1. Sven Ubik, Aleš Friedl CESNET TNC 2009, Malaga, Spain, 11 June 2009 Experience with passive monitoring deployment in GEANT2 network

2. Active monitoring: - send and receive test packets Passive monitoring: - capture and analyze real traffic Network infrastructure monitoring: - collect information from network equipment Monitoring approaches

3. Advantages: - non-intrusive - provides information about real traffic, e.g.: load dynamics protocols and applications anomalies, attacks real packet loss (very difficult to test actively) Difficulties: - compute-intensive Passive monitoring

4. Pilot deployment in GN2 Partners - ACAD (BG), CESNET (CZ), PIONIER (PL), SWITCH (CH) GEANT2-NREN border links - 3x 10G, 1x 1G Central user interface htpps://perfmon.geant2.net

5. Hardware Tapping the line - optical splitter, router mirroring port Packet capture card - Ethernet NIC, approx < 300 Mb/s - monitoring card (DAG, Napatech, COMBO, Xena) zero CPU load for line-rate packet copy some acceleration on card PC - fast memory is most important

6. Software Linux + driver of packet capture card Middleware - DiMAPI (Distributed Monitoring API) - abstraction level for programmers - portability to various packet capture cards - transparent HW acceleration Monitoring applications ABWLoad dynamics, protocols and applications PacketlossPacket loss in real traffic BurstTraffic burstiness TbwtoolsThroughput tests with diagnostics Perfmon + ServmonStatus and resources monitoring

7. ABW L3 & L4 protocols L7 protocols L7 protocols classified by trackflib library DiMAPI libraries of „monitoring functions“ easily replaceable different algorithms and different accelerating HW can be used

8. Packet loss ~10 -5 can affect TCP and applications seriously If we send 100 test packets / second (quite a lot), it takes ~1000 seconds to detect such loss! How to measure full-mesh loss (scalability)? What applications and what users were affected by loss? How to measure loss bursts? Packet loss – monitoring issues

9. Packetloss - idea Compare number of packets in expired flows at network boundaries

10. User interface + Many tabular statistics + List of flows affected by losses Expired flows (each station) Matched flows (each pair of stations) Packet loss count Packet loss rate

11. Conclusion Link load in each direction - 1-hour averages 300 Mb/s – 2.5 Gb/s - 1-minute averages 700 Mb/s – 3.6 Gb/s - 1-second averages up to 9.6 Gb/s Approx. 5 Gb/s of sustained live traffic can be processed by our applications on one monitoring station with 2 CPU cores utilized Approx. 4*10 -6 packets dropped by the system For username and password see: http://wiki.geant2.net/bin/view/JRA1/Jra1WorkingArea

12. Future work Lightweight application detection - replacement tracking libraries in DiMAPI Packet loss monitoring based on (sampled) Netflow records - currently Packetloss uses extra information Less expensive options to 10 Gb/s monitoring cards - MTPP (Modular Traffic Processing Platform) 40 Gb/s monitoring - own 40 Gb/s prototype More partners!

13. Thank you for your attention! ubik@cesnet.cz