Network Management and Realtime Traf c Flow Measurement



Similar documents
Challenges and Approaches in Providing QoS Monitoring

Gaining Operational Efficiencies with the Enterasys S-Series

LOW OVERHEAD CONTINUOUS MONITORING OF IP NETWORK PERFORMANCE

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

A Web-Based Real-Time Traffic Monitoring Scheme Using CORBA

Chapter 18. Network Management Basics

An Introduction to VoIP Protocols

SNMP Monitoring: One Critical Component to Network Management

Network Management & Security (CS 330) RMON

SLA para aplicaciones en redes WAN. Alvaro Cayo Urrutia

RMON, the New SNMP Remote Monitoring Standard Nathan J. Muller

Integrated Quality of Service and Network Management

Lecture 12: Network Management Architecture

UPPER LAYER SWITCHING

Ranch Networks for Hosted Data Centers

Sage ERP Accpac Online

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, Page 1

Avaya ExpertNet Lite Assessment Tool

Top-Down Network Design

Transport and Network Layer

ABSTRACT 1.1 MEASUREMENT APPROACHES 1. INTRODUCTION 2. OCXMON/CORAL PASSIVE MONITORING OF INTERNET TRAFFIC AT SUPERCOMPUTING 98

Network Management 2. Learning Objectives. Centralized network management? School of Business Eastern Illinois University

MANAGING NETWORK COMPONENTS USING SNMP

Cisco Performance Visibility Manager 1.0.1

Observer Probe Family

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

How To Set Up Foglight Nms For A Proof Of Concept

How To Understand Network Performance Monitoring And Performance Monitoring Tools

Application Note. Pre-Deployment and Network Readiness Assessment Is Essential. Types of VoIP Performance Problems. Contents

Chapter 2 - The TCP/IP and OSI Networking Models

Network Management and Monitoring Software

Configuring and Managing Token Ring Switches Using Cisco s Network Management Products

Cisco Network Analysis Module Software 4.0

CSE 3461 / 5461: Computer Networking & Internet Technologies

Performance of voice and video conferencing over ATM and Gigabit Ethernet backbone networks

Traffic Monitoring in a Switched Environment

SNMP Network Management Concepts

Cisco Bandwidth Quality Manager 3.1

Clearing the Way for VoIP

PART OF THE PICTURE: The TCP/IP Communications Architecture

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

netstar - Integrated Network monitoring and Traffic Analysis System

NQA Technology White Paper

A Summary of Network Traffic Monitoring and Analysis Techniques

pc resource monitoring and performance advisor

Computer Networks. Definition of LAN. Connection of Network. Key Points of LAN. Lecture 06 Connecting Networks

Intelligent Network Monitoring for Your LAN, WAN and ATM Network

How To Understand and Configure Your Network for IntraVUE

NETWORK SECURITY 10.1 ROUTERS

Application Notes. Introduction. Contents. Managing IP Centrex & Hosted PBX Services. Series. VoIP Performance Management. Overview.

Observer Analysis Advantages

Simplify VoIP Network Setup and Troubleshooting with NetTool VoIP

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Virtual Server in SP883

EE4367 Telecom. Switching & Transmission. Prof. Murat Torlak

REMOTE MONITORING MATRIX

OptiView. Total integration Total control Total Network SuperVision. Network Analysis Solution. No one knows the value of an

Network Management Functions RMON1, RMON2. Network Management

OptiView. Total integration Total control Total Network SuperVision. Network Analysis Solution. No one knows the value of an

