icmynet flow netflow based traffic investigation analysis
play

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic - PowerPoint PPT Presentation

Oct 02, 2022 •174 likes •641 views

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

  1. ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES – Academic Network of Serbia RCUB - Belgrade University Computer Center ETF – Faculty of Electrical Engineering

  2. NetFlow Challenges: Who is consuming the bandwidth and how? D Deep insight into network traffic i i ht i t t k t ffi Recognize traffic anomaly – security threats Network optimization olution – NetFlow TM TM S l S i N Fl Protocol developed by Cisco for exporting IP flow statistics Other vendors: J-Flow, NetS tream, sFlow, IPFIX... TF-NOC, 11.10.2011

  3. How it works? Exported data: S rc/ dst IP S S rc/ dst ports rc/ dst ports Protocol Total bytes, packets, fllows QoS QoS BGP src/ dst AS Exporter IP I / In/ out ports t t Timestamp Router … . (Exporter) ( p ) … . TF-NOC, 11.10.2011

  4. Why to use? Performance management based on S NMP network traffic – who is using? CPU/ Memory usage – why is increased? who is talking with whom? TF-NOC, 11.10.2011

  5. NetFlow Analyzers Collect, process, present and analyze NetFlow data Most popular commercial solutions: p p S olarwinds, MenageEngine, S crutinyzer... ICmyNet.Flow ICmyNet.Flow AMRES participated the development with expertise, requirements, testing Competitive with other commercial solutions p Full free software available for NRENs and their members www.icmynet.com live demo download free trial user manual support contact pp TF-NOC, 11.10.2011

  6. System architecture Binary raw data files ICmyNet.Flow Flows_2009-10-21-09.20.00 Collector Collector Flows_2009-10-21-09.25.00 Flows_2009-10-21-09.30.00 ICmyNet.Flow Database Aggregator gg g ICmyNet.Flow Web Raw Data Files Archive TF-NOC, 11.10.2011

  7. Parameters for traffic analysis Detailed information about: IP subnets traffic Hosts traffic Hosts traffic Network S ervices and applications based on TCP/ UDP ports Network Protocols (TCP, UDP, ICMP, GRE...) QoS markers (ToS , IP precedence or DS CP) BGP Autonomous S ystem Numbers For each parameter counters for : Traffic Bandwidth (in bits/ s, kbps, Mbps..) Traffic Volume (in MBytes, GB, TB...) Number of Packets, volume and time based diagrams (pps) Number of Flows, volume and time based diagrams (fps) Configurable cut-off percentage or data amount for negligible consumers TF-NOC, 11.10.2011

  8. Overview Web application is chosen for the user interface De-facto standard for network management applications Accessibility, permanent development, flexibility Java application working under Tomcat JS F technologies TF-NOC, 11.10.2011

  9. Traffic Patterns Traffic Pattern - Traffic of Interest, defined by user Matches the traffic between “ Internal” and “ External” network S tatistics IS NOT per interface Statistics IS per subnet in Traffic Pattern D fi Defined by d b IP networks other NetFlow parameters External Internal network network TF-NOC, 11.10.2011

  10. Traffic Patterns Internet Exclude 10 0 0 0/8 Exclude 10.0.0.0/8 Internal Network 10.0.0.0/8 TF-NOC, 11.10.2011

  11. External Network Traffic Patterns Internal Network TF-NOC, 11.10.2011

  12. Traffic Patterns Application Servers 172 16 0 0/24 172.16.0.0/24 Internal Network 10.0.0.0/8 TF-NOC, 11.10.2011

  13. Traffic Pattern – basic element of analysis Internal Network 10.0.0.0/8 External Network 10.0.0.0/8 TF-NOC, 11.10.2011

  14. Traffic Patterns Advanced Traffic Patterns can be configured with flexible matching of any supported NetFlow field Examples : Examples : AMRES -> Facebook Internal address 147.91.0.0/ 16, S rc or Dst AS 32934 (Facebook) (Facebook) Router X Internal & External address: 0.0.0.0/ 0, Exporter 10.1.1.1 Potential attacks: Potential attacks: S rc or Dst port: 22, 135-139, 445, 1434,… “Weird” Protocols: Protocols: Exclude 6 (TCP) or 17 (UDP) Protocols: Exclude 6 (TCP) or 17 (UDP) Blocked Traffic: Out Interface: 0 (Null) TF-NOC, 11.10.2011

  15. Subnets S ubnets Defined by name and IP y address range in Internal network View tab / Address S pace IP address hierarchy of IP address hierarchy of subnets in a tree structure IPv6 are fully supported! TF-NOC, 11.10.2011

