Traffic analysis with NetFlow



Similar documents
Network traffic telemetry (NetFlow, IPFIX, sflow)

NetFlow & BGP multi-path: quo vadis?

SolarWinds Technical Reference

NetFlow & BGP multi-path: quo vadis?

pmacct: introducing BGP na2vely into a NetFlow/sFlow collector

Introduction to Netflow

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007

Network Monitoring and Management NetFlow Overview

Fluke Networks NetFlow Tracker

NetFlow/IPFIX Various Thoughts

pmacct: introducing BGP natively into a NetFlow/sFlow collector

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Scalable Extraction, Aggregation, and Response to Network Intelligence

NetFlow-Lite offers network administrators and engineers the following capabilities:

IPv6 network management. Where and when?

Wireshark Developer and User Conference

Agenda. sflow intro. sflow architecture. sflow config example. Summary

Flow Analysis Versus Packet Analysis. What Should You Choose?

Cisco IOS Flexible NetFlow Technology

IPv6 network management. 6DEPLOY. IPv6 Deployment and Support

Open Source in Network Administration: the ntop Project

NetQoS Delivers Distributed Network

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Understanding Flow and Packet Deduplication

PANDORA FMS NETWORK DEVICE MONITORING

Netflow Overview. PacNOG 6 Nadi, Fiji

and reporting Slavko Gajin

PANDORA FMS NETWORK DEVICES MONITORING

Maintaining Non-Stop Services with Multi Layer Monitoring

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

DD2491 p Load balancing BGP. Johan Nicklasson KTHNOC/NADA

Monitoring high-speed networks using ntop. Luca Deri

TE in action. Some problems that TE tries to solve. Concept of Traffic Engineering (TE)

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

How NOC manages and controls inter-domain traffic? 5 th tf-noc meeting, Dubrovnik nino.ciurleo@garr.it

What network engineers can learn from web developers when thinking SDN.

Monitoring backbone networks

Overview. Why use netflow? What is a flow? Deploying Netflow Performance Impact

Section 2: Network monitoring based on flow measurement techniques

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Whitepaper. NetFlow vs. sflow: A Technical Review. plixer. International

How To Set Up Foglight Nms For A Proof Of Concept

Troubleshooting and Maintaining Cisco IP Networks Volume 1

The Value of Flow Data for Peering Decisions

IPv6 Network Management.

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Gaining Operational Efficiencies with the Enterasys S-Series

Network Management & Monitoring

NETWORK TRAFFIC ANALYSIS: HADOOP PIG VS TYPICAL MAPREDUCE

Traffic Monitoring using sflow

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

Practical Experience with IPFIX Flow Collectors

Best of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye

NetFlow Subinterface Support

Network congestion control using NetFlow

Analyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP

Application Latency Monitoring using nprobe

WhatsUpGold. v NetFlow Monitor User Guide

redborder IPS redborder Just common sense IPS overview Common sense

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

[Optional] Network Visibility with NetFlow

End-to-End Network Centric Performance Management

Product Summary RADIUS Servers

CHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor

The use of SNMP and other network management tools in UNINETT. Arne Øslebø March 4, 2014

Unified network traffic monitoring for physical and VMware environments

Flow Based Traffic Analysis

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Riverbed SteelCentral. Product Family Brochure

Connecting North Carolina s Future Today. Application Monitoring: ClassScape Case Study. NCSU Centennial Networking Lab

Securing and Monitoring BYOD Networks using NetFlow

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Network-Wide Class of Service (CoS) Management with Route Analytics. Integrated Traffic and Routing Visibility for Effective CoS Delivery

Monitoring individual traffic flows within the ATLAS TDAQ network

Network management tools: Torrus, Gerty, Mooxu

JUNIPER CARE PLUS ADVANCED SERVICES CREDITS

IPv6 network management

An overview of traffic analysis using NetFlow

Who is Generating all This Traffic?

