NetFlow
Very useful for traffic analysis
Standard sampler:
–Cisco NetFlow
–Juniper Traffic Sampling
Parameters:
–Flow export timer (Determines when current flow info is written to disk)
–Sampling scheme (Deterministic, Stratified, Simple random)
–Sampling rate
Available resources:
–GEANT network routers in Europe: 1/1000 deterministic + Unanonymized
–Abilene (Internet2) routers in US: 1/100 deterministic + Anonymized
–GT ingress/egress (Dr. Russ Clark): Unsampled + Anonymized

NetFlow (contd.)
NetFlow format:
–unix_secs, unix_nsecs, sysuptime, exaddr, dpkts, doctets, first, last, engine_type, engine_id, srcaddr, dstaddr, nexthop, input, output, srcport, dstport, prot, tos, tcp_flags, src_mask, dst_mask, src_as, dst_as
NetFlow data Example:
    ,0, , ,1,1500, , ,0,0, , , ,33,35,1373,4753,6,0,16,16,16,25656,
    ,0, , ,3,1884, , ,0,0, , , ,33,35,1373,4753,6,0,24,16,16,25656,
    ,0, , ,1,628, , ,0,0, , , ,33,35,1373,3855,6,0,24,16,16,25656,
    ,0, , ,1,1500, , ,0,0, , , ,33,35,1373,3864,6,0,16,16,16,25656,
    ,0, , ,1,1500, , ,0,0, , , ,33,35,1373,3831,6,0,16,16,16,25656,
    ,0, , ,6,3768, , ,0,0, , , ,33,35,1373,3831,6,0,24,16,16,25656,
    ,0, , ,1,92, , ,0,0, , , ,18,35,0,0,1,0,0,16,24,10546,
    ,0, , ,1,92, , ,0,0, , , ,18,35,0,0,1,0,0,16,16,10546,
    ,0, , ,1,92, , ,0,0, , , ,18,35,0,0,1,0,0,16,17,10546,
    ,0, , ,1,92, , ,0,0, , , ,18,35,0,0,1,0,0,16,17,10546,9768
TCPDump data Example:
    IP > :. ack win
    IP > :. 1448:2896(1448) ack 1 win
    IP > :. 2920:4380(1460) ack 1 win
    IP > : : (1448) ack win
    IP > :. ack win
    IP > :. 1448:2896(1448) ack 1 win
    IP > : R 0:0(0) ack 1 win
    IP > :. 2896:4344(1448) ack 1 win
    IP > :. 2896:4344(1448) ack 1 win
    IP > :. 5792:7240(1448) ack
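
An added example, not part of the original slides: a parser for the 24-field NetFlow record format listed above that tolerates blank (anonymized) fields, decodes tcp_flags, and scales sampled counters by N for 1-in-N sampling such as the 1/100 and 1/1000 feeds. The sample records are constructed; the addresses, timestamps and destination AS numbers are placeholders, and the function names are assumptions of this example.

```python
import csv
from collections import defaultdict

# Field order as listed on the slide.
FIELDS = ("unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,"
          "engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,"
          "srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,"
          "src_as,dst_as").split(",")
ADDRESS_FIELDS = {"exaddr", "srcaddr", "dstaddr", "nexthop"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (documentation address ranges, not real data).
SAMPLE = """\
1130000000,0,86400000,192.0.2.1,1,1500,86399000,86399000,0,0,198.51.100.7,203.0.113.9,192.0.2.254,33,35,1373,4753,6,0,16,16,16,25656,64500
1130000000,0,86400000,192.0.2.1,3,1884,86399100,86399900,0,0,198.51.100.7,203.0.113.9,192.0.2.254,33,35,1373,4753,6,0,24,16,16,25656,64500
1130000001,0,86401000,192.0.2.1,1,92,86400500,86400500,0,0,198.51.100.8,203.0.113.20,192.0.2.254,18,35,0,0,1,0,0,16,24,10546,64501
1130000001,0,86401000,192.0.2.1,1,92,,,0,0,,,,18,35,0,0,1,0,0,16,17,10546,
truncated,record
"""

def parse_flows(text):
    """Yield one dict per 24-field record; blank fields become None."""
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue  # skip truncated or malformed lines
        rec = {}
        for name, raw in zip(FIELDS, row):
            raw = raw.strip()
            rec[name] = None if raw == "" else (raw if name in ADDRESS_FIELDS else int(raw))
        yield rec

def decode_tcp_flags(value):
    """Return the names of the TCP flags set in the cumulative flag byte."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]

def estimate_traffic(flows, sampling_n):
    """Estimate real totals per (protocol, src_as, dstport) from 1-in-N sampled flows."""
    totals = defaultdict(lambda: {"pkts": 0, "octets": 0, "flags": set()})
    for f in flows:
        t = totals[(PROTO.get(f["prot"], str(f["prot"])), f["src_as"], f["dstport"])]
        t["pkts"] += (f["dpkts"] or 0) * sampling_n
        t["octets"] += (f["doctets"] or 0) * sampling_n
        if f["prot"] == 6:
            t["flags"].update(decode_tcp_flags(f["tcp_flags"] or 0))
    return dict(totals)

if __name__ == "__main__":
    for key, t in estimate_traffic(parse_flows(SAMPLE), 100).items():
        print(key, t["pkts"], t["octets"], sorted(t["flags"]))
```

Multiplying by N gives an estimate only; short flows can be missed entirely by a sampled feed.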

ns2
Important components:
–Basic ns2 code downloaded from
–TCL script to setup and simulate the test environment
–Topology generator (Ex: GT-ITM)
Example TCL script:

    #Create a simulator object
    set ns [new Simulator]

    #Define different colors for flows
    $ns color 1 Blue
    $ns color 2 Red

    #Open the nam trace file
    set nf [open out.nam w]
    $ns namtrace-all $nf

    #Define a 'finish' procedure
    proc finish {} {
        global ns nf
        $ns flush-trace
        #Close the trace file
        close $nf
        exit 0
    }

    #Create four nodes
    set n0 [$ns node]
    set n1 [$ns node]
    set n2 [$ns node]
    set n3 [$ns node]

    #Create links between the nodes
    $ns duplex-link $n0 $n2 1Mb 10ms DropTail
    $ns duplex-link $n1 $n2 1Mb 10ms DropTail
    $ns duplex-link $n3 $n2 1Mb 10ms SFQ
    $ns duplex-link-op $n0 $n2 orient right-down
    $ns duplex-link-op $n1 $n2 orient right-up
    $ns duplex-link-op $n2 $n3 orient right

    #Monitor the queue for link between node 2 and 3
    $ns duplex-link-op $n2 $n3 queuePos 0.5

    #Create a UDP agent and attach it to node n0
    set udp0 [new Agent/UDP]
    $udp0 set class_ 1
    $ns attach-agent $n0 $udp0

    #Create a CBR traffic source and attach it to udp0
    set cbr0 [new Application/Traffic/CBR]
    $cbr0 set packetSize_ 500
    $cbr0 set interval_
    $cbr0 attach-agent $udp0

    #Create a UDP agent and attach it to node n1
    set udp1 [new Agent/UDP]
    $udp1 set class_ 2
    $ns attach-agent $n1 $udp1

    #Create a CBR traffic source and attach it to udp1
    set cbr1 [new Application/Traffic/CBR]
    $cbr1 set packetSize_ 500
    $cbr1 set interval_
    $cbr1 attach-agent $udp1

    #Create a Null agent (a traffic sink) and attach it to node n3
    set null0 [new Agent/Null]
    $ns attach-agent $n3 $null0

    #Connect the traffic sources with the traffic sink
    $ns connect $udp0 $null0
    $ns connect $udp1 $null0

    #Schedule events for the CBR agents
    $ns at 0.5 "$cbr0 start"
    $ns at 1.0 "$cbr1 start"
    $ns at 4.0 "$cbr1 stop"
    $ns at 4.5 "$cbr0 stop"

    #Call the finish procedure after 5 seconds of simulation time
    $ns at 5.0 "finish"

    #Run the simulation
    $ns run

ns2 (contd.)
Topology
–Create Spec file (“Geo” is used for intra-domain topologies. Use “ts” for inter-domain transit-stub topologies):
    ## Comments :
    ## [ ]
    ##
    ## [ ] [ ]
    ## number of nodes = 1*8* (1 + 4*6) = 200
    geo
–Execute command: itm
–Generates topology in Stanford GraphBase format:
    * GraphBase graph (util_types ZZZIIZIZIZZZZZ,9V,102A)
    "geo(0,{5,10,3,1.000,0.000,0.000})",5,20,10
    * Vertices
    "0",A6,3,2
    "1",A12,9,9
    "2",A16,2,4
    "3",A18,8,4
    "4",A19,2,1
    "",0,0,0
    "",0,0,0
    "",0,0,0
    "",0,0,0
    * Arcs
    V1,0,9, 0
    V0,0,9, 0
    V2,A0,2,0
    V0,0,2, 0
    V3,A2,5,0
    V0,0,5, 0
    V4,A4,1,0
    V0,0,1, 0
    V2,A1,9,0
    V1,A3,9,0
–Convert SGB to NS format using sgb2ns command