網路流量監測與管理

1. 網路流量監測與管理 台灣大學計資中心 邵喻美 madeline@ntu.edu.tw

2. 大綱 • 網路基礎 • Network Traffic Accounting - NetFlow • MRTG

3. Part I 網路基礎

4. 網路基礎 • OSI參考模型 • SNMP介紹

5. OSI參考模型(Open System Interconnection) • 應用層（Application Layer） • 表達層（Presentation Layer） • 會談層（Session Layer） • 傳輸層（Transport Layer） • 網路層（Network Layer） • 資料鏈結層（Datalink Layer） • 實體層（Physical Layer）

8. SNMP • 簡單網路管理協定（Simple Network Management Protocol） • 「要求/回應」協定：GET，SET • 遠端管理TCP/IP網路上的設備 • 對不同網路節點進行讀取及寫入狀態資訊 • 在UDP上執行 • Port 161 : sending and receiving requests • Port 162: receiving traps from managed devices

9. SNMP工作原理 • SNMP Manager與Agent之間的通訊形式 • Get-request • Get-next-request • Set-request • Get-response • Trap

10. SNMP Manager: a server running some kind of software system that can handle management tasks for a network SNMP Agent: a piece of software that runs on the network devices you are managing SNMP community: a logical relationship between an SNMP agent and one or more SNMP managers.

11. MIB – Management Information Base • 定義網路設備各種資訊的儲存結構 • Name (OID) • Type and syntax • encoding • MIB-II • 所有網路設備皆提供的MIB標準 • 各家廠商也會提供proprietary MIB • 其他MIB standards • ATM MIB (RFC 2515) • Frame Relay DTE Interface Type MIB (RFC 2115) • BGP Version 4 MIB (RFC 1657) • RADIUS Authentication Server MIB (RFC 2619) • Mail Monitoring MIB (RFC 2249) • DNS Server MIB (RFC 1611)

12. OID : .iso.org.dod.internet.mgmt.mib-2.interface.ifNumber.0 .1.3.6.1.2.1.2.1.0

13. SNMP & MIB 相關工具 • MRTG （Multi Router Traffic Grapher） • Getif – window-based MIB browser • net-snmp套裝軟體 • snmpget (get) • snmpwalk (get-next) • snmpset (set) • snmptrap (trap)

17. su-2.05# snmpget -Cf -c public 140.112.1.1 sysDescr.0 SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free) su-2.05# snmpwalk -c public 140.112.1.1 SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free) SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.2 SNMPv2-MIB::sysUpTime.0 = Timeticks: (2306518) 6:24:25.18 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: NTUCC-MADELINE SNMPv2-MIB::sysLocation.0 = STRING: SNMPv2-MIB::sysServices.0 = INTEGER: 76 IF-MIB::ifNumber.0 = INTEGER: 3 IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.2 = INTEGER: 2 IF-MIB::ifIndex.3 = INTEGER: 3 IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface IF-MIB::ifDescr.2 = STRING: 3Com EtherLink PCI

18. 網管系統 • 網路管理 • 掌握網路主機狀況 • 加速故障排除 • 減少網管人員的負擔 • 網管系統 • 商業軟體系統 • 整合型系統：收集MIB資料，統計分析，繪圖，事件通知 • 功能多樣化，價格昂貴 • 免費軟體 • 網管系統的一部份功能

19. Part II Network Traffic Accounting

20. Network Traffic Accounting • NetFlow簡介 • 執行NetFlow • NetFlow資料統計程式

21. Network Traffic Accounting • The needs: • To characterize the traffic and account for how and where it flows • Usage-based billing • Traffic engineering • Products • Cisco – NetFlow • Provides L3 network traffic flow information • Foundry – sFlow • RFC 3176:Statistically sampling technology • Provides L2-L4 network-wide traffic flow information • Juniper – • Class-based accounting: filter-based, MPLS-based, Destination class uage accounting

22. Cisco - NetFlow • Captures data from each incoming packet • NetFlow flow • a unidirectional stream of IP packet with the following common fields: • Source and destination IP addresses • Source and destination port numbers • Layer 3 protocol type • Type of service (ToS) byte • Input interface (ifIndex) • Exported in UDP datagrams in one of four formats: • v1, v5, v7, v8

23. NetFlow • NetFlow is a three-part solution: • Exporter • Mediation devices • Cisco NetFlow FlowCollector • Public-domain tools : flow-tool • Traffic Analysis Tools • Cisco Network Data Analyzer • 統計分析程式 : netflow.pl

24. 執行NetFlow • 設定路由器 • 統計分析流程 • 收集並儲存從網路設備輸出的flow data • 分析收集到的flow data，並產生報表

25. 執行NetFlow – 設定路由器 • 指令 • Global • ip flow-export destination <IP> <port> • Interface • Ip route-cache flow Router(config) # ip flow-export destination 140.112.1.1 9991 Router(config) # int fa1/1/0 Router(config-if) # ip route-cache flow

26. 記錄及儲存flow data • flow-tool套裝程式 • Collection of programs to post-process Cisco netflow compatible flows • Written in C, designed to be fast • Installation • configure;make;make install • on most platforms (FreeBSD,Linux, Solaris, BSDi, NetBSD) • 下載程式： • http://www.splintered.net/sw/flow-tools/

27. Flow-tool安裝程序（以Linux系統為例） • 解壓縮：zcat flow-tools-0.58.tar.gz | tar xvf – • 必須先安裝下列軟體： • zlib • gnu make • 安裝： • ./configure • gmake • gmake install

28. flow-tool • flow-capture： • Collect NetFlow exports and stores to disk. • Built in compression. • Manages disk space by expiring older flow files at configurable limits. • Detects lost flows by missing sequence numbers.