  16. Subnet Sets S ubnet S et User defined group of S ubnets and/ or other S ubnets S ets View tab / Custom S pace User defined hierarchy of S ubnet S S ets and belonging S ets and belonging S ubnets ubnets Any logical grouping of S ubnets: Institutions Faculties Universities S chools Libraries Libraries etc... TF-NOC, 11.10.2011

  17. View Tab – Top N TF-NOC, 11.10.2011

  18. View Tab – Chart TF-NOC, 11.10.2011

  19. View Tab – List TF-NOC, 11.10.2011

  20. Archived raw data review Raw data are archived in the files created every 5 minutes Compressed and archived in separate folder Every single flow is saved Raw data View Raw data View Access, review and explore raw data files S earching for a single flow or event that traversed the network t k TF-NOC, 11.10.2011

  21. Archived raw data review TF-NOC, 11.10.2011

  22. Searching and grouping raw data Filter, group and sort by any meaningful column TF-NOC, 11.10.2011

  23. Analysis of traffic anomaly Case study TF-NOC, 11.10.2011

  24. TF-NOC, 11.10.2011

  25. TF-NOC, 11.10.2011

  26. TF-NOC, 11.10.2011

  27. TF-NOC, 11.10.2011

  28. TF-NOC, 11.10.2011

  29. TF-NOC, 11.10.2011

  30. TF-NOC, 11.10.2011

  31. TF-NOC, 11.10.2011

  32. TF-NOC, 11.10.2011

  33. TF-NOC, 11.10.2011

  34. TF-NOC, 11.10.2011

  35. TF-NOC, 11.10.2011

  36. TF-NOC, 11.10.2011

  37. Configuration issues – Interfaces NetFlow configured in both directions on interfaces Exported data duplication Host A NetFlow Collector TF-NOC, 11.10.2011

  38. NetFlow configured in ingress direction on all interfaces Configuration issues – Interfaces No data duplication Host A TF-NOC, 11.10.2011

  39. Configuration issues – Interfaces NetFlow configured in ingress direction on all interfaces with redundant links D t d Data duplication! li ti ! Gi0/3 Gi0/3 Gi0/2 Gi0/1 Gi0/1 Host A TF-NOC, 11.10.2011

  40. Configuration issues – Interfaces S olution: Configure ingress direction on edge links (do not configure on core links) (do not configure on core links) Exclude interfaces on core links between exporters from Traffic Pattern TF-NOC, 11.10.2011

  41. Configuration issues - Timers Timer – aging Long Defines data export interval for long flows – 5 min Real Flow Received Flow Bits/s Bits/s Bits/s Bits/s Time of Time of export export 20k 5K t t 20 minutes 5 minutes TF-NOC, 11.10.2011

  42. Configuration issues - Timers Fast Defines data export criteria based on the threshold ( 100packets) (~100packets) Preserves memory overload TF-NOC, 11.10.2011

  43. Configuration issues - Aggregation Receiving application is using 5 minute aggregation TF-NOC, 11.10.2011

  44. NetFlow statistics from non-netflow device? L2 switches usually do not support NetFlow protocol Examples: Examples: LAN networks Gigabit Ethernet 0/0 FastEthernet 0/1 NREN member FastEthernet 0/2 connected to NREN backbone S olution Port mirroring Mirrored Ports S S erver with two NIC i h NIC FastEthernet 0/23 S oftflowd http:/ / www.mindrot.org/ proj ects / softflowd/ / softflowd/ FastEthernet 0/24 Gigabit Ethernet 0/1 http:/ / code.google.com/ p/ softflo wd/ NetFlow Date Export Interfaces info disappears, but Traffic Patterns don’ t need it! SOFTFLOW DEAMON NetFlow Emulator TF-NOC, 11.10.2011

  45. Conclusions ICmyNet.Flow Pros Traffic Patterns Traffic Patterns S ubnets and S ubnet S ets hierarchy Works with non-netflow devices Raw data inspection Full IPv6 support Full IPv6 support Web based, j ava – OS independent Cons S S ome net admins prefer link based statistics ome net admins prefer link based statistics (physical infrastructure view) Lack of top conversations statistics (plan to support in new version, 2012) Links www.icmynet.com live.icmynet.com/ NetFlowWeb TF-NOC, 11.10.2011

  46. rcub.bg.ac.rs slavko.gaj in@ Questions TF-NOC, 11.10.2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief Customer Officer Soneco d.o.o. Serbia Agenda ICmyNet / NetVizura overview Use cases / case studies Statistics per exporter/interfaces Traffic

