Network Data Monitoring and Analysis

Computer Networks Lecture's Seminar

Lecturer:Assoc.Prof.Turgay ĠBRĠKÇĠ

Prepared by Çağla TERLĠKCĠOĞULLARI

1

2

Presentation Contents

What Is Network Monitoring?

Importance of Network Monitoring and Analysis

Monitoring and Analysis Techniques

Router Based Monitoring Techniques

I. Simple Network Monitoring Protocol (SNMP) RFC 1157

II. Remote Monitoring (RMON) RFC 1757

III. Netflow RFC 3954

3

Continues on Presentation Contents

Non-Router Based MonitoringTechniques

I. Active Monitoring

II. Passive Monitoring

Windows Management Protocols

Passive Tool Network Monitoring Application

4

What Is Network Monitoring

Monitoring an active communications network in order to

diagnose problems and gather statistics for administration and

fine tuning

The term network monitoring describes the use of a system

that constantly monitors a computer network for slow or

failing components and that notifies the network administrator

in case of outages via email, pager or other alarms. It is a

subset of the functions involved in network management.

5

Network Management

Network Management System allow Network Administrators to

automate configuration tasks and monitor network health ,giving

Network Administrators the visibility need to proactively manage

network

The International Organization for Standardization (ISO) Network

Management Forum divided network management into five functional

areas:

– Fault Management

– Configuration Management

– Security Management

– Performance Management

– Accounting Management

6

Network Management Platform

• Basic features for any platform to include are:

Graphical User Interface (GUI)

Network Map

Database Management System (DBMS)

Standard Method to Query Devices

Customizable Menu System

Event Log

7

8

Three basic goals of network monitoring is:

Performance Monitoring

Fault Monitoring

Account Monitoring

9

Network Management System Functional Areas

10

Network Ticketing System

11

Importance of Network Monitoring and Analysis

Network management systems allow us to

research:

i. Traffic Measurements and Analysis

ii. Network Anomaly Detection

iii. Performance Evaluation of Networked Systems

iv. Security,Reliability and Resiliciency

v. QoS in Heterogeneous Network

vi. Analysis and Detection of Network Outages 12

Architectural Overview

13

Monitoring and Analysis Techniques

Two Monitoring Techniques are discussed in the my presentation:

i. Router Based Monitoring Techniques

ii. Non-Router Based Monitoring Techniques

Some key terms you shuld know through over presentaion is:

Fault:when something is down or unavailable

Avaliability:percentage of time stuff is not down and is working

NMS:Network Management System

Baseline:A measurement of current performance

MIB:A virtual database of management information avaliable on a

network device that can be queried using SNMP to retrive device 14

Router Based Monitoring Techniques

I-Simple Network Monitoring Protocol (SNMP)

SNMP is an application layer protocol that is part of the TCP/IP

protocol suite.

It allows Network Administrators to manage;

network performance,

detecting and solving network problems,

plan for network growth.

It gathers traffic statistics through passive sensors that are

implemented from router to end host. 15

What Is SNMP

SNMP is a tool (protocol) that allows for remote and local

management of items on the network including servers,

workstations, routers, switches and other managed devices.

Comprised of agents and managers

Agent :process running on each managed node collecting

information about the device it is running on.

Manager :process running on a management workstation that

requests information about devices on the network

16

SNMP Architectural View

System Components Of SNMP

Simple Network Management Protocol-polls the

Management Information Base(MIB) of network

devices

An SNMP trap allows a network device to notify a

NMS system of an event through an SNMP

message

17

Three Parts Of SNMP

SNMP protocol

Defines format of messages exchanged by

management systems and agents.

Specifies the Get, GetNext, Set, and Trap operations

Structure of Management Information(SMI)

Defines format of messages exchanged by

management systems and agents.

Specifies the Get, GetNext, Set, and Trap operations

Management Information Base (MIB)

A map of the hierarchical order of all managed

objects and how they are accessed

18

SNMP Message SNMP uses User Datagram Protocol (UDP) as the transport mechanism for

SNMP messages.

Four Basic Operation made by SNMP protocol:

GET:Retrieves the value of a MIB variable stored on the agent

machine(integer, string, or address of another MIB variable)

GETNEXT:Retrieves the next value of the next lexical MIB variable

SET:Changes the value of a MIB variable

TRAP:An unsolicited notification sent by an agent to a management a

notiapplication (typically fication of something unexpected, like an error)

19

SNMP Configuration

20

Distrubuted Network Management Configuration

Object Identifier

21

Management Overview of SNMP

22

II- Remote Monitoring (RMON)

Basic Concepts RMON enables various network monitors and console systems to

exchange network-monitoring data.