29. flow-capture –z Z –n N –e E –p P –w W • Z：壓縮比例 • N：每日留存份數 • E：共留存幾份在硬碟中 • P：埠號 • W：存放路徑 Ex: flow-capture –z 6 –n 143 –e 1500 –p 9991 –w /netflow

30. 測試 • flow-receive 0/0/9991 | flow-print • tcpdump –n udp port 9991 tcpdump: listening on fxp0 14:17:39.491510 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.492820 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.493786 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.495057 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.496298 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.496863 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.496967 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497068 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497176 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497279 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497381 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497486 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497589 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168 14:17:39.497694 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168

31. Newflow資料格式：flow-print –f0 < logfile Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets 0000 195.254.117.168 0000 140.131.7.3 01 0 0 9 504 0000 205.188.248.89 0000 163.28.16.2 06 50 fdb6 5 589 0000 61.229.48.83 0000 192.192.120.18 06 454 17 12 493 0000 207.218.223.162 0000 192.83.193.2 11 35 8000 1 156 0000 207.159.149.84 0000 140.131.1.188 01 0 0 10 560 0000 202.178.164.169 0000 203.64.48.107 06 71 9e6 1 40 0000 168.95.1.1 0000 203.71.92.1 11 35 a82c 1 187 0000 210.224.163.3 0000 210.71.107.3 11 3bce 35 1 71 0000 66.207.130.76 0000 163.28.16.2 06 50 fdde 6 782 0000 168.95.1.1 0000 203.71.92.1 11 35 a809 1 60 0000 64.12.24.30 0000 163.28.16.9 06 1bb 76b5 3 120 0000 163.31.102.156 0000 192.192.122.144 06 b3c 50 5 212 0000 163.31.102.156 0000 192.192.122.144 06 1283 50 3 156 0000 211.141.113.77 0000 203.71.88.240 11 fbf fa4 1 295 0000 140.117.11.100 0000 203.72.39.34 06 c38 e25d 7 3893 0000 61.139.8.11 0000 163.28.16.2 06 50 bb03 1 41 0000 140.117.11.100 0000 203.72.39.34 06 c38 e256 6 1229 0000 210.85.124.196 0000 203.64.48.107 06 28da 17 1 43 0000 140.117.11.100 0000 203.72.39.34 06 c38 e261 13 4909

32. 統計分析程式 • 將收集並儲存下來的netflow資料予以統計分析產生報表 • 可從網路下載程式 • http://netflow.nctu.edu.tw/netflow.html • 以perl撰寫 • netflow.pl • daily.pl • 可針對網段、協定、流入/流出之IP網段進行合計或TOP統計 • 台大NetFlow統計網頁

33. # daily.pl # Modify the following to meet your configuration. # # $dir is where you put your program and config files # $rawdir is where the raw log files kept # $outputdir is where the output files should be # $dir = "/usr/NetFlow/analysis"; $rawdir = "/usr/NetFlow/raw"; $flowprint = "/usr/NetFlow/bin/flow-print"; $outputdir = "/usr/local/www/data/netflow/daily"; $htmldir = sprintf ("%s/html/%02d%02d%02d", $outputdir, $year, $mon, $mday); $rawoutput = sprintf ("%s/raw", $outputdir); $TopN = 100; @NET = ("NTUProxy", "NTUGeneral"); $protfile = "$dir/protocols"; $servfile = "$dir/services"; $intranet = "$dir/intranet"; $DEBUG = 0; # debug info flag $SLEEP_TIME = 0; #debug $COUNT_THRESHOLD = 50; #debug

34. Part III MRTG

35. MRTG • MRTG簡介 • MRTG使用方式 • 利用MRTG監看其他系統資源

36. Multi Router Traffic Grapher • 用來監測網路連結上之流量的工具 • 運作原理 • 利用SNMP收集網路設備的流量或其他狀態數據 • 將收集到的資料產生網頁，以圖形呈現 • 提供每日，過去七天，過去四週，以及過去12個月的紀錄 • 可接受從外部程式收集的資料，予以統計繪圖

37. MRTG使用方式 • 取得程式 • http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub • 目前最新版是mrtg-2.9.18 • 編譯MRTG程式 • 產生MRTG設定檔 • 修改MRTG設定檔 • 測試MRTG輸出 • 自動執行MRTG程式

