how to passively measure packet monitoring
play

How to (passively) measure? Packet Monitoring 1 What to expect? - PowerPoint PPT Presentation

Nov 20, 2022 •116 likes •487 views

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

  1. How to (passively) measure? Packet Monitoring 1

  2. What to expect? ❒ Overview / What is packet monitor? ❒ How to acquire the data ❒ Handling performance bottlenecks ❒ Case Study: Packet Capture Performance ❒ Analyzing the transport and application layer ❒ (Mis-)Using the Bro Network Intrusion Detection System (NIDS) for network measurements 2

  3. What is a Packet Monitor? ❒ Measuring / recording network data on a per packet basis ❒ Ordinary (although high-end) PC hardware ❒ Datapath: Network Network Card PCI-Bus Kernel CPU Monitor and Usersp. Mem Kernel Disks PCI-Bus 3

  4. Passive Monitoring: Challenges (1) ❒ User privacy & network security ❒ Data privacy vs. data sharing ❒ Data filtering ❒ Tap into live network traffic and extract packets ❒ Must not interfere with normal packet transmission ❒ Real-time: cannot control bandwidth, cannot postpone work 4

  5. Passive Monitoring: Challenges (2) Performance Issues ❒ High data rate ❍ Bandwidth limits on CPU, I/O, memory, and disk/tape ❍ Network cards optimized for bi-directional data transfer, not capturing ❒ High data volume ❍ Space limitations in main memory and on disk/tape ❍ Could do online analysis to sample, filter, & aggregate ❒ High processing load ❍ CPU/memory limits for extracting, counting, & analyzing ❍ Could do offline processing for time-consuming analysis ❒ General solutions to system constraints ❍ Sub-select the traffic (addresses/ports, first n bytes) ❍ Kernel and interface card support for measurement 5

  6. Monitoring Links: Overview ❒ How to get data off the network, without interfering normal transmission? ❒ For half-duplex: ❍ Shared medium ❍ Hub ❒ For full-duplex: ❍ Monitor / SPAN port ❍ "Tap" 6

  7. Monitoring Links (1) ❒ Half Duplex: host cannot send and receive at the same time. Only one host can send. Hub (packets are sent to all ports) Shared media (Ethernet, wireless) every node sees all packets Host A Host C H Host A Host B u Monitor b Host B Monitor 7

  8. Monitoring Links (2) ❒ Full Duplex: host can send and receive at the same time ❒ Monitoring- / SPAN port on switch ❍ every packet seen by switch copied to SPAN port ❍ easy (every switch supports this) ❍ all sending host are aggregated into one monitoring link ==> Packet loss Host A Host B Switch Monitor SPAN 8

  9. Monitoring Links (3) ❒ Full Duplex ❒ Tap into data ❍ Only between two nodes (routers) ❍ Can capture all traffic ❍ Need two receive ports on Monitor ❍ Fiber: purely optical ❍ Copper: needs active components TX RX Router Router Tap B RX TX A Monitor 9

  10. Handling Performance Bottlenecks 10

  11. Handling high bandwidth ❒ Hard for monitors to cope with high load ❍ Interrupt VS Polling ❍ Long datapath => data is copied several times ❒ Use dedicated network monitoring cards ❍ Often have several ports (for Taps) ❍ Filtering / aggregation in hardware on card ❍ Very expensive (EUR 3,500 for 1 Gpbs) ❒ Split traffic 11

  12. Splitting traffic ❒ Problem: no recent host bus or disk system can handle the bandwidth needs for 10 Gbps 10GigE ❒ Solution: split traffic and distribute the load (e.g., 10 Gbps on multiple 1 Gbps links) ❍ Use a switch: link bundling features 10 x 1GigE ❍ Use specialized hardware ❒ Important: Keep corresponding Monitor data together ❍ per IP, per IP-pair, per connection 12

  13. Splitting Traffic: Link Bundling ❒ Etherchannel (Cisco switches) feature enables link- bundling for: ❍ Higher bandwidth, redundancy ❍ Or load-balancing, e.g., for Webservers ❒ Simple switches use only MAC addresses ❍ => not suitable for router-to-router link ❒ On a Cisco 3750: any combination of IP and/or MAC addresses ❍ => is sufficient for our scenario ❒ On Cisco 65xx: MACs, IPs and/or port numbers 13

  14. Case Study: Packet Capture Performance Goal: ❍ See how measurement studies are conducted ❍ See what influence capture performance and what system is "best" 14

  15. Case study: Packet Capture Perform. ❒ Compare 1Gbps monitors based on standard hardware ❍ Different CPU architectures, Different OSes ❒ Workload ❍ Capture full packets, but do not analyze them ❍ Identical input to all systems ❍ Increase bandwidth until 1Gbps fully loaded ❍ Realistic packet size distribution ❒ Metrics ❍ Capturing rate: number of captured packets ❍ System load: CPU usage while capturing 15

