP traffic flow analysis without custom probes
- 3 key components in a NetFlow system
  - Flow Exporter
  - Flow Collector
  - Network Data Analyzer (Flow Analyzer)
- Routers supporting NetFlow: Cisco, Foundry routers
- Vendors providing NetFlow data analyzers: Cisco, IFeelNet, 20+ companies
16 Passive Monitoring – Flow Technology: sFlow
- sFlow is described in RFC 3176: "InMon's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks"
- sFlow is a monitoring technology that gives visibility into the use of networks, enabling performance optimization, accounting/billing for usage, and defense against security threats
- sFlow provides a means of embedding traffic monitoring in high-speed switches and routers
- sFlow samples packets using statistical sampling theory
- Devices supporting sFlow
  - Foundry Networks BigIron, FastIron, NetIron series
  - InMon's sFlow Probe
17 Passive Monitoring – Traffic Analysis
- Spatial aspect
  - The patterns of traffic flow relative to the network topology
  - Important for proper network design and planning: identification of bottlenecks and avoidance of congestion
  - Example: flow aggregation by src/dst IP address or AS number
- Temporal aspect
  - The stochastic behavior of a traffic flow, usually described in statistical terms
  - Important for resource management and traffic control
  - Important for traffic shaping and caching policies
  - Example: packets or bytes per hour, day, week, month
- Composition of traffic
  - A breakdown of traffic according to contents, application, packet length, flow duration
  - Helps to explain its temporal and spatial characteristics
  - Example: game and streaming-media traffic for a week from a peer ISP
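The three views on this slide carried out over flow records, as an added Python example that is not part of the lecture slides. The flow records are constructed (a collector would supply them), the port-to-application table is a hypothetical stand-in for real classification, and the duration classes are my own choice. Each function answers one of the slide's examples: bytes per src/dst pair (spatial), bytes per hour (temporal), and bytes per application and per flow-duration class (composition).

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    start: str        # flow start, ISO 8601 (UTC)
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    duration_s: float


# Constructed flow records (not from a real collector).
FLOWS: List[Flow] = [
    Flow("2003-10-06T09:15:00", "10.0.0.5", "192.0.2.8", "tcp", 80, 120000, 3.2),
    Flow("2003-10-06T09:20:00", "10.0.0.5", "192.0.2.8", "tcp", 443, 80000, 1.0),
    Flow("2003-10-06T09:40:00", "10.0.0.7", "198.51.100.53", "udp", 53, 400, 0.1),
    Flow("2003-10-06T10:05:00", "10.0.0.7", "192.0.2.20", "tcp", 1935, 900000, 600.0),
    Flow("2003-10-06T10:30:00", "10.0.0.5", "192.0.2.8", "tcp", 80, 30000, 2.0),
    Flow("2003-10-06T10:45:00", "10.0.0.9", "203.0.113.4", "udp", 27015, 250000, 1200.0),
]

# Hypothetical port-to-application table; anything not listed is reported as "other".
APP_BY_PORT: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("udp", 53): "dns",
    ("tcp", 1935): "rtmp-streaming",
}


def spatial_by_pair(flows: List[Flow]) -> List[Tuple[Tuple[str, str], int]]:
    """Spatial view: bytes per (src, dst) pair, heaviest pair first.
    Aggregating by AS number instead is the same loop with a prefix-to-AS lookup on src/dst."""
    counts: Counter = Counter()
    for f in flows:
        counts[(f.src, f.dst)] += f.nbytes
    return counts.most_common()


def temporal_by_hour(flows: List[Flow]) -> Dict[str, int]:
    """Temporal view: bytes per hour in which the flow started."""
    buckets: Dict[str, int] = defaultdict(int)
    for f in flows:
        hour = datetime.fromisoformat(f.start).strftime("%Y-%m-%d %H:00")
        buckets[hour] += f.nbytes
    return dict(buckets)


def composition_by_app(flows: List[Flow]) -> Dict[str, int]:
    """Composition view: bytes per application, classified by protocol and destination port."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        app = APP_BY_PORT.get((f.proto, f.dport), f"other ({f.proto}/{f.dport})")
        totals[app] += f.nbytes
    return dict(totals)


def composition_by_duration(flows: List[Flow]) -> Dict[str, int]:
    """Composition view: bytes per flow-duration class (class boundaries are my own choice)."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.duration_s < 1.0:
            cls = "<1s"
        elif f.duration_s < 60.0:
            cls = "1-60s"
        else:
            cls = ">=60s"
        totals[cls] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    print("spatial:", spatial_by_pair(FLOWS)[:3])
    print("temporal:", temporal_by_hour(FLOWS))
    print("by application:", composition_by_app(FLOWS))
    print("by duration:", composition_by_duration(FLOWS))
```

On this sample the heaviest src/dst pair and the heaviest application are the same streaming flow, which is the point the slide makes about composition explaining spatial and temporal features: one long flow to one destination dominates the 10:00 hour.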
18 Traffic Monitoring R&D, Standards Activities
- R&D groups: NLANR, CAIDA, SLAC, NMTF
- Standards activities
  - IETF RTFM (Real Time Flow Measurement)
  - IETF IPFIX (IP Flow Information Export)
  - IETF RMONMIB (Remote Network Monitoring)
  - IETF IPPM (IP Performance Metrics)
- Conferences & workshops
  - Passive & Active Measurement Workshop (PAM): PAM2000, PAM2001, PAM2002, PAM2003
  - Internet Measurement Workshop (IMW), sponsored by ACM SIGCOMM: IMW2001, IMW2002, IMW2003
19 Questions?