Presentation is loading. Please wait.

Presentation is loading. Please wait.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Operating a Flexible Network Monitoring Infrastructure June 17, 2010 Dr Stephen Donnelly Core Software.

Published byMatteo Fleeman Modified over 10 years ago

Similar presentations

Presentation on theme: "SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Operating a Flexible Network Monitoring Infrastructure June 17, 2010 Dr Stephen Donnelly Core Software."— Presentation transcript:

1 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Operating a Flexible Network Monitoring Infrastructure June 17, 2010 Dr Stephen Donnelly Core Software Manager | Endace Technology Ltd SHARKFEST ‘10 Stanford University June 14-17, 2010

2 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Wireshark

3 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Wireshark Hundreds of protocols Live capture via libpcap/WinPcap Offline analysis Broad format support Comprehensive filtering Many analysis tools – Sessions – Service latency – VOIP

4 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Wide range of Network Monitoring Interfaces – TDM/PDH T1/E1-DS3/E3 – 10/100/1000/10G Ethernet – SONET/SDH OC-3 to OC-768c – InfiniBand x4 SDR and DDR Low Overhead/Zero Loss capture Hardware time stamps Global Clock Synchronization In-band Metadata Endace

5 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Wireshark + Endace Endace Record Format file support since 2003 ERF dissector since 2007 High resolution hardware time stamps Multiple interfaces In-band loss/error reporting – Expert Info Live capture via libpcap/WinPcap – DLT_ERF means no loss of metadata

6 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Endace Record Format

7 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Use Cases Wireshark works well on small scales – Network debugging – Protocol development Need permanent / remote installations – Security – Forensics – Latency – Lawful Intercept

8 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Issues Scalability/Management Capture rates Storage volumes/backhaul Reliability/Redundancy Remote management Purchasing Warranty/Support/Spares Deployment logistics

9 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Planning Many more people involved – Senior management – NOC – SOC – System Admins/Operators – Data Center techs – Lawyers Corporate policy Some groups are also customers

10 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Outsource Appliance – Single Vendor – Hardened systems – Pre-integrated – Optimized – Support multiple users – Tick Boxes The fewer the better! – Appliance Sprawl

11 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Endace Probe

12 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Endace Probe DA G Applications Capture Files IDS LI Replay Pilot Event RoutingConfiguration and Management NIC SOAP/XML CLI GUI SNMP Monitored Links LAN ERF Stream Engine Filtering

13 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Capture once platform Scalable – Storage options – Load balancing Multiple applications – Analytics, Forensics, Latency, LI, Security Central management – Configuration, health, reporting and logging Remote access Endace Probe

14 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 CLI – Powerful, familiar interface Web GUI – Quick start, easy configuration SNMP – Remote monitoring – NMS/back-end integration CMS/CMC Remote KVM/Power/Health Management

15 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Central high speed capture for packet data – LI – Forensics – Replay – Continuous capture Data Mining – Time Indexed – Search filters Up to 32TBytes in a 3U system Network Forensics

16 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 CACE Technologies Pilot – Client/Server since 2008 Pilot Server on Probe – Connects to a Data Pipe Windows Pilot Client – can connect to multiple Probes – Visualize live data – Mine trace file sets – Correlate events Analytics

17 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 NetFlow NetFlow v5 generation – Avoid loading core router CPUs Large ecosystem – Accounting – Analytics – Trending – Capacity planning Unsampled – 100% packet/flow coverage File or Port outputs

18 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Snort – Proven Open Source IDS engine – Large user community Suricata – Open InfoSec Foundation (OISF) – http://openinfosecfoundation.org http://openinfosecfoundation.org Endace Security Manager – Central management – Alert console Security

19 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Correlated multi-point passive measurement – Monitor latency in real-time – Pinpoint bottlenecks – Track trends Process flow views – Order flow – Volume sensitivity – System processing time Latency

20 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Open APIs

21 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Endace Stream Manager API User control over Data Pipes Export live or pre-captured data SOAP API – List Sources/Sinks – Create/Destroy Filters – Create/Destroy Data Pipes Authenticated/Encrypted Examples provided

22 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Data Pipe FilteringNetFlowTruncationFormat Conversion Application DAG ERF Stream DAG Raw packets NIC ERF-Stream Rotation FileVM Stats and counters Packet Count Bytes/Bits Drop Count Filter matches … DAG Interface ERF-Stream NIC (net address) ERF-Stream Rotation File

23 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Data Pipes Sources – DAG Cards – File sets Sinks – DAG Cards – File sets – Remote ports IPv4/6, TCP/UDP, Rate-limit – VMs Transformations – Filtering Tcpdump style Time range – NetFlow Packet sampling Flow sampling – Truncation – Format ERF or PCAP

24 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Data Pipes Data Statistics – Total packets/Bytes – Filtered Packets/Bytes – Output packets/Bytes NetFlow Statistics – Total Flows – Sampled Flows – Current Flows in memory

