Network Monitoring

Download Report

Transcript Network Monitoring 

Network Monitoring
School of Electronics and Information
Kyung Hee University.
Choong Seon HONG
<[email protected]>
Selected from ICAT 2003 Material of James W. K. Hong
Introduction – Motivation
 Needs of Service Providers
Understand the behavior of their networks
Provide fast, high-quality, reliable service to satisfy
customers and thus reduce churn rate
Plan for network deployment and expansion
SLA monitoring, network security
 Needs of Customers
Want to get their money’s worth
Fast, reliable, high-quality, secure, virus-free
Internet access
2
Generic Monitoring Metrics
 Availability
 Connectivity
 Functionality
 Loss
 One way loss
 Round trip loss
 Delay
 One way delay
 Round trip delay
 Delay variance
 Throughput
 Bandwidth
 Utilization
3
3. Monitoring Approaches
Passive Monitoring
Active Monitoring
4
Network Monitoring
 Active Approach
 Performed by sending test traffic into network
1) Generate Test packet periodically or on-demand
2) Measure performance of test packet or response
3) Take the statistics
 Impose extra traffic on network and distort its behavior
in the process
 Used to monitor network performance
e.g., Availability, Delay, Loss
5
Network Monitoring (cont’d)
 Passive Approach
Network
Link
 Carried out by observing normal network traffic
1) Collect network flow from device or generate it after
capturing
2) Perform analysis for the purpose
 Using high-performance computing device (harder as
traffic rates increase)
 Used to perform traffic characterization analysis
 Spatial, temporal and composition
6
Comparison of Monitoring Approaches
Active
monitoring
Configuration
Data size
Network
overhead
Purpose
CPU
Requirement
Passive
monitoring
Multi-point
Single or multipoint
Small
Large
Additional traffic
- Device overhead
- No overhead if
splitter is used
Delay, packet loss, Throughput, traffic
availability
pattern
Low to Moderate
High
7
Active Monitoring Techniques
 ICMP-based method
 Diagnose network problems
 Availability / Round-trip delay / Round-trip packet
loss
 TCP-based method
 One-way bandwidth / Round trip bandwidth
 Bulk transfer rate
 UDP-based method
 One-way packet loss / Round trip bandwidth
8
Measurement Method Example via Ping
Ping (ICMP) – Availability, RT Loss, RTT Delay
Measurement
Test Machine
Packet
Generator
(ICMP)
Customer
SLA DB
Period : 10 min.
Packet Size : 40 bytes
RSM
RSM
RSM
RSM
RSM
RSM
RSM
Gigabit Ethernet Backbone Network
9
Measurement Method Example via TCP
TCP – Throughput
NTP Synchronized hosts
Measurement
Source Machine
Measurement
Destination Machine
TCP
local time : t1
t1
100 KB
Throughput (Mbps) =
t2
local time : t2
105 x 8
t2(㎲) – t1(㎲)
10
Measurement Method Example via UDP
UDP – One Way Loss
Measurement
Source Machine
NTP Synchronized hosts
Measurement
Destination Machine
UDP
1 Packet (1000 Byte)
100 KB
100 KB
One way Loss =
100 -
Received Packet Counts
x 100 (%)
Sent Packet Counts
11
Passive Monitoring - Packet Capturing
Probe system
Probe system
Mirroring
Splitting
 Packets can be captured using Port Mirroring or Network
Splitter (Tap)
How it works
Advantage
Disadvantage
Port Mirroring
Network Splitter (Tap)
Copies all packets
passing on a port to
another port
No extra hardware
required
Processing overhead on
router/switch
Splits the signal and send
a signal to original path
and another to probe
No processing overhead
on router/switch
Splitter hardware required
12
Passive Monitoring - Sampling
 If the rate is too high to capture all packets reliably,
there is no alternative but to sample the packets
 Sampling algorithms: every Nth packet or fixed
time interval
1
2
3
4
5
6
7
8
9
10
11
(a) 2:1 sampling
0 msec
1 msec
2 msec
3 msec
4 msec
(b) 1 msec sampling
13
5. Passive Monitoring - Flow Generation
flow 1
flow 2
flow 3
flow 4
 Flow is a collection of packets with the same {SRC and DST IP address,
SRC and DST port number, protocol number, TOS}
 Flow data can be collected from routers directly, or standalone flow
generator having packet capturing capability
 Popular flow formats
 NetFlow (Cisco), sFlow (sFlow.org), IPFIX (IETF)
 Issues in flow generation
 What information should be included in a flow data?
 How to generate flow data from raw packet information efficiently?
 How to save bulk flow data into DB or binary file in a collector?
 How long should the data be preserved?
14
 Passive Monitoring - Flow Technology: NetFlow
 Cisco IOS NetFlow technology
 is an integral part of Cisco IOS software that collects and
measures data as it enters specific routers or switch
interfaces
 enables to perform IP traffic flow analysis without custom
probes
 3 key components in a NetFlow system
• Flow Exporter
• Flow Collector
• Network Data Analyzer (Flow Analyzer)
 Routers supporting NetFlow – Cisco, Foundry routers
 Vendors providing NetFlow Data Analyzer
 Cisco
 IFeelNet (www.ifeelnet.com)
 20+ companies (www.inmon.com/netflowapps.htm)
15
Passive Monitoring - Flow Technology: sFlow
 sFlow is described in RFC 3176: “InMon's sFlow: A
Method for Monitoring Traffic in Switched and Routed
Networks”
 sFlow is a monitoring technology that gives visibility into
the use of networks, enabling performance optimization,
accounting/billing for usage, and defense against security
threats
 sFlow provides a means of embedding traffic monitoring in
high-speed switches and routers
 sFlow samples packets using statistical sampling theory
 Devices Supporting sFlow
Foundry Networks
• BigIron, FastIron, NetIron Series
InMon’s sFlow Probe
16
Passive Monitoring - Traffic Analysis
 Spatial aspect




The patterns of traffic flow relative to the network topology
Important for proper network design and planning
Identification of bottleneck & avoidance of congestion
Example: Flow aggregation by src, dst IP address or AS number
 Temporal aspect
 The stochastic behavior of a traffic flow, usually described in
statistical terms
 Important for resource management and traffic control
 Important for traffic shaping and caching policies
 Example: Packet or byte per hour, day, week, month
 Composition of traffic
 A breakdown of traffic according to the contents, application, packet
length, flow duration
 Helps to explain its temporal and spatial characteristics
 Example: game, streaming media traffic for a week from peer ISP
17
Traffic Monitoring R&D, Standards Activities
 R&D Groups
 NLANR
 CAIDA
 SLAC NMTF
 Standard Activities
 IETF RTFM (Real Time Flow Measurement)
 IETF IPFIX (IP Flow Information Export)
 IETF RMONMIB (Remote Network Monitoring)
 IETF IPPM (IP Performance Metrics)
 Conferences & Workshops
 Passive & Active Measurement Workshop (PAM)
• PAM2000, PAM2001, PAM 2002, PAM2003
 Internet Measurement Workshop (IMW)
• Sponsored by ACM SICCOMM
• IMW2001, IMW2002, IMW2003
18
Questions ?
19