Packet Sampling and Network Monitoring



Similar documents
Traffic Monitoring using sflow

Gaining Operational Efficiencies with the Enterasys S-Series

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

Traffic monitoring with sflow and ProCurve Manager Plus

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Observer Probe Family

Scalable High Resolution Network Monitoring

Cisco IOS Flexible NetFlow Technology

SNMP Monitoring: One Critical Component to Network Management

Flow Based Traffic Analysis

Network congestion control using NetFlow

Beyond Monitoring Root-Cause Analysis

The ntop Project: Open Source Network Monitoring

Brocade sflow for Network Traffic Monitoring

Network Instruments white paper

The next IP SLA generation Solution. Advisor SLA. Network Performance Monitoring Solution.

Cisco Performance Visibility Manager 1.0.1

Network Management & Security (CS 330) RMON

Network Management and Monitoring Software

WHITE PAPER. Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency

On-Premises DDoS Mitigation for the Enterprise

Network Management Functions RMON1, RMON2. Network Management

Observer Analysis Advantages

Business case for VoIP Readiness Network Assessment

Unified network traffic monitoring for physical and VMware environments

Extending Network Visibility by Leveraging NetFlow and sflow Technologies

Observer Probe Family

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Analyzing Full-Duplex Networks

A Summary of Network Traffic Monitoring and Analysis Techniques

Maintaining Non-Stop Services with Multi Layer Monitoring

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Dell SonicWALL report portfolio

and reporting Slavko Gajin

Network Assessment Services

WhatsUp Gold vs. Orion

Network Visibility Guide

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

Monitoring high-speed networks using ntop. Luca Deri

Elevating Data Center Performance Management

Service Definition. Internet Service. Introduction. Product Overview. Service Specification

Research on Errors of Utilized Bandwidth Measured by NetFlow

Best Practices for NetFlow/IPFIX Analysis and Reporting

SDN CENTRALIZED NETWORK COMMAND AND CONTROL

Internet Management and Measurements Measurements

Network Security Demonstration - Snort based IDS Integration -

Optimizing Data Center Networks for Cloud Computing

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Present and Desired Network Management to Cope with the Expected Expansion, NM-AIST Study Case.

Beyond Monitoring Root-Cause Analysis

Network Virtualization for Large-Scale Data Centers

Network System Design Lesson Objectives

Cisco Bandwidth Quality Manager 3.1

Network Traceability Technologies for Identifying Performance Degradation and Fault Locations for Dependable Networks

4 Internet QoS Management

ethernet services for multi-site connectivity security, performance, ip transparency

Cisco Integrated Services Routers Performance Overview

Challenges in High Performance Network Monitoring

Perspective on secure network for control systems in SPring-8

TELCO challenge: Learning and managing the network behavior

Fail-Safe IPS Integration with Bypass Technology

Latency Analyzer (LANZ)

E-Guide. Sponsored By:

Network Analysis Modules

RMON, the New SNMP Remote Monitoring Standard Nathan J. Muller

Top-Down Network Design

Firewalls Overview and Best Practices. White Paper

Internet Traffic Measurement

ISSN: (Online) Volume 3, Issue 4, April 2015 International Journal of Advance Research in Computer Science and Management Studies

Traffic Management for the Enterprise

Traffic Monitoring in a Switched Environment

RUGGEDCOM NMS. Monitor Availability Quick detection of network failures at the port and

Data Center Load Balancing Kristian Hartikainen

Network Monitoring Comparison

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

Whitepaper. 10 Metrics to Monitor in the LTE Network. blog.sevone.com

Programmable Networking with Open vswitch

Where IT perceptions are reality. Test Report. OCe14000 Performance. Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine

Network Management Functions - Performance. Network Management

PANDORA FMS NETWORK DEVICE MONITORING

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

RoCE vs. iwarp Competitive Analysis

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

How To Switch In Sonicos Enhanced (Sonicwall) On A 2400Mmi 2400Mm2 (Solarwall Nametra) (Soulwall 2400Mm1) (Network) (

ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED

Comprehensive IP Traffic Monitoring with FTAS System

NetFlow The De Facto Standard for Traffic Analytics

Using RMON to Manage Remote Networks Gilbert Held

Transcription:

Packet Sampling and Network Monitoring CERN openlab Monthly Technical Meeting 13 th November, 2007 Milosz Marian Hulboj milosz.marian.hulboj@cern.ch Ryszard Erazm Jurga ryszard.jurga@cern.ch

What is Network Monitoring? Network Health Inspection Observation and analysis of following objects: Network devices End systems Network links Network traffic Network applications CERN openlab presentation 2007 2

Why Network Monitoring (1) Networks are getting more complex and harder to comprehend Networks are a business-critical element Occurrence of problems in any network is inevitable: Increasing configuration and topology complexity Increasing number and complexity of threats, attacks, viruses, etc. Conclusion: It is just a matter of time Detect the problems as early as possible Reduce the unavailability time CERN openlab presentation 2007 3