  16. Packet Capture Perf. (2) ❒ Systems under Test : ❍ AMD Opteron 244 and 270 VS. Intel Xeon ❍ FreeBSD VS. Linux ❍ all with 2GB RAM, Intel 1Gbps fiber network card eth0 SNMP Interface Generator Counter Queries (LKPG) eth2 eth1 Cisco C3500XL Workload -> optical Splitter (mulitiplies every Signal) Linux/ Linux/ FreeBSD/ FreeBSD/ AMD Opteron Intel Xeon AMD Opteron Intel Xeon (Netburst) (Netburst) Control Network 16

  17. Packet Capture Perf. (3) Linux/AMD (32) no SMP, no HT, std. buffers, 1 app, no filter, no load Linux/Intel FreeBSD/AMD Single Processor FreeBSD/Intel Capturing Rate [%] CPU usage [%] 100 90 Upper Part: Capturing Rate [%] 80 Capturing Rate 70 60 50 Sharp decline at high data rates 40 30 FreeBSD/AMD performs best 20 10 0 100 Lower Part: CPU Usage 90 80 SP: 100% corresponds to one fully utilised processor CPU usage [%] 70 MP: 50% corresponds to one fully utilised processor 60 50 40 30 X-Axis: Generated Bandwidth 20 10 0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900 950 17 Datarate [Mbit/s]

  18. Packet Capture Perf. (4) Linux/AMD (31) SMP, no HT, std. buffers, 1 app, no filter, no load Linux/Intel FreeBSD/AMD Multiprocessor FreeBSD/Intel Capturing Rate [%] CPU usage [%] 100 90 Capturing Rate [%] 80 70 60 50 40 All systems benefit ... 30 20 .... even though the second CPU is not 10 used extensively 0 100 90 80 CPU usage [%] 70 60 50 40 30 20 10 0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900 950 18 Datarate [Mbit/s]

  19. Packet Capture Perf. (5) Linux/AMD (17) SMP, no HT, inc. buffers, 1 app, no filter, no load Linux/Intel Increasing buffers FreeBSD/AMD FreeBSD/Intel Capturing Rate [%] CPU usage [%] 100 90 Capturing Rate [%] 80 70 60 50 40 Capture rate increases more 30 20 10 0 100 90 80 CPU usage [%] 70 60 50 40 30 20 10 0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900 950 19 Datarate [Mbit/s]

  20. Packet Capture Perf. (6): Summary ❒ FreeBSD/AMD system performs best ❍ Multiprocessor and increasing buffers help ❒ Additional insights ❍ Filtering is cheap, even for large filter terms ❍ Running multiple capture applications in parallel leads to bad performance ❍ When using compression (e.g., ZIP) Intel has advantages ❍ Intel Hyperthreading does not change performance 20

  21. Analyzing the transport and application layer How to get from packets to connections (TCP, UDP) to application level protocols (HTTP, DNS, etc.) 21

  22. Packet VS Connections VS Applications ❒ Monitors deliver single packets ❒ Lots of measurements one can do on per packet basis ❍ Timing, packet sizes, routing, IP stats, .... ❒ More measurements on transport layer (TCP/UDP) ❍ Timing, connection size, .... ❒ But often we want to analyze application layer protocols (e.g., HTTP, SIP, etc.) 22

  23. Application-level Messages ❒ Application-level transfer may span multiple packets ❍ Demultiplex packets into separate “flows” ❍ Identify by source/dest IP addresses, ports, and protocol ❍ Maybe also application level identifiers 23

  24. Application-level Messages: Reassembly ❒ Reconstructing ordered, reliable byte stream ❍ De-fragment fragmented IP packets ❍ Reassemble TCP segments ❍ Sequence number and segment length in TCP header ❍ Buffer to store packets in correct order & discard duplicates ❒ Packets might be missing (measurement drops) ❒ Packet might be truncated 24

  25. Application-level Messages: Reassembly (2) ❒ Inconsistent retransmissions ❍ TCP retransmission, but data does not match ❒ Need state per connection ❒ Idle connections ❍ Is teardown missing? ❍ Is there going to be more data? ❍ Cannot keep state for ever (memory exhaustion) ❍ => need strategy for state removal 25

  26. Application-level Messages Extraction of application-level messages ❒ Parsing the syntax of the application-level ❍ Clients may not adhere to specification ❒ Identifying the start of the next message, e.g., HTTP ❍ Absence of body ❍ Presence of Content-Length ❍ Chunk-encoded message ❍ Multipart/byterange ❍ End of TCP connection 26

