Extracting Performance Metrics from NetFlow in Enterprise Networks



Similar documents
Passively Detecting Remote Connectivity Issues Using Flow Accounting. 2nd EMANICS Workshop on Netflow/IPFIX usage in network management

Monitoring WAAS Using Cisco Network Analysis Module. Information About NAM CHAPTER

Wireshark Developer and User Conference

TE in action. Some problems that TE tries to solve. Concept of Traffic Engineering (TE)

NetFlow/IPFIX Various Thoughts

Advanced Computer Networks IN Dec 2015

EE627 Lecture 22. Multihoming Route Control Devices

STANDPOINT FOR QUALITY-OF-SERVICE MEASUREMENT

Flow Analysis Versus Packet Analysis. What Should You Choose?

An API for dynamic firewall control and its implementation for Linux Netfilter

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Internet Infrastructure Measurement: Challenges and Tools

Research on Errors of Utilized Bandwidth Measured by NetFlow

PANDORA FMS NETWORK DEVICES MONITORING

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Introduction. The Inherent Unpredictability of IP Networks # $# #

PANDORA FMS NETWORK DEVICE MONITORING

Chapter 4. VoIP Metric based Traffic Engineering to Support the Service Quality over the Internet (Inter-domain IP network)

Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information

TFTP TRIVIAL FILE TRANSFER PROTOCOL OVERVIEW OF TFTP, A VERY SIMPLE FILE TRANSFER PROTOCOL FOR SIMPLE AND CONSTRAINED DEVICES

Gaining Operational Efficiencies with the Enterasys S-Series

IP Network Monitoring and Measurements: Techniques and Experiences

Metrics One Way. Two way. Availability Other metrics (R, BW,..?) latency packet loss Jitter delay variation. extensions of one-way metrics

EQ-BGP: an efficient inter-domain QoS routing protocol

Scalable Extraction, Aggregation, and Response to Network Intelligence

Network Monitoring Based on IP Data Flows

Limitations of Packet Measurement

Network Monitoring Based on IP Data Flows Best Practice Document

04 Internet Protocol (IP)

Improving our Evaluation of Transport Protocols. Sally Floyd Hamilton Institute July 29, 2005

From NetFlow to IPFIX the evolution of IP flow information export

The ISP Column A monthly column on all things Internet

HPAM: Hybrid Protocol for Application Level Multicast. Yeo Chai Kiat

Service Level Monitoring with Nagios. National Technical University of Athens Network Operations Center

Monitoring and analyzing audio, video, and multimedia traffic on the network

The Power of SA as a SLM Tool

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Network Monitoring and Traffic CSTNET, CNIC

Standardizing IP Traffic Flow Measurement at the IETF

LOW OVERHEAD CONTINUOUS MONITORING OF IP NETWORK PERFORMANCE

Emulex and SevOne Provide Unparalleled Clarity for Enterprise Network Performance Management

Infrastructure for active and passive measurements at 10Gbps and beyond

Qcast : IP Multicast Traffic Monitoring System with IPFIX/PSAMP

A VoIP Traffic Monitoring System based on NetFlow v9

End-to-End Network Centric Performance Management

Flow Monitoring With Cisco Routers

Measuring IP Network Routing Convergence. A new approach to the problem

The next IP SLA generation Solution. Advisor SLA. Network Performance Monitoring Solution.

Traffic Monitoring in a Switched Environment

Requirements for Simulation and Modeling Tools. Sally Floyd NSF Workshop August 2005

Data Center Real User Monitoring

How to configure an Advanced Expert Probe as NetFlow Collector

Mobile Communications Chapter 9: Mobile Transport Layer

Voice over IP Probe! for Network Operators and! Internet Service Providers

QoS Measurements Methods and Tools

Innovative, High-Density, Massively Scalable Packet Capture and Cyber Analytics Cluster for Enterprise Customers

Chapter 2. Literature Review

Final for ECE374 05/06/13 Solution!!

WAN Optimization in MPLS Networks- the Transparency Challenge!

Internet Management and Measurements Measurements

Experimentation driven traffic monitoring and engineering research

Challenges in NetFlow based Event Logging

How To Measure Quality Of Service On An Hpla (Html) Website

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Flow Based Traffic Analysis

IPTV Traffic Monitoring System with IPFIX/PSAMP

REAL-TIME PERFORMANCE MONITORING ON JUNIPER NETWORKS DEVICES

Extreme Networks CoreFlow2 Technology TECHNOLOGY STRATEGY BRIEF

Efficient Transport of VoIP Firewall Control Signaling

TELE9752 Network Operations and Control Week 10p: Performance

Real-Time Traffic Engineering Management With Route Analytics

mbits Network Operations Centrec

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Cisco Network Foundation Protection Overview

Port evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently.

CS551 End-to-End Internet Packet Dynamics [Paxson99b]

Introduction to Performance Measurements and Monitoring. Vinayak

NetFlow The De Facto Standard for Traffic Analytics

Tech Note #015. General requirements

Kevin Webb, Alex Snoeren, Ken Yocum UC San Diego Computer Science March 29, 2011 Hot-ICE 2011

Beyond Monitoring Root-Cause Analysis

How To Provide Qos Based Routing In The Internet

ExamPDF. Higher Quality,Better service!

