Post on 24-Dec-2015
Experiences in Analyzing Network Traffic
Shou-Chuan Lai
National Tsing Hua University, Computer and Communication Center
Nov. 20, 2003
Problem Diagnosis
- Call for help: call our contracted support, ask an expert
- Do it yourself: cable tester, network analyzer, Network Management System
Analysis Tools
- Device built-in functions: LED status, LCD messages
- MRTG: SNMP + MIB-II
- NetFlow: Cisco routers with the NetFlow export function; a switch with a mirror/SPAN port plus a NetFlow generator
SNMP Operations
SNMP Manager -> SNMP Agent (UDP port 161): GetRequest, GetNextRequest, SetRequest
SNMP Agent -> SNMP Manager: GetResponse (one answer for each of the three requests above)
SNMP Agent -> SNMP Manager (UDP port 162): Trap
MIB Object Names
root
  iso(1)   itu(2)
    org(3)
      dod(6)
        internet(1)
          directory(1)   mgmt(2)   experiment(3)   private(4)
                         mib(1)                    enterprise(1)
                           system(1) interface(2) at(3) ip(4) icmp(5) tcp(6) udp(7)
MIB-II
Common Operational Statistics (RFC 1857):
- ifInUcastPkts (unicast packets in)
- ifOutUcastPkts (unicast packets out)
- ifInNUcastPkts (non-unicast packets in)
- ifOutNUcastPkts (non-unicast packets out)
- ifInOctets (octets in)
- ifOutOctets (octets out)
MRTG (Multi Router Traffic Grapher)
A tool to monitor the traffic load on network-links.
Generates HTML pages containing graphical images which provide a LIVE visual representation of this traffic.
Based on Perl and C and works under UNIX and Windows NT.
MRTG Track Back
Deploy MRTG on each switch with SNMP support.
In case of abnormal traffic behavior, the per-link information lets us trace back to the switch port nearest to the problem node.
With SNMP SET, we may disable that port as a temporary solution.
Why NetFlow?
NetFlow statistics give users the ability to characterize their IP data flows.
The who, what, where, when, and how much questions about IP traffic are answered.
Offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (e.g. marketing data, personal NMS data).
What is a Flow?
Defined by 7 unique keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)
NetFlow Version 5 Format
Record fields, grouped by what they answer:
- Usage: Packet Count, Byte Count
- Time of Day: Start sysUpTime, End sysUpTime
- From/To: Source IP Address, Destination IP Address
- Application: Source TCP/UDP Port, Destination TCP/UDP Port
- Port Utilization: Input ifIndex, Output ifIndex
- Quality of Service: Type of Service, TCP Flags, Protocol
- Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
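Added example (not from the slides): a small Python parser for the NetFlow v5 export datagram described above, plus the per-source-IP octet ranking that the later "Out-going Traffic (SRC IP)" example shows. The datagram bytes, addresses and byte counts are constructed for the example, and the record field names are my own.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v5 wire layout (big-endian), per the Cisco export format.
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return (header, records) for one NetFlow v5 export datagram."""
    version, count, uptime, secs, _nsecs, seq, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match header record count")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "nexthop": str(ipaddress.IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13], "tos": f[14],
        })
    return {"sysuptime": uptime, "unix_secs": secs, "seq": seq, "count": count}, records

def top_sources(records, n=5):
    """Octets per source IP with share of the total, largest first (the Example II view)."""
    octets = Counter()
    for r in records:
        octets[r["src"]] += r["octets"]
    total = sum(octets.values()) or 1
    return [(ip, b, round(100.0 * b / total, 2)) for ip, b in octets.most_common(n)]

def make_record(src, dst, sport, dport, proto, packets, octets):
    """Pack one constructed v5 record; fields not under study are zero or fixed."""
    return RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, packets, octets, 1000, 2000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram (RFC 5737 documentation addresses): three flows, two sources.
SAMPLE = HEADER.pack(5, 3, 123456, 1069300000, 0, 7, 0, 0, 0) + b"".join([
    make_record("192.0.2.10", "198.51.100.5", 32120, 6881, 6, 9000, 8000000),
    make_record("192.0.2.10", "198.51.100.6", 32121, 6881, 6, 300, 200000),
    make_record("192.0.2.20", "203.0.113.9", 49152, 25, 6, 40, 1800000),
])
```

The length check matters in practice: a collector that trusts the header's record count without checking the datagram length will read garbage records from a truncated or malformed export.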
NetFlow Example I
Date             In (GB)  Out (GB)
Mon Nov 17 2003  924      1730
Sun Nov 16 2003  665      1506
Sat Nov 15 2003  847      1780
Fri Nov 14 2003  893      1623
Thu Nov 13 2003  891      1627
Wed Nov 12 2003  926      1607
Tue Nov 11 2003  825      1425
NetFlow Example II
Out-going Traffic (SRC IP); the FQDN column is blank in the original.
No  FQDN  IP Address     Octets (MB)  %     Note
1   -     140.--.--.158  49619        2.80  AB
2   -     140.--.--.34   46253        2.61  Dept
3   -     140.--.--.27   27024        1.53  Dept
4   -     140.--.--.92   24608        1.39  AB
5   -     140.--.--.157  19396        1.09  AB
NetFlow Example III
Destination Hosts: 100; the FQDN column is blank in the original.
No  FQDN  IP Address      Octets (KB)  %      Packets (K)  Packet Size  Note
1   -     140.---.119.41  12378667     24.36  8814         1404         450
2   -     163.25.---.37   3877362      7.63   2761         1404         178
3   -     163.25.---.39   2620457      5.16   1867         1403         190
4   -     ---.203.138.86  2359499      4.64   1680         1404         93
5   -     ---.66.245.245  2343650      4.61   1669         1404         131
NetFlow Example IV
SRC PORT: TCP#=1849 UDP#=1
No  Prot.  Port#  Con#  Octets (KB)  %      Packets  Packet Size  Note
1   TCP    32120  843   8569782      16.87  9055670  969          914
2   TCP    32121  771   2686         0.01   36580    75           1526
3   UDP    137    12    2            0.00   16       123          16
4   TCP    6112   9     7223         0.01   57300    129          14
5   TCP    139    4     1            0.00   14       44           4
Internet Worm Problem
Network Security Responding System, as drawn in the diagram:
- NetFlow Analyzer: fed by the NetFlow export from the Internet link
- Blocking System: receives the offending IP from the NetFlow Analyzer
- Notifying System
- Manual Control: through Web Pages
Open Mail Relay Problem
Components in the diagram:
- NetFlow Analyzer: fed by NetFlow, passes candidate hosts on as IP
- Open Relay Analyzer: receives the IP, passes the result on as IP:Port
- Blocking System
- Notifying System
The Issues
- Octets vs. Contents
- Service port vs. Application
- Quantity vs. Quality
- Network Security vs. Personal Privacy
Reference
- University of Twente, Netherlands, "SimpleWeb," http://www.simpleweb.org/
- Tobias Oetiker, Dave Rand, "MRTG," http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
- Tobi Oetiker, "RRDtool," http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
- Cisco Systems, Inc., "Cisco IOS NetFlow," http://www.cisco.com/go/netflow
- Mark Fullmer, "flow-tools," http://www.splintered.net/sw/flow-tools/
- ntop.org, "ntop," http://www.ntop.org/
- Slava Astashonok, "fprobe," http://sourceforge.net/projects/fprobe