Distributed Network Traffic Monitoring and Analysis using Load Balancing Technology



Similar documents
WebTrafMon: Web-based Internet/Intranet network traffic monitoring and analysis system

Lab VI Capturing and monitoring the network traffic

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System

A Research Study on Packet Sniffing Tool TCPDUMP

Introduction to Analyzer and the ARP protocol

Network Security TCP/IP Refresher

Module 1: Reviewing the Suite of TCP/IP Protocols

Unix System Administration

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Management & Security (CS 330) RMON

SDN Programming Languages. Programming SDNs!

NfSen Plugin Supporting The Virtual Network Monitoring

Network Management Functions RMON1, RMON2. Network Management

Linux Network Security

Server Iron Hands-on Training

SNMP and Web-based Load Cluster Management System

Network Layers. CSC358 - Introduction to Computer Networks

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

HTGR- Netflow. or, how to know what your network really did without going broke

USING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA

COMP416 Lab (1) Wireshark I. 23 September 2013

EKT 332/4 COMPUTER NETWORK

Watch your Flows with NfSen and NFDUMP 50th RIPE Meeting May 3, 2005 Stockholm Peter Haag

Introduction to Passive Network Traffic Monitoring

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

Modern snoop lab lite version

Flow Monitoring With Cisco Routers

Transport and Network Layer

How good can databases deal with Netflow data

Chapter 15. Firewalls, IDS and IPS

EMIST Network Traffic Digesting (NTD) Tool Manual (Version I)

Network Models OSI vs. TCP/IP

Load Balancing. FortiOS Handbook v3 for FortiOS 4.0 MR3

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Safe network analysis

FortiOS Handbook - Load Balancing VERSION 5.2.2

Network Security: Workshop

A Design and Implementation of Network Traffic Monitoring System for PC-room Management

Internet Working 5 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2004

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide

Firewalls. Chien-Chung Shen

Minimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized.

How to Make the Client IP Address Available to the Back-end Server

Configuring Security for FTP Traffic

CS197U: A Hands on Introduction to Unix

Sidewinder G2 v6.1.2 and Skype

Who s Doing What? Analyzing Ethernet LAN Traffic

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Network Forensics: Log Analysis

CISCO IOS NETFLOW AND SECURITY

Application. Transport. Network. Data Link. Physical. Network Layers. Goal

Intrusion Detection, Packet Sniffing

EAGLE EYE IP TAP. 1. Introduction

Sniffer s Network Packet Analyzer. Basics

Snoopy. Objective: Equipment Needed. Background. Procedure. Due Date: Nov 1 Points: 25 Points

2. IP Networks, IP Hosts and IP Ports

IPScan V3.5 User s Guide

No. Time Source Destination Protocol Info DNS Standard query A weather.noaa.gov

Network Packet Analysis and Scapy Introduction

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

How do I get to

Network Traffic Analysis

6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS

Firewalls, IDS and IPS

Introduction to Network Security Lab 1 - Wireshark

Ethereal: Getting Started

Understanding Slow Start

Firewall Log Format. Log ID is a Unique 12 characters code (c1c2c3c4c5c6c7c8c9c10c11c12) e.g ,

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Snapt Balancer Manual

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

This sequence diagram was generated with EventStudio System Designer (

Firewall Examples. Using a firewall to control traffic in networks

hp ProLiant network adapter teaming

Pre-lab and In-class Laboratory Exercise 10 (L10)

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

A S B

Industrial Communication Whitepaper. Principles of EtherNet/IP Communication

Software Defined Networking (SDN) - Open Flow

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

Protocols. Packets. What's in an IP packet

Load-Balancing Introduction (with examples...)

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Network Address Translation (NAT)

Network- vs. Host-based Intrusion Detection

BASIC ANALYSIS OF TCP/IP NETWORKS

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Packet Sniffing with Wireshark and Tcpdump

Transcription:

Distributed Network Traffic Monitoring and Analysis using Load Balancing Technology Soon-Hwa Hong, Jae-Young Kim, Bum-Rae Cho and James W. Hong Dept. of Computer Science and Engineering, Pohang Korea Email: {padosori, jay, brcho, jwkhong}@postech.ac.kr http://dpnm.postech.ac.kr/

Introduction Network traffic (text, image, software, audio, video) is increasing continuously both on the Internet and Intranet. A simple, accurate and efficient network traffic monitoring and analysis is required to understand the current usage as well as to plan for future. Many shortcomings exist in currently available monitoring systems. cannot analyze long-term traffic. do not have monitoring capability from multiple network points. capture, analysis and presentation all in one machine. cannot prevent packet drops from the system overload. attempts to overcome these shortcomings using distributed architecture and load balancing technique. (2/16)

