Rorschach Plots and Network Performance Analysis




Rorschach Plots and Network Performance Analysis
Jim Gilsinn, Kenexis Consulting Corporation
October 19-20, 2013, BSidesDC 2013

Rorschach? (image slide)

Rorschach Plots (three image slides showing plots)

ICS Environment (two image slides)

ICS Systems (image slide)

What's This All About?
- I used to work at NIST; I left about a year ago
- I worked on ICS network performance metrics, tests, and tools
- The test tools I developed have been dormant since I left
- The vendors I worked with while at NIST want the tool
- My new employer won't support open-source development
- I'm here to beg for help!

Performance Testing Methodology: Performance Metrics
Publish/subscribe or peer-to-peer communications
- Main performance metric: cyclic frequency variability (jitter)
- Real-time EtherNet/IP (CIP Class 1 I/O) uses publish/subscribe
  - Requested/Accepted Packet Interval (RPI/API): the cyclic interval the consumer requests and the producer agrees to deliver
  - Measured Packet Interval (MPI): the interval actually observed between consecutive packets of one stream on the wire; jitter is how far the MPI strays from the API

Performance Testing Methodology: Performance Metrics
Command/response or master/slave communications
- Main performance metric: latency (time from a request to its matching response)
- A large number of protocols use this pattern:
  - Most (all?) PC-based client/server protocols: HTTP(S), (S)FTP, etc.
  - Most industrial protocols: Modbus/TCP, PROFINET, EtherCAT, etc.
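The two metrics from the last two slides, cyclic jitter (MPI against RPI/API) for publish/subscribe I/O and request/response latency for command/response protocols, as an added example. This is not IENetP or FENT code; it is a stand-alone illustration in Python, and the packet timestamps, transaction ids and the 25% tolerance used below are constructed for the example.

```python
"""Performance metrics for the two traffic patterns on the slides:
cyclic jitter (MPI vs. RPI/API) for publish/subscribe I/O, and
request/response latency for command/response protocols.

All timestamps are integer microseconds so the arithmetic is exact.
The sample data below is constructed for illustration; it is not a
capture from a real device."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed producer->consumer stream: API = 10 ms, ten packets with
# a few hundred microseconds of timing noise.
CLASS1_API_US = 10_000
CLASS1_TIMES_US = [0, 10_100, 19_900, 30_200, 39_800,
                   50_000, 60_700, 69_900, 80_000, 90_300]

# Constructed command/response events: (time_us, direction, transaction id).
# Transaction 3 gets a slow reply, transaction 4 never gets one, and the
# response carrying id 9 has no matching request.
MODBUS_EVENTS_US = [
    (0, "req", 1), (4_000, "rsp", 1),
    (100_000, "req", 2), (103_500, "rsp", 2),
    (200_000, "req", 3), (245_000, "rsp", 3),
    (300_000, "req", 4),
    (310_000, "rsp", 9),
]


def cyclic_jitter(times_us, api_us):
    """Measured Packet Intervals (MPI) of one stream and how far they
    stray from the accepted interval (API)."""
    if len(times_us) < 2:
        raise ValueError("need at least two packets to measure an interval")
    mpi = [later - earlier for earlier, later in zip(times_us, times_us[1:])]
    deviations = [m - api_us for m in mpi]
    worst = max(abs(d) for d in deviations)
    return {
        "mpi": mpi,
        "mpi_mean_us": mean(mpi),
        "mpi_stddev_us": pstdev(mpi),
        "max_abs_dev_us": worst,
        "max_dev_pct": 100.0 * worst / api_us,
    }


def interval_histogram(mpi, api_us, bin_us):
    """Bucket each MPI by its deviation from API in bins of bin_us wide
    (the data behind a histogram graph of packet intervals)."""
    counts = defaultdict(int)
    for m in mpi:
        counts[(m - api_us) // bin_us] += 1   # floor division keeps negative bins ordered
    return dict(sorted(counts.items()))


def within_tolerance(stats, max_dev_pct):
    """True when the worst interval deviation is inside the allowed
    percentage of the desired packet interval."""
    return stats["max_dev_pct"] <= max_dev_pct


def request_response_latency(events):
    """Pair each request with the response carrying the same transaction id.
    Returns (latency by id, ids still waiting for a response,
    response ids that matched no request)."""
    pending = {}
    latencies = {}
    orphans = []
    for t, direction, tid in sorted(events):
        if direction == "req":
            pending[tid] = t
        elif tid in pending:
            latencies[tid] = t - pending.pop(tid)
        else:
            orphans.append(tid)
    return latencies, sorted(pending), orphans


def slow_transactions(latencies, max_latency_us):
    """Transaction ids whose latency exceeded the budget."""
    return sorted(tid for tid, lat in latencies.items() if lat > max_latency_us)


if __name__ == "__main__":
    stats = cyclic_jitter(CLASS1_TIMES_US, CLASS1_API_US)
    print(f"MPI mean {stats['mpi_mean_us']:.1f} us, worst deviation "
          f"{stats['max_abs_dev_us']} us ({stats['max_dev_pct']:.1f}% of API)")
    print("histogram (bin index -> count):",
          interval_histogram(stats["mpi"], CLASS1_API_US, 500))
    lat, waiting, orphans = request_response_latency(MODBUS_EVENTS_US)
    print("latency us:", lat, "no response:", waiting, "orphan responses:", orphans)
    print("slow (>20 ms):", slow_transactions(lat, 20_000))
```

Keeping the timestamps in integer microseconds avoids the float rounding that otherwise creeps into interval arithmetic, and reporting the worst deviation as a percentage of the API is what lets the same check be applied to a 2 ms and a 100 ms connection alike.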

IENetP Test Tool
Industrial Ethernet Network Performance (IENetP): http://sourceforge.net/projects/ienetp/
Current version: 1.1.2, released 2011-02-11
Software features:
- Analyzes existing Wireshark captures
- Lets the user override the default EtherNet/IP filter
- Isolates individual traffic streams
- Determines the cyclic jitter of those streams
- Generates an HTML report
- Generates time-space and histogram graphs, with zooming

NIST Performance Test Tools
- Industrial Ethernet Network Performance (IENetP) Test Tool
- Factory Equipment Network Testing (FENT) Framework

FENT Framework (architecture diagram): a Universal Client Application (UCA) exposing the UCA API; Testing Modules, Analysis Engines and a Reporting Engine on top of it; Personality Modules below it bridging to devices over Sensor, Gateway, Ethernet, Fieldbus and Internet links

FENT Features
All analysis features from IENetP:
- Analyze Wireshark capture files
- Build graphs and reports of results
Added features:
- True multi-protocol support
- Real-time testing capability
- Extensible framework

FENT Personality Modules
- A wrapper around a protocol driver application
- Implements a TCP-socket interface for UCA-API messaging
- Described by a simple XML-based PM Descriptor file
Features:
- The descriptor carries the Wireshark parameters for the protocol
- Allows any protocol to be used
- Can be built/loaded at run time
(Diagram: UCA API <-> Protocol PM, with its PM Descriptor, <-> Driver App)

FENT Framework Run-Time
(Diagram: Testing Module, UCA API, Protocol PM with PM Descriptor and Driver App, Wireshark, PSML file, Analysis Engine, Reporting Engine, DUT)
1. Testing Module -> Protocol PM: grab the protocol-specific Wireshark parameters via the UCA-API
2. Testing Module -> Wireshark: start capturing traffic
3. Testing Module -> Protocol PM: command the driver app to communicate with the DUT
4. Testing Module -> Wireshark: stop capturing traffic, process the capture file using the desired protocol and user parameters, generate a PSML file
5. Analysis Engine: read the PSML file, analyze the packets for the desired metrics
6. Reporting Engine: report the data to the user
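Step 5 of that flow, reading the PSML summary that tshark writes and isolating the cyclic streams in it, as an added example in Python. It is not FENT's own analysis engine. It assumes the default tshark column layout (No., Time, Source, Destination, Protocol, Length, Info) produced by `tshark -r capture.pcapng -T psml`, and it assumes that the Info column of a Class 1 packet contains a `Connection: ID=0x...` fragment from which a connection id can be pulled; both the sample PSML and that Info format are constructed for the example rather than taken from a real capture.

```python
"""Step 5 of the FENT run-time flow: read the PSML summary that tshark
writes, isolate the cyclic traffic streams in it, and turn each stream's
timestamps into packet intervals.

The PSML below is a constructed stand-in for the output of
    tshark -r capture.pcapng -T psml
with tshark's default columns. It is not a real capture."""
import re
import xml.etree.ElementTree as ET

# Two constructed EtherNet/IP Class 1 connections at a 10 ms interval, plus
# an ARP broadcast and a ListIdentity request that stream isolation must skip.
SAMPLE_PSML = """<?xml version="1.0"?>
<psml version="0" creator="wireshark/1.8.2">
<structure>
<section>No.</section><section>Time</section><section>Source</section>
<section>Destination</section><section>Protocol</section>
<section>Length</section><section>Info</section>
</structure>
<packet><section>1</section><section>0.000000</section><section>192.168.1.10</section><section>192.168.1.20</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000001, SEQ=0000000001</section></packet>
<packet><section>2</section><section>0.001200</section><section>00:11:22:33:44:55</section><section>Broadcast</section><section>ARP</section><section>60</section><section>Who has 192.168.1.20? Tell 192.168.1.10</section></packet>
<packet><section>3</section><section>0.005000</section><section>192.168.1.20</section><section>192.168.1.10</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000002, SEQ=0000000001</section></packet>
<packet><section>4</section><section>0.010050</section><section>192.168.1.10</section><section>192.168.1.20</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000001, SEQ=0000000002</section></packet>
<packet><section>5</section><section>0.015000</section><section>192.168.1.20</section><section>192.168.1.10</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000002, SEQ=0000000002</section></packet>
<packet><section>6</section><section>0.017000</section><section>192.168.1.30</section><section>255.255.255.255</section><section>ENIP</section><section>66</section><section>List Identity (Req)</section></packet>
<packet><section>7</section><section>0.019980</section><section>192.168.1.10</section><section>192.168.1.20</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000001, SEQ=0000000003</section></packet>
<packet><section>8</section><section>0.025020</section><section>192.168.1.20</section><section>192.168.1.10</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000002, SEQ=0000000003</section></packet>
<packet><section>9</section><section>0.030010</section><section>192.168.1.10</section><section>192.168.1.20</section><section>ENIP</section><section>98</section><section>Connection: ID=0x00000001, SEQ=0000000004</section></packet>
</psml>
"""

# Assumed shape of the Info column for a Class 1 I/O packet (see lead-in).
CONNECTION_RE = re.compile(r"ID=(0x[0-9A-Fa-f]+)")


def parse_psml(text):
    """Return one dict per <packet>, keyed by the column names in <structure>."""
    root = ET.fromstring(text)
    columns = [s.text for s in root.find("structure").findall("section")]
    rows = []
    for pkt in root.findall("packet"):
        values = [s.text or "" for s in pkt.findall("section")]
        rows.append(dict(zip(columns, values)))
    return rows


def isolate_streams(rows, protocol="ENIP"):
    """Group packets of the chosen protocol into streams keyed by
    (source, destination, connection id); timestamps become integer
    microseconds. Packets with no connection id in Info (ListIdentity
    and the like) are not cyclic traffic and are skipped."""
    streams = {}
    for row in rows:
        if row["Protocol"] != protocol:
            continue
        match = CONNECTION_RE.search(row["Info"])
        if not match:
            continue
        key = (row["Source"], row["Destination"], match.group(1))
        streams.setdefault(key, []).append(int(round(float(row["Time"]) * 1_000_000)))
    return streams


def stream_intervals(streams):
    """Measured packet intervals (microseconds) for every isolated stream."""
    return {key: [b - a for a, b in zip(t, t[1:])] for key, t in streams.items()}


def worst_deviation_pct(intervals_us, api_us):
    """Largest deviation of a stream's intervals from its API, as a percentage."""
    return 100.0 * max(abs(i - api_us) for i in intervals_us) / api_us


if __name__ == "__main__":
    intervals = stream_intervals(isolate_streams(parse_psml(SAMPLE_PSML)))
    for key, ivs in intervals.items():
        print(key, ivs, f"worst {worst_deviation_pct(ivs, 10_000):.2f}% of API")
```

Keying streams on (source, destination, connection id) rather than on addresses alone matters because one pair of devices commonly carries several Class 1 connections at different RPIs; folding them together would produce intervals that belong to no real stream. Filtering on the Protocol column is where FENT's per-protocol Wireshark parameters from the PM Descriptor would plug in.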

FENT UCA-API Schema (schema diagram)

FENT Framework
Project home: http://sourceforge.net/projects/fent/
What's available:
- SVN repository and schema
- FENT software: conduct real-time testing, analyze results, build graphs on-screen
- NIST SensorSim PM, IEEE 1451 PM
- EtherNet/IP PlugFest Gold Standard Background Traffic

FENT Framework: Known Problems and Issues
- Doesn't work with Wireshark 1.9+: the tshark argument used to get fields changed
- Logic problems when using multi-protocol Wireshark headers
- Software doesn't use a true database
- Testing automation not integrated
- No installer

FENT Demo (live demo)

Gold Standard Background Traffic

Gold Standard Background Traffic
What is it?
- A set of Wireshark captures, Linux scripts, and analysis results
- Based on the EtherNet/IP PlugFest performance testing requirements
- High-precision, high-accuracy Wireshark captures of PlugFest performance background traffic
- Linux scripts designed for use in BackTrack Linux (http://www.backtrack-linux.org/)
- Analysis results that validate the captures for use in PlugFest performance testing
Where can you get it?
- http://ienetp.sourceforge.net/ethernet-ip_testing.zip
- or the FENT SVN, Background_Traffic folder

PlugFest Performance Traffic

Traffic type                        Rate (pps)
ARP Request Broadcasts              180
Gratuitous ARP Broadcasts           180
DHCP Request Broadcasts             100
ICMP (ping) Request Broadcasts      100
NTP Multicasts                      10
EtherNet/IP ListIdentity Request    10
EtherNet/IP Class 1                 1800
ARP Burst Requests                  240 pkts @ 4 kHz

Test scenarios: Baseline, Steady-State Managed, Steady-State Unmanaged, Burst Managed, Burst Unmanaged

Gold Standard Captures
Built from individual traffic streams:
- Each traffic stream generated and captured using the NIST Ixia system (a few microseconds of jitter)
- Assembled using editcap and mergecap scripts
- Final captures are 60 seconds long; they can't just be looped continuously, so longer test captures require rebuilding (not hard)
Analyzed using IENetP:
- Analysis results are included in the package
- Well within spec for PlugFest performance testing needs (jitter less than 25% of the desired packet interval)

Licensing?
The project is public domain! There are NO LICENSING ISSUES!

What's Next?
Contact me:
- Jim Gilsinn, 301-706-9985, jim.gilsinn@kenexis.com
- Twitter: @JimGilsinn
- LinkedIn: http://www.linkedin.com/in/jimgilsinn/
Review the FENT SourceForge project: http://sourceforge.net/projects/fent/
Fork the project