Cisco Catalyst 4948E NetFlow- lite

Computer Networks II Master degree in Computer Engineering Exam session: 11/02/2009 Teacher: Emiliano Trevisani. Student Identification number

Cisco Performance Agent Data Source Configuration in the Branch-Office Router

Transcription:

Extracting Performance Metrics from NetFlow in Enterprise Networks 2nd EMANICS Workshop on NetFlow/IPFIX Usage Jochen Kögel jochen.koegel@ikr.uni-stuttgart.de 8. October 2009 Universität Stuttgart Institute of Communication Networks and Computer Engineering (IKR) Prof. Dr.-Ing. Andreas Kirstädter

Overview Motivation and scenario Monitoring in enterprise networks What could be extracted from NetFlow? Metrics extraction process Evaluation and results Conclusion and outlook 2

Motivation and scenario Monitoring in global enterprise networks Global MPLS-Cloud connects several locations Network metrics (RTT, delay, loss,...) monitored by active probes (partly, no full mesh) Unsampled NetFlow (v5) from many routers (own routers + customer edge) Application level: Response time measured by active probing (E2E-probes) Correlating network metrics with application response times: NetFlow-based? Extract metrics from NetFlow-Data to enrich/validate/replace active measurements? 3

Motivation and scenario What could be extracted from NetFlow Records? Round-Trip-Time (RTT) data from one router (depends on routing) One way delay data from several routers (+ synchronized clocks) Packet loss Flow contention (roughly) Partly covered in QoS-Monitoring-Section of RFC 5472 (IPFIX Applicability), but no investigation on flow-level so far (?) Constraints Incomplete NetFlow data (table contention, packet loss) Rerouting, ECMP, disjoint paths 4

Metrics extraction process Preprocessing Steps 1. Join flow records of same forward flow based on 5-Tuple (JoinedFlow) 2. Build FlowAcrossExporters: associate JoinedFlows of all exporters 3. Associate forward and reverse flows (BiFlow) RTT Extraction 1. Take complete BiFlows 2. Calculate start-flow record offset (mid-flow offset also contains server response time) Delay Extraction 1. Step through JoinedFlows of FlowAcrossExporters 2. Calculate delay between every exporter pair based on start time 5

Evaluation scenario NetFlow data NetFlow data of 3 days taken for this evaluation Filter: TCP-Connections of E2E-Probe and IP SLA flows IP SLA (active measurement between routers) Three UDP measurement flows per minute Reports on average RTT every five minutes 6

Evaluation 1: NetFlow-RTT/E2E vs. IP SLA RTT Comparison of active measurement results and NetFlow-RTT RTT measurements in different directions, but same path 7

Evaluation 1: NetFlow-RTT/E2E vs. IP SLA RTT IPSLA vs. TCP-Flows of E2E-Probes 650 600 IP SLA/Netflow RTT Comparison Netflow RTT, E2E Probe IPSLA RTT 440 420 Netflow/IPSLA RTT,E2E Comparison IPSLA RTT smoothed Netflow RTT, E2E Probe, smoothed 550 400 500 380 RTT/ms 450 RTT/ms 360 340 400 320 350 300 300 280 250 11.09 260 11.09 Left: without further processing, right: smoothed (window 15) 1-4 NetFlow-RTT/E2E samples per IPSLA-sample NetFlow-RTT timestamp may differ several seconds from IPSLA-Measurement time Closer look on flows from IPSLA-Measurement 8

Evaluation 2: NetFlow-RTT/IP SLA vs. IP SLA RTT Compare RTT gained from IP SLA with RTT calculated from measurement flows 9

Evaluation 2: NetFlow-RTT/IP SLA vs. IP SLA RTT 650 600 Netflow/IP SLA RTT Comparison Netflow RTT IP SLA RTT 400 380 Netflow/IP SLA RTT Comparison IPSLA RTT smoothed Netflow RTT smoothed 550 360 500 340 RTT/ms 450 400 350 RTT/ms 320 300 300 280 250 260 200 240 150 11.09 220 11.09 Left: without further processing, right: smoothed (window 20) ~15 NetFlow-RTT samples per IP SLA sample IP SLA flows reuse 5-Tuple matching problem reason for difference? 10

Evaluation 3: NetFlow-RTT vs. NetFlow-delay 1. Calculate NetFlow-delays independently of NetFlow-RTT 2. Match Netflow delay samples based on timestamp and sum up Direct comparison possible (if R3 and R4 were inaccurate, we would notice) 11

Evaluation 3: NetFlow-RTT vs. NetFlow-delay Delay of complete path: R1 - R4 600 550 500 Netflow RTT/Netflow delay sum (R1 R4) Netflow delay sum Netflow RTT/E2E 450 400 350 300 Difference between RTT, delay sum (6 outliers dropped) RTT/ms 450 400 350 300 samples 250 200 150 100 50 250 11.09 0 10 8 6 4 2 0 2 4 6 8 10 Difference/ms Sum of forward and reverse delay almost equal to NetFlow RTT Delay contribution of segment from R4 to reverse proxy negligible 12

Evaluation 3: NetFlow-RTT vs. NetFlow-delay Delay of partial path: R1 - R3 600 550 500 Netflow RTT/Netflow delay sum (R1 R3) Netflow delay sum Netflow RTT/E2E Difference between RTT, delay sum (15 outliers dropped) 180 160 140 120 RTT/ms 450 400 samples 100 80 350 300 60 40 20 250 11.09 0 5 0 5 10 15 20 25 30 35 Difference/ms Delay contribution of segment between R3 and R4 measurable 13

Conclusion and Outlook Conclusion NetFlow as basis for performance metrics: "QoS Monitoring" and server response Comparison to RTT of IP SLA data: differences, but trends are the same Comparison of NetFlow-delay and NetFlow-RTT delay contribution of network segments measurable Outlook Comparison on a large scale Improved algorithms to deal with missing or inaccurate records Compensation of record loss by combining information from several routers Take knowledge about record loss into account (IPFIX Reliability Statistics?) Is active per-packet measurement required at all? 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information