large scale flow monitoring through open source software
play

Large-Scale Flow Monitoring Through Open Source Software Luca Deri - PowerPoint PPT Presentation

Jan 30, 2024 •32 likes •612 views

Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS 2010 - 23.06.2010 Monitoring Goals Analysis of LAN and WAN Traffic Unaggregated raw data storage for the near past (-3 days) and long-term

  1. Large-Scale Flow Monitoring Through Open Source Software Luca Deri <deri@ntop.org> 1 AIMS 2010 - 23.06.2010

  2. Monitoring Goals • Analysis of LAN and WAN Traffic • Unaggregated raw data storage for the near past (-3 days) and long-term data aggregation on selected network traffic metrics (limit: available disk space) • Data navigation by means of a web 2.0 GUI • Geolocation of network flows and their aggregation based on their geographical source. • Integration with routing information in order to provide accurate traffic path analysis. AIMS 2010 - 23.06.2010 2

  3. Traffic Collection Architecture [1/2] • Available Options 1.Exploit network equipment (routers and switches) – Advantages: • Maximize investment. • Avoid adding extra network equipment/complexity in the network. • No additional point of Failure – Disadvantages: • Often is necessary to buy costly netflow engines • Have to survive with bugs (e.g. Juniper have issues with AS information) AIMS 2010 - 23.06.2010 3

  4. Traffic Collection Architecture [2/2] 2.Custom Network Probes • Advantages – Ability to avoid limitations of commercial equipment – (Often) Faster and more flexible than hw probes • Disadvantages Mirror / Network Tap LAN LAN – Add complexity to the net Packet Copy – Need to mirror/wiretap traffic Netflow Probe AIMS 2010 - 23.06.2010 4

  5. Introduction to Cisco NetFlow • Flow: “Set of network packets with some properties in common”. Typically (IP src/dst, Port src/dst, Proto, TOS, VLAN). • Network Flows contain: Application —Peers: flow source and destination. —Counters: packets, bytes, time. Flow Collector —Routing information: AS, network mask, interfaces. Probe Router AIMS 2010 - 23.06.2010 5

  6. Collection Architectures [1/2] Live feed Backbone flow collector flow-capture Flow Archive flow-rsync transfer flow enabled router NetFlow export AIMS 2010 - 23.06.2010 6

  7. Collection Architectures [2/2] AIMS 2010 - 23.06.2010 7

  8. Flow Journey: Creation AIMS 2010 - 23.06.2010 8

  9. Flow Journey: Export AIMS 2010 - 23.06.2010 9

  10. Flow Format: NetFlow v5 vs v9 v5 v9 Flow Format Fixed User Defined Extensible No Yes (Define new FlowSet Fields) Flow Type Unidirectional Bidirectional Flow Size 48 Bytes It depends on (fixed) the format IPv6 Aware No IP v4/v6 MPLS/VLAN No Yes AIMS 2010 - 23.06.2010 10

  11. Flow Format: NetFlow v9/IPFIX AIMS 2010 - 23.06.2010 11

  12. InMon sFlow • Packet header (e.g. MAC,IPv4,IPv6,IPX,AppleTalk,TCP,UDP, ICMP) • Sample process parameters (rate, pool etc.) • Input/output ports Switch/Router • Priority (802.1p and TOS) • VLAN (802.1Q) • Source/destination prefix sFlow sFlow Datagram • Next hop address agent • Source AS, Source Peer AS • Destination AS Path • Communities, local preference • User IDs (TACACS/RADIUS) for source/destination ASIC • URL associated with source/destination HW Packet • Interface statistics (RFC 1573, RFC 2233, and RFC 2358) Sampling Network Traffic % Sampling Error <= 196 * sqrt( 1 / number of samples) [http://www.sflow.org/packetSamplingBasics/] AIMS 2010 - 23.06.2010 12

  13. Integrated Network Monitoring Traffic Analysis & Accounting sFlow enabled switches Solutions sFlow Core network switches RMON enabled switches RMON L2/L3 Switches • Network-wide, continuous surveillance • 20K+ ports from a single point NetFlow enabled routers NetFlow • Timely data and alerts • Real-time top talkers • Site-wide thresholds and alarms • Consolidated network-wide historical usage data AIMS 2010 - 23.06.2010 13