38. Compile MRTG • 必須先確定已安裝下列軟體 • gd • libpng • zlib • 安裝程序 • gunzip –c mrtg-2.9.18.tar.gz | tar xvf – • cd mrtg-2.9.18 • ./configure –prefix=/usr/local/mrtg-2 • make • make install

39. 產生MRTG設定檔 • 設定檔中必須定義 • 欲收集資料的網路設備IP或名稱 • 欲收集之資料種類 • 收集到之資料的存放路徑 • 輸出圖形及網頁的特定格式 cfgmaker --global ‘WorkDir: /home/httpd/mrtg’ \ --global ‘Options[_]: bits,growright’ \ --output /home/mrtg/cfg/mrtg.cfg \ community@router.ntu.edu.tw

40. MRTG設定檔語法 • Global • WorkDir • HtmlDir • ImageDir • LogDir • Refresh • Interval • LoadMIBs

41. MRTG設定檔語法 • Target –指定欲監測哪一台機器 • target[name]: port:community@router.domain.name • target[name]: oid_1&oid_2:community@router.domain.name • target[name]: snmp_name1&snmp_name2:community@router • target[name]: 1:community@routerA+2:community@routerA • target[name]: ‘/usr/local/ping-probe/mrtg-ping-probe www.above.net’ • 第一個參數 • 第二個參數 • 系統uptime • 表示Target名稱的字串

42. MRTG設定檔語法 • Target選項 • MaxBytes : The maximum value either of the two variables monitored are allowed to reach • MaxBytes1 : maxbytes for variable 1 • MaxBytes2 : maxbytes for variable 2 • Title : title for the HTML page which gets generated for the graph • PageTop :Things to add to the top of the generated HTML page

43. MRTG設定檔語法 • Options • growright • bits • gauge • absolute • nopercent • Special target name • Target[^] • Target[$] • Target[_]

44.  最基本的 mrtg.cfg WorkDir: /usr/tardis/pub/www/stats/mrtg Target[r1]: 2:public@myrouter.somplace.edu MaxBytes[r1]: 8000 Title[r1]: Traffic Analysis ISDN PageTop[r1]: <H1>Stats for our ISDN Line</H1>

45.  包含數個router的mrtg.cfg WorkDir: /usr/tardis/pub/www/stats/mrtg Title[^]: Traffic Analysis for PageTop[^]: <H1>Stats for PageTop[$]: Contact The Chief if you notice anybody<HR> MaxBytes[_]: 8000 Options[_]: growright Title[isdn]: our ISDN Line PageTop[isdn]: our ISDN Line</H1> Target[isdn]: 2:public@router.somplace.edu Title[backb]: our Campus Backbone PageTop[backb]: our Campus Backbone</H1> Target[backb]: 1:public@router.somplace.edu MaxBytes[backb]: 1250000 # the following line removes the default prepend value # defined above Title[^]: Title[isdn2]: Traffic for the Backup ISDN Line PageTop[isdn2]: our ISDN Line</H1> Target[isdn2]: 3:public@router.somplace.edu

46. 自動執行MRTG程式 • 利用MRTG觀察長期趨勢 • 將MRTG程式設定為定期執行 • 在crontab中加入設定 crontab –e 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /mrtg/bin/mrtg /mrtg/conf/mrtg.cfg

47. 利用MRTG監看其他數據 • MRTG統計數據來源 • 透過SNMP向遠端網路設備取得數據 • 透過外部程式產生數據 • 設定方式 • 在Target選項中設定外部程式執行路徑

48. 網路狀況 – round-trip time & packet loss • mrtg-ping-probe • monitor the round-trip time and packet loss to another networked host • 從網路下載： • ftp://ftp.pwo.de/pub/pwo/mrtg/mrtg-ping-probe/ • mrtg-ping-probe用法 mrtg-ping-probe [-hsvV] [-d deadtime] [-k count] [-l length] [-o ping_options] [-p [factor*] {min|max|avg|loss|integer} / [factor*]{min|max|avg|loss|integer}] [-r [rsh:][user@]host[:osname]] [-t timeout] host • Target[yahoo.com]: ‘/usr/local/mrtg/mrtg-ping-probe www.yahoo.com’ • Target[yahoo.com]: ‘/usr/local/mrtg/mrtg-ping-probe –p lost/lost www.yahoo.com’

49. [root@scorpio]5:33pm</#/usr/local/ping-probe/mrtg-ping-probe www.above.net 190 189 [root@scorpio]5:35pm</f#/usr/local/ping-probe/mrtg-ping-probe -t 42 -p loss/loss www.above.net 0 0

50. 系統CPU Load • Sysstat • 收集系統CPU utilization data • http://perso.wanadoo.fr/sebastien.godard/ • 運作方式 • 在crontab中設定定期執行Unix系統的sa1指令，將系統相關資訊收集並儲存在/var/adm/sa/sadd (dd表示目前日期） • 利用perl程式將儲存在sadd檔案中的系統資訊取出，並輸出為MRTG能夠接受的格式