Presentation is loading. Please wait.

Presentation is loading. Please wait.

Experiences in Analyzing Network Traffic Shou-Chuan Lai National Tsing Hua University Computer and Communication Center Nov. 20, 2003.

Published byChristine Little Modified over 9 years ago

Similar presentations

Presentation on theme: "Experiences in Analyzing Network Traffic Shou-Chuan Lai National Tsing Hua University Computer and Communication Center Nov. 20, 2003."— Presentation transcript:

1 Experiences in Analyzing Network Traffic Shou-Chuan Lai National Tsing Hua University Computer and Communication Center Nov. 20, 2003

2 Houston, we have a problem!

3 What happened?

4 What can we do?

5 5 Problem Diagnose Call for help Call our contracted support Ask an expert Do it yourself Cable tester Network analyzer Network Management System

6 6 Possible Solution Replace malfunction parts Adjust network configurations Expand network capacity

7 Network Traffic Analysis

8 8 Network Traffic Information Link Host Service port Application User behavior

9 9 Analyze Tools Device built-in functions LED status LCD messages MRTG SNMP + MIB-II NetFlow Cisco Routers w/ NetFlow export function Switch w/ mirror/SPAN + NetFlow generator

10 SNMP + MIB-II

11 11 SNMP + MIB-II Simple Network Management Protocol RFC 1157 Management Information Base RFC 1213

12 12 MANAGER AGENTS SNMP AGENTS SNMP MIB Simple Network Management Protocol Architecture

13 13 SNMP Manager SNMP Agent UDP port 161 GetRequest GetNextRequest SetRequest GetResponse TrapUDP port 162 SNMP Operations

14 14 MIB Object Names itu(2) root iso(1) org(3) dod(6) internet(1) directory(1)mgmt(2)experiment(3)private(4) enterprise(1)mib(1) system(1)interface(2)at(3)ip(4)icmp(5)tcp(6)udp(7)

15 15 MIB-II Common Operational Statistics (RFC 1857) ifInUcastPkts (unicast packets in) ifOutUcastPkts (unicast packets out) ifInNUcastPkts (non-unicast packets in) ifOutNUcastPkts (non-unicast packets out) ifInOctets (octets in) ifOutOctets (octets out)

16 MRTG

17 17 MRTG (Multi Router Traffic Grapher) A tool to monitor the traffic load on network-links. Generates HTML pages containing graphical images which provide a LIVE visual representation of this traffic. Based on Perl and C and works under UNIX and Windows NT.

18 18 MRTG (I) – An Example Packet per Second Byte per Second

19 19 MRTG (II) – A Suspicious Case Excess Outgoing Packets

20 20 MRTG (III) – Other Applications Mail Server Queue Length Router CPU Utilization

21 21 MRTG Track Back Deploy MRTG on each switch w/ SNMP support In case of abnormal traffic behavior, with each link information, we may be able to trace back to the switch port which nearest the problem node. With SNMP SET, we may disable that port as a temporal solution.

22 NetFlow

23 23 Why NetFlow ? NetFlow statistics empowers users with the ability to characterize their IP data flows The who, what, where, when, and how much IP traffic questions are answered Offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (i.e. marketing data, personal NMS data)

24 24 What is a Flow? Defined by 7 unique keys Source IP address Destination IP address Source port Destination port Layer 3 protocol type TOS byte (DSCP) Input logical interface (ifIndex)

25 25 Source IP Address Destination IP Address Input ifIndex Output ifIndex Type of Service TCP Flags Protocol Start sysUpTime End sysUpTime Source TCP/UDP Port Destination TCP/UDP Port Next Hop Address Source AS Number Dest. AS Number Source Prefix Mask Dest. Prefix Mask Source IP Address Destination IP Address From/To Application Routing and Peering Usage Time of Day Port Utilization Quality of Service Packet Count Byte Count NetFlow Version 5 Format

26 26 NetFlow Collection Campus Network Department Network Internet NetFlow Collector NetFlow

27 27 NetFlow Example I DateIn (GB)Out (GB) Mon Nov 17 20039241730 Sun Nov 16 20036651506 Sat Nov 15 20038471780 Fri Nov 14 20038931623 Thu Nov 13 20038911627 Wed Nov 12 20039261607 Tue Nov 11 20038251425

28 28 NetFlow Example II Out-going Traffic (SRC IP) NoFQDNIP Address Octets (MB) %Note 1140.--.--.158496192.80AB 2140.--.--.34462532.61Dept 3140.--.--.27270241.53Dept 4140.--.--.92246081.39AB 5140.--.--.157193961.09AB

