goProbe: A Scalable Distributed Network Monitoring Solution



SLIDE 1

goProbe: A Scalable Distributed Network Monitoring Solution

Christian Decker Lennart Elsen Fabian Kohn Roger Wattenhofer

SLIDE 2
SLIDE 3
SLIDE 4

Goal

Enable quick and efficient retrieval of key pieces of information about traffic patterns in global networks

SLIDE 5

Goal

Enable quick and efficient retrieval of key pieces of information about traffic patterns in global networks

Scalability

SLIDE 6

Reporting Debugging/Operations ? ? ?

SLIDE 7

Storage Packet Capture

Acquisition of Traffic Data

SLIDE 8

Storage Packet Capture Grouping Information Reduction

Acquisition of Traffic Data

SLIDE 9

NetFlow

Source IP Destination IP Next Layer Protocol IPv4/6 Next Hop … Source Port Destination Port … Packet Size Number of Packets Sampling Interval TTL Interface Name …

Field N Length Field N Type … … Field 2 Length Field 2 Type Field 1 Length Field 1 Type Count … System Uptime Sequence # NetFlow Version

Network Transport Meta Info

NetFlow Packet

  • Packet aggregation by set of shared attributes
  • Network packet headers & packet counters
  • Expiry time

SLIDE 10

NetFlow

NetFlow Exporter NetFlow Exporter

Network A Network B

NetFlow Collector

Source IP Destination IP Next Layer Protocol IPv4/6 Next Hop … Source Port Destination Port … Packet Size Number of Packets Sampling Interval TTL Interface Name …

Field N Length Field N Type … … Field 2 Length Field 2 Type Field 1 Length Field 1 Type Count … System Uptime Sequence # NetFlow Version

Network Transport Meta Info

NetFlow Packet

SLIDE 11

NetFlow

NetFlow Exporter NetFlow Exporter

Network A Network B

NetFlow Collector

Source IP Destination IP Next Layer Protocol IPv4/6 Next Hop … Source Port Destination Port … Packet Size Number of Packets Sampling Interval TTL Interface Name …

Field N Length Field N Type … … Field 2 Length Field 2 Type Field 1 Length Field 1 Type Count … System Uptime Sequence # NetFlow Version

Network Transport Meta Info

NetFlow Packet

SLIDE 12

d Analysts

Current Network Monitoring System

Single Host Exporter DB Query Tool Queries Aggregated Results Flow Data Request Traffic Metadata Formatted Results FastBit nProbe

SLIDE 13

nProbe FastBit Query Tool

Challenges Capturing Process

SLIDE 14

nProbe FastBit Query Tool

Challenges Capturing Process

Immense memory footprint

SLIDE 15

Challenges Capturing Process

FastBit Query Tool

One process per capture interface

nProbe nProbe nProbe

SLIDE 16

FastBit Query Tool

nProbe nProbe nProbe

Challenges Storage Backend

SLIDE 17

Challenges Storage Backend

FastBit Query Tool

nProbe nProbe nProbe

Inefficient memory management

SLIDE 18

Challenges Storage Backend

FastBit Query Tool

nProbe nProbe nProbe

No data compression

SLIDE 19

Challenges Storage Backend

FastBit Query Tool

nProbe nProbe nProbe

Long query execution times

SLIDE 20

Challenges

FastBit Query Tool

nProbe nProbe nProbe

P

  • r

Scalability

SLIDE 21

Reduced Flow Format

Src IP Dst IP IP Protocol Src Port Dst Port Packets Rcvd Packets Sent Bytes Rcvd Bytes Sent Shared Attributes Counters

SLIDE 22

Reduced Flow Format

Src Port Dst Port Shared Attributes Counters Appl. Layer Protocol Deep Packet Inspection

SLIDE 23

Reduced Flow Format

Src Port Dst Port Deep Packet Inspection Appl. Layer Protocol Dst Port Source Port Aggregation

Appl. Layer Protocol Flow in goProbe Stored Flow

SLIDE 24

Collection of Flow Information — goProbe

goProbe

  • Written in Google Go
  • One capture routine per interface
  • Packet capture using modified libpcap
  • Database flush in regular intervals

SLIDE 25

Timer Data Channel

Data Prepare

Local Database Aggregation …

goProbe – Concept (Multiple Interfaces)

DB

Flow Table Interface

SLIDE 26

How does it Compare?

SLIDE 27

Database Performance Evaluation

Reference DB

Runtime CPU utilization Disk I/O Memory 7.8 GB

Aggregation Queries Conditional Queries 120 Million Entries

SLIDE 28

Data Read From Disk [MB]

FastBit InfoBright EE InfiniDB

1405 105 5617 350 74 2200

Aggregation Conditional Runtime [s]

FastBit InfoBright EE InfiniDB

23 10 63 17 9 60

Reserved Memory [MB]

FastBit InfoBright EE InfiniDB

668 387 1399 630 351 3300

CPU Utilization [%]

FastBit InfoBright EE InfiniDB

83 213 17 302 352 23

Results

SLIDE 29

InfiniDB Infobright EE

$

SLIDE 30

File Based Compression Concurrency Independent Processing

Tailored Column Store

SLIDE 31

goDB

Tailored Column Store — goDB

File Based Compression Concurrency Independent Processing

SLIDE 32

Day 1

Destination IP Source IP Destination Port IP Protocol

  • Appl. Layer Protocol

Bytes Received Bytes Sent Packets Received Packets Sent

One File per Attribute

64 64 64

SLIDE 33

Day 1

Destination IP Source IP Destination Port IP Protocol

  • Appl. Layer Protocol

Bytes Received Bytes Sent Packets Received Packets Sent

One File per Attribute

64 64 64 172.0.50.4 | 10.30.0.3 | 8145 | 6 | 128 | 1024 | 1 | 8

SLIDE 34

Block-wise Writing and Reading

5 min 5 min 5 min Attribute File Block Timestamps Length of Uncompressed Block Position Header Compressed Block

SLIDE 35

Day 1 Day d … Full Database

Concurrent Processing

SLIDE 36

Day 1 Day d …

Concurrent Processing

SLIDE 37

Day 1 Day d Worker 1 Worker d

sip dip counters sip dip counters

Partial Result Block i, Day 1 Partial Result Block j, Day d

Concurrent Processing

Decompress Aggregate

SLIDE 38

Day 1 Day d Worker 1 Worker d Partial Result Block i, Day 1 Partial Result Block j, Day d

sip dip counters sip dip counters sip dip counters

Combined Result Merge Routine

Concurrent Processing

Decompress Aggregate

SLIDE 39

Day 1 Day d Worker 1 Worker d Partial Result Block i, Day 1 Partial Result Block j, Day d

sip dip counters sip dip counters sip dip counters

Combined Result Merge Routine Format Sort Limit

Concurrent Processing

Decompress Aggregate
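
The per-day worker and merge-routine flow from the Concurrent Processing slides, as an added Go example (not goDB's own code). `Row`, `Query` and the sample addresses are assumed names and constructed values, and rows are taken as already decompressed.

```go
package main

import (
	"fmt"
	"sort"
)

// Row is one flow record after block decompression (illustrative names).
type Row struct {
	Sip, Dip string
	Bytes    uint64
}

// Query runs one worker per day, merges the partial results in a single
// merge routine, then sorts by byte count and applies the limit.
func Query(days [][]Row, limit int) []Row {
	partials := make(chan map[[2]string]uint64)
	for _, day := range days {
		go func(rows []Row) { // worker: aggregate one day into a private map
			part := make(map[[2]string]uint64)
			for _, r := range rows {
				part[[2]string{r.Sip, r.Dip}] += r.Bytes
			}
			partials <- part
		}(day)
	}
	combined := make(map[[2]string]uint64) // only the merge routine writes here
	for range days {                        // exactly one partial result per day
		for k, v := range <-partials {
			combined[k] += v
		}
	}
	out := make([]Row, 0, len(combined))
	for k, v := range combined {
		out = append(out, Row{k[0], k[1], v})
	}
	sort.Slice(out, func(i, j int) bool { // bytes descending, then by address pair
		a, b := out[i], out[j]
		return a.Bytes > b.Bytes || (a.Bytes == b.Bytes && a.Sip+"|"+a.Dip < b.Sip+"|"+b.Dip)
	})
	if limit >= 0 && limit < len(out) {
		out = out[:limit]
	}
	return out
}

func main() {
	// Constructed sample: two days that share one sip/dip pair.
	fmt.Println(Query([][]Row{{{"10.0.0.1", "10.0.0.9", 100}}, {{"10.0.0.1", "10.0.0.9", 50}}}, 5))
}
```

Because each worker aggregates into its own map and only the merge routine touches the combined result, no locking is needed across days.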

SLIDE 40

Data Read From Disk [MB]

FastBit goDB

760 5617 494 2200

Aggregation Conditional Runtime [s]

FastBit goDB

20 63 13 60

Reserved Memory [MB]

FastBit goDB

50 1399 47 3300

CPU Utilization [%]

FastBit goDB

123 17 237 23

How does it Compare?

SLIDE 41

Traffic Portfolio of an NGO Customer

SLIDE 42
  • Global Breakdown of Ports

External Traffic Internal Traffic

SLIDE 43
  • Global Breakdown of Ports

External Traffic Internal Traffic HTTPS HTTP SMB DNS

SLIDE 44
  • Global Breakdown of Ports

European Hub Traffic Usage External Traffic Internal Traffic

SLIDE 45

Conclusion

  • Improved capturing and flow logic
  • High performance DB written from scratch
  • Global deployment
  • Open source: https://github.com/open-ch/