  27. (Mis-)Using the Bro Intrusion Detection System for Network Measurement 27

  28. What is a NIDS? ❒ Network Intrusion Detection System (NIDS) ❍ Monitors network traffic to detect attacks in real-time ❍ Reports suspicious activity to operator ❒ A NIDS has to be robust ❍ To protect itself from direct attacks ❍ To detect / prevent evasions ❍ Must be careful to not exhaust its resources (memory, CPU, disk) 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Passively Monitoring Networks at Gigabit Speeds Luca Deri <deri@ntop.org> Yuri Francalacci

Passively Monitoring Networks at Gigabit Speeds Luca Deri <deri@ntop.org> Yuri Francalacci

Passively Monitoring Networks at Gigabit Speeds Luca Deri <deri@ntop.org> Yuri Francalacci <yuri@ntop.org> ntop.org Presentation Overview Monitoring Issues at Wire Speed Traffic Filtering and Protocol Conversion

438 views • 22 slides
Same problem, different approach Monitor process does not query explicitly Instead, it passively

Same problem, different approach Monitor process does not query explicitly Instead, it passively

Same problem, different approach Monitor process does not query explicitly Instead, it passively collects information and uses it to build an observation. (reactive architectures, Harel and Pnueli [1985]) An observation is an ordering of event

618 views • 40 slides
Myroma Biometric Olfactory Wearable for Stress Management Passively monitors mental wellbeing,

Myroma Biometric Olfactory Wearable for Stress Management Passively monitors mental wellbeing,

Myroma Biometric Olfactory Wearable for Stress Management Passively monitors mental wellbeing, releases scents to intervene Passively monitors mental wellbeing, releases scents to intervene Passively monitors mental wellbeing, releases

407 views • 13 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Continuous Distributed Monitoring in the Evolved Packet Core Industry Experience Report Romaric

Continuous Distributed Monitoring in the Evolved Packet Core Industry Experience Report Romaric

Continuous Distributed Monitoring in the Evolved Packet Core Industry Experience Report Romaric Duvignau 1 Marina Papatriantafilou 1 Konstantinos Peratinos 3 om 2 Patrik Nyman 2 Eric Nordstr DEBS 2019, Darmstadt (June 26). 1 Chalmers

664 views • 41 slides
What do Packet Dispersion Techniques Measure? Constantinos Dovrolis, Univ-Delaware Parmesh

What do Packet Dispersion Techniques Measure? Constantinos Dovrolis, Univ-Delaware Parmesh

What do Packet Dispersion Techniques Measure? Constantinos Dovrolis, Univ-Delaware Parmesh Ramanathan, Univ-Wisconsin David Moore, CAIDA Constantinos Dovrolis - IEEE Infocom 2001 - April 24-26, 2001 1 of 28

290 views • 28 slides
when you can measure what you are speaking about, and express it in 1. Understand the

when you can measure what you are speaking about, and express it in 1. Understand the

Vern Paxsons Paper How often are packets dropped? End-to-End Why these questions? Internet Packet How often are packets reordered? Dynamics, 1997/99 when you can measure what you are speaking about, and express it in 1.

460 views • 17 slides
Conducting Targeted Water Monitoring Studies to Measure Water Quality Success Steve Hopkins,

Conducting Targeted Water Monitoring Studies to Measure Water Quality Success Steve Hopkins,

Conducting Targeted Water Monitoring Studies to Measure Water Quality Success Steve Hopkins, Nonpoint Source Coordinator Iowa Department of Natural Resources National NPS Training Workshop November 8, 2018 Why Water Monitoring Studies? Is

720 views • 33 slides
How to measure albedo v1707 Subjects PV system performance monitoring the performance

How to measure albedo v1707 Subjects PV system performance monitoring the performance

How to measure albedo v1707 Subjects PV system performance monitoring the performance model standards and instruments recommendations 2 Introduction Hukseflux Thermal Sensors (NLD) leading manufacturer of

788 views • 50 slides
Monitoring cycling: you can't manage what you don't measure John Lieswyn, Principal Transport

Monitoring cycling: you can't manage what you don't measure John Lieswyn, Principal Transport

Monitoring cycling: you can't manage what you don't measure John Lieswyn, Principal Transport Planner, ViaStrada Sandi Morris, Senior Civil Technician, WSP-Opus Glenn Connelly, Senior Associate Transportation Engineer, Beca Presentation

424 views • 26 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Overview

Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Overview

Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Overview Overview Introduction Related Studies SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring Tools

493 views • 26 slides
Monitoring Cardiac Health Using a Laser Doppler Approach to Measure Pulse Wave Velocity Madison

Monitoring Cardiac Health Using a Laser Doppler Approach to Measure Pulse Wave Velocity Madison

Monitoring Cardiac Health Using a Laser Doppler Approach to Measure Pulse Wave Velocity Madison Boston - Team Leader Michal Adamski - Communicator Haley Knapp - BSAC Katie Barlow - BWIG Lizzie Krasteva - BPAG Professor Paul Thompson - Advisor Dr.

