Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wise* TrafView Flow-based Measurement and Analysis System Pipefilters BOF, TIP2004 Jan. 27, 2004 Hyungseok Chung ETRI.

Published byThomasine Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "Wise* TrafView Flow-based Measurement and Analysis System Pipefilters BOF, TIP2004 Jan. 27, 2004 Hyungseok Chung ETRI."— Presentation transcript:

1 Wise* TrafView Flow-based Measurement and Analysis System Pipefilters BOF, TIP2004 Jan. 27, 2004 Hyungseok Chung ETRI

2 2 Topics Backgrounds Content-aware Application Recognition Wise* TrafView Functionality GUI Snapshots & Demonstration

3 3 Common Measurement & Analysis Tools RTT, Packet loss Tool : ping, echoping, fping, gnuplotping, sting, … System : Ping-ER, AMP, IWR - use ping internally One-way delay, Packet delay Designated measurement BOX Surveyor, RIPE-NCC project, Smartbits Route discovery traceroute, skitter, mtr, ping plot, visualroute, neotrace,… Misc : remote traceroute execution server Throughput netperf, iperf, treno, tcpblast, tcpspray, ttcp, pchar Packet Capture & Analysis tcpdump, Coralreef, cflowd, snoop, ethereal, … Per Interface Traffic Volume and Errors MRTG

4 4 Why they are not enough? Capturing Packets in Current Networks High-speed networks (Mbps  Gbps  Tbps) High-volume traffic Streaming media (Windows Media, Real Media, Quicktime) P2P traffic Network Games Network Security Attacks Typical Flow-based Measurement Non-flow based measurement is not enough for the above requirements Typical Flow-based Measurement Typically a flow is defined as a set of packets passing an observation point in the network during a certain time interval and having a set of common properties 5-tuple packet header fields are used for this New applications such as P2P, streaming and network games have characteristics of dynamic port allocation More Detailed Analysis is needed Typical Flow-based Measurement is not enough Need more detailed analysis depending on applications It may require content filtering

5 5 How does Wise* TrafView work? Router Switch Splitter Traffic Capture Agent raw streams of packets Analysis Server flow records Network Operators analysis result AS 100 AS 200

6 6 Application Recognition Limitations of port-based recognition The port database maintained by IANA doesn’t reflect real-world situation well Most newer applications simply do not register their ports Sometimes they even take advantage of well-known ports to pass thorough firewalls Most bandwidth hogs, nowadays, dynamically allocate ports They are not linked up with any fixed ports!

7 7 Real-world Situation Port/Application Port-based Accounting Contents-aware Accounting 80/HTTP67 GB 59.1 GB (11.8% reduced) 21/FTP_CTRL0.29 GB0.28 GB 20/FTP_DATA43 GB42 GB ?/FTP_DATA_PASSIVEn/a 6 GB (14.3% of FTP_DATA, 2% of the total volume) 5003/?692 MB HTTP: 13.2 MB BUGS_MUSIC: 420.8 MB EDONKEY: 172.3 MB etc.: 85.7 MB PosTech Traffic Breakdown - PosTech Campus Network (24h sum in May, 304GB total volume)

8 8 Enhanced Application Recognition Wise* TrafView utilizes some enhanced proprietary recognition mechanisms in a comprehensive way Internet Application Classification signature matching flow correlation dynamic port recognition and utilization some heuristics Not only capable of discriminating applications, but also their sub-flows e.g., HTTP  HTTP_REQ, HTTP_REP, HTTP_REQACK, etc.

9 9 Internet Application Classification Type S: Simple Application Type for an application which uses a well-known port number or which uses a registered port number but are popularly used Type P: Payload Application Type for an application which uses a registered or ephemeral port number but requires payload inspections for precise classification Type R: Reverse Application Type for an application which uses a registered or ephemeral port number but requires comparison with a correlated reverse flow for the precise classification Type C: Co-related Application Type for an application which uses a dynamic port number assignment Type U: Unknown Application Type for applications which do not use registered port numbers and do not belong to any of the four types mentioned above

