Network Monitoring and Traffic Analysis in CSTNET Chunjing Han Aug. 2013 CSTNET, CNIC
Topics
1. The background of network monitoring
2. Network monitoring protocols and related tools
3. Network monitoring and traffic analysis systems in CSTNET
1. Background of network monitoring
Network monitoring and traffic analysis systems in CSTNET: questions the network management center has to answer
- Network equipment utilization
- Traffic utilization for a link or organization
- Traffic Top N: IP, URL, protocol
- Application distribution
- User behavior analysis
- Network attacks and security events
2. Network monitoring protocols and related tools
Network monitoring technology categories
- Passive: SNMP, NetFlow
- Active: Ping, Iperf
Passive monitoring: SNMP
SNMP (Simple Network Management Protocol), versions 1, 2 (v2c) and 3; data is organized in the Management Information Base (MIB).
An SNMP-managed network consists of three key components:
- Managed devices
- Agent software that runs on the managed devices
- Network management system (NMS) software that runs on the manager
Caveat: SNMPv1 and v2c authenticate requests with nothing but a cleartext community string, so a monitoring deployment should poll with SNMPv3 (authentication and privacy), or at least use read-only communities restricted by ACL to the collector's addresses.
Passive monitoring: NetFlow
The five fields that define a flow (the 5-tuple):
1. Source address
2. Destination address
3. Source port
4. Destination port
5. Layer 3 protocol
Flow records are exported from the router's flow cache to a collector.
NetFlow defines TWO flows for ONE TCP connection: the request (client to server) and the response (server to client) are separate entries in the flow cache, each exported when the active timeout (long-lived flows) or the inactive timeout (no packets seen) expires. A one-way UDP stream is ONE flow. Because records are unidirectional, the collector has to pair them by 5-tuple to reason about sessions.
NetFlow development
Export uses UDP, sending multiple flow records in one packet.
Formats: Version 1 (V1), Version 5 (V5), Version 7 (V7), Version 8 (V8), Version 9 (V9); versions 2, 3, 4 and 6 were not released.
Packet layout: a header (version number, record count, sequence number) followed by the flow records.
Caveat: export is UDP and unauthenticated, so the collector should use the header sequence number to detect lost export packets and accept exports only from known exporter addresses.
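As an added example (not code from CSTNET/CNIC or LDTM), the following Python parses a NetFlow v5 export datagram with the header and record layout described above, groups the unidirectional records by 5-tuple so that the two flows of one TCP connection and the single flow of a one-way UDP stream become visible, and uses the header sequence number to detect lost export datagrams. The sample datagram is constructed in the file with struct.pack; the field order and sizes follow the published Cisco v5 layout, and the addresses, ports and counters are invented.

```python
"""NetFlow v5 parser: header, 48-byte flow records, 5-tuple grouping and
export-loss detection. Added example, not CSTNET/CNIC or LDTM code; the
datagram is constructed in this file with struct.pack so it runs offline."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HEADER_FMT = "!HHIIIIBBH"                 # version, count, sysUptime, unix_secs, unix_nsecs, flow_sequence, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # srcaddr, dstaddr, nexthop, ifaces, dPkts, dOctets, first, last, ports, pad, flags, prot, tos, ASes, masks, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
MAX_RECORDS = 30                          # v5 packs at most 30 records per UDP datagram


def parse_v5(packet):
    """Return (header dict, list of flow dicts); reject malformed datagrams."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = \
        struct.unpack_from(HEADER_FMT, packet, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > MAX_RECORDS or len(packet) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("count %d inconsistent with %d-byte datagram" % (count, len(packet)))
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits; top 2 bits are the sampling mode
    flows = []
    for i in range(count):
        r = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "sport": r[9], "dport": r[10], "proto": r[13],
                      "packets": r[5], "bytes": r[6], "tcp_flags": r[12]})
    return header, flows


def conversations(flows):
    """Group unidirectional flows by an order-independent 5-tuple. A TCP
    connection shows up as two flows (request + response); a one-way UDP
    stream as one."""
    conv = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        ends = sorted([(f["src"], f["sport"]), (f["dst"], f["dport"])])
        c = conv[(f["proto"],) + tuple(ends)]
        c["flows"] += 1
        c["packets"] += f["packets"]
        c["bytes"] += f["bytes"]
    return dict(conv)


def lost_flows(expected_seq, header):
    """flow_sequence counts the flows exported before this datagram. Because
    export rides on UDP, a value above the one we expected means datagrams
    (and the flows inside them) were lost on the way to the collector."""
    return max(header["flow_sequence"] - expected_seq, 0)


# --- constructed sample datagram (not captured traffic) ---------------------
def make_record(src, dst, sport, dport, proto, packets, octets, tcp_flags=0):
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, packets, octets, 1000, 2000,
                       sport, dport, 0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)


def make_packet(records, seq):
    hdr = struct.pack(HEADER_FMT, 5, len(records), 123456, 1375315200, 0, seq, 0, 0, 0)
    return hdr + b"".join(records)


SAMPLE_PACKET = make_packet([
    make_record("10.1.2.3", "192.168.10.5", 51000, 80, 6, 10, 1200, 0x1A),  # HTTP request
    make_record("192.168.10.5", "10.1.2.3", 80, 51000, 6, 8, 9000, 0x1A),   # HTTP response
    make_record("10.1.2.3", "192.168.10.9", 5060, 5060, 17, 50, 6000),      # one-way UDP stream
], seq=100)

if __name__ == "__main__":
    header, flows = parse_v5(SAMPLE_PACKET)
    for key, c in conversations(flows).items():
        print(key, c)
    # 100 flows were expected before this datagram, so nothing was lost:
    print("flows lost before this datagram:", lost_flows(100, header))
```

The collector keeps `expected_seq` per exporter (engine id plus source address) and sets it to `flow_sequence + count` after each datagram; a positive `lost_flows` result is the only signal that traffic went unmeasured.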
3. Network monitoring and traffic analysis systems in CSTNET
CNMS (Cloud Network Management System)
- A network management system based on cloud computing technology
- A multi-tenant cloud application (SaaS)
- Cloud core and probe model
System function modules of CNMS
- Data collecting: the data center executes data collection through SNMP, Ping, etc.
- Data receiving and processing: receiving data, matching it against the data model and the alarm rules, sending alarm events to the alarm processing module, and persisting the data.
- Alarm processing: correlation, filtering and compression of alarm events.
- Alarm releasing: according to the alarm rules, releasing the related alarm notice to the administrator.
- Data visualization: using graph and table tools to show the network data.
(Diagram: cloud server modules: data collecting, data receiving and processing, alarm processing, alarm release, data visualization, self-management.)
Collecting data probe
- Topology discovery: regularly scans the topology according to topology discovery requests.
- Data collecting: through SNMP, Ping, Telnet and service simulation, probes collect the data of the managed network objects. Caveat: Telnet carries device credentials in cleartext; where the devices support it, the probe should log in over SSH with a read-only account.
- Data visualization: a built-in web server lets operators view local information when the WAN link fails.
- Data sending: formatting and sending the management data to the cloud management center.
- Self management: self-status monitoring; communication with the CNMS center; automatic software version upgrades.
- Local database: caches data in the local probe, providing local capability.
(Diagram: probe modules: data collecting, data sending, data visualization, self-management.)
Function module overview
- Overview: Top N performance, topology thumbnail, custom dashboard view
- Topology: manages the IPv4/IPv6 network topology and the machine-room architecture
- Resource management: network devices, servers, and IP and MAC address management
- Performance management: device traffic (bps, pps, packet loss, packet error ratio, etc.); Ping: RTT, loss, jitter
- Configuration management: storing device configurations and providing version comparison
- Alarm center: alarm filtering, compression, correlation and related operations, providing a unified alarm center
- System management: tenants, accounts, permissions, role management
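The bps, pps and packet error ratio figures under performance management are derived from periodic polls of SNMP interface counters. As an added example, not CNMS code, the following Python turns successive samples of ifInOctets, ifInUcastPkts and ifInErrors into per-interval rates, handling Counter32 wrap and setting aside intervals after an agent restart (sysUpTime went backwards) or with a delta the interface speed cannot carry. The sample values are constructed, not polled, and the sample tuple layout is an assumption of this example.

```python
"""Interface rates from periodic SNMP counter polls, with Counter32 wrap handling
and counter-reset detection. Added example, not CNMS code; samples are constructed."""

COUNTER32 = 2 ** 32   # ifInOctets / ifInUcastPkts / ifInErrors (IF-MIB Counter32)
COUNTER64 = 2 ** 64   # ifHCInOctets etc. (IF-MIB Counter64), needed on fast links


def counter_delta(prev, cur, width):
    """Increase of a monotonically growing SNMP counter between two polls.
    A current value below the previous one is treated as exactly one wrap,
    which only holds if the polling interval is shorter than the wrap time
    (a Counter32 of octets wraps in about 34 s at 1 Gbit/s, so fast links
    need the 64-bit HC counters)."""
    return cur - prev if cur >= prev else cur + width - prev


def interface_rates(samples, ifspeed_bps, width=COUNTER32):
    """samples: (unix_time, sysUpTime_ticks, ifInOctets, ifInUcastPkts, ifInErrors)
    in polling order (tuple layout is an assumption of this example).
    Returns one dict per interval. An interval after an agent restart (sysUpTime
    went backwards, counters reset) or with a delta the interface speed cannot
    carry is reported with valid=False rather than turned into a bogus spike."""
    out = []
    for (t0, up0, o0, p0, e0), (t1, up1, o1, p1, e1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be in increasing time order")
        if up1 < up0:
            out.append({"t": t1, "valid": False, "reason": "counters reset (sysUpTime decreased)"})
            continue
        d_oct = counter_delta(o0, o1, width)
        d_pkt = counter_delta(p0, p1, width)
        d_err = counter_delta(e0, e1, width)
        bps = d_oct * 8 / dt
        if bps > ifspeed_bps:
            out.append({"t": t1, "valid": False, "reason": "delta exceeds ifSpeed"})
            continue
        out.append({"t": t1, "valid": True, "bps": bps, "pps": d_pkt / dt,
                    "error_ratio": d_err / d_pkt if d_pkt else 0.0})
    return out


# Constructed 60 s polls of a 100 Mbit/s interface (sysUpTime is in 1/100 s ticks).
SAMPLES = [
    (1375315200, 100_000, 4_200_000_000, 1_000_000, 10),
    (1375315260, 106_000,   280_032_704, 1_300_000, 13),  # ifInOctets wrapped past 2^32
    (1375315320,     500,     5_000_000,    40_000,  0),  # sysUpTime dropped: device rebooted
]

if __name__ == "__main__":
    for r in interface_rates(SAMPLES, 100_000_000):
        print(r)
```

The second sample wraps the octet counter but still yields the correct 50 Mbit/s; the third is flagged instead of producing the impossible rate that a naive wrap correction would compute after a reboot.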
LDTM (Large-scale Distributed Traffic Monitor)
- A large-scale distributed traffic monitor
- Comprehensive traffic direction and volume analysis
- Advanced traffic data comparison and intelligent analysis techniques
Flexible deployments Software deployment
Features list
- Traffic weather map
- Traffic trend
- Distribution by region, application and organization
- Top N: IP, session, protocol, packet size
- Packet capture service
- IP utilization statistics
- IP location service
- IP traffic report
Network overview: traffic weather map
A geo-view of top IP sessions and the distribution of traffic volume; two zoom levels (continent; country and area); many time-granularity query conditions; top IP sessions and their distribution by organization and region.
Top N analysis
When congestion occurs on a customer's network, the first thing to do is query the Top N IP addresses: usually a single IP address is consuming most of the bandwidth, so the operator can quickly locate the address to be blocked. Before blocking, confirm that the address is the real source: in a flood the top source is often spoofed or a reflector, and blocking it punishes the wrong party.
Top N packet size: when the network is under a DDoS attack, ranking traffic by packet size with pps as the unit generally puts the small-packet flows at the top of the list.
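As an added example (not LDTM code), the following Python performs the two Top N queries described above over a constructed set of flow records: top source addresses by byte volume with their bandwidth share, and packet-size buckets ranked by pps versus by bytes, which shows why a small-packet flood surfaces only in the pps ranking. The bucket boundaries, the flow record fields and the share threshold are assumptions of this example.

```python
"""Top N analysis over flow records: top talkers by byte volume and packet-size
buckets ranked by pps. Added example, not LDTM code; the records are constructed."""
from collections import Counter

INTERVAL_S = 10  # length of the measurement interval the records cover

# Constructed flow records for one 10 s interval (addresses and counters invented).
FLOWS = [
    {"src": "10.0.0.7",     "dst": "10.0.1.20", "proto": 6,  "bytes": 14_000_000, "packets": 10_000},  # bulk transfer
    {"src": "10.0.0.8",     "dst": "10.0.1.21", "proto": 6,  "bytes": 2_800_000,  "packets": 2_000},
    {"src": "198.51.100.9", "dst": "10.0.1.22", "proto": 17, "bytes": 3_000_000,  "packets": 50_000},  # 60-byte UDP flood
    {"src": "203.0.113.4",  "dst": "10.0.1.22", "proto": 17, "bytes": 400_000,    "packets": 5_000},
]

# Average-packet-size buckets in bytes; the boundaries are an assumption of this example.
SIZE_BUCKETS = [(0, 64), (65, 128), (129, 256), (257, 512), (513, 1024), (1025, 1518)]


def size_bucket(avg_bytes):
    for lo, hi in SIZE_BUCKETS:
        if avg_bytes <= hi:
            return "%d-%d" % (lo, hi)
    return ">1518"  # jumbo frames


def top_n_ips(flows, n, interval_s):
    """Rank source addresses by bytes; return (ip, bps, share_of_total_bytes)."""
    by_ip = Counter()
    for f in flows:
        by_ip[f["src"]] += f["bytes"]
    total = sum(by_ip.values()) or 1
    return [(ip, b * 8 / interval_s, b / total) for ip, b in by_ip.most_common(n)]


def top_n_packet_sizes(flows, n, interval_s, by="pps"):
    """Rank packet-size buckets by pps (default) or by bits per second. Each
    flow is attributed to the bucket of its average packet size."""
    by_bucket = Counter()
    for f in flows:
        if f["packets"] == 0:
            continue  # a record without packets has no packet size
        bucket = size_bucket(f["bytes"] / f["packets"])
        by_bucket[bucket] += f["packets"] if by == "pps" else f["bytes"]
    scale = 1 if by == "pps" else 8  # bytes -> bits for the bps ranking
    return [(bucket, v * scale / interval_s) for bucket, v in by_bucket.most_common(n)]


def block_candidates(flows, interval_s, share_threshold=0.5):
    """Sources whose share of the interval's bytes exceeds the threshold. These
    are candidates to investigate, not to block blindly: in a flood the top
    source is frequently spoofed or a reflector."""
    return [ip for ip, _bps, share in top_n_ips(flows, len(flows), interval_s)
            if share > share_threshold]


if __name__ == "__main__":
    for ip, bps, share in top_n_ips(FLOWS, 3, INTERVAL_S):
        print("%-14s %12.0f bps  %5.1f%%" % (ip, bps, share * 100))
    print("by pps:  ", top_n_packet_sizes(FLOWS, 3, INTERVAL_S, by="pps"))
    print("by bytes:", top_n_packet_sizes(FLOWS, 3, INTERVAL_S, by="bytes"))
    print("candidates:", block_candidates(FLOWS, INTERVAL_S))
```

With these records the byte ranking is led by the 1025-1518 bucket (the bulk transfers), while the pps ranking is led by the 0-64 bucket: the flood carries 15% of the bytes but 75% of the packets, which is what the Top N packet size view is for.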
IP address usage statistics
IPv4 address resources are very precious, so we need to monitor IP usage per customer. By counting the addresses on which flows actually transfer, we get real statistics of the IP utilization ratio. Although the IPv6 address space is practically unlimited, we still need to analyse address utilization: from IPv6 usage we can locate the customers who rarely use IPv6 and find out why they are reluctant to use the IPv6 network, which gradually improves the IPv6 transition.
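As an added example (not LDTM code), the following Python computes the IPv4 utilization ratio per customer from the addresses seen as flow endpoints, and for IPv6, where a ratio over the assigned space is meaningless, counts active addresses and active /64 subnets and lists the customers with no IPv6 activity. Customer allocations, customer names and the observed addresses are constructed for this example.

```python
"""Per-customer address utilization from flow endpoints. Added example, not LDTM
code; allocations and observed addresses are constructed."""
from ipaddress import ip_address, ip_network

# Constructed allocations (customer names and prefixes are assumptions).
CUSTOMERS = {
    "inst-a": ["203.0.113.0/25", "2001:db8:a::/48"],
    "inst-b": ["203.0.113.128/26", "2001:db8:b::/48"],
}
# Constructed: addresses that appeared as a flow endpoint during the period.
OBSERVED = [
    "203.0.113.5", "203.0.113.7", "203.0.113.7", "203.0.113.77", "203.0.113.130",
    "2001:db8:a:1::10", "2001:db8:a:1::11", "2001:db8:a:2::1",
    "198.51.100.1",  # outside every allocation: attribution error or spoofed source
]


def utilization(customers, observed):
    """Return ({customer: stats}, [unattributed addresses]).
    IPv4: active addresses / assigned addresses. IPv6: active addresses and
    active /64 subnets, since a ratio over 2^80 hosts says nothing."""
    nets = [(name, ip_network(p)) for name, pfx in customers.items() for p in pfx]
    seen = {name: {"v4": set(), "v6": set(), "v6_64": set()} for name in customers}
    unattributed = set()
    for addr in map(ip_address, observed):
        owner = next((name for name, n in nets if addr.version == n.version and addr in n), None)
        if owner is None:
            unattributed.add(str(addr))
        elif addr.version == 4:
            seen[owner]["v4"].add(addr)
        else:
            seen[owner]["v6"].add(addr)
            seen[owner]["v6_64"].add(ip_network("%s/64" % addr, strict=False))
    report = {}
    for name, pfx in customers.items():
        v4 = [n for n in map(ip_network, pfx) if n.version == 4]
        v6 = [n for n in map(ip_network, pfx) if n.version == 6]
        v4_assigned = sum(n.num_addresses for n in v4)
        report[name] = {
            "v4_assigned": v4_assigned,
            "v4_active": len(seen[name]["v4"]),
            "v4_ratio": len(seen[name]["v4"]) / v4_assigned if v4_assigned else 0.0,
            "v6_64s_assigned": sum(2 ** (64 - n.prefixlen) for n in v6 if n.prefixlen <= 64),
            "v6_active_addrs": len(seen[name]["v6"]),
            "v6_active_64s": len(seen[name]["v6_64"]),
        }
    return report, sorted(unattributed)


def idle_ipv6_customers(report, min_active_addrs=1):
    """Customers whose IPv6 activity is below the threshold: the ones to ask
    why they are not using the IPv6 network."""
    return sorted(name for name, s in report.items()
                  if s["v6_active_addrs"] < min_active_addrs)


if __name__ == "__main__":
    report, unknown = utilization(CUSTOMERS, OBSERVED)
    for name, stats in report.items():
        print(name, stats)
    print("unattributed:", unknown)
    print("idle IPv6 customers:", idle_ipv6_customers(report))
```

The unattributed list is worth keeping: an address that carries flows but belongs to no customer allocation is either a gap in the address registry or a spoofed source, and both deserve a look.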
CAS Software Park, No. 4 South Fourth Street, Zhongguancun, Haidian District, Beijing. Postal code: 100190. www.cnnic.cn