29 29 NetFlow Example III Destination Hosts: 100 NoFQDNIP Address Octets (KB) % Packets (K) Packet Size Note 1140.---.119.411237866724.3688141404450 2163.25.---.3738773627.6327611404178 3163.25.---.3926204575.1618671403190 4---.203.138.8623594994.641680140493 5---.66.245.24523436504.6116691404131

30 30 NetFlow Example IV SRC PORT: TCP#=1849 UDP#=1 NoProt.Port#Con# Octets (KB) %Packets Packet Size Note 1TCP32120843856978216.879055670969914 2TCP3212177126860.0136580751526 3UDP1371220.001612316 4TCP6112972230.015730012914 5TCP139410.0014444

31 31 Internet Worm Problem Network Security Responding System NetFlow Analyzer Blocking System Notifying System Manual Control Web Pages Internet IP NetFlow

32 32 Open Mail Relay Problem NetFlow Analyzer Blocking System Notifying System IP:Port NetFlow IP Open Relay Analyzer

33 Feature Works

34 34 The Issues Octets vs. Contents Service port vs. Application Quantity vs. Quality Network Security Personal Privacy

35 35 Reference University of Twente, Netherlands, “SimpleWeb,” http://www.simpleweb.org/ http://www.simpleweb.org/ Tobias Oetiker, Dave Rand, “MRTG,” http://people.ee.ethz.ch/~oetiker/webtools/mrtg/ http://people.ee.ethz.ch/~oetiker/webtools/mrtg/ Tobi Oetiker, “RRDtool,” http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/ http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/ Cisco Systems, Inc., “Cisco IOS NetFlow,” http://www.cisco.com/go/netflow http://www.cisco.com/go/netflow Mark Fullmer, “flow-tools,” http://www.splintered.net/sw/flow-tools/ http://www.splintered.net/sw/flow-tools/ ntop.org, “ntop,” http://www.ntop.org/http://www.ntop.org/ Slava Astashonok, “fprobe,” http://sourceforge.net/projects/fprobe http://sourceforge.net/projects/fprobe

36 Thank You! Q & A

Download ppt "Experiences in Analyzing Network Traffic Shou-Chuan Lai National Tsing Hua University Computer and Communication Center Nov. 20, 2003."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Supercomputing Center Measurement and Performance Analysis of Supercomputing Traffic by FlowScan+ 2.0 Supercomputing Center of KISTI Kookhan Kim August.

Supercomputing Center Measurement and Performance Analysis of Supercomputing Traffic by FlowScan+ 2.0 Supercomputing Center of KISTI Kookhan Kim August.
Implementing a Highly Available Network

Implementing a Highly Available Network
CCNA 1 v3.1 Module 11 Review.

CCNA 1 v3.1 Module 11 Review.
Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.

Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.
Monitoring network traffic of Cisco 2950 switch and Cisco 1600 router Group 4 Ishan Shah (CIN:304387556) Jyotsna Mishra (CIN:303231024) Parth Chavda (CIN:304381810)

Monitoring network traffic of Cisco 2950 switch and Cisco 1600 router Group 4 Ishan Shah (CIN: ) Jyotsna Mishra (CIN: ) Parth Chavda (CIN: )
Embracing the chaos mark lorenc

Embracing the chaos mark lorenc
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Network Management Management Tools –Desirable features Management Architectures Simple Network Management Protocol.

Network Management Management Tools –Desirable features Management Architectures Simple Network Management Protocol.
Simple Comparison By Akhyari Nasir. Intro  Network monitoring and measurement have become more and more important in a modern complicated network. 

Simple Comparison By Akhyari Nasir. Intro  Network monitoring and measurement have become more and more important in a modern complicated network. 
Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.

Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.
HiVision SNMP Software.

HiVision SNMP Software.
1.  TCP/IP network management model: 1. Management station 2. Management agent 3. „Management information base 4. Network management protocol 2.

1.  TCP/IP network management model: 1. Management station 2. Management agent 3. „Management information base 4. Network management protocol 2.
Netflow Overview PacNOG 6 Nadi, Fiji. Agenda Netflow –What it is and how it works –Uses and Applications Vendor Configurations/ Implementation –Cisco.

Netflow Overview PacNOG 6 Nadi, Fiji. Agenda Netflow –What it is and how it works –Uses and Applications Vendor Configurations/ Implementation –Cisco.
1 © 2000, Cisco Systems, Inc. 2218 1203_05_2000_c3 Netflow Michael Lin.

1 © 2000, Cisco Systems, Inc _05_2000_c3 Netflow Michael Lin.
Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.

Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.

Similar presentations

Ads by Google