
Experiences in Analyzing Network Traffic

Shou-Chuan Lai

National Tsing Hua University, Computer and Communication Center

Nov. 20, 2003

Houston, we have a problem!

What happened?

What can we do?

Problem Diagnosis

Call for help
• Call our contracted support
• Ask an expert

Do it yourself
• Cable tester
• Network analyzer
• Network Management System

Possible Solutions

• Replace malfunctioning parts
• Adjust network configurations
• Expand network capacity

Network Traffic Analysis

Network Traffic Information

• Link
• Host
• Service port
• Application
• User behavior

Analysis Tools

Device built-in functions
• LED status
• LCD messages

MRTG
• SNMP + MIB-II

NetFlow
• Cisco routers w/ NetFlow export function
• Switch w/ mirror/SPAN + NetFlow generator

SNMP + MIB-II


SNMP + MIB-II

Simple Network Management Protocol RFC 1157

Management Information Base RFC 1213

Simple Network Management Protocol Architecture

(figure: one MANAGER talks SNMP to several AGENTS; each agent holds its own MIB)

SNMP Operations

(figure: SNMP Manager and SNMP Agent exchange)
• GetRequest, GetNextRequest and SetRequest go from the manager to the agent on UDP port 161; each is answered by a GetResponse.
• Trap goes from the agent to the manager on UDP port 162.

MIB Object Names

root
  iso(1)
    org(3)
      dod(6)
        internet(1)
          directory(1)
          mgmt(2)
            mib(1)
              system(1) interface(2) at(3) ip(4) icmp(5) tcp(6) udp(7)
          experiment(3)
          private(4)
            enterprise(1)
  itu(2)

MIB-II

Common Operational Statistics (RFC 1857)
• ifInUcastPkts (unicast packets in)
• ifOutUcastPkts (unicast packets out)
• ifInNUcastPkts (non-unicast packets in)
• ifOutNUcastPkts (non-unicast packets out)
• ifInOctets (octets in)
• ifOutOctets (octets out)
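As an added example (not code from the slides, MRTG or any vendor), the following Python builds the SNMPv1 GetRequest that a manager sends to an agent's UDP port 161 to read the MIB-II counter ifInOctets for ifIndex 1, using the BER framing of RFC 1157, and then turns two polled Counter32 values into the per-second rate that MRTG graphs, allowing for a 32-bit wrap between polls. The community string "public" and the request id are assumed values.

```python
"""SNMPv1 GetRequest encoder (RFC 1157 BER framing) for an MIB-II counter, plus the
counter-to-rate step MRTG performs. Added example, not code from the slides or MRTG."""

# ifInOctets.1 under iso(1).org(3).dod(6).internet(1).mgmt(2).mib(1).interface(2)
IF_IN_OCTETS_1 = "1.3.6.1.2.1.2.2.1.10.1"

def ber_tlv(tag: int, body: bytes) -> bytes:
    """Prefix body with a BER tag and length (short form below 128, long form above)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; an extra 0x00 keeps the sign bit clear when needed."""
    return ber_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: arcs 1 and 2 merge as 40*a+b, the rest are base-128
    with the continuation bit set on every byte but the last."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(body))

def snmpv1_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message{version 0, community, [0] GetRequest{id, status 0, index 0, {oid: NULL}}}:
    the datagram a manager sends to the agent's UDP port 161 (community is assumed)."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")          # NULL value on a Get
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)

def counter_rate(prev: int, cur: int, seconds: float, bits: int = 32) -> float:
    """Bytes (or packets) per second between two polls of a MIB-II Counter32,
    allowing for the single wrap MRTG assumes within one polling interval."""
    delta = cur - prev
    if delta < 0:                       # counter wrapped at 2**bits since the last poll
        delta += 1 << bits
    return delta / seconds
```

The agent's GetResponse carries the same varbind with the Counter32 value filled in; MRTG polls it every five minutes and feeds consecutive readings to the rate step shown last.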

MRTG


MRTG (Multi Router Traffic Grapher)

A tool to monitor the traffic load on network-links.

Generates HTML pages containing graphical images which provide a LIVE visual representation of this traffic.

Based on Perl and C and works under UNIX and Windows NT.

MRTG (I) – An Example

(figure: MRTG graphs of packets per second and bytes per second)

MRTG (II) – A Suspicious Case

(figure: MRTG graph showing excess outgoing packets)

MRTG (III) – Other Applications

• Mail Server Queue Length
• Router CPU Utilization

MRTG Track Back

Deploy MRTG on each switch with SNMP support.

In case of abnormal traffic behavior, the per-link information lets us trace back to the switch port nearest the problem node.

With SNMP SET, we may disable that port as a temporary solution.

NetFlow

Why NetFlow?

NetFlow statistics give users the ability to characterize their IP data flows.

The who, what, where, when, and how much questions about IP traffic are answered.

Offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (e.g. marketing data, personal NMS data).

What is a Flow?

Defined by 7 unique keys:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• TOS byte (DSCP)
• Input logical interface (ifIndex)

NetFlow Version 5 Format

Fields of a v5 flow record, grouped by the question they answer:

• From/To: Source IP Address, Destination IP Address
• Application: Source TCP/UDP Port, Destination TCP/UDP Port
• Routing and Peering: Next Hop Address, Source AS Number, Dest. AS Number, Source Prefix Mask, Dest. Prefix Mask
• Usage: Packet Count, Byte Count
• Time of Day: Start sysUpTime, End sysUpTime
• Port Utilization: Input ifIndex, Output ifIndex
• Quality of Service: Type of Service, TCP Flags, Protocol
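An added example (not code from the slides, Cisco or flow-tools): a Python parser for the v5 export datagram, the seven-key flow identity from the "What is a Flow?" slide, and a per-source summary of the kind shown in the NetFlow examples that follow (octets, packets and the number of distinct destinations, which a scanning worm drives up). The export datagram is constructed inline; its addresses, ports and counts are made up.

```python
"""NetFlow v5 export parser plus a per-source summary. Added example, not
code from the slides or from Cisco; the datagram below is constructed."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HEADER = struct.Struct(">HHIIIIBBH")                # version, count, sysUptime, unix_secs,
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # unix_nsecs, flow_seq, engine, sampling
FIELDS = ("srcaddr dstaddr nexthop input output dPkts dOctets first last srcport "
          "dstport pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2").split()

def parse_v5(datagram: bytes) -> list:
    """Return one dict per 48-byte record; reject non-v5 or truncated exports."""
    version, count = struct.unpack_from(">HH", datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated export datagram")
    records = []
    for i in range(count):
        rec = dict(zip(FIELDS, RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(IPv4Address(rec[k]))
        records.append(rec)
    return records

def flow_key(rec: dict) -> tuple:
    """The seven keys that define a flow: src/dst IP, src/dst port, protocol, ToS, input ifIndex."""
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"],
            rec["prot"], rec["tos"], rec["input"])

def per_source(records: list) -> dict:
    """Octets, packets and distinct destinations (fan-out) per source IP."""
    acc = defaultdict(lambda: {"octets": 0, "packets": 0, "dsts": set()})
    for r in records:
        s = acc[r["srcaddr"]]
        s["octets"] += r["dOctets"]; s["packets"] += r["dPkts"]; s["dsts"].add(r["dstaddr"])
    return {ip: {"octets": v["octets"], "packets": v["packets"], "fanout": len(v["dsts"])}
            for ip, v in acc.items()}

def make_record(src, dst, sport, dport, prot, pkts, octets) -> bytes:
    """Constructed sample record: ifIndex 1 -> 2, ToS 0, PSH|ACK flags, /24 masks."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4, 1, 2,
                       pkts, octets, 1000, 2000, sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)

SAMPLE = HEADER.pack(5, 3, 123456, 1069286400, 0, 1, 0, 0, 0) + b"".join([  # constructed
    make_record("10.0.0.5", "192.0.2.10", 32120, 80, 6, 900, 1_200_000),
    make_record("10.0.0.5", "192.0.2.11", 32121, 80, 6, 40, 3_000),
    make_record("10.0.0.9", "192.0.2.10", 137, 137, 17, 1, 78),
])
```

Feeding real collector output through parse_v5 and per_source gives the per-host octet ranking of Example II directly; sorting by "fanout" instead surfaces the one-host-to-many-destinations pattern the worm responding system looks for.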

NetFlow Collection

(figure: NetFlow exported by the router joining the Internet, the Campus Network and the Department Network is sent to a NetFlow Collector)

NetFlow Example I

Date             In (GB)  Out (GB)
Mon Nov 17 2003      924      1730
Sun Nov 16 2003      665      1506
Sat Nov 15 2003      847      1780
Fri Nov 14 2003      893      1623
Thu Nov 13 2003      891      1627
Wed Nov 12 2003      926      1607
Tue Nov 11 2003      825      1425

NetFlow Example II

Out-going Traffic (SRC IP)

No  FQDN  IP Address      Octets(MB)  %     Note
1         140.--.--.158   49619       2.80  AB
2         140.--.--.34    46253       2.61  Dept
3         140.--.--.27    27024       1.53  Dept
4         140.--.--.92    24608       1.39  AB
5         140.--.--.157   19396       1.09  AB

NetFlow Example III

Destination Hosts: 100

No  FQDN  IP Address        Octets(KB)  %      Packets(K)  PacketSize  Note
1         140.---.119.41    12378667    24.36  8814        1404        450
2         163.25.---.37     3877362     7.63   2761        1404        178
3         163.25.---.39     2620457     5.16   1867        1403        190
4         ---.203.138.86    2359499     4.64   1680        1404        93
5         ---.66.245.245    2343650     4.61   1669        1404        131

NetFlow Example IV

SRC PORT: TCP#=1849 UDP#=1

No  Prot.  Port#  Con#  Octets(KB)  %      Packets  PacketSize  Note
1   TCP    32120  843   8569782     16.87  9055670  969         914
2   TCP    32121  771   2686        0.01   36580    75          1526
3   UDP    137    12    2           0.00   16       123         16
4   TCP    6112   9     7223        0.01   57300    129         14
5   TCP    139    4     1           0.00   14       44          4

Internet Worm Problem

(figure: Network Security Responding System. NetFlow from the Internet border feeds a NetFlow Analyzer; the offending IP is handed to a Blocking System and a Notifying System, with Manual Control and Web Pages for the operators.)

Open Mail Relay Problem

(figure: NetFlow feeds a NetFlow Analyzer, which passes candidate IP:Port pairs to an Open Relay Analyzer; confirmed open relay IPs go to the Blocking System and the Notifying System.)

Future Work

The Issues

• Octets vs. Contents
• Service port vs. Application
• Quantity vs. Quality
• Network Security vs. Personal Privacy


References

University of Twente, Netherlands, “SimpleWeb,” http://www.simpleweb.org/

Tobias Oetiker, Dave Rand, “MRTG,” http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Tobi Oetiker, “RRDtool,” http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

Cisco Systems, Inc., “Cisco IOS NetFlow,” http://www.cisco.com/go/netflow

Mark Fullmer, “flow-tools,” http://www.splintered.net/sw/flow-tools/

ntop.org, “ntop,” http://www.ntop.org/

Slava Astashonok, “fprobe,” http://sourceforge.net/projects/fprobe

Thank You!

Q & A