• Extends the SNMP functionality without changing the protocol

• Allows the monitoring of remote networks (internetwork management)

• MAC-layer (layer 2 in OSI) monitoring

• Defines a Remote MONitoring (RMON) MIB that supplements MIB-II

• with MIB-II, the manager can obtain information on individual devices only

• with RMON MIB, the manager can obtain information on the LAN as a whole

23

DataAnalyzer

RMONProbe

BACKBONENETWORK

SNMPTraffic

SNMPTraffic

LAN

RouterRouter RMON Components

Networks with RMON

24

RMON MIB

rmonConformance (20)

probeConfig (19)

usrHistory (18)

rmon (mib-2 16)

statistics (1)

history (2)

alarm (3)

host (4)

hostTopN (5)

matrix (6)

filter (7)

capture (8)

event (9)

Figure 8.2 RMON Group

a1Matrix (17)

a1Host (16)

n1Matrix (15)

n1Host (14)

addressMap (13)

protocolDist (12)

protocolDir (11)

Token Ring (10)

RMON1 Extension

RMO

N1

RMO

N2

25

RMON Groups and Tables

26

III-Netflow

Netflow is a feature that was

introduced on Cisco routers

that give the ability to collect IP

network traffic as it enters an

interface. Netflow consists of

three components:

a. Flow caching,

b. FlowCollector,

c. Data Analyzer. Seven unique fields define a flow

27

How Does NETFLOW Works?

Traffic passes through

routing/switching device

interface

Flow created (remember the 7

fields) and stored in NetFlow

cache

Flows grouped and exported in

UDP packets to collector based

on active and inactive flow

timeout

28

NETFLOW Cache Example

29

NETFLOW Processing Order

30

Non-Router Based Monitoring Techniques

Traffic Monitoring

Network Monitoring Metrics 31

I-Active Monitoring

Internet Control Message Protocol (ICMP) message used for

diagnostic or control purposes or generated in response to errors

in IP operations.

I. TTL field: ping & traceroute use it in attempt to reach a given

host computer or to trace a route to that host.

II. Traceroute intentionally sends a packet with a low TTL value so

that it will be discarded by each successive router in the

destination path.

III. The time between sending the packet and receiving back the

ICMP message that it was discarded is used to calculate each

successive hop travel time 32

TCP-UDP Based Active Monitoring

UDP based Active Monitoring TCP based Active

Monitoring

33

II-Passive Monitoring

Passive monitoring unlike active monitoring does not inject traffic

into the network or modify the traffic that is already

on the network. Also unlike active monitoring, passive monitoring

collects information about only one point in the network that is being

measured rather than between two endpoints as active monitoring

measures

Passive monitoring can be achieved with the assistance of any

packet sniffing program.

34

How Does Passive Monitoring Works

Packets can be captured using Port Mirroring or Network Splitter

(Tap)

35

Passive Monitoring tools

I. Microsoft Network Monitor

II. Wireshark

III. Tshark

IV. ssldump

V. Tcpflow

VI. dSniff

36

Windows Management Protocols

The Microsoft Windows Operating System(OS) leverages its

own suite of protocols for communications between Windows

servers and workstations

These protocols layer a top core TCP and UDP to enable server

and service communication across an IP network

Windows Management Protocols:

i. Remote Desktop Protocol(RDP)

ii. Windows Management Instrumentation(VMI)

iii. WS-Management

37

Network Data Analysis

38

TCP Server Listening Port Number

Distribution

Proportion Of The Internet Applications

THANK YOU FOR ATTENDING

39

REFERENCES:

A Summary of Network Traffic Monitoring and Analysis

Techniques,Alisha Cecil http://www.cse.wustl.edu/~jain/cse567-

06/ftp/net_monitoring.pdf

Introduction to Passive Network Traffic Monitoring

http://www.csd.uoc.gr/~hy459/front/passiveMonitoring_2015.pdf

The African Network Operator Groups(AfNOG) Workshops

SolarWinds Network Management Guide

Cisco Nettflow For Accounting Analysis and Attack

Simple Network Management Protocol, Chris Francois

TCP/IP Protocol Suite Behrouz A.Forouzan 40