Upload File

large scale pcap analysis using apache hadoop · wolfgang nagele, november 2011 we do big data …...

  • Home
  • Documents
  • Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that
16
Large scale PCAP Analysis using Apache Hadoop Wolfgang Nagele Global Information Infrastructure Manager

Upload: others

Post on 20-May-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Large scale PCAP Analysis using Apache Hadoop Wolfgang Nagele Global Information Infrastructure Manager

Page 2: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

We do big data …

•  K-root (15.000 qps) – 1.5TB of compressed PCAP data every month

– And that is only queries

•  F-reverse (6.000 qps)

•  AS112 (2.000 qps)

•  Auth DNS (26.000 qps)

•  RIS (BGP updates from back in 2000 onwards)

•  You get the idea …

2

Page 3: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Why not libtrace, PacketQ, <you name it>

•  Vertical scaling does not work for terabytes of data

•  Running those tools in parallel is hard – This is what Hadoop is good at

3

Page 4: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

What is HDFS?

•  Open-source implementation of Google Filesystem (GFS) as detailed in a whitepaper – http://labs.google.com/papers/gfs-sosp2003.pdf

•  Hadoop Distributed Filesystem (HDFS) – Namenode holding filesystem registry

– Datanodes holding filesystem blocks

4

Page 5: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

What is MapReduce?

•  Another whitepaper from Google: – http://labs.google.com/papers/mapreduce-osdi04.pdf

•  Essentially: A programming pattern – Allows distribution of large computational tasks

5

Page 6: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Start with a good read …

6

Page 7: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Native PCAP reading in Java

•  Open source under the LGPL

•  Available at:"http://github.com/RIPE-NCC/hadoop-pcap

7

Page 8: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: The data

8

590GB total

Page 9: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: Create table

9

Page 10: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: Add partitions

10

Page 11: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: Run query

11

See if we received target traffic at Reykjavík instance

Page 12: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: Query in progress

12

Page 13: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: Result

13

No target traffic at ISNIC instance

Page 14: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Live Demo: Conclusions

•  Works well at scale – 100+ CPU cores

•  High processing overhead – Example took 200 seconds total

– Only 50% of it spent on actual computation

– Small input files (only 500MB total)

– See Screencast – 80GB in 3 minutes

14

Page 15: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Wolfgang Nagele, November 2011

Step by Step Screencast

•  Zero setup using Amazon EC2

15

http://goo.gl/8uvlX

Page 16: Large scale PCAP Analysis using Apache Hadoop · Wolfgang Nagele, November 2011 We do big data … • K-root (15.000 qps) – 1.5TB of compressed PCAP data every month – And that

Questions? [email protected]


PCAP UART Open Source Linux Driver Documentationww1.microchip.com/downloads/en/DeviceDoc/PCAP-LINUX-UART.pdf · PCAP UART Open Source Linux Driver Documentation Document #: AD-110027-001

Packet Capture (PCAP) Trace - cisco.com Capture (PCAP) Trace • FeatureInformation,page1 • FeatureDescription,page2 • ConfiguringPCAPTrace,page2 • MonitoringandTroubleshootingPCAPTrace,page8

PCAP Updates

Final case study PCAP..docx

Packet Capture (PCAP) Trace · Packet Capture (PCAP) Trace • FeatureInformation,page1 • FeatureDescription,page2 • ConfiguringPCAPTrace,page2 • MonitoringandTroubleshootingPCAPTrace,page8

NAGELE, UN CONTINUO LABORATORIO URBANO Reinterpretando el

PCAP: Programming Essentials in Python

Outdoor PCAP Freestanding Multi Touch Screen Posters · Outdoor PCAP Freestanding Multi Touch Screen Posters. 10 Point PCAP Touch Technology Using the most ... Brightness is paramount

PCAP 08 13 08

22” PCAP Touch Screens with Dual OS Inch PCAP Touch... · 2020-08-06 · 22” PCAP Touch Screens with Dual OS Dual OS - Windows & Android 10 Point PCAP Touch 450cd/m 2 IPS Panel

PCAP Primary Care Access Program › sites › vhpn › pcap › Documents... · • PCAP is a health coverage program for low-income, uninsured adults living in Santa Clara County

Natalie Nagele Wildbit Feeding the Beast

PAKISTAN CLEAN AIR PROGRAM (PCAP) PAKISTAN CLEAN AIR PROGRAM (PCAP)

PCAP Touch Screen Displays

Intro to PCAP

Pcap Pps 2012

8th - pcap-sk.org

Intro&to&PCAP&web.cse.msstate.edu/~hamilton/Forensics/resources/intro-to-pcap-p… · Intro&to&PCAP& Reid&Gilman& Approved&for&Public&Release:&13

tcconline.utp.brtcconline.utp.br/wp-content/uploads/2009/10/FACET_CC_2002... · von)pcap CHAR U . row [VT pcap 'AP 'p) pcap_ma/or pcap minor 7' CHAR T' ... NCP — Network Control

Pcap can domenec_jgl_12-05_2010_diligenciado

Anatomy and Physiology of PCAP

D park Nagele

Analysis of Cloud-to-Ground Lightning Within 16 Landfalling Hurricanes Danielle Nagele

PCaP Data/Specimen Guide PCaP Data/Specimen Guide Last updated September 13, 2012 North Carolina – Louisiana Prostate Cancer Project (PCaP) Funded by the Department of Defense contract

Philipp Nagele Social Media Wikitude

Pcap Headers Description

RIPE NCC DNS Update...RIPE NCC DNS Update Wolfgang Nagele DNS Services Manager. Wolfgang Nagele, 4 May 2011 ... – ARIN, APNIC, AfriNIC, LACNIC, RIPE NCC, ICANN 4. Wolfgang Nagele,

Mathematics Assessment Framework - CMEC · Introduction . What is PCAP? The Pan-Canadian Assessment Program (PCAP) ... content strands (referred to as subdomains in the PCAP Mathematics

PORTSMOUTH CHRISTIAN ACADEMY PRESCHOOL (PCAP)

2016 Alberta PCAP Supervisor Mentor Days! Day One ...alberta-pcap.ca/wp-content/uploads/2014/06/Alberta-PCAP-Newsletter...Alberta PCAP Council Newsletter –May 2016 ... Day One!!!

Capturing Packet by using PCAP

Under PCAP Polarity Reject Signal1 - Keysight Automated X-ray Inspection Understanding the PCAP Polarity Reject Signal Software Revisions: 5.x – 8.x The PCAP misalignment algorithm

Philipp Nagele (Wikitude) Wikitude SDK Tutorial

Semester 1 Semester 2 PCAP 501 PCAP 503 PCAP 502 PCAP … · a minimum of C. Professional recognition ↓ Introduction: ... Semester 1 Semester 2 PCAP 501: Reflective Practice (3,0,3)

PCAP Final