AN IMPROVED REAL-TIME TRAFFIC FLOW MONITORING SCHEME

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Basic Network Configuration

Providing quality of service (QoS) guarantees

Network Simulation Traffic, Paths and Impairment

Objectives of Lecture. Network Architecture. Protocols. Contents

NETWORK DESIGN BY USING OPNET IT GURU ACADEMIC EDITION SOFTWARE

High-performance VoIP Traffic Optimizer Client Solution

Simple Network Management Protocol

Get Your FIX: Flow Information export Analysis and Visualization

THE IMPORTANCE OF TESTING TCP PERFORMANCE IN CARRIER ETHERNET NETWORKS

How To Use Ntop

Network Security Policy: Best Practices White Paper

Operating System Concepts. Operating System 資 訊 工 程 學 系 袁 賢 銘 老 師

Communications and Computer Networks

Network Monitoring. Chu-Sing Yang. Department of Electrical Engineering National Cheng Kung University

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

NETWORK BASELINING AS A PLANNING TOOL

PictureTel H.323 Videoconferencing Network Bandwidth Analysis

PANDORA FMS NETWORK DEVICES MONITORING

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

ReadyNAS Remote White Paper. NETGEAR May 2010

L2 / L3 Switches. Remote Network Monitoring (RMON) Configuration Guide

Chapter 5. Data Communication And Internet Technology

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

Observer Probe Family

RUGGEDCOM NMS. Monitor Availability Quick detection of network failures at the port and

How To Analyse Internet Traffic With A Java Applet

APPENDIX 8 TO SCHEDULE 3.3

Cisco Prime Network Analysis Module Software 5.1 for Nexus 1010

EXPERIMENTAL STUDY FOR QUALITY OF SERVICE IN VOICE OVER IP

Bandwidth Aggregation, Teaming and Bonding

Jean Parrend 1/6 SNMP. Content. 1. Introduction...1

Protocols. Packets. What's in an IP packet

DC70 NETWORK MANAGEMENT JUN 2015

The Picture must be Clear. IPTV Quality of Experience

Top-Down Network Design

AT-S60 Version Management Software for the AT-8400 Series Switch. Software Release Notes

1 Introduction to ntop

QoS Switching. Two Related Areas to Cover (1) Switched IP Forwarding (2) 802.1Q (Virtual LANs) and 802.1p (GARP/Priorities)

NetView for z/os V6.1 Packet Trace Analysis

Transcription:

Journal of Network and Systems Management, Vol. 6, No. 2, 1998 Report Edited by Paul Brusil Network Management and Realtime Traf c Flow Measurement Nevil Brownlee 1 An understanding of the traf c ows in a network is vital for network management. One needs to collect traf c ow data from many points throughout the network for performance monitoring and capacity planning, and be able to analyze it in terms of users and traf c types for security and congestion management. The Realtime Traf c Flow Measurement (RTFM) Architecture provides an effective method for obtaining traf c ow data, and for these purposes it offers some advantages over current remote monitoring (RMON) techniques. The IETF s RTFM Working Group has developed the architecture and is re ning it within the IETF Standards process [1±4]. Managing Network Traf c Flows In a connectionless network, traf c appears as streams of packets moving from one end-point to another, e.g., from a user s desktop computer to a server in another country. Such streams are usually described as ows of network traf- c. Depending on how their end-points are de ned, ows may have various degrees of granularity, from coarse-grained (e.g., from one network to another) to ne-grained (e.g., between speci ed ports on individual hosts). They may be large (carrying many packets) or small, bi-directional (carrying packets in both directions) or unidirectiona l, etc. When a network begins operation there is usually plenty of capacity available. Over time the number of users grows, along with the demands they each place on the network. We can describe this as an increase in the number and size of the network s traf c ows. To effectively manage this growth, it is useful to 1 IT Systems & Services, The University of Auckland, New Zealand. E-mail: n.brownlee@auckla nd. ac.nz 223 1064-7570 / 98 / 0600-0223$15.00 / 0 Ó 1998 Plenum Publishing Corporation

