Network Monitoring

School of Electronics and Information, Kyung Hee University
Choong Seon HONG <[email protected]>

Selected from ICAT 2003 material of James W. K. Hong

Introduction – Motivation

Needs of service providers
• Understand the behavior of their networks
• Provide fast, high-quality, reliable service to satisfy customers and thus reduce the churn rate
• Plan network deployment and expansion
• SLA monitoring, network security

Needs of customers
• Want to get their money's worth: fast, reliable, high-quality, secure, virus-free Internet access

Generic Monitoring Metrics

Availability
• Connectivity
• Functionality

Loss
• One-way loss
• Round-trip loss

Delay
• One-way delay
• Round-trip delay
• Delay variance

Throughput
• Bandwidth
• Utilization

Monitoring Approaches

• Active monitoring
• Passive monitoring

Network Monitoring – Active Approach

Performed by sending test traffic into the network
1) Generate test packets periodically or on demand
2) Measure the performance of the test packets, or of the responses to them
3) Compute statistics over the measurements

Imposes extra traffic on the network and so perturbs, to some degree, the very behavior being measured

Used to monitor network performance, e.g., availability, delay, loss

Network Monitoring – Passive Approach

Carried out by observing normal network traffic
1) Collect flow records from a device, or capture packets and generate flows from them
2) Analyze the data for the purpose at hand

Requires a high-performance collection device (harder as traffic rates increase)

Used for traffic characterization analysis: spatial, temporal and composition

Comparison of Monitoring Approaches

                    Active monitoring                  Passive monitoring
Configuration       Multi-point                        Single or multi-point
Data size           Small                              Large
Network overhead    Additional traffic                 Device overhead; no overhead if a splitter (tap) is used
Purpose             Delay, packet loss, availability   Throughput, traffic pattern
CPU requirement     Low to moderate                    High

Active Monitoring Techniques

ICMP-based methods
• Diagnose network problems
• Availability / round-trip delay / round-trip packet loss

TCP-based methods
• One-way bandwidth / round-trip bandwidth
• Bulk transfer rate

UDP-based methods
• One-way packet loss / round-trip bandwidth

Measurement Method Example via Ping

Ping (ICMP) – Availability, round-trip loss, round-trip delay (RTT)

[Figure: a measurement test machine running an ICMP packet generator is attached to a Gigabit Ethernet backbone network; it pings the RSM nodes of the backbone and records the results in a customer SLA DB]
• Period: 10 min
• Packet size: 40 bytes
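The slide above only names the metrics the ping prober feeds into the SLA DB. The following added example (not code from the original slides) shows how the generic metrics of the earlier slide (availability, round-trip loss, round-trip delay and delay variance) are actually derived from a series of ping rounds: it parses Linux `ping -c N` output into probe records, treats every sequence number that never got a reply as a round-trip loss, and summarizes the rounds. The ping output is constructed sample data, and the per-round definition of availability (a round counts as "up" if at least one probe in it was answered) is this example's own assumption, not one the slides state.

```python
"""Round-trip probe metrics from ping output (added example, constructed data)."""
import re
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Probe:
    round_id: int            # measurement round, e.g. one 10-minute period
    seq: int                 # ICMP sequence number of the echo request
    rtt_ms: Optional[float]  # None when no reply arrived before the timeout


@dataclass(frozen=True)
class Metrics:
    availability_pct: float        # rounds with >= 1 reply / all rounds (assumption)
    rt_loss_pct: float             # unanswered probes / all probes
    rtt_mean_ms: Optional[float]   # round-trip delay
    rtt_max_ms: Optional[float]
    rtt_stdev_ms: Optional[float]  # delay variance, as std dev of RTT
    ipdv_mean_ms: Optional[float]  # mean |RTT[i] - RTT[i-1]| over consecutive replies


# Linux ping reply and summary lines, e.g.
#   48 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.12 ms
#   4 packets transmitted, 3 received, 25% packet loss, time 3004ms
PING_REPLY = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")
PING_SUMMARY = re.compile(r"(\d+) packets transmitted")


def parse_ping_output(text: str, round_id: int) -> List[Probe]:
    """Turn one ping run into Probe records. Sequence numbers that never show
    up in a reply line are recorded as lost (rtt_ms=None); Linux ping numbers
    requests from 1 upwards."""
    replies = {int(s): float(t) for s, t in PING_REPLY.findall(text)}
    m = PING_SUMMARY.search(text)
    sent = int(m.group(1)) if m else (max(replies) if replies else 0)
    return [Probe(round_id, seq, replies.get(seq)) for seq in range(1, sent + 1)]


def compute_metrics(probes: Sequence[Probe]) -> Metrics:
    if not probes:
        raise ValueError("no probes to summarize")
    answered_rounds = {}
    for p in probes:
        answered_rounds[p.round_id] = answered_rounds.get(p.round_id, False) or p.rtt_ms is not None
    availability = 100.0 * sum(answered_rounds.values()) / len(answered_rounds)
    lost = sum(1 for p in probes if p.rtt_ms is None)
    loss = 100.0 * lost / len(probes)
    ordered = sorted(probes, key=lambda p: (p.round_id, p.seq))
    rtts = [p.rtt_ms for p in ordered if p.rtt_ms is not None]
    if not rtts:  # target never answered: delay metrics are undefined
        return Metrics(availability, loss, None, None, None, None)
    ipdv = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return Metrics(
        availability_pct=availability,
        rt_loss_pct=loss,
        rtt_mean_ms=mean(rtts),
        rtt_max_ms=max(rtts),
        rtt_stdev_ms=pstdev(rtts),
        ipdv_mean_ms=mean(ipdv) if ipdv else 0.0,
    )


# Constructed sample: three 4-probe rounds of 40-byte pings; the target is
# unreachable during round 2.
SAMPLE_ROUNDS = [
    """PING 10.0.0.1 (10.0.0.1) 40(68) bytes of data.
48 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.0 ms
48 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.2 ms
48 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.1 ms

--- 10.0.0.1 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3005ms
""",
    """PING 10.0.0.1 (10.0.0.1) 40(68) bytes of data.

--- 10.0.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3072ms
""",
    """PING 10.0.0.1 (10.0.0.1) 40(68) bytes of data.
48 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=2.0 ms
48 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.8 ms
48 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=2.2 ms

--- 10.0.0.1 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
""",
]


def sample_metrics() -> Metrics:
    probes: List[Probe] = []
    for round_id, text in enumerate(SAMPLE_ROUNDS, start=1):
        probes.extend(parse_ping_output(text, round_id))
    return compute_metrics(probes)


if __name__ == "__main__":
    print(sample_metrics())
```

Note that the prober's reply timeout is part of the definition of loss: a reply arriving after the timeout is counted as lost, so the timeout must be chosen well above the expected RTT or the loss figure inflates.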

Measurement Method Example via TCP

TCP – Throughput

[Figure: a measurement source machine sends 100 KB over TCP to a measurement destination machine; both hosts are NTP synchronized. The source records its local time t1 when the transfer starts, the destination its local time t2 when it completes.]

Throughput (Mbps) = (10^5 × 8) / (t2(µs) − t1(µs))

(100 KB = 10^5 bytes = 8 × 10^5 bits; dividing bits by the elapsed time in microseconds gives Mbit/s directly.)

Measurement Method Example via UDP

UDP – One-way Loss

[Figure: a measurement source machine sends 100 KB over UDP, as 100 packets of 1000 bytes each, to a measurement destination machine; both hosts are NTP synchronized. The destination counts the packets that arrive.]

One-way loss (%) = 100 − (Received packet count / Sent packet count) × 100
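The TCP and UDP slides above give the two formulas but not what the receiving side has to guard against. The following added example (not code from the original slides) evaluates both on constructed records. For throughput it also reports the interval of values consistent with a bound on the clock offset between the two hosts, because t1 and t2 are read from different clocks and that offset sits directly inside the elapsed time; the ±1 ms bound used here is this example's own assumption about the NTP accuracy, not a figure from the slides. For loss it counts each sequence number once, so duplicated or reordered datagrams do not hide real loss.

```python
"""One-way throughput and loss between NTP-synchronized hosts (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Transfer:
    t1_us: int   # source local time (µs) when the first byte was sent
    t2_us: int   # destination local time (µs) when the last byte arrived
    nbytes: int  # payload size; 100 KB = 100_000 bytes on the slide


def throughput_mbps(x: Transfer) -> float:
    """Throughput (Mbps) = bytes * 8 / (t2 - t1 in µs): bits per microsecond
    are megabits per second, so no further scaling is needed."""
    elapsed_us = x.t2_us - x.t1_us
    if elapsed_us <= 0:
        raise ValueError("t2 <= t1: the two clocks are not synchronized well enough")
    return x.nbytes * 8 / elapsed_us


def throughput_interval_mbps(x: Transfer, clock_offset_us: int) -> Tuple[float, float]:
    """An unknown offset of up to +/- clock_offset_us between the two clocks
    is hidden inside t2 - t1. Return the (low, high) throughput consistent
    with that bound; a wide interval means the transfer is too short for the
    clock accuracy and a larger payload (or a one-clock method) is needed."""
    elapsed_us = x.t2_us - x.t1_us
    if elapsed_us - clock_offset_us <= 0:
        raise ValueError("transfer shorter than the clock uncertainty")
    bits = x.nbytes * 8
    return bits / (elapsed_us + clock_offset_us), bits / (elapsed_us - clock_offset_us)


def one_way_loss_pct(sent: int, received_seqs: Iterable[int]) -> float:
    """One-way loss (%) = 100 - received/sent * 100, written as
    (sent - received) / sent * 100 so that the result is exact. Each sequence
    number is counted once and out-of-range numbers are ignored."""
    unique = {s for s in received_seqs if 0 <= s < sent}
    return 100.0 * (sent - len(unique)) / sent


def missing_seqs(sent: int, received_seqs: Iterable[int]) -> List[int]:
    """Sequence numbers that never arrived, for locating bursts of loss."""
    seen = set(received_seqs)
    return [s for s in range(sent) if s not in seen]


# Constructed samples. TCP: 100 KB that took 8 ms end to end.
TCP_SAMPLE = Transfer(t1_us=1_000_000, t2_us=1_008_000, nbytes=100_000)
# UDP: 100 datagrams of 1000 bytes; 3, 57 and 58 were lost, 10 arrived twice.
UDP_SENT = 100
UDP_RECEIVED = [s for s in range(100) if s not in (3, 57, 58)] + [10]


if __name__ == "__main__":
    print("throughput: %.1f Mbps" % throughput_mbps(TCP_SAMPLE))
    print("with +/-1 ms clock offset: %.1f .. %.1f Mbps"
          % throughput_interval_mbps(TCP_SAMPLE, 1_000))
    print("one-way loss: %.1f%%, missing %s"
          % (one_way_loss_pct(UDP_SENT, UDP_RECEIVED), missing_seqs(UDP_SENT, UDP_RECEIVED)))
```

With the sample values the nominal throughput is 100 Mbps but the interval is roughly 89 to 114 Mbps: a 1 ms clock uncertainty against an 8 ms transfer is a 12% error either way, which is why one-way measurements over short transfers need either tightly synchronized clocks or much larger payloads.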

Passive Monitoring – Packet Capturing

Packets can be captured using port mirroring or a network splitter (tap)

[Figure: with mirroring, the switch copies traffic to a port connected to the probe system; with splitting, an inline tap passes the signal through and sends a copy to the probe system]

Port mirroring
• How it works: copies all packets passing on a port to another port
• Advantage: no extra hardware required
• Disadvantage: processing overhead on the router/switch; the mirror port can also be oversubscribed (both directions of a full-duplex link copied onto one port), in which case part of the copy is silently dropped

Network splitter (tap)
• How it works: splits the signal, sending one copy along the original path and another to the probe
• Advantage: no processing overhead on the router/switch
• Disadvantage: splitter hardware required

Passive Monitoring – Sampling

If the rate is too high to capture all packets reliably, there is no alternative but to sample the packets

Sampling algorithms: every Nth packet, or one packet per fixed time interval

[Figure: a stream of packets numbered 1 to 11; (a) 2:1 sampling keeps every second packet; (b) 1 msec sampling keeps one packet per 1 msec interval over 0–4 msec]
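The two sampling algorithms on the slide, as an added example (not code from the original slides), together with the step the slide leaves implicit: scaling the sampled byte count back up to estimate the whole stream. The packet stream is constructed: 11 packets whose sizes alternate between 1500 and 64 bytes, a pattern chosen to show why deterministic every-Nth sampling can alias with periodic traffic. A random 1-in-N sampler, which is how sFlow (RFC 3176) samples, is included for contrast; its seed is this example's own choice, used only to keep the run reproducible.

```python
"""Packet sampling: every Nth packet, fixed time interval, random 1-in-N (added example)."""
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    ts_us: int   # capture timestamp in microseconds
    length: int  # bytes on the wire


def sample_every_nth(packets: Sequence[Packet], n: int) -> List[Packet]:
    """(a) on the slide: keep packets 1, 1+n, 1+2n, ...; n=2 is 2:1 sampling."""
    if n < 1:
        raise ValueError("n must be >= 1")
    return [p for i, p in enumerate(packets) if i % n == 0]


def sample_time_interval(packets: Sequence[Packet], interval_us: int) -> List[Packet]:
    """(b) on the slide: keep the first packet seen in each interval."""
    kept: List[Packet] = []
    last_bucket: Optional[int] = None
    for p in sorted(packets, key=lambda p: p.ts_us):
        bucket = p.ts_us // interval_us
        if bucket != last_bucket:
            kept.append(p)
            last_bucket = bucket
    return kept


def sample_random_1_in_n(packets: Sequence[Packet], n: int, seed: int = 0) -> List[Packet]:
    """Statistical 1-in-N sampling: each packet is kept with probability 1/n
    independently of its position, so a periodic stream cannot line up with
    the sampler. Seeded only to make the example reproducible."""
    rng = random.Random(seed)
    return [p for p in packets if rng.randrange(n) == 0]


def estimate_total_bytes(sampled: Sequence[Packet], n: int) -> int:
    """Scale the sampled byte count by the sampling rate to estimate the total."""
    return sum(p.length for p in sampled) * n


# Constructed stream: 11 packets about 390 µs apart, sizes alternating 1500/64.
# Every-2nd sampling keeps exactly the 1500-byte packets, so the scaled
# estimate (18000) is far above the true total (9320): aliasing.
PACKETS = [Packet(ts_us=i * 390, length=1500 if i % 2 == 0 else 64) for i in range(11)]
ACTUAL_BYTES = sum(p.length for p in PACKETS)  # 6*1500 + 5*64 = 9320


if __name__ == "__main__":
    two_to_one = sample_every_nth(PACKETS, 2)
    print("2:1 sampling kept", len(two_to_one), "packets; estimate",
          estimate_total_bytes(two_to_one, 2), "bytes vs actual", ACTUAL_BYTES)
    print("1 msec sampling kept", len(sample_time_interval(PACKETS, 1000)), "packets")
    rnd = sample_random_1_in_n(PACKETS, 2)
    print("random 1-in-2 kept", len(rnd), "packets; estimate", estimate_total_bytes(rnd, 2))
```

The time-interval sampler's result depends on the arrival pattern as well: during a burst it sees only the first packet of each interval, so its byte counts cannot be scaled up the way 1-in-N counts can, and it is better suited to sampling delay or header fields than to estimating volume.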

Passive Monitoring – Flow Generation

A flow is a collection of packets with the same {SRC and DST IP address, SRC and DST port number, protocol number, TOS}

Flow data can be collected from routers directly, or from a standalone flow generator with packet capturing capability

Popular flow formats: NetFlow (Cisco), sFlow (sFlow.org), IPFIX (IETF)

Issues in flow generation
• What information should be included in a flow record?
• How to generate flow records from raw packet information efficiently?
• How to store bulk flow data in a DB or binary file at the collector?
• How long should the data be preserved?

[Figure: packets on a link being grouped into flow 1, flow 2, flow 3, flow 4]
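Flow generation as the slide defines it, as an added example (not code from the original slides or from any of the flow exporters named). Packets are keyed on the slide's tuple {src IP, dst IP, src port, dst port, protocol, TOS}, packet and byte counts accumulate per key, and a flow is handed to the export list on one of two timeouts an exporter needs: an inactive timeout (no packet for a while) and an active timeout (a long-lived flow is cut so the collector sees it before it ends). The timeout values and the packet trace are this example's own constructed inputs.

```python
"""Flow generation from captured packets with active/inactive timeouts (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int, int]  # src, dst, sport, dport, proto, tos


@dataclass(frozen=True)
class Packet:
    ts_us: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int   # 6 = TCP, 17 = UDP
    tos: int
    length: int


@dataclass
class Flow:
    key: FlowKey
    first_us: int
    last_us: int
    packets: int = 0
    bytes: int = 0


class FlowGenerator:
    def __init__(self, active_timeout_us: int, inactive_timeout_us: int) -> None:
        self.active_timeout_us = active_timeout_us
        self.inactive_timeout_us = inactive_timeout_us
        self.active: Dict[FlowKey, Flow] = {}   # flows still accumulating
        self.expired: List[Flow] = []           # records ready for export

    def _expire(self, now_us: int) -> None:
        """Move flows past either timeout to the export list."""
        done = [k for k, f in self.active.items()
                if now_us - f.last_us > self.inactive_timeout_us
                or now_us - f.first_us > self.active_timeout_us]
        for k in done:
            self.expired.append(self.active.pop(k))

    def add(self, pkt: Packet) -> None:
        self._expire(pkt.ts_us)
        key: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.tos)
        flow = self.active.get(key)
        if flow is None:
            flow = Flow(key=key, first_us=pkt.ts_us, last_us=pkt.ts_us)
            self.active[key] = flow
        flow.packets += 1
        flow.bytes += pkt.length
        flow.last_us = pkt.ts_us

    def flush(self) -> List[Flow]:
        """End of capture: export everything still active."""
        self.expired.extend(self.active.values())
        self.active.clear()
        return self.expired


# Constructed trace: a short HTTP exchange, a DNS query, then more HTTP
# traffic on the same 5-tuple after a gap longer than the inactive timeout.
TRACE = [
    Packet(0,          "10.0.0.1", "10.0.0.2",  40000, 80,  6, 0, 100),
    Packet(1_000_000,  "10.0.0.1", "10.0.0.2",  40000, 80,  6, 0, 1500),
    Packet(1_500_000,  "10.0.0.1", "10.0.0.53", 40001, 53, 17, 0, 60),
    Packet(2_000_000,  "10.0.0.1", "10.0.0.2",  40000, 80,  6, 0, 40),
    Packet(20_000_000, "10.0.0.1", "10.0.0.2",  40000, 80,  6, 0, 1000),
]


def generate_flows(trace=TRACE, active_timeout_us=30_000_000,
                   inactive_timeout_us=15_000_000) -> List[Flow]:
    gen = FlowGenerator(active_timeout_us, inactive_timeout_us)
    for pkt in trace:
        gen.add(pkt)
    return gen.flush()


if __name__ == "__main__":
    for f in generate_flows():
        print(f)
```

The same trace yields three flow records with a 15 s inactive timeout (the late HTTP packet starts a new flow) but only two with a 30 s one, which is the practical side of the slide's "what information should a flow record contain" question: the timeouts are part of what a flow record means, and a collector comparing flows from two exporters has to know both.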

Passive Monitoring – Flow Technology: NetFlow

Cisco IOS NetFlow technology is an integral part of Cisco IOS software that collects and measures data as it enters specific router or switch interfaces; it enables IP traffic flow analysis without custom probes

3 key components in a NetFlow system
• Flow Exporter
• Flow Collector
• Network Data Analyzer (Flow Analyzer)

Routers supporting NetFlow: Cisco, Foundry routers

Vendors providing NetFlow data analyzers: Cisco, IFeelNet (www.ifeelnet.com), 20+ companies (www.inmon.com/netflowapps.htm)

Passive Monitoring – Flow Technology: sFlow

sFlow is described in RFC 3176: "InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks"

sFlow is a monitoring technology that gives visibility into the use of networks, enabling performance optimization, accounting/billing for usage, and defense against security threats

sFlow provides a means of embedding traffic monitoring in high-speed switches and routers

sFlow samples packets using statistical sampling theory

Devices supporting sFlow
• Foundry Networks: BigIron, FastIron, NetIron series
• InMon's sFlow probe

Passive Monitoring – Traffic Analysis

Spatial aspect
• The patterns of traffic flow relative to the network topology
• Important for proper network design and planning: identification of bottlenecks and avoidance of congestion
• Example: flow aggregation by src/dst IP address or AS number

Temporal aspect
• The stochastic behavior of a traffic flow, usually described in statistical terms
• Important for resource management and traffic control, and for traffic shaping and caching policies
• Example: packets or bytes per hour, day, week, month

Composition of traffic
• A breakdown of traffic according to content, application, packet length, flow duration
• Helps to explain its temporal and spatial characteristics
• Example: game and streaming-media traffic for a week from a peer ISP
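The three analyses on the slide run over flow records, as an added example (not code from the original slides): spatial aggregation of bytes by the AS pair a flow crosses, temporal aggregation of bytes per hour, and composition by application. The flow records, the prefix-to-AS table and the port-to-application map are all constructed stand-ins for the exporter output, BGP origin data and application classification a real analyzer would draw on.

```python
"""Spatial, temporal and composition analysis of flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class FlowRecord:
    start_s: int   # flow start, seconds since the epoch
    src: str
    dst: str
    proto: int
    dport: int
    bytes: int


# Constructed stand-in for BGP prefix-origin data (AS numbers from the
# private range so they collide with nothing real).
PREFIX_TO_AS = {
    ipaddress.ip_network("10.0.0.0/16"): 64500,      # "our" network
    ipaddress.ip_network("192.0.2.0/24"): 64501,     # peer ISP
    ipaddress.ip_network("198.51.100.0/24"): 64502,  # content provider
}
# Constructed stand-in for application classification by destination port.
PORT_TO_APP = {80: "web", 443: "web", 53: "dns", 1935: "streaming", 27015: "game"}


def lookup_as(ip: str) -> int:
    """Longest-prefix match against the table; 0 stands for 'unknown AS'."""
    addr = ipaddress.ip_address(ip)
    best = (-1, 0)
    for net, asn in PREFIX_TO_AS.items():
        if addr in net and net.prefixlen > best[0]:
            best = (net.prefixlen, asn)
    return best[1]


def spatial_by_as_pair(flows: Sequence[FlowRecord]) -> Dict[Tuple[int, int], int]:
    """Bytes exchanged per (source AS, destination AS): where traffic enters
    and leaves the topology, the input for link planning."""
    out: Dict[Tuple[int, int], int] = defaultdict(int)
    for f in flows:
        out[(lookup_as(f.src), lookup_as(f.dst))] += f.bytes
    return dict(out)


def temporal_by_hour(flows: Sequence[FlowRecord]) -> Dict[int, int]:
    """Bytes per hour bucket (epoch seconds // 3600): the time series behind
    the slide's 'bytes per hour/day/week/month' example."""
    out: Dict[int, int] = defaultdict(int)
    for f in flows:
        out[f.start_s // 3600] += f.bytes
    return dict(out)


def composition_by_app(flows: Sequence[FlowRecord]) -> Dict[str, int]:
    """Bytes per application class, 'other' for ports the map does not know."""
    out: Dict[str, int] = defaultdict(int)
    for f in flows:
        out[PORT_TO_APP.get(f.dport, "other")] += f.bytes
    return dict(out)


# Constructed flow records spanning hours 10 and 11 of the epoch day.
FLOWS = [
    FlowRecord(3600 * 10 + 10,  "10.0.1.5",    "192.0.2.10",    6, 80,    50_000),
    FlowRecord(3600 * 10 + 900, "10.0.1.7",    "198.51.100.3",  6, 1935,  400_000),
    FlowRecord(3600 * 10 + 950, "10.0.1.5",    "10.0.0.53",    17, 53,    300),
    FlowRecord(3600 * 11 + 5,   "192.0.2.20",  "10.0.2.9",     17, 27015, 120_000),
    FlowRecord(3600 * 11 + 60,  "203.0.113.4", "10.0.2.9",      6, 22,    8_000),
]


if __name__ == "__main__":
    print("spatial:", spatial_by_as_pair(FLOWS))
    print("temporal:", temporal_by_hour(FLOWS))
    print("composition:", composition_by_app(FLOWS))
```

Port-based composition is only as good as the port map; traffic on unexpected ports lands in "other", which is exactly the bucket worth watching when the composition changes without a matching change in the spatial or temporal view.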

Traffic Monitoring R&D, Standards Activities

R&D groups: NLANR, CAIDA, SLAC, NMTF

Standards activities
• IETF RTFM (Realtime Traffic Flow Measurement)
• IETF IPFIX (IP Flow Information Export)
• IETF RMONMIB (Remote Network Monitoring MIB)
• IETF IPPM (IP Performance Metrics)

Conferences & workshops
• Passive & Active Measurement Workshop (PAM): PAM2000, PAM2001, PAM2002, PAM2003
• Internet Measurement Workshop (IMW), sponsored by ACM SIGCOMM: IMW2001, IMW2002, IMW2003

Questions?