429 views • 15 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Curriculum & Activities Night Class of 2020 Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #) Feeder School Name NEON GREEN sticker on front of packet = MISSING EXPLORE Appointment date

99 views • 6 slides
Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How to authenticate a data packet containing the electricity usage of a room at certain time? Data is signed, but how to verify the signature?

224 views • 19 slides
Pluggable transport work Flashproxy can do IPv6. Upcoming Flashproxy Tor Browser Bundle

Pluggable transport work Flashproxy can do IPv6. Upcoming Flashproxy Tor Browser Bundle

Pluggable transport work Flashproxy can do IPv6. Upcoming Flashproxy Tor Browser Bundle (TBB) Windows package Obfsproxy packages: debs and bridge-side docs (and obfsproxy in our ec2 images) Client-side Obfsproxy TBBs New

1.02k views • 47 slides
Designing Efficient FTP Mechanisms for High Performance Data-Transfer over InfiniBand Ping Lai,

Designing Efficient FTP Mechanisms for High Performance Data-Transfer over InfiniBand Ping Lai,

Designing Efficient FTP Mechanisms for High Performance Data-Transfer over InfiniBand Ping Lai, Hari Subramoni, Sundeep Narravula, Amith Mamidala and Dhabaleswar. K.Panda Computer Science and Engineering Department The Ohio State University, USA

560 views • 26 slides
Gyrokinetic simulation of blob transport and divertor heat-load C.S. Chang 1 , J. Boedo 2 , M.

Gyrokinetic simulation of blob transport and divertor heat-load C.S. Chang 1 , J. Boedo 2 , M.

TH/2-3 Gyrokinetic simulation of blob transport and divertor heat-load C.S. Chang 1 , J. Boedo 2 , M. Churchill 1 , R. Hager 1 , S. Ku 1 , J. Lang 1 , R. Maingi 1 , Scott E. Parker 3 , D. Stotler 1 , S.J. Zweben 1 1 Princeton Plasma Physics

402 views • 18 slides
Low Carbon Travel & Transport Hubs ERDF 2014 - 2020 Key Information at November 2016 Low

Low Carbon Travel & Transport Hubs ERDF 2014 - 2020 Key Information at November 2016 Low

Low Carbon Travel & Transport Hubs ERDF 2014 - 2020 Key Information at November 2016 Low Carbon Travel and Transport Hubs Hub Dictionary Definitions The central part of a wheel, rotating on or with the axle, and from which the

325 views • 13 slides
Participants University of Wrzburg Thomas Zinner, Dominik Klein, Christian Schwartz, Daniel

Participants University of Wrzburg Thomas Zinner, Dominik Klein, Christian Schwartz, Daniel

Institute of Computer Science Chair of Communication Systems Prof. Dr.-Ing. P. Tran-Gia MultiNext: Measuring Concurrent Multipath Transmissions in an Experimental Facility T. Zinner (Uni Wrzburg), K. Tutschku (Uni Vienna), T. Zseby

754 views • 11 slides
Turbulence on APE: towards channel@apeNEXT GGI Firenze 2007 Federico Toschi IAC-CNR

Turbulence on APE: towards channel@apeNEXT GGI Firenze 2007 Federico Toschi IAC-CNR

Turbulence on APE: towards channel@apeNEXT GGI Firenze 2007 Federico Toschi IAC-CNR http://www.iac.cnr.it/~toschi The past, the present and the future APE100 RB, Channel flow APEmille RB, Channel flow, Fast Fourier

955 views • 61 slides
Statistical Methods for Plant Biology PBIO 3150/5150 Anirudh V. S. Ruhil February 23, 2016 The

Statistical Methods for Plant Biology PBIO 3150/5150 Anirudh V. S. Ruhil February 23, 2016 The

Statistical Methods for Plant Biology PBIO 3150/5150 Anirudh V. S. Ruhil February 23, 2016 The Voinovich School of Leadership and Public Affairs 1/26 Table of Contents 1 Association Between 2 Categorical Variables 2 The Odds Ratio ( OR ) 3

553 views • 26 slides
Lecture 4: Verification of Weak Memory Models Part 2: Robustness against TSO Ahmed Bouajjani

Lecture 4: Verification of Weak Memory Models Part 2: Robustness against TSO Ahmed Bouajjani

Lecture 4: Verification of Weak Memory Models Part 2: Robustness against TSO Ahmed Bouajjani LIAFA, University Paris Diderot Paris 7 Joint work with Roland Meyer, Egor Derevenetc (Univ. Kaiserslautern) and Eike M ohlmann (Univ.

1.53k views • 98 slides

More recommend