224 Brownlee develop and maintain a good understanding of the traf c ows [5]. Traf c ow data can be used in several ways, as illustrated later. Troubleshootin g From time-to-time there may be abnormally high levels of network traf c, e.g., a ood of packets from a faulty network card, a server being backed up across the network during working hours instead of overnight, etc. Tools such as stand-alone network analyzers are generally well suited to nding single highvolume ows of this kind. Performance Monitoring Most of the time, however, one needs to look at more than just total volume. One really needs to know the network s normal usage patterns, in terms of user or traf c type. For security management it is essential to detect activities such as repeated login attempts from unusual hosts and sequences of packets sent to many different ports on a few hosts. Once normal patterns are known one can determine whether, over time, traf c ows change their character; for example average ow durations may lengthen, some protocols may increase in popularity while others decline, and so on. Congestion Managem ent It is of particular interest to know whether, in the short or long term, there are ows which consume an unusually large portion of the network resources. If there are, steps can be taken to improve the situation. Many approaches are possible, including `social methodsð persuading users to change their work patternsð and/ or `economic methodsð charging users for their network traf c. Upgrading the Network Eventually it becomes necessary to increase the network s capacity. In some networks it may be possible to simply increase the bandwidth everywhere, e.g., one might change an Ethernet LAN from 10 to 100 Mbps. Usually, however, one must decide which parts of the network to upgrade. At this stage it becomes vital to understand the makeup of the traf c ows through the network so as to determine where the traf c is heaviest, and where upgrades will provide the most bene t.

Network Management and Realtime Traf c Flow Measurement 225 RTFM ARCHITECTURE The RTFM Architecture includes four components: meters, meter readers, managers and analysis applications. The Architecture does not specify the method used for communication between these components, but m ost implementation experience (see later) has been gained using SNMP carried over UDP. A meter is a self-contained logical entity which observes network traf c ows and builds up a table of ow data records for them. It can be implemented as a stand-alone device, observing ows at the point where it is connected to the network. Alternatively it could be implemented within a network device (such as a multiport switch or router), in which case it could observe traf c passing through the device. The ows which a meter is to observe, and the ow data records to be created for them are speci ed by a rule set, as described later. A meter reader collects traf c ow data from one or more meters, producing les of traf c ow data. It would normally be implemented as a process running within a multi-user computer system, writing its ow data les to disk. An RTFM manager is a computer program which oversees the operation of meters and meter readers. Its responsibilities include downloading con guration les to meters and setting parameters for meter readers. It should also verify that they continue to operate properly, and notify operations staff if a meter or meter reader fails. Analysis Applications process ow data les so as to provide information and reports as required by Network Operations staff. Because these differ widely between networks, the RTFM Working Group has not attempted any standards work in this area. Analysis Applications are, nonetheless, an essential part of any on-going network management effort, and the requirement for on-going development and maintenance of them should not be underestimated. Specifying Flows: Attributes and Rule Sets The notion of a traf c ow was introduced earlier. In more detail, a traf- c ow is an abstract entity with a set of `attributes. A ow s data record in an RTFM meter is a data structure holding its current attribute values. These attributes include its end-point addresses and other information about it, such as its start and stop times and the number of packets and bytes it has carried in each direction. End-points are speci ed by a set of address attribute values, one for each network layer, e.g., network X, host H, port P. `Wildcard values and/ or lists of values are allowed at each layer, which provides a simple but very powerful way to specify end-points, e.g., all FTP traf c from networks A, B, or C which passed through local router R.