In Memory Accelerator for MongoDB

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Network Agent Quick Start

High-Speed Network Traffic Monitoring Using ntopng. Luca

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Copyright SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified,

WhatsUp Gold 2016 Getting Started Guide

Transcription:

Traffic analysis with NetFlow Paolo Lucente <paolo at pmacct dot net> http://www.pmacct.net/ RIPE Regional meeting, Dubrovnik Sep 2011

Traffic analysis with NetFlow Agenda o o whoami: Paolo & pmacct Ramblings: Square 0 to reporting RIPE Regional meeting, Dubrovnik Sep 2011

whoami: Paolo Been working for operators for a while Been involved with IP accounting for a while Hence I stumbled upon NetFlow a while ago Within operators, NetFlow is beneficial in several contexts, ie.: Traffic engineering Capacity planning Peering and also (ie. not only) security

pmacct is open-source, free, GPL ed software http://www.pmacct.net/

Traffic analysis with NetFlow Agenda o o whoami: Paolo & pmacct Ramblings: Square 0 to reporting RIPE Regional meeting, Dubrovnik Sep 2011

Square 0 NetFlow is not the only existing export protocol Current trend is to build extensible protocol formats by means of templates (NetFlow v9, IPFIX) or modules (sflow) Export protocols, versions and templates (or modules) available are solely mandated by the underlying network hardware, ie.: Cisco? NetFlow (and NetFlow-Lite on switches?) Juniper? NetFlow and IPFIX (so baaaad as we speak!) on M/T/MX; sflow on EX Brocade? sflow!

Square 1 Essentially, top-down approach Do: Start with a vision Start with goals to achieve Don t: Collect just for the sake of Collect because one day raw data will be useful.. Goals drive to requirements

Requirements (1/2) Given goals, network topology, hardware, etc. Define what devices (routers, switches,..) need to export Define what interfaces need to report Define which direction, inbound or outbound or both? Define whether to sample or not and if yes how much Reality checks: don t just assume hardware can follow decisions; verify completeness of traffic sources

Requirements (2/2) Is NetFlow (or similars) going to do the job alone? Correlation with BGP benefits peering and IP transit analysis (profitability, costs, violations, etc.) Correlation with IGP (plus estimation methods) benefits traffic engineering and capacity planning Is there any margin for use of data reduction techniques? Micro-flow information and as much as possible 1:1 sampling rate benefits security applications and R&D Requirements drive to choice of tooling and storage (ie. flat-files, RRD, RDBMS, etc.)

Collector implementation - gotchas Organizational 800 pound gorilla project spanning across different departments (including IT and Security where existing) Technical Probes loosing traffic along the way, ie.: Cisco 7600 TCAM space being overwhelmed Juniper MX series requiring extra hardware, a MS-DPC ($$$), to cope with sustained export load Over-engineered protocol features (ie. NetFlow v9, IPFIX sampling) drive to bizarre, creative implementations Verify expectations and perform consistency checks against other sources, ie. interface counters

Collector implementation - scalability Divide-et-impera approach, ie.: Assign probes to collectors Assign collectors to storages, ie. RDBMS Work on data reduction: Increase sampling rate Strip down the aggregation method Fit data into larger time-bins Remove from the equation interfaces which are not strictly essential to the task, ie. low-speed Do take into account on larger deployments that a single collector might not fit all the bill due to, typically, CPU or memory constraints

Storage method selection Plenty on the offer both on the commercial and open-source side: flat-files, RDBMS, RRD, columnoriented DB, memory, etc.: I do not come here with general statements In fully integrated products (ie. backend + frontend) this is transparent to end-users Otherwise, going open access (which btw some fully integrated products also offer): Depends, ie. whether a well-known query language like SQL is a pro; an indexed storage is a pro; an have it all to the microflow level kind of storage is a pro; etc. Often it s matter of personal preferences, ie. what one feels most comfortable to query once in production

Maintenance (1/2) (Script to) verify the right set of data is hitting the collector: Ingress + egress directions can lead to duplicates Backbone + edge interfaces can lead to duplicates Network infrastructure evolves: mistakes and forgetting is around the corner (Script to) track collector hardware resources: Supports the divide-et-impera approach It s good rule to do it anyway

Maintenance (2/2) (Script to) keep data-set size under control: Valid for both memory and disk-based storage methods Drop older data is less complex than consolidating; if going for inexpensive storage, ie. disk, consider collecting same data at different time resolutions, with different expiration periods

Reporting Reporting via email or web is popular Key is interaction between backend and frontend: If open access is granted to data-set, great stuff! Otherwise, make sure new reports can be (easily) generated as requirements emerge Reporting can influence organization of the backend, ie. RDBMS re-indexing Flexibility must be possible (if Sales, Purchase, Product Management, etc. find it useful be prepared to handle their creativity!)

Traffic analysis with NetFlow Thanks for your attention! Questions? Paolo Lucente <paolo at pmacct dot net> http://www.pmacct.net/ RIPE Regional meeting, Dubrovnik Sep 2011

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information