6th Open Workshop for High Speed Networks, Stuttgart, October 1997
Web-based Internet Traffic Analysis Using Flows
Siegfried Löffler
Paul Christ
Martin Lorang
Rechenzentrum der Universität Stuttgart - Communication Systems / BelWue Development
Outline
Existing Traffic Analysis Tools
Traditional Solutions
Web-Based Products
Using Flows for Traffic Analysis
The IETF Realtime Traffic Flow Measurement (RTFM) Architecture
Writing Web based Applications
Implementation of a RTFM analysis application in Java
Conclusions
Traditional Traffic Analysis
- tcpdump: puts the network adapter driver into "promiscuous" mode (high CPU and bus load); uses the "libpcap" packet capturing library; produces an ASCII / hex dump of all packets (high volume output).
- SNMP counters: several products (HP OpenView, ...) for graphical display.
- RMON/RMON2: probes can be placed at interesting points.
Problems: hard to find "interesting" packets with tools like tcpdump. Not enough information with tools that show only counters. No Web interface.
Existing Web-based Developments
Trend: Network Management-Tools use the WWW as User Interface
mrtg - Multi Router Traffic Grapher
Many Projects - Usually limited to the (static) display of SNMP counters.
Existing Web-based Developments
Java-based Network Management Products: AdventNet, IBM and some others.
AdventNet "NetMonitor": toolkit to create own SNMP Java applets with a visual builder (generates Java code); SNMPv2c class libraries.
Flows
Claffy, Braun and Polyzos, "A parametrizable methodology for Internet traffic flow profiling": identify sequences of packets as one flow, avoiding the need to check for connection establishment/end packets. Data packets have to match the criteria chosen for the flow (the "Flow Specification").
[Figure: flow timeline. Packet arrivals are plotted against time, with checkpoints marked along the time axis. The first packet matching the flow specification for flow 1 begins flow 1; after the last packet, an inactivity timeout ends flow 1. The duration of flow 1 is the span from its beginning to its last packet.]
Flows & Traffic Analysis
- Cisco: NetFlow Data Export
- OC3MON: flow measurement at 150 Mbit/s ATM OC-3 (NLANR, MCI). Hardware: modified FORE firmware. Software: DOS; telnet; ASCII.
- OC12MON
- IETF RTFM Architecture
[Figure: OC3MON PC with two Fore PCA200-PCI ATM cards and an Ethernet network card, attached to the monitored link through optical splitters.]
The IETF RTFM Architecture
Architecture: RFC 2063. Initially aimed at accounting (RFC 1272). Experiences with NeTraMet (RFC 2123) by Nevil Brownlee, Univ. Auckland, New Zealand: free UNIX and DOS versions, configurable; OC3MON version.
Components: Meter, Meter Reader, Manager, Analysis Application.
Programming for the Web
Programming for the Web: CGI, JavaScript, Java.
CGI programs run on the Web server and produce HTML output (static).
Java programs allow non-static interaction.
Java is platform independent.
[Figure: two diagrams. CGI programs run on the Web server: the client machine talks over the Internet to the Web server, where the CGI program runs. Java programs run in the client Web browser: the program is loaded from the Web server over the Internet into the Java VM on the client machine. The diagrams distinguish the program's I/O from the path over which the program is loaded.]
Java Security
Socket connections are only allowed to the Web server (where the code has been loaded from) or to the local machine. Solution: a Secure Applet Server (SAS) runs on the Web server and redirects SNMP traffic.
[Figure: the SNMP applet in the client machine's Java VM connects over the Internet back to the SAS server, a Java VM on the server machine next to the Web server; the SAS server relays the SNMP traffic to the SNMP agent.]
Analysis Application in Java
Display of the current traffic on the network in "real time" inside a Web browser.
Netscape on a Pentium 166: reads about 300 flow records in 10 seconds.
Object-oriented code should allow integration into a web-based management environment.
Displayed information: X-axis: flow duration; Y-axis: PDU count; symbol: flow kind.
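Added example, not code from the slides or from NeTraMet: a minimal RTFM-style meter in Python that applies a flow specification to packet records, begins a flow on the first matching packet, ends it after an inactivity timeout, and reports the duration and PDU count per flow, the two quantities the applet plots. The packet records, the flow specification and the 60-second timeout are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed sample packets: (time in seconds, src, dst, proto, sport, dport), time-ordered.
PACKETS = [
    (0.0, "10.0.0.1", "10.0.0.2", "tcp", 1234, 80),
    (0.5, "10.0.0.3", "10.0.0.2", "udp", 5000, 53),
    (1.0, "10.0.0.1", "10.0.0.2", "tcp", 1234, 80),
    (2.0, "10.0.0.1", "10.0.0.2", "tcp", 1234, 80),
    (70.0, "10.0.0.1", "10.0.0.2", "tcp", 1234, 80),
    (71.0, "10.0.0.1", "10.0.0.2", "tcp", 1234, 80),
]
FIELDS = ("src", "dst", "proto", "sport", "dport")
# Hypothetical flow specification: a packet matches when every listed attribute agrees; omitted attributes are wildcards.
SPEC = {"dst": "10.0.0.2", "proto": "tcp"}

@dataclass
class Flow:
    key: tuple      # 5-tuple identifying the flow
    first: float    # time of the packet that began the flow
    last: float     # time of the last packet seen so far
    pdus: int = 1   # PDU (packet) count

    def duration(self):
        return self.last - self.first

def matches(pkt, spec):
    return all(pkt[k] == v for k, v in spec.items())

def meter(packets, spec, timeout):
    """Group packets matching spec into flows; silence longer than timeout ends a flow."""
    active, finished = {}, []
    for ts, *attrs in packets:
        pkt = dict(zip(FIELDS, attrs))
        if not matches(pkt, spec):
            continue
        key = tuple(attrs)
        flow = active.get(key)
        if flow is not None and ts - flow.last > timeout:
            finished.append(active.pop(key))   # inactivity timeout: end the flow
            flow = None
        if flow is None:
            active[key] = Flow(key, ts, ts)    # first matching packet begins a new flow
        else:
            flow.last, flow.pdus = ts, flow.pdus + 1
    finished.extend(active.values())           # flows still open at the checkpoint
    return finished

def summarize(flows):
    # (duration, PDU count) pairs: the X/Y values the applet plots for each flow.
    return [(f.duration(), f.pdus) for f in flows]
```

With the constructed packets the TCP conversation is split into two flows by the 68-second gap, while the UDP packet is filtered out by the specification.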
FLuid / Flow Information
Child window for each flow, updated after each query.
Currently those windows can just display counters for the selected flows. It would be interesting to allow creation of graphs etc.
N. Brownlee is working on adding "distributions" to the architecture; distribution analysis for each flow could then be added.
Conclusions / Outlook
- Possible to write RTFM applications / applets in Java: security restrictions can be resolved, and Java is fast enough to transfer the packaged flow table in a reasonable time.
- Implementation works, more functionality has to be added. (Currently no additional functionality compared to the NeTraMet analysis applications.)
- Object-oriented effort useful (code reuse): network management applications usually have to be customized to fulfil the local requirements.
- Interesting to work on flows for traffic measurement and analysis in order to make the flow paradigm eventually applicable to resource reservation and switching.
More Information
Our Work: http://ksoc3mon2.rus.uni-stuttgart.de/diplom and http://www.mathematik.uni-stuttgart.de/~floeff
IETF RTFM WG: http://www.ietf.org/html.charters/rtfm-charter.html
NeTraMet: ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet
OC3MON/OC12MON: http://www.nlanr.net/NA
AdventNet Java & SNMP: http://www.adventnet.com