25 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Eventing API Communication between applications Intelligent Reactive Behavior Apps generate and consume events Intra and Inter-Probe messaging Probe Event Manager – Log – SNMP Trap – Email – Route

26 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Event Fixed fields – Session Id – Sequence No. – Length – Type Extendable Body Filtering/Routing on fields Global Addressing Events routed up to CMC

27 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Pilot Client Network Monitor Latency Monitoring App Endace Probe Event Routing Lookup Table Event Type A: Route to X Event Type B: Route to Pilot Pilot Server Applications App X App Y NIC

28 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Pilot Client Network Monitor Latency Monitoring App Endace Probe Event Routing Lookup Table Event Type A: Route to X Event Type B: Route to Pilot Pilot Server Applications App X App Y NIC Event Type: B Time of Event

29 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Pilot Client Network Monitor Latency Monitoring App Endace Probe Event Routing Lookup Table Event Type A: Route to X Event Type B: Route to Pilot Pilot Server Applications App X App Y NIC Event Type B: Route to Pilot Event Type: B Time of Event

30 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Pilot Client Network Monitor Latency Monitoring App Endace Probe Event Routing Lookup Table Event Type A: Route to X Event Type B: Route to Pilot Pilot Server Applications App X App Y NIC Updated View

31 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 External events appear in real-time within the Pilot Events window Roll the mouse over an event to see additional event information. There need not be any views running Events are searchable, as usual

32 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Events can be overlaid on any strip chart applied to any live capture session or stored file They can also be seen in the time- control window (bottom-center) Enables immediate correlation of event with select / targeted network activity Events are not tied to any specific view Views can be closed without deleting events

33 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To analyze data around the event, drag/drop it onto the Probe’s rotation file The trace clip editor defaults with the event number and a time window of 1-min either side of the event

34 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Once the 2-minute time period has been clipped from the rotation file, it can be worked with in the same way as a stored file Views can be applied and layered Ultimately, packets can be isolated for decode in Wireshark

35 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Virtualization DA G Applications Capture Files IDS LI Replay Pilot Event RoutingConfiguration and Management NIC SOAP/XML CLI GUI SNMP Monitored Links LAN ERF Stream Engine Filtering

36 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Virtualization DA G Applications Capture Files IDS VM2 IDS VM2 User VM3 User VM# Pilot VM1 Pilot VM1 Event RoutingConfiguration and Management NIC SOAP/XML CLI GUI SNMP Monitored Links LAN ERF Stream Engine Filtering

37 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Virtualization More flexible appliance – User control of VM environments on Probe Consolidation – Move User Apps onto Probe – Save space/power – Apps closer to data Staged upgrades – Run new and old versions in parallel Add capacity as required

38 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Virtualization Performance isolation – Resource reservation Security isolation – Separate environments for users High Performance Capture Interfaces – Connect to Data Pipes on Probe – DAG native or libpcap APIs – Multi-gigabit performance Stream Manager and Eventing API access

Download ppt "SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Operating a Flexible Network Monitoring Infrastructure June 17, 2010 Dr Stephen Donnelly Core Software."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, 2009 1:30 pm –

SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, :30 pm –
Network Systems Sales LLC

Network Systems Sales LLC
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Traffic Analyst Complete Network Visibility. © 2013 Impact Technologies Inc., All Rights ReservedSlide 2 Capacity Calibration Definitive Requirements.

Traffic Analyst Complete Network Visibility. © 2013 Impact Technologies Inc., All Rights ReservedSlide 2 Capacity Calibration Definitive Requirements.
powerful network monitoring & management solution

powerful network monitoring & management solution
High Speed Network Monitoring and Traffic Analysis Peter Tatai AITIA International, Inc.

High Speed Network Monitoring and Traffic Analysis Peter Tatai AITIA International, Inc.
XProtect ® Professional Efficient solutions for mid-sized installations.

XProtect ® Professional Efficient solutions for mid-sized installations.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
Ravi Sankar Technology Evangelist | Microsoft

Ravi Sankar Technology Evangelist | Microsoft
Network Performance Measurement

Network Performance Measurement
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Decreasing Incident Response Time ______________________________ Benefits of Packet Capture & Real-time NetFlow Generation Boni Bruno, CISSP, CISM, CGEIT.

Decreasing Incident Response Time ______________________________ Benefits of Packet Capture & Real-time NetFlow Generation Boni Bruno, CISSP, CISM, CGEIT.
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 High-performance Gigabit Ethernet ports rapidly transfer large files supporting.
A new Network Concept for transporting and storing digital video…………

A new Network Concept for transporting and storing digital video…………
Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems TELE9752 Group 3.

Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems TELE9752 Group 3.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
SHARKFEST '09 | Stanford University | June 15–18, 2009 Now and Then, How and When? June 16 th, 2009 Stephen Donnelly Technologist | Endace Technology SHARKFEST.

SHARKFEST '09 | Stanford University | June 15–18, 2009 Now and Then, How and When? June 16 th, 2009 Stephen Donnelly Technologist | Endace Technology SHARKFEST.
Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro

Similar presentations

Ads by Google