
NetFlow


daria

Presentation Transcript


  1. NetFlow
     • Very useful for traffic analysis
     • Standard sampler:
       • Cisco NetFlow
       • Juniper Traffic Sampling
     • Parameters:
       • Flow export timer (determines when current flow info is written to disk)
       • Sampling scheme (deterministic, stratified, simple random)
       • Sampling rate
     • Available resources:
       • GEANT network routers in Europe: 1/1000 deterministic + unanonymized
       • Abilene (Internet2) routers in US: 1/100 deterministic + anonymized
       • GT ingress/egress (Dr. Russ Clark): unsampled + anonymized

  2. NetFlow (contd.)
     • NetFlow format:

         unix_secs, unix_nsecs, sysuptime, exaddr, dpkts, doctets, first, last, engine_type, engine_id, srcaddr, dstaddr, nexthop, input, output, srcport, dstport, prot, tos, tcp_flags, src_mask, dst_mask, src_as, dst_as

     • NetFlow data example:

         1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
         1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
         1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
         1070236831,0,3175466240,198.32.11.5,1,1500,3175442525,3175442525,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3864,6,0,16,16,16,25656,52
         1070236831,0,3175466240,198.32.11.5,1,1500,3175451974,3175451974,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,16,16,16,25656,52
         1070236831,0,3175466240,198.32.11.5,6,3768,3175398562,3175449061,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,24,16,16,25656,52
         1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
         1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
         1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
         1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768

     • TCPDump data example:

         1144154983.524877 IP 220.135.232.0.61606 > 130.207.208.0.32459: . ack 2904096123 win 65535
         1144154983.524950 IP 140.247.56.0.443 > 199.77.128.0.39948: . 1448:2896(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
         1144154983.524985 IP 216.77.184.0.37169 > 130.207.240.0.119: . 2920:4380(1460) ack 1 win 49640
         1144154983.525037 IP 64.215.168.0.80 > 199.77.200.0.50643: . 747182892:747184340(1448) ack 742379073 win 14416 <nop,nop,timestamp 4096146186 3508922431>
         1144154983.525039 IP 217.129.248.0.2585 > 130.207.160.0.443: . ack 4289220173 win 65201
         1144154983.525064 IP 64.215.168.0.80 > 199.77.200.0.50643: . 1448:2896(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
         1144154983.525066 IP 65.196.176.0.80 > 199.77.200.0.64548: R 0:0(0) ack 1 win 0
         1144154983.525079 IP 140.247.56.0.443 > 199.77.128.0.39948: . 2896:4344(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
         1144154983.525092 IP 64.215.168.0.80 > 199.77.200.0.50643: . 2896:4344(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
         1144154983.525105 IP 64.215.168.0.80 > 199.77.200.0.50643: . 5792:7240(1448) ack
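Added example, not part of the original presentation: a Python parser for the 24-field export format listed above that groups flows by source and protocol, decodes the cumulative tcp_flags value, and scales packet and byte counts by the sampling rate. The function names, the truncated last line of SAMPLE, and the use of N=100 (the 1/100 rate the slides give for Abilene; the slides do not say which router the sample records came from) are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Field order exactly as listed on the slide.
FIELDS = ("unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,"
          "engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,"
          "dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as").split(",")
ADDR_FIELDS = {"exaddr", "srcaddr", "dstaddr", "nexthop"}
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 upward

# Six records copied from the slide's NetFlow data example, plus one
# constructed truncated line to exercise the malformed-record path.
SAMPLE = """\
1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
1070236836,0,3175471250,198.32.11.5,1,92
"""

def parse(text):
    """Yield one dict per well-formed record; non-address fields become int."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # truncated or malformed export line
        yield {k: (v if k in ADDR_FIELDS else int(v)) for k, v in zip(FIELDS, row)}

def decode_flags(value):
    """Names of the TCP flag bits set in the cumulative tcp_flags field."""
    return [name for bit, name in enumerate(TCP_FLAGS) if value >> bit & 1]

def summarize(records, sampling_n=1):
    """Per (srcaddr, prot): flows, distinct dsts, volume scaled by 1-in-N rate."""
    out = defaultdict(lambda: {"flows": 0, "dsts": set(), "est_pkts": 0,
                               "est_bytes": 0, "flags": 0})
    for r in records:
        s = out[(r["srcaddr"], r["prot"])]
        s["flows"] += 1
        s["dsts"].add(r["dstaddr"])  # anonymized, so these are prefixes
        s["est_pkts"] += r["dpkts"] * sampling_n
        s["est_bytes"] += r["doctets"] * sampling_n
        s["flags"] |= r["tcp_flags"]
    return dict(out)

if __name__ == "__main__":
    print(summarize(parse(SAMPLE), sampling_n=100))
```

In the sample, the protocol 1 (ICMP) source reaches a different destination prefix in every flow, while the TCP source repeats the same two; that fan-out per source is the kind of pattern this grouping makes visible.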

  3. ns2
     • Important components:
       • Basic ns2 code downloaded from http://www.isi.edu/nsnam
       • TCL script to set up and simulate the test environment
       • Topology generator (e.g. GT-ITM)
     • Example TCL script:

         #Create a simulator object
         set ns [new Simulator]

         #Define different colors for flows
         $ns color 1 Blue
         $ns color 2 Red

         #Open the nam trace file
         set nf [open out.nam w]
         $ns namtrace-all $nf

         #Define a 'finish' procedure
         proc finish {} {
             global ns nf
             $ns flush-trace
             #Close the trace file
             close $nf
             exit 0
         }

         #Create four nodes
         set n0 [$ns node]
         set n1 [$ns node]
         set n2 [$ns node]
         set n3 [$ns node]

         #Create links between the nodes
         $ns duplex-link $n0 $n2 1Mb 10ms DropTail
         $ns duplex-link $n1 $n2 1Mb 10ms DropTail
         $ns duplex-link $n3 $n2 1Mb 10ms SFQ
         $ns duplex-link-op $n0 $n2 orient right-down
         $ns duplex-link-op $n1 $n2 orient right-up
         $ns duplex-link-op $n2 $n3 orient right

         #Monitor the queue for link between node 2 and 3
         $ns duplex-link-op $n2 $n3 queuePos 0.5

         #Create a UDP agent and attach it to node n0
         set udp0 [new Agent/UDP]
         $udp0 set class_ 1
         $ns attach-agent $n0 $udp0

         #Create a CBR traffic source and attach it to udp0
         set cbr0 [new Application/Traffic/CBR]
         $cbr0 set packetSize_ 500
         $cbr0 set interval_ 0.005
         $cbr0 attach-agent $udp0

         #Create a UDP agent and attach it to node n1
         set udp1 [new Agent/UDP]
         $udp1 set class_ 2
         $ns attach-agent $n1 $udp1

         #Create a CBR traffic source and attach it to udp1
         set cbr1 [new Application/Traffic/CBR]
         $cbr1 set packetSize_ 500
         $cbr1 set interval_ 0.005
         $cbr1 attach-agent $udp1

         #Create a Null agent (a traffic sink) and attach it to node n3
         set null0 [new Agent/Null]
         $ns attach-agent $n3 $null0

         #Connect the traffic sources with the traffic sink
         $ns connect $udp0 $null0
         $ns connect $udp1 $null0

         #Schedule events for the CBR agents
         $ns at 0.5 "$cbr0 start"
         $ns at 1.0 "$cbr1 start"
         $ns at 4.0 "$cbr1 stop"
         $ns at 4.5 "$cbr0 stop"

         #Call the finish procedure after 5 seconds of simulation time
         $ns at 5.0 "finish"

         #Run the simulation
         $ns run

  4. ns2 (contd.)
     • Topology
       • Create spec file (“Geo” is used for intra-domain topologies. Use “ts” for inter-domain transit-stub topologies):

           ## Comments :
           ## <#method keyword> <#number of graphs> [<#initial seed>]
           ## <#stubs/xit> <#t-s edges> <#s-s edges>
           ## <#n> <#scale> <#edgemethod> <#alpha> [<#beta>] [<#gamma>]
           ## number of nodes = 1*8* (1 + 4*6) = 200
           geo 5
           100 10 3 0.5

       • Execute command: itm <spec file>
       • Generates topology in Stanford Graph Base format:

           * GraphBase graph (util_types ZZZIIZIZIZZZZZ,9V,102A)
           "geo(0,{5,10,3,1.000,0.000,0.000})",5,20,10
           * Vertices
           "0",A6,3,2
           "1",A12,9,9
           "2",A16,2,4
           "3",A18,8,4
           "4",A19,2,1
           "",0,0,0
           "",0,0,0
           "",0,0,0
           "",0,0,0
           * Arcs
           V1,0,9,0
           V0,0,9,0
           V2,A0,2,0
           V0,0,2,0
           V3,A2,5,0
           V0,0,5,0
           V4,A4,1,0
           V0,0,1,0
           V2,A1,9,0
           V1,A3,9,0

       • Convert SGB to NS format using sgb2ns command
