web-based internet traffic analysis using flows

6th Open Workshop for High Speed Networks, Stuttgart, October 1997

Web-based Internet Traffic Analysis Using Flows

Siegfried Löffler

Paul Christ

Martin Lorang

[email protected]

[email protected]

[email protected]

Rechenzentrum der Universität Stuttgart - Communication Systems / BelWue Development

Outline

Existing Traffic Analysis Tools

Traditional Solutions

Web-Based Products

Using Flows for Traffic Analysis

The IETF Realtime Traffic Flow Measurement (RTFM)

Architecture

Writing Web based Applications

Implementation of a RTFM analysis application in Java

Conclusions


Traditional Traffic Analysis- tcpdump:

- Put Network Adapter Driver into „Promiscuous“ Mode. High CPU and Bus Load.

- „libpcap“ Packet Capturing Library- ASCII / Hex dump of all Packets - High Volume Output

- SNMP Counters: - Several Products (HP OpenView, ...) for Graphical Display.

- RMON/RMON2: Probes can be placed in interesting points

Problems: Hard to find „interesting“ packets with tools like tcpdump. Not enough Information with tools showing only counters. No Web Interface


Existing Web-based Developments

Trend: Network Management-Tools use the WWW as User Interface

mrtg - Multi Router Traffic Grapher

Many Projects - Usually limited to the (static) display of SNMP counters.


Existing Web-based Developments Java-based Network Management Products - Adventnet, IBM

and some others.

AdventNet “NetMonitor”: Toolkit to create own SNMP Java Applets with a visual builder (Generates Java Code)

SNMPv2c Class Libraries


Flows Claffy, Braun and Polyzos “A parametrizable methodology for

Internet traffic flow profiling” Try to identify sequences of packets as one flow, avoiding the

necessity to check for connection establishment/end packets. Data packets have to match criteria that have been chosen for the

flow („Flow Specification“)

Checkpoints

Packet Arrivals

BeginFlow 1

LastPacket

Timeout:End Flow 1

Time

Packet matches Flow Specification for Flow 1

Duration Flow 1


Flows & Traffic Analysis Cisco: NetFlow Data Export

OC3MON: Flow Measurement at 150 Mbit/s ATM OC-3(NLANR, MCI)

Hardware

Modified FORE Firmware

Software: DOS; telnet; ASCII

OC12MON

IETF RTFM Architecture

Fore PCA200-PCI

Fore PCA200-PCI

EthernetNetwork Card

OC3MON PC

Opticalsplitters


The IETF RTFM Architecture Architecture: RFC 2063 Initally aimed at Accounting

(RFC 1272) Experiences with NeTraMet

(RFC 2123) by Nevil Brownlee, Univ. Auckland, New Zealand Free UNIX, DOS Configurable OC3MON Version

Meter

Meter Reader

Manager

Analysis Application


Programming for the Web Programming for

the Web: CGI, JavaScript, Java.

CGI programs runs on Web Server and produce HTML output (static).

Java Programs allow non-static interaction.

Java is Platform independent

ClientMachine

ServerMachine

CGIInternet

ServerMachine

WebServer

ClientMachine

InternetJavaVM

CGI Progams run on Web Server:

Java Programs run in Client Web Browser:

Program I/OPath over which the Program is Loaded


Java Security Socket Connections are only allowed to Web Server (where Code has been loaded from) or

to local machine. Solution: Secure Applet Server (SAS) runs on Web Server and redirects SNMP traffic.

ServerMachine

WebServer

Client Machine

Internet Java VM

SNMPAPPLET

Java VM

SASSERVER

SNMP Agent

SNMP Traffic


Analysis Application in Java Display of the current Traffic

on the Network in “Real Time” inside of a Web Browser.

Netscape on Pent 166:Reads about 300 flow records in 10 seconds

Object-Oriented Code should allow integration into a web-based management environment.

Displayed Information:X-Axis: Flow DurationY-Axis: PDU CountSymbol: Flow Kind


FLuid / Flow Information Child window for each

flow, updated after each query.

Currently those windows can just display counters for the selected flows.It would be interesting to allow creation of graphs etc.

N. Brownlee is working on adding “distributions” to the Architecture - could then add distribution analysis for each flow.


Conclusions / Outlook Possible to write RTFM applications / applets in Java -

Security Restrictions can be resolved, Java is fast enough to transfer the packaged flow table in a reasonable time.

Implementation works, more functionality has to be added. (Currently no additional functionality compared to the NeTraMet Analysis Applications)

Object Oriented Effort useful (Code Reuse) - Network Management Applications usually have to be customized to fulfill the local requirements.

Interesting to work on Flows for Traffic Measurement and Analysis in order to make the Flow paradigm eventually applicable to Resource Reservation and Switching


More Information Our Work:

http://ksoc3mon2.rus.uni-stuttgart.de/diplomhttp://www.mathematik.uni-stuttgart.de/~floeff

IETF RTFM WG:http://www.ietf.org/html.charters/rtfm-charter.html

NeTraMet:ftp://ftp.auckland.ac.nz/pub/iawg/NeTraMet

OC3MON/OC12MON:http://www.nlanr.net/NA

AdventNet Java & SNMP: http://www.adventnet.com

web-based internet traffic analysis using flows

Documents