10 10 Application Recognition Configuration Language (ARCL) application WWW { port_rep_name HTTP port 80 protocol TCP{ decision_group HTTP_REQ_REP_ACK { src_port >= 1024 dst_port == 80 } decision_group HTTP_REP_REQ_ACK { src_port == 80 dst_port >= 1024 }} port_rep_name HTTP_ALT port 8080 protocol TCP{ src_disc_pattern=="HTTP" in pkt 0-2 at byte 0 - 4 ( dst_disc_pattern=="GET" in pkt 0-3 at byte 0 - 10 || dst_disc_pattern=="POST" in pkt 0-3 at byte 0 - 10 ) decision_group HTTP_ALT_REQ_REP_ACK { src_port >= 1024 dst_port == 8080 } decision_group HTTP_ALT_REP_REQ_ACK { src_port == 8080 dst_port >= 1024 }} } application EDONKEY { port_rep_name EDONKEY_DOWN port 4662 protocol TCP{ dst_disc_pattern=="0xe33d000000" in pkt 2-3 at byte 0 - 4 decision_group EDONKEY_DOWN_REQ_REP_ACK { src_port >= 1024 dst_port == 4662 ~ 4666 || 4242 || 4224 || 4660 || 5555 } decision_group EDONKEY_DOWN_REP_REQ_ACK { src_port == 4662 ~ 4666 || 4242 || 4224 || 4660 || 5555 dst_port >= 1024 }} application FTP { port_rep_name FTP port 21 protocol TCP{ src_ref_pattern=="r/227 Entering Passive Mode \(\d{1,3},\d{1,3},\d{1,3},\d{1,3},(\d{1,4}),(\d{1,4})\)/$src_port = atoi($1)*1024 + atoi($2)" in pkt any at byte 0-35 induce FTP_DOWN_P decision_group FTP_REQ_REP_ACK { src_port >= 1024 dst_port == 21 } decision_group FTP_REP_REQ_ACK { src_port == 21 dst_port >= 1024 }} }

11 11 Application Recognition Example client.1302 server.21 (FTP_CTRL_REQ) 0 server.21 (FTP_CTRL_REP) client.1302 client.1303 server.20 (FTP_DATA_DOWN) server.20 (FTP_DATA_UP) server.49152 (FTP_DATA_PSV_UP) client.1306 Time (sec) 24681012 server.49152 (FTP_DATA_PSV_DOWN) % ls % passive % get wmggw.mp3 % quit % ftp server 49152

12 12 System Architecture Overview Database Capture Agent NIC IPCAP Card... Capture Agent NIC IPCAP Card... ARCL Config-File Recognition and analysis Results (ODBC) Flow and packet Records (NFS) Analysis Server GUI

13 13 Capturing Internet Traffic Passive traffic capture No side-effect imposed on any network devices and links An optical or electric splitter, a.k.a. tap, is utilized Wise* TrafView ’s approach Splitters + Packet Capture Card + High Performance Capture Engine Adaptability maintained by supporting software-based capture as well PCAP (Packet Capture) library Doesn’t necessarily require a dedicated capture card; common Unix boxes can substitute the cards But yet, software-based capture is not equivalent to the card- based capture in terms of performance and functionality

14 14 Link Signal Splitters Electrical Ethernet tap, DS-3 tap, etc. Optical ordinary optical splitter independent of physical and data-link layer protocols High Performance Packet Capture Cards Model A: for lower speed links Ethernet, FastEthernet, DS-3/(E3) Model B: for middle speed links ATM at OC-3, POS at OC-3, OC-12 (622Mbps), and GigaEthernet Specialized Packet Capture Devices

15 15 Flow Concept A “flow” is a sequence of packets whose are all identical Why flow? The size of entire raw packet streams for a given unit time are prohibitively enormous to be analyzed in time Each individual packets in a flow contain duplicate information Packets in the same flow are correlated; we can identify more packets which were previously categorized as unknown application a packet a distinctive signature of application “X” a flow Now, these pkts can also be identified as “X”

16 16 Agent Side: Generating Flow Records Agents carry on simple filtering and signature matching functions generate flow records This procedure aggregates and organizes the traffic information and reduces the amount of traffic volume transferred to the server

17 17 Agent Structure

18 18 Server Side: AS and Country Mapping Identifying flow sources and destinations Both source and destination IP address of a flow are mapped to ASes and finally to countries This helps to locate the source and the sink of a flow Discrimination among transit, inbound, and outbound traffic flows

19 19 Analysis Server Structure

20 20 Configurability and Adaptability Why adaptability so important? The highly frequenting nature of Internet applications’ appearance and disappearance Swift mutation of applications Localization of the use patterns of applications Wise* TrafView copes with the problem by introducing ARCL By taking advantage of ARCL, Wise* TrafView doesn’t need to be re-built or re-installed by any module for extension can be easily reconfigured to handle a new application; modifying the configuration in ARCL and re-enforcing suffices