226 Brownlee While a meter is running it uses a rule set to specify which ows are of interest; this is very similar to the use of ` lters in other network analysis systems. The rule set is more general, however, in that it also speci es exactly what information is to be recorded for each ow of interest. As an example, we might regard all packets from network A as a single ow, but (at the same time) want to have separate ows for each subnet of network B, and so on. Essentially, one may regard a rule set as a program for recognizing the ows of interest and doing preliminary reduction of their data. Implementation Experience The rst implementation of the RTFM Architecture was NeTraMet, which was rst released (as free software) in October 1993 [6]. It has a combined manager and meter reader (NeMaC) and a meter (NeTraMet) which runs as a process on a Unix system, or stand-alone on a DOS PC. NeTraMet is in widespread use in many countries. It is most commonly used to collect ow data from 10BaseT Ethernet network segments, but it can also be used with FDDI and 100BaseT Ethernet. Work is well advanced on porting it to run as a `statistics gathering module within the OC3MON platform [7]. (OC3MON is a PC-based system for monitoring traf c ows on ATM links.) The NeTraMet distribution includes a few simple analysis applications, including `nifty, an X/ Motif realtime ow analyzer which uses data from a NeTraMet meter to pinpoint `unusual ows. A second, independent, implementation has been produced within IBM Research (Hawthorne, New York); this version runs in an AIX-based network management environment. RMON AND RTFM Remote network monitoring (RMON) capability has become widely available in recent years, via stand-alone RMON probes and RMON agents built into network devices. RMON provides a good way to determine traf c levels in network segments, total traf c loads to/ from busy hosts and (with RMON2) traf c loads between host pairs, for different protocols, and so on. Overall, RMON is an effective day-to-day network monitoring tool. RMON does not, however, provide a general way to specify traf c ows, and it has no notion of bi-directional ows. For example, it would be very dif- cult to specify ow end-points as lists of networks in RMON. Furthermore, RMON probes have limited ability to pre-process the traf c data they collect; this is left to the management systems which oversee them. In situations where detailed information about the ne structure of traf c

Network Management and Realtime Traf c Flow Measurement 227 ows is needed (e.g., for usage logging), RTFM should provide a more effective approach. This is particularly so where good time resolution is neededð an RTFM meter records ow start and stop times in centiseconds, allowing very short-lived ows to be observed even when ow data is only read from the meter at long (10 minutes or more) intervals. CONCLUSIONS The RTFM Architecture provides a simple, consistent scheme for describing network traf c ows and for collecting ow data. The RTFM Working Group is advancing it on the Internet Standards Track. As it becomes more widely used, vendors will be able to implement it in network devices, making it possible to measure ows in switched networks. One common approach to ow analysis is to collect (perhaps by using an RMON probe) traces of all packets of interest, then analyze them off-line. This approach can quickly generate very large amounts of data, and off-line analysis does not lend itself to real-time network management. RTFM, in contrast, provides a very general way to specify the ows of interest and the amount of detail required for each ow. It effectively uses RTFM meters to do preliminary reduction of the data before it is collected and stored in ow data les. This can dramatically reduce the volume of data to be retrieved across the network. Furthermore, the reduced ow data is available as it is collected, making it possible to develop near-real-time analysis applications. Another strength of the architecture is that it can easily be extended by adding new attributes. The RTFM Working Group is working on new attributes, and is particularly interested in measurements relating to packet arrival times, such as the delay and jitter of packets within a ow. REFERENCES 1. C. Mills, G. Hirsch, and G. Ruth, Internet accounting background, RFC 1272, Bolt Beranek and Newman Inc., Meridian Technology Corporation, November 1991. 2. N. Brownlee, C. Mills, and G. Ruth, Traf c ow measurement: Architecture, RFC 2063, The University of Auckland, Bolt Beranek and Newman, Inc., GTE Laboratories, Inc, January 1997. 3. N. Brownlee, Traf c ow measurement: Meter MIB, RFC 2064, The University of Auckland, January 1997. 4. N. Brownlee, Traf c ow measurement: Experiences with NeTraMet, RFC 2123, The University of Auckland, March 1997. 5. Realtime Traf c ow measurement working group home page, http: / / www.auckland.ac.nz / net / Internet/ rtfm 6. NeTraMet home page, http:/ / www.auckland.ac.nz / net / NetraMet 7. OC3MON: Flexible, affordable, high performance statistics collection, http:/ / www.nlanr.net / NA/ Oc3mon

228 Brownlee Nevil Brownlee is responsible for The University of Auckland s campus network (which has about 6,500 connected hosts), and is manager of Kawaihiko, the New Zealand Universities network. He has been active in the IETF since 1992, and is currently co-chair of the Realtime Traf c Flow Measurement Working Group.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information