Live Traffic Monitoring with Tstat: Capabilities and Experiences

Transcription

1 Live Traffic Monitoring with Tstat: Capabilities and Experiences Maurizio M. Munafò Alessandro Finamore Marco Mellia Michela Meo Dario Rossi WWIC - Luleå, June 3, 2010

2 Outline Motivations Tstat - TCP STatistic and Analysis Tool Deployment Scenarios Features Layer-3 / Layer-4 Characterization Layer-7 Analysis and DPI LibTstat Outputs Gallery of Tstat Capabilities Conclusions

3 Traffic Classification & Measurement Why? Identify normal and anomalous behavior Characterize the network and its users Quality of service monitoring Traffic engineering Firewall tuning Pricing

4 Tstat at a Glance

5 Worm and Viruses? Did someone open a Christmas card? Happy new year to Windows!!

6 Anomalies (Good!) Spammer Disappear McColo SpamNet shut off on Tuesday, November 11th, 2008

7 New Applications P2PTV Fiorentina 4 - Udinese 2 Inter 1 - Juventus 0

8 TCP STatistic and Analysis Tool Tstat is a long term software project from the TLC Networks Group in Politecnico di Torino Project born to characterize the behavior of TCP connections Evolved to a full-fledged tool to monitor and analyze the traffic in IP networks Runs on most Linux/FreeBSD/NetBSD systems Working both as passive live sniffer and as offline trace analyzer Support for integration in other monitoring tools (libtstat)

9 Live Monitor Probe Just passively listen (sniff) the traffic passing on an operative link No need for special equipment Good performance with off-the-shelf hardware Manage hundreds of Mpbs with common PC hardware and integrated NIC Support for hi-end NIC cards Using Endace DAG able to manage a couple of Gbps of traffic with no fuss

10 Monitor Probe Setup LOCAL OUT IN EXTERN

11 Offline Traffic Analyzer Processing of already captured traffic traces for offline analysis Popular packet trace formats: pcap, erf, etherpeek Common compression formats: gzip, bzip, and 7zip

12 Tstat Workflow L7 L4 L3 Behavioral FSM DPI Pure DPI TCP/UDP IPv4/IPv6 Skype, Encrypted P2P Web, Mail, IM Peer-to-peer, P2P-TV #bytes, #flows, IP bitrate, packet length,

13 Tstat Workflow Layer 2 MAC encapsulation Tstat supports several MAC encapsulations (Ethernet, VLAN, MPLS), but no explicit statistic on them L4 L3 TCP/UDP IPv4/IPv6 Layer 3 IP IPv4 and IPv6 datagrams: anything different is ignored Layer 4 TCP and UDP Identification and complete characterization of TCP flows: flow length, lifetime, RTTs, window size, UDP flows: size, length, ports usage

14 Tstat Features L7 L4 Behavioral FSM DPI Pure DPI TCP/UDP Layer 7 Internet applications protocols L3 Pure Deep Packet Inspection Simple matching of known signatures in the packet payload P2P file sharing (emule/kad, Bittorrent), P2P-TV (Sopcast, PPLive, TVAnts) Finite State Machine DPI Mixes the Pure DPI with a FSM to consider packets in both directions Internet Protocols (HTTP,SMTP,SSL, SSH, ), Instant Messaging (MSN, Yahoo, Jabber), Web 2.0 Applications (Facebook, YouTube, RapidShare, Megaupload, ) Behavioral Classifier Classification of encrypted traffic through statistical properties Skype, Obfuscated emule/kad, Encrypted Bittorrent IPv4/IPv6

15 Tstat Outputs Connection Logs Text files reporting all of the relevant measures collected for the identified flows Histograms Text files collecting the empirical frequencies distributions for the collected parameters, saved at regular intervals RRD Round Robin Database Popular compact format to collect monitored statistics on several timescales. Used to monitor the probe through a CGI Web page Packed traces Dump of classes of packets into pcap traces for further elaborations

16 LibTstat Tstat can be compiled as a library to be linked with other measurement tools Simple API to pass packets to the Tstat engine The linking application can control all the aspects of the analyzed traffic Anonymization Packed payload Traffic filtering Successfully used by TIE (Univ. of Naples) and METAWIN (ftw.)

17 Where Tstat Lives

18 Gallery of Tstat Capabilities Live probe on the edge of the Politecnico campus network 1 Gbps link connecting to GARR, the Italian Research Network Traffic quite regular, with common workplace patterns (nine-to-five activity, no traffic in the weekends) Hybrid research/education/administration environment, so possibility of peculiar behaviors Traffic from February 2010

19 One Year of TCP Flows 40 flows [x1000] http smtp ssl/tsl unknown Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar

20 IP Traffic bitrate [Mbps] tcp udp Bitrate Mon Tue Wed Thu Fri Sat Sun Mon 250 Flows flows [x1000] tcp udp -200 Mon Tue Wed Thu Fri Sat Sun Mon

21 IP Bitrate bitrate [Mbps] tcp udp Mon Tue Wed Thu Fri Sat Sun Mon

22 IP Flows flows [x1000] Mon Tue Wed Thu Fri Sat Sun Mon tcp udp

23 Chat Sessions flows msn act msn pre xmpp act xmpp pre yahoo act yahoo pre 0 Mon Tue Wed Thu Fri Sat Sun Mon

24 Tracked Flows flows [x1000] udp tcp 20 0 Mon Tue Wed Thu Fri Sat Sun Mon

25 CPU Load %cpu load max system+user system+user avg system avg 0 Mon Tue Wed Thu Fri Sat Sun Mon

26 TCP Bitrate per Application bitrate [Mbps] http bit+obf ssl/tls ssh other unknown Mon Tue Wed Thu Fri Sat Sun Mon

27 HTTP Bitrate per Application 50 0 bitrate [Mbps] http-get megaupload facebook -300 youtube rapidshare other Mon Tue Wed Thu Fri Sat Sun Mon

28 Conclusions Mature tool for network monitoring and analysis Always on the cutting edge, adapting to the changes in the Internet and to the research trends in networking outperform [other] signature based tools used in the literature (IMC 2009) Web site

29 Frågor?

30 Tack!