21 21 The Major Functionality of Wise* TrafView Transparent Packet Capture complete independence of the existing networking equipment Flow-based Measurement and Analysis reduced load higher degree of recognition Understanding Application Specific Contexts by means of enhanced application recognition algorithms Scalable can scale up from tens of Mbps to Gbps supports various physical and data-link layer technologies Highly Extensible and Adaptable easy configuration with ARCL

22 22 User Interface Web-based Interface simple easy to use intuitive portable A web site for each measurement site can be easily established Authentication and authorization supported

23 23 Visualization: Traffic Breakdown Report

24 24 Visualization: Traffic Matrices

25 25 Platforms Hardware For lower speed links (<= 622Mbps) capture agent high performance PC: 2 * P-III 1GHz+ CPU, 2GB+ RAM, 30GB+ HDD analysis server high performance PC: 2 * P-IV 1GHz+ CPU, 1GB+ RAM, 100GB+ HDD For Higher speed links ( > 1 Gbps) Dedicated Standalone Capture System Hardwised logics for supporting wire-speed processing Software capture agent Linux analysis server Linux, MySQL

26 26 A Possible Deployment Scenario ISP 1 ISP 3 ISP 2 IX Router Measurement Agent Traffic Center Traffic Generator Server Traffic Generator GPS Satellite Traffic Center Analysis Server CDMA Basestation

27 Thank you ! Q & A Contact: Hyungseok Chung, Taesang Choi, Taesoo Jeong {chunghs, choits, tsjeong}@etri.re.krchoits, tsjeong}@etri.re.kr

Download ppt "Wise* TrafView Flow-based Measurement and Analysis System Pipefilters BOF, TIP2004 Jan. 27, 2004 Hyungseok Chung ETRI."

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
By Aaron Thomas. Quick Network Protocol Intro. Layers 1- 3 of the 7 layer OSI Open System Interconnection Reference Model  Layer 1 Physical Transmission.

By Aaron Thomas. Quick Network Protocol Intro. Layers 1- 3 of the 7 layer OSI Open System Interconnection Reference Model  Layer 1 Physical Transmission.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Department of Computer Engineering University of California at Santa Cruz Networking Systems (1) Hai Tao.

Department of Computer Engineering University of California at Santa Cruz Networking Systems (1) Hai Tao.
Protocols and the TCP/IP Suite

Protocols and the TCP/IP Suite
Inside the Internet. INTERNET ARCHITECTURE The Internet system consists of a number of interconnected packet networks supporting communication among host.

Inside the Internet. INTERNET ARCHITECTURE The Internet system consists of a number of interconnected packet networks supporting communication among host.
Internet Bandwidth Measurement Techniques Muhammad Ali Dec 17 th 2005.

Internet Bandwidth Measurement Techniques Muhammad Ali Dec 17 th 2005.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
Ch. 28 Q and A IS 333 Spring 2015. Q1 Q: What is network latency? 1.Changes in delay and duration of the changes 2.time required to transfer data across.

Ch. 28 Q and A IS 333 Spring Q1 Q: What is network latency? 1.Changes in delay and duration of the changes 2.time required to transfer data across.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Sven Ubik, CESNET TNC2004, Rhodos, 9 June 2004 Performance monitoring of high-speed networks from NREN perspective.

Sven Ubik, CESNET TNC2004, Rhodos, 9 June 2004 Performance monitoring of high-speed networks from NREN perspective.
Protocols and the TCP/IP Suite Chapter 4. Multilayer communication. A series of layers, each built upon the one below it. The purpose of each layer is.

Protocols and the TCP/IP Suite Chapter 4. Multilayer communication. A series of layers, each built upon the one below it. The purpose of each layer is.
Sepehr Firewalls Sepehr Sadra Tehran Co. Ltd. Ali Shayan December 2008.

Sepehr Firewalls Sepehr Sadra Tehran Co. Ltd. Ali Shayan December 2008.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Document Number ETH100-3.1.2-08 1 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187

Document Number ETH West Diamond Avenue - Third Floor, Gaithersburg, MD Phone: (301) Fax: (301)
Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.

Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.
Barracuda Load Balancer Server Availability and Scalability.

Barracuda Load Balancer Server Availability and Scalability.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.

1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.

Similar presentations

Ads by Google