
NetFlow - PowerPoint PPT Presentation





PowerPoint Slideshow about ' NetFlow' - daria


Presentation Transcript
NetFlow

  • Very useful for traffic analysis

  • Standard sampler:

    • Cisco Netflow

    • Juniper Traffic Sampling

  • Parameters:

    • Flow export timer (Determines when current flow info is written to disk)

    • Sampling scheme (Deterministic, Stratified, Simple random)

    • Sampling rate

  • Available resources:

    • GEANT network routers in Europe: 1/1000 deterministic, unanonymized

    • Abilene (Internet2) routers in US: 1/100 deterministic, anonymized

    • GT ingress/egress (Dr. Russ Clark): unsampled, anonymized


NetFlow (contd.)

  • Netflow format:

    • unix_secs, unix_nsecs, sysuptime, exaddr, dpkts, doctets, first, last, engine_type, engine_id, srcaddr, dstaddr, nexthop, input, output, srcport, dstport, prot, tos, tcp_flags, src_mask, dst_mask, src_as, dst_as

  • NetFlow data example:

      1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
      1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
      1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
      1070236831,0,3175466240,198.32.11.5,1,1500,3175442525,3175442525,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3864,6,0,16,16,16,25656,52
      1070236831,0,3175466240,198.32.11.5,1,1500,3175451974,3175451974,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,16,16,16,25656,52
      1070236831,0,3175466240,198.32.11.5,6,3768,3175398562,3175449061,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,24,16,16,25656,52
      1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
      1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
      1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
      1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768

  • TCPDump data example:

      1144154983.524877 IP 220.135.232.0.61606 > 130.207.208.0.32459: . ack 2904096123 win 65535
      1144154983.524950 IP 140.247.56.0.443 > 199.77.128.0.39948: . 1448:2896(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
      1144154983.524985 IP 216.77.184.0.37169 > 130.207.240.0.119: . 2920:4380(1460) ack 1 win 49640
      1144154983.525037 IP 64.215.168.0.80 > 199.77.200.0.50643: . 747182892:747184340(1448) ack 742379073 win 14416 <nop,nop,timestamp 4096146186 3508922431>
      1144154983.525039 IP 217.129.248.0.2585 > 130.207.160.0.443: . ack 4289220173 win 65201
      1144154983.525064 IP 64.215.168.0.80 > 199.77.200.0.50643: . 1448:2896(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
      1144154983.525066 IP 65.196.176.0.80 > 199.77.200.0.64548: R 0:0(0) ack 1 win 0
      1144154983.525079 IP 140.247.56.0.443 > 199.77.128.0.39948: . 2896:4344(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
      1144154983.525092 IP 64.215.168.0.80 > 199.77.200.0.50643: . 2896:4344(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
      1144154983.525105 IP 64.215.168.0.80 > 199.77.200.0.50643: . 5792:7240(1448) ack


ns2

  • Important components:

    • Basic ns2 code downloaded from http://www.isi.edu/nsnam

    • TCL script to set up and simulate the test environment

    • Topology generator (Ex: GT-ITM)

  • Example TCL script:

    #Create a simulator object
    set ns [new Simulator]

    #Define different colors for flows
    $ns color 1 Blue
    $ns color 2 Red

    #Open the nam trace file
    set nf [open out.nam w]
    $ns namtrace-all $nf

    #Define a 'finish' procedure
    proc finish {} {
        global ns nf
        $ns flush-trace
        #Close the trace file
        close $nf
        exit 0
    }

    #Create four nodes
    set n0 [$ns node]
    set n1 [$ns node]
    set n2 [$ns node]
    set n3 [$ns node]

    #Create links between the nodes
    $ns duplex-link $n0 $n2 1Mb 10ms DropTail
    $ns duplex-link $n1 $n2 1Mb 10ms DropTail
    $ns duplex-link $n3 $n2 1Mb 10ms SFQ
    $ns duplex-link-op $n0 $n2 orient right-down
    $ns duplex-link-op $n1 $n2 orient right-up
    $ns duplex-link-op $n2 $n3 orient right

    #Monitor the queue for link between node 2 and 3
    $ns duplex-link-op $n2 $n3 queuePos 0.5

    #Create a UDP agent and attach it to node n0
    set udp0 [new Agent/UDP]
    $udp0 set class_ 1
    $ns attach-agent $n0 $udp0

    # Create a CBR traffic source and attach it to udp0
    set cbr0 [new Application/Traffic/CBR]
    $cbr0 set packetSize_ 500
    $cbr0 set interval_ 0.005
    $cbr0 attach-agent $udp0

    #Create a UDP agent and attach it to node n1
    set udp1 [new Agent/UDP]
    $udp1 set class_ 2
    $ns attach-agent $n1 $udp1

    # Create a CBR traffic source and attach it to udp1
    set cbr1 [new Application/Traffic/CBR]
    $cbr1 set packetSize_ 500
    $cbr1 set interval_ 0.005
    $cbr1 attach-agent $udp1

    #Create a Null agent (a traffic sink) and attach it to node n3
    set null0 [new Agent/Null]
    $ns attach-agent $n3 $null0

    #Connect the traffic sources with the traffic sink
    $ns connect $udp0 $null0
    $ns connect $udp1 $null0

    # Schedule events for the CBR agents
    $ns at 0.5 "$cbr0 start"
    $ns at 1.0 "$cbr1 start"
    $ns at 4.0 "$cbr1 stop"
    $ns at 4.5 "$cbr0 stop"

    #Call the finish procedure after 5 seconds of simulation time
    $ns at 5.0 "finish"

    #Run the simulation
    $ns run


ns2 (contd.)

  • Topology

    • Create spec file (“Geo” is used for intra-domain topologies. Use “ts” for inter-domain transit-stub topologies):

      ## Comments :
      ## <#method keyword> <#number of graphs> [<#initial seed>]
      ## <#stubs/xit> <#t-s edges> <#s-s edges>
      ## <#n> <#scale> <#edgemethod> <#alpha> [<#beta>] [<#gamma>]
      ## number of nodes = 1*8* (1 + 4*6) = 200
      geo 5
      100 10 3 0.5

    • Execute command: itm <spec file>

    • Generates topology in Stanford Graph Base format

      * GraphBase graph (util_types ZZZIIZIZIZZZZZ,9V,102A)
      "geo(0,{5,10,3,1.000,0.000,0.000})",5,20,10
      * Vertices
      "0",A6,3,2
      "1",A12,9,9
      "2",A16,2,4
      "3",A18,8,4
      "4",A19,2,1
      "",0,0,0
      "",0,0,0
      "",0,0,0
      "",0,0,0
      * Arcs
      V1,0,9,0
      V0,0,9,0
      V2,A0,2,0
      V0,0,2,0
      V3,A2,5,0
      V0,0,5,0
      V4,A4,1,0
      V0,0,1,0
      V2,A1,9,0
      V1,A3,9,0

    • Convert SGB to NS format using sgb2ns command