Related Work Capture Method Analysis Method Analysis Interval Analysis Scope Support for Multiple network points Distributed Architecture User Interface tcpdump libpcap real time current layer 7 no no Text ntop libpcap batch 5 second, hourly layer 7 no no Web ethereal libpcap real time, batch current, user-specified time layer 7 no no X- Windows MRTG snmp agent batch 5 minute, hourly, daily, weekly, monthly layer 2 yes yes Web WebTrafMon libpcap real time, batch current, hourly layer 7 no no Web libpcap real time, batch current, hourly, daily, monthly, yearly layer 7 yes yes Web (3/16)

Requirements analyze various types of information: host information, network, transport, and application layer protocols. analyze present real-time, hourly, daily, monthly and yearly network traffic data automatically. analyze multiple network points traffic. no packet drops. web-based graphical user interface. (4/16)

Centralized vs. Distributed Centralized Traffic Analysis Architecture Distributed Traffic Analysis Architecture analysis distributed environment analysis packet header information network traffic data packet header information network traffic data capture presentation capture presentation network point user analyzed information network point user analyzed information system overload occurs frequently and many packets are dropped cannot support for multiple network points presentation time is slow capture, analysis and presentation modules execute on separate machines to minimize system overload can support for multiple network points presentation time is fast (5/16)

1. multiple network point packet capture and analyze packet header distributed environment promiscuous mode packet capture network point : Design packet header information 2. analyze packet header and save into DB and make short term and long term traffic data analyze packet header and save into DB make real-time, short term, long term traffic data 3. query to database from user request and give information to user statistics network traffic data request response promiscuous mode packet capture user network point (real-time, hourly, daily, monthly, yearly) (6/16)

Packet Capture Module (Probe) Probe captures packet with promiscuous mode, analyzes packet header and saves into log file No packet drops from system overload using an independent packet capture module. save packet header information into log file Log File log format log format promiscuous mode packet capture network point log format log format Log format : time, length, frame_type, source ip, destination ip, protocol, source port and destination port information (7/16)

Ethernet Dst addr IP Log Format 46-1500 bytes data 6 6 2 4 TCP Src addr Type Log format 2 2 TCP data time length frame_type src_ip dst_ip protocol src_port dst_port 4 2 2 4 4 2 2 frame capture time Src addr Dst addr Protocol 4 4 1 IP data total Ethernet frame size(ethernet header + data + CRC) src port dst port 1 (bytes) CRC (8/16)

Packet Analysis Module (Analyzer) log data Log Transformer IP-based, non IP-based data IP-based, non IP-based data DB Analyzer statistical real-time, hourly, daily, monthly and yearly data. An Analyzer is divided into a Log Transformer module and DB Analyzer module. Log Transformer assorts log files into IP-based data, and non IP-based data (e.g., ARP, RARP, IPX). Log Transformer saves these assorted data to database. DB Analyzer analyzes assorted data in database and makes statistical real-time,hourly, daily, monthly and yearly data. (9/16)

Data Translation by Analyzer for Long-Term Traffic hourly daily monthly yearly (10/16)

DB Schema Name time length frame_type src_ip dst_ip protocol src_port dst_port Name time length ether_type Type INT SMALLINT SMALLINT INT INT TINYINT SMALLINT SMALLINT Type INT SMALLINT SMALLINT hourly Name hour frame_type frame_name bytes count Name day frame_type frame_name bytes count daily Type TINYINT VARCHAR(20) VARCHAR(100) BIGINT BIGINT Type TINYINT VARCHAR(20) VARCHAR(100) BIGINT BIGINT monthly Name year frame_type frame_name bytes count Name month frame_type frame_name bytes count Type TINYINT VARCHAR(20) VARCHAR(100) BIGINT BIGINT yearly Type TINYINT VARCHAR(20) VARCHAR(100) BIGINT BIGINT This is a *_network_table example. network_table has IP information from raw_ip_table and ARP and so on information from raw_non_ip_table. (11/16)

Web Viewer Module Design Web Viewer Database raw_ip, non_ip table data_sent table data_received table data_exchanged table network table transport table application table query reply Database Client CGI Web Server request response (12/16)

probe packet capture using libpcap Binary Log File analyzer save packet header information into log file MySQL Client Implementation NFS distributed environment save packet header information into database raw ip, non-ip, table web viewer C-CGI, MySQL Client query make real-time, hourly, daily, monthly and yearly host, protocol and application information table reply C-CGI, Apache web-server MySQL Server http Database raw_ip, non_ip_table data sent table data received table data exchanged table network table transport table application table Internet user (13/16)

Web-based User Interface: Main View menu time interval menu analysis time hourly total traffic detailed views (14/16)

1 Detailed Views 5 2 3 6 4 (15/16)

Summary & Future Work overcomes many shortcomings of existing monitoring and analysis systems. can analyze real-time and hourly, daily, monthly and yearly network traffic data. With load balancing, independent packet capture prevents packet drops from monitoring system overload. can analyze multiple network points traffic. Future work on More analysis on host and application relationships. Adapt to monitor and analyze other types of IP networks (IPoA, IPoWDM, etc.) Traffic analysis based on contents (video, audio, etc.) (16/16)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information