
Presentation transcript: NetFlow and ns2


1 NetFlow

Very useful for traffic analysis.

Standard samplers:
–Cisco NetFlow
–Juniper Traffic Sampling

Parameters:
–Flow export timer: determines when the current flow record is expired from the router's flow cache and exported to the collector, which is where it is written to disk. A long session is therefore split across several records and has to be reassembled from them.
–Sampling scheme (deterministic, stratified, simple random)
–Sampling rate. With 1-in-N sampling the exported packet and byte counts cover only the sampled packets, so volume estimates must be scaled up by N.

Available resources:
–GEANT network routers in Europe: 1/1000 deterministic sampling, unanonymized
–Abilene (Internet2) routers in the US: 1/100 deterministic sampling, anonymized
–GT ingress/egress (Dr. Russ Clark): unsampled, anonymized
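The following is an added example, not code from the slides: a toy flow cache that turns a packet stream into NetFlow-style records, so the two parameters above (the export timer and deterministic 1-in-N sampling) can be seen acting on concrete packets. The packet trace, the class names `FlowCache`, `Packet` and `Flow`, and the timeout values are all constructed for illustration; real exporters use separate active and inactive timeouts, which the model keeps.

```python
# Added example (not from the slides): a toy NetFlow exporter.  It models the
# flow export timer (inactive/active timeouts) and deterministic 1-in-N packet
# sampling.  The packet trace at the bottom is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # arrival time, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # 6 = TCP, 1 = ICMP
    length: int      # IP length in bytes
    tcp_flags: int = 0


@dataclass
class Flow:
    key: tuple       # (src, dst, sport, dport, proto)
    first: float     # time of first sampled packet
    last: float      # time of last sampled packet
    pkts: int = 0
    octets: int = 0
    tcp_flags: int = 0   # OR of all TCP flags seen, as in a real record


class FlowCache:
    """Deterministic 1-in-N packet sampling plus inactive/active timeouts."""

    def __init__(self, sample_rate=1, inactive_timeout=15.0, active_timeout=1800.0):
        self.n = sample_rate
        self.inactive = inactive_timeout   # export when no packet seen for this long
        self.active = active_timeout       # export long-lived flows periodically
        self.cache = {}
        self.exported = []
        self.seen = 0

    def _expire(self, now):
        # The "flow export timer": records leave the cache on timeout, not when
        # the connection ends, so one TCP session can yield several records.
        for key, flow in list(self.cache.items()):
            if now - flow.last >= self.inactive or now - flow.first >= self.active:
                self.exported.append(self.cache.pop(key))

    def observe(self, pkt):
        self._expire(pkt.ts)
        self.seen += 1
        if (self.seen - 1) % self.n:   # deterministic: keep packets 1, N+1, 2N+1, ...
            return
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        flow = self.cache.get(key)
        if flow is None:
            flow = self.cache[key] = Flow(key, pkt.ts, pkt.ts)
        flow.last = pkt.ts
        flow.pkts += 1
        flow.octets += pkt.length
        flow.tcp_flags |= pkt.tcp_flags

    def flush(self, now):
        """Export everything still cached (e.g. at the end of a capture)."""
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


def constructed_trace():
    """Constructed packets: one TCP session with a 25 s pause, plus one ICMP packet."""
    a = ("10.0.0.1", "10.0.0.2", 40000, 80, 6)
    pkts = [Packet(0.0, *a, 100, tcp_flags=2)]                          # SYN
    pkts += [Packet(t, *a, 100, tcp_flags=16) for t in (1.0, 2.0, 3.0, 4.0, 5.0)]
    pkts.insert(3, Packet(2.0, "10.0.0.3", "10.0.0.2", 0, 0, 1, 92))   # one ICMP packet
    pkts += [Packet(t, *a, 100, tcp_flags=16) for t in (30.0, 31.0)]   # same session, after the gap
    return pkts


def run(sample_rate=1, inactive_timeout=15.0):
    """Feed the constructed trace through the cache; returns exported Flow records."""
    cache = FlowCache(sample_rate, inactive_timeout)
    for pkt in constructed_trace():
        cache.observe(pkt)
    return cache.flush(now=100.0)


if __name__ == "__main__":
    for rate in (1, 2):
        print(f"--- 1/{rate} sampling ---")
        for f in run(rate):
            # scale sampled counts back up to estimate the true volume
            print(f.key, f"pkts={f.pkts} (~{f.pkts * rate} real)", f"octets={f.octets}",
                  f"dur={f.last - f.first:.1f}s", f"flags={f.tcp_flags:#x}")
```

With the 15 s inactive timeout the single TCP session comes out as two records (the 25 s pause expires the first one); raising the timeout to 60 s merges them again. At 1-in-2 sampling the ICMP packet is never seen at all and the scaled-up estimate for the session is 8 packets against 6 real ones, which is the kind of error the Abilene 1/100 data carries on every small flow.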

2 NetFlow (contd.)

NetFlow format (the field set exported by flow-tools; one record per line, fields in this order):
–unix_secs, unix_nsecs, sysuptime, exaddr, dpkts, doctets, first, last, engine_type, engine_id, srcaddr, dstaddr, nexthop, input, output, srcport, dstport, prot, tos, tcp_flags, src_mask, dst_mask, src_as, dst_as

unix_secs/unix_nsecs is the wall-clock time at export; first and last are the router's uptime (ms) at the first and last packet of the flow, and sysuptime is the uptime at export, so absolute flow times are recovered by subtracting (sysuptime - first) and (sysuptime - last) from the export time. tcp_flags is the OR of all flags seen (16 = ACK, 24 = PSH+ACK). The host octet of every address below is zero: this is the anonymized feed, so records describe /24 prefixes, not hosts.

NetFlow data example:
1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175442525,3175442525,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3864,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175451974,3175451974,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,6,3768,3175398562,3175449061,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,24,16,16,25656,52
1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768

TCPDump data example (tcpdump -n output, one packet per line: timestamp, src.port > dst.port, then the TCP flag field, where "." means no flags set and "R" a reset, the relative sequence range and payload length, the ack number and the window; the final line is cut off in the original):
1144154983.524877 IP 220.135.232.0.61606 > 130.207.208.0.32459: . ack 2904096123 win 65535
1144154983.524950 IP 140.247.56.0.443 > 199.77.128.0.39948: . 1448:2896(1448) ack 1 win 13228
1144154983.524985 IP 216.77.184.0.37169 > 130.207.240.0.119: . 2920:4380(1460) ack 1 win 49640
1144154983.525037 IP 64.215.168.0.80 > 199.77.200.0.50643: . 747182892:747184340(1448) ack 742379073 win 14416
1144154983.525039 IP 217.129.248.0.2585 > 130.207.160.0.443: . ack 4289220173 win 65201
1144154983.525064 IP 64.215.168.0.80 > 199.77.200.0.50643: . 1448:2896(1448) ack 1 win 14416
1144154983.525066 IP 65.196.176.0.80 > 199.77.200.0.64548: R 0:0(0) ack 1 win 0
1144154983.525079 IP 140.247.56.0.443 > 199.77.128.0.39948: . 2896:4344(1448) ack 1 win 13228
1144154983.525092 IP 64.215.168.0.80 > 199.77.200.0.50643: . 2896:4344(1448) ack 1 win 14416
1144154983.525105 IP 64.215.168.0.80 > 199.77.200.0.50643: . 5792:7240(1448) ack
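The following is an added example, not code from the slides: a parser for records in the CSV layout above that recovers absolute timestamps from the uptime fields, decodes tcp_flags, scales sampled counts, and then runs one check an analyst would want on such data, namely sources sending one protocol to many distinct destinations. The six sample rows are copied from the slide; the function names `parse_record`, `fan_out` and `analyse`, the assumed 1/100 sampling rate (the Abilene value from slide 1) and the fan-out threshold are my own.

```python
# Added example (not from the slides): parse flow-tools style NetFlow CSV rows,
# recover wall-clock times, decode TCP flags, scale sampled counts and look for
# fan-out.  SAMPLE holds rows copied from the slide; the rest is illustrative.
from collections import defaultdict

FIELDS = ("unix_secs unix_nsecs sysuptime exaddr dpkts doctets first last "
          "engine_type engine_id srcaddr dstaddr nexthop input output "
          "srcport dstport prot tos tcp_flags src_mask dst_mask src_as dst_as").split()
NUMERIC = {f for f in FIELDS if f not in ("exaddr", "srcaddr", "dstaddr", "nexthop")}
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def parse_record(line, sample_rate=1):
    """Turn one CSV line into a dict; sample_rate is the exporter's 1-in-N rate."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {k: (int(v) if k in NUMERIC else v) for k, v in zip(FIELDS, parts)}
    # first/last are router uptime (ms) at the first/last packet; sysuptime is
    # the uptime at export, which corresponds to the unix_secs/unix_nsecs clock.
    export_ts = rec["unix_secs"] + rec["unix_nsecs"] / 1e9
    rec["start"] = export_ts - (rec["sysuptime"] - rec["first"]) / 1000.0
    rec["end"] = export_ts - (rec["sysuptime"] - rec["last"]) / 1000.0
    rec["duration"] = rec["end"] - rec["start"]
    rec["flags"] = [name for bit, name in TCP_FLAG_BITS if rec["tcp_flags"] & bit]
    # A sampled exporter only counts the packets it saw: scale up for volume estimates.
    rec["pkts_est"] = rec["dpkts"] * sample_rate
    rec["octets_est"] = rec["doctets"] * sample_rate
    # Prefix-anonymised feeds zero the host octet; flag it so nobody treats
    # the address as a host.
    rec["anonymised"] = rec["srcaddr"].endswith(".0") and rec["dstaddr"].endswith(".0")
    return rec


def fan_out(records, threshold):
    """(src, proto) pairs seen talking to at least `threshold` distinct destinations.

    In sampled data each record stands for roughly N packets, so a handful of
    single-packet records to many destinations is already worth a look.
    """
    dsts = defaultdict(set)
    for r in records:
        dsts[(r["srcaddr"], r["prot"])].add(r["dstaddr"])
    return {k: len(v) for k, v in dsts.items() if len(v) >= threshold}


# Rows copied from the slide (two TCP records, four ICMP records).
SAMPLE = [
    "1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52",
    "1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52",
    "1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621",
    "1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665",
    "1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768",
    "1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768",
]


def analyse(lines=SAMPLE, sample_rate=100, threshold=3):
    """Parse all rows (assumed 1/100 sampling) and return (records, fan-out suspects)."""
    records = [parse_record(line, sample_rate) for line in lines]
    return records, fan_out(records, threshold)


if __name__ == "__main__":
    records, suspects = analyse()
    for r in records:
        print(f"{r['start']:.3f} {r['srcaddr']}:{r['srcport']} -> {r['dstaddr']}:{r['dstport']} "
              f"proto={r['prot']} dur={r['duration']:.3f}s flags={r['flags']} "
              f"pkts~{r['pkts_est']} octets~{r['octets_est']}")
    print("fan-out:", suspects)
```

On the slide's own rows the check singles out 130.18.248.0, which sent single 92-byte ICMP packets to four different /24s within the same export interval. That is a pattern to investigate rather than a verdict: with 1/100 sampling the records say nothing about the other 99 packets, and the /24 anonymisation hides whether one host or many were involved.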

3 ns2

Important components:
–Basic ns2 code, downloaded from http://www.isi.edu/nsnam
–TCL script to set up and simulate the test environment
–Topology generator (e.g. GT-ITM)

Example TCL script (in execution order: the simulator object must exist before nodes, links and agents are created, and the nodes before the links):

#Create a simulator object
set ns [new Simulator]

#Define different colors for flows (used by nam)
$ns color 1 Blue
$ns color 2 Red

#Open the nam trace file
set nf [open out.nam w]
$ns namtrace-all $nf

#Define a 'finish' procedure
proc finish {} {
    global ns nf
    $ns flush-trace
    #Close the trace file
    close $nf
    exit 0
}

#Create four nodes
set n0 [$ns node]
set n1 [$ns node]
set n2 [$ns node]
set n3 [$ns node]

#Create links between the nodes
$ns duplex-link $n0 $n2 1Mb 10ms DropTail
$ns duplex-link $n1 $n2 1Mb 10ms DropTail
$ns duplex-link $n3 $n2 1Mb 10ms SFQ
$ns duplex-link-op $n0 $n2 orient right-down
$ns duplex-link-op $n1 $n2 orient right-up
$ns duplex-link-op $n2 $n3 orient right

#Monitor the queue for the link between node 2 and 3
$ns duplex-link-op $n2 $n3 queuePos 0.5

#Create a UDP agent and attach it to node n0
set udp0 [new Agent/UDP]
$udp0 set class_ 1
$ns attach-agent $n0 $udp0

#Create a CBR traffic source and attach it to udp0
set cbr0 [new Application/Traffic/CBR]
$cbr0 set packetSize_ 500
$cbr0 set interval_ 0.005
$cbr0 attach-agent $udp0

#Create a UDP agent and attach it to node n1
set udp1 [new Agent/UDP]
$udp1 set class_ 2
$ns attach-agent $n1 $udp1

#Create a CBR traffic source and attach it to udp1
set cbr1 [new Application/Traffic/CBR]
$cbr1 set packetSize_ 500
$cbr1 set interval_ 0.005
$cbr1 attach-agent $udp1

#Create a Null agent (a traffic sink) and attach it to node n3
set null0 [new Agent/Null]
$ns attach-agent $n3 $null0

#Connect the traffic sources with the traffic sink
$ns connect $udp0 $null0
$ns connect $udp1 $null0

#Schedule events for the CBR agents
$ns at 0.5 "$cbr0 start"
$ns at 1.0 "$cbr1 start"
$ns at 4.0 "$cbr1 stop"
$ns at 4.5 "$cbr0 stop"

#Call the finish procedure after 5 seconds of simulation time
$ns at 5.0 "finish"

#Run the simulation
$ns run

Each CBR source sends 500-byte packets every 5 ms, i.e. 0.8 Mb/s, so while both run (1.0 s to 4.0 s) they offer 1.6 Mb/s to the 1 Mb link n2-n3 and the monitored queue drops packets.

4 ns2 (contd.)

Topology:
–Create a spec file ("geo" is used for intra-domain topologies; use "ts" for inter-domain transit-stub topologies). The first line gives the method keyword and the number of graphs to generate (optionally a seed); the next line gives the number of nodes, the scale, the edge method and alpha, in that order, as the SGB header below also shows:
## Comments: [ ]
## [ ] [ ]
## number of nodes = 1*8*(1 + 4*6) = 200
geo 5
100 10 3 0.5
–Execute command: itm, with the spec file as its argument
–This generates the topology in Stanford GraphBase (SGB) format:
* GraphBase graph (util_types ZZZIIZIZIZZZZZ,9V,102A)
"geo(0,{5,10,3,1.000,0.000,0.000})",5,20,10
* Vertices
"0",A6,3,2
"1",A12,9,9
"2",A16,2,4
"3",A18,8,4
"4",A19,2,1
"",0,0,0
"",0,0,0
"",0,0,0
"",0,0,0
* Arcs
V1,0,9, 0
V0,0,9, 0
V2,A0,2,0
V0,0,2, 0
V3,A2,5,0
V0,0,5, 0
V4,A4,1,0
V0,0,1, 0
V2,A1,9,0
V1,A3,9,0
–Convert SGB to ns format using the sgb2ns command, which takes the SGB file and the output tcl file as arguments