Network Statistics: Why Network Monitoring (2) Identification of performance characteristics: For traffic engineering (pkt/s, bytes/s, connections/s, flows, traffic matrix) QoS metrics, latency, bandwidth (SLA, billing) Planning (busiest services, traffic distribution, throughput) Network Inventory: Identification of equipment on the network Troubleshooting: Failures of interface cards, power supplies Connectivity problems Service availability CERN openlab presentation 2007 4

Why Network Monitoring (3) Accounting User activity Security Policy violations: Unauthorised services, machines Unauthorised access Unauthorised applications (e.g. p2p) Intrusion detection Compromised hosts detection Protection against cyberattacks, worms, etc. CERN openlab presentation 2007 5

Performance Problem CERN openlab presentation 2007 6

Packet Analysis - old methods (1) Sniffing in the old times ( old shared Ethernet ) Slow network speed Captures everything (all packets+payload) Old shared Ethernet is a history CERN openlab presentation 2007 7

Packet Analysis modern methods (2) Port mirroring: Captures all the traffic (per port, group, VLAN, etc) Requires HW support Requires fast network interface Problematic determination of originating port Network device-based data: Captures (partial) data from selected ports Sampled packet data Sampled flow data Requires HW support Port mirroring CERN openlab presentation 2007 8

Other Common Sources of Data (1) SNMP Operations via simple variable manipulation Standard mean for retrieving generic statistics, network status, etc: Packet arrival and departure rates, packet top rates, error rates, system load, etc. Used also for network configuration Cannot customise monitored variables within agent Different vendors use different proprietary MIBs for detailed information CERN openlab presentation 2007 9

Other Common Sources of Data (2) RMON and RMON2 Extension of the basic set of SNMP Remote data collection and processing RMON2 decodes packets at layers 3 7 and handles certain protocols Collects aggregate statistics (volume, rate, Top Talkers, etc) about network and application traffic Implementation of RMON agents is complex Probes might be expensive and require administration Cannot add new features to the existing MIB CERN openlab presentation 2007 10

Packet Sampling A mean of passive network monitoring Simple to implement Low CPU and memory overhead Sample only the packet header (~128 bytes) Traffic patterns estimated from the samples with certain error CERN openlab presentation 2007 11

Error Estimation Decreasing error = increasing the sampling rate CERN openlab presentation 2007 12

sflow Packet Sampling RFC 3176 Multi-vendor standard Complete packet header and switching/routing information Some SNMP counters information Low CPU/memory requirements scalable CERN openlab presentation 2007 13

Usage of sflow Profiling network traffic Building flow statistics Accounting and billing Route profiling (forwarding information) Security analysis / intrusion detection: Packet headers analysis Traffic pattern analysis CERN openlab presentation 2007 14

Current Research Influence of sampling on flow estimates Influence of sampling on anomaly detection: Access only to packet headers Unable to reconstruct the sessions from samples Traffic prediction: Packet count prediction Traffic volume prediction Adjusting of sampling rate: Attempt to maintain the constant error Attempt to fully utilise the hardware capabilities CERN openlab presentation 2007 15

Bibliography N.Duffield, Sampling for Passive Internet Measurement: A Review, Statistical Science 2004, Vol. 19, No. 3 http://www.sflow.org J.Jedwab, P.Phaal, B.Pinna, Traffic Estimation for the Largest Sources on a Network, Using Packet Sampling with Limited Storage, HP Laboratories Bristol, HPL-92-35, 1992 B.Choi, J.Park, Z.Zhang, Adaptive Random Sampling for Load Change Detection, University of Minnesota Technical Report 01-041, 2001 B.Choi, J.Park, Z.Zhang, Adaptive Random Sampling for Flow Volume Measurement, University of Minnesota Technical Report 02-040, 2002 K.Ishibashi, R.Kawahara, M.Tatsuya, T.Kondoh, S.Asano, Effect of Sampling Rate and Monitoring Granularity on Anomaly Detectability, IEEE Global Internet Symposium, 2007 R.Kawahara, T.Mori, N.Kamiyama, S.Harada, S.Asano, A Study on Detecting Network Anomalies Using Sampled Flow Statistics, IEEE International Symposium on Applications and the Internet Workshops 2007 Y.Gao, G.He, J.Hou, On Exploiting Traffic Predictability in Active Queue Management, in Proceedings of IEEE INFOCOM, 2002 N.Duffield, C.Lund, M.Thorup, Estimating Flow Distributions from Sampled Flow Statistics, Proceedings the ACM SIGCOMM Conference on Applications, Technologies, Architectures, 2003 K.Xu, Z.Zhang, S.Bhattacharyya, Profiling Internet Backbone Traffic: Behavior Models and Applications, SIGCOMM Comput. Commun. Rev., Vol. 35, No. 4. (October 2005), pp. 169-180. And many more CERN openlab presentation 2007 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information