Interpreting Network Traffic Flows

Bill Jensen, Paul Nazario and Perry Brunelli

Agenda

1. How did we get here

2. Network monitoring tools

3. Sample graphs

Shawn Fanning http://www.time.com/time/magazine/

articles/0,3266,55730,00.html

Napster

Taming Bandwidth Hogs . . . How can your campus do it?

Ana Preston, University of Tennessee

Linda Roos, University of Nebraska, Lincoln

Tuesday, 11:45, Marquis 4

www.funnytimes.com

A simple question

CIO requested that we estimate Internet transit requirements for the next 18 months

Sources

www.research.att.com/~amo/doc/networks.html

http://www.research.microsoft.com/~Gray/Moore_Law.html

What are current bandwidth requirements?

What do we receive from our provider?

A few words about UW Internet access

WiscNet is a state education-based ISP - founded with help from UW-Madison

Charter membership included 14 UW-System universities and 8 privates colleges

WiscNet now serves over 500 educational institutions - predominantly K-12

The WiscNet backbone

Comprised of OC-3 links connecting UW- Madison, UW-Milwaukee, the Chicago NAP and the Ameritech Advanced Data Service Center (AADS), also in Chicago.

WiscNet Services

Internet transport and transit Internet 2 transport Peering transport at AADS

Current bandwidth requirements continued... Inbound vs. outbound traffic Usage caps Prime time usage Peering and I2 traffic Effect of peer-to-peer networking and

future policy on usage/fair utilization

www.wiscnet.net

What is a flow?

Host-to-host conversation between that includes the IP address and port # for each host.

Representation of a series of packets traveling between two end-points.

A unidirectional series of IP packets of a given protocol, traveling between a source and destination within a certain period of time.

Flow as represented by log

Easy to think of it as we would a sniffer trace - bits and bytes seen traversing the wire

In actuality, the flows are the accounting record or log of activity as reported by the router

Measurement Tools - Flowscan

Flowscan - freely available perl scripts and modules that aggregate other freely available tools for representing flows

Analyzes and reports on NetFlow data collected by CAIDA’s clfowd

Stored using RRDtool - time series data Flowscan provides reporting capabilities

and visualization of flow data

Example

cflowd receives flow data from the router and writes it to disk.

Flowscan parses/messages data from cflowd and stores the results in RRD format.

RRDtool graph produces graphs from RRD files.

More on FlowScan

See http://net.doit.wisc.edu/~plonka/lisa/FlowScan/

plonka@doit.wisc.edu

http://mil.doit.wisc.edu/~plonka/

Dave ->

General Flowscan Graphs

Network Events Captured by FlowScan

New Development

wwwstats.net.wisc.edu/CampusIO/top/originAS.html

wwwstats.net.wisc.edu/CampusIO/top/128.104.16.0_22_top.html

“It’s easier to ride a horse in the direction it’s going”

Daniel Burrus

www.burrus.com