629 views • 26 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National

NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National

NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National University Chungnam National University {teshi85, yhlee06, lee}@cnu.ac.kr 2010.04.24(Sat) based on "An Internet Traffic Analysis Method with

534 views • 22 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying activity via payload Theory behind the idea Measuring NetFlow Measuring DNS traffic captures Implications and future work Motivation

580 views • 17 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis Using social networks we can complement our existing volumetric analysis. Identify phenomenon we are missing because they are just not

568 views • 24 slides
A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van Vliet, Aiko Pras Design and Analysis of Communication Systems University of Twente, The Netherlands NMRG Workshop on Netflow/IPFIX Usage in Network

592 views • 21 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis M. Elich, P.

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis M. Elich, P.

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis M. Elich, P. Velan, T. Jirsk, P. eleda {elich|jirsik|celeda}@mail.muni.cz, petr.velan@cesnet.cz The 7th IEEE Workshop on Network Measurements, Sydney, October

397 views • 21 slides
Incorporating Intra-flow Dependencies and Inter-flow Correlations for Traffic Matrix Prediction

Incorporating Intra-flow Dependencies and Inter-flow Correlations for Traffic Matrix Prediction

Incorporating Intra-flow Dependencies and Inter-flow Correlations for Traffic Matrix Prediction Presenter: Kaihui Gao Tsinghua University Catalog 1. Background 2. Related Works 3. Motivation 4. Data Analysis of Traffic Matrix 5.

468 views • 18 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial

Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial

Maximilian Merkert Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial Optimization Workshop, January 8, 2019 joint work with Gennadiy Averkov, Do Duc Le Outline 1 Introduction 2 Flow-based Extended

588 views • 39 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
Verification and Validation (V&V) of Autonomous Maritime Systems Dr. Alain Maguer, Alberto

Verification and Validation (V&V) of Autonomous Maritime Systems Dr. Alain Maguer, Alberto

Modelling and Simulation Tools for Verification and Validation (V&V) of Autonomous Maritime Systems Dr. Alain Maguer, Alberto Tremori, Robert Been NATO STO CMRE #UDT2019 NATO STO CMRE Centre for Maritime Research and Experimentation

593 views • 25 slides
Towards a Censorship Analyser for Tor Philipp Winter The Tor Project & Karlstad University

Towards a Censorship Analyser for Tor Philipp Winter The Tor Project & Karlstad University

Towards a Censorship Analyser for Tor Philipp Winter The Tor Project & Karlstad University 2013-08-13 Tor and censorship Some countries, corporate firewalls, captive portals and ISPs block Tor. Blocks become known through users and

534 views • 16 slides
Modelling and Simulation and Wargaming to support concept development of Autonomous Systems in

Modelling and Simulation and Wargaming to support concept development of Autonomous Systems in

IT 2 EC 2020 IT 2 EC Extended Abstract Template Presentation/Panel Modelling and Simulation and Wargaming to support concept development of Autonomous Systems in Harbour Protection Lucia Gazzaneo 1 , David Solarna 2 , Alberto Tremori 3 , Arnau

269 views • 6 slides
Improvement of Content Server with Contents Anycasting Using OpenFlow Othman Othman M.M. 1 , Koji

Improvement of Content Server with Contents Anycasting Using OpenFlow Othman Othman M.M. 1 , Koji

Improvement of Content Server with Contents Anycasting Using OpenFlow Othman Othman M.M. 1 , Koji Okamura 2 1 Department of Advanced Information Technology, Graduate school of Information Science and Electrical Engineering, Kyushu University.

232 views • 8 slides
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University of Arizona 1 IEEE GLOBECOM 2014 December

507 views • 22 slides
CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of

CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of

10/4/16 CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of the Internet in 1990 The Global Internet (And Now) A simple multi-provider Internet 1 10/4/16 The Global Internet Some large

307 views • 12 slides
Lab Course RouterLab Border Gateway Protocol (BGP) Internet: Network of Networks AS

Lab Course RouterLab Border Gateway Protocol (BGP) Internet: Network of Networks AS

Lab Course RouterLab Border Gateway Protocol (BGP) Internet: Network of Networks AS 2 AS 1 AS 5 AS 3 AS 4 Internet: Structure and Routing Structure : > 20,000 autonomous systems (ASs) Examples for ASs? Routing

374 views • 20 slides
Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with IP prefixes Networks are richly interconnected, often using IXPs Prefix B1 Prefix D1 Prefix C1 ISP B CDN D IXP CDN C IXP Prefix E1

641 views • 33 slides

More recommend