  14. Traffic Collection: A Real Scenario Registro.it Juniper Switch sFlow v5 NetFlow v9 Juniper Router anifani.nic.it monitor.nic.it GARR Level 3 AIMS 2010 - 23.06.2010 14

  15. Heterogeneous Flow Collection sFlow v5 nProbe Fastbit Web Server Web Console NetFlow v9 nProbe Fastbit AIMS 2010 - 23.06.2010 15

  16. nProbe: sFlow/NF/IPFIX Probe+Collector sFlow NetFlow Packet Capture Flow Export nProbe Data Dump Raw Files / MySQL / SQLite / FastBit AIMS 2010 - 23.06.2010 16

  17. Problem Statement [1/2] • NetFlow and sFlow are the current state-of-the- art standard for network traffic monitoring. • As the number of generated flows can be quite high, operators often use sampling in order to reduce their number. • Sampling leads to inaccuracy so it cannot always be used in production networks. • Thus network operators have to face the problem of collecting and analyzing a large number of flow records. 17 AIMS 2010 - 23.06.2010

  18. Problem Statement [2/2] Where to store collected flows? – Relational Databases • Pros: Expressiveness of SQL for data search. • Cons: Sacrifice flow collection speed and query response time. – Raw Disk Archives • Pros: Efficient flow-to-disk collection speed (> 250K flow/s). • Cons: Limited query facilities as well search time proportional to the amount of collected data (i.e. no indexing is used). AIMS 2010 - 23.06.2010 18

  19. Towards Column-Oriented Databases [1/3] • Network flow records are read-only, shouldn’t be modified after collection, and several flow fields have very few unique values. • B-tree/hash indexes used in relational DBs to accelerate queries, encounter performance issues with large tables as: — need to be updated whenever a new flow is stored. — require a large number of tree-branching operations as they use slow pointer chases in memory and random disk access (seek), thus taking a long time. • Thus with relational DBs it is not possible to do live flow collection/ import as index update will lead to flow loss. AIMS 2010 - 23.06.2010 19

  20. Towards Column-Oriented Databases [2/3] • A column-oriented database stores its content by column rather than by row. As each column is stored contiguously, compression ratios are generally better than row-stores because consecutive entries in a column are homogeneous to each other. • Column-stores are more I/O efficient (than row stores) for read- only queries since they only have to read from disk (or from memory) those attributes accessed by a query. • Indexes that use bit arrays (called bitmaps) answer queries by performing bitwise logical operations on these bitmaps. AIMS 2010 - 23.06.2010 20

  21. Towards Column-Oriented Databases [3/3] • Bitmap indexes perform extremely well because the intersection between the search results on each value is a simple AND operation over the resulting bitmaps. • As column data can be individually sorted, bitmap indexes are also very efficient for range queries (e.g. subnet search) as data is contiguous hence disk seek is reduced. • As column-oriented databases with bitmap indexes provide better performance compared to relational databases, the authors explored their use in the field of flow monitoring. AIMS 2010 - 23.06.2010 21

  22. nProbe + FastBit • FastBit is not a database but a C++ library that implements efficient bitmap indexing methods. • Data is represented as tables with rows and columns. • A large table may be partitioned into many data partitions and each of them is stored on a distinct directory, with each column stored as a separated file in raw binary form. • nProbe natively integrates FastBit support and it automatically creates the DB schema according to the flow records template. • Flows are saved in blocks of 4096 records. • When a partition is fully dumped, columns to be indexed are first sorted then indexed. AIMS 2010 - 23.06.2010 22

  23. Performance Evaluation: Disk Space MySQL No/With Indexes 1.9 / 4.2 Daily Partition (no/with Indexes) 1.9 / 3.4 FastBit Hourly Partition (no/with Indexes) 1.9 / 3.9 nfdump No indexes 1.9 Results are in GB AIMS 2010 - 23.06.2010 23

  24. Performance Evaluation: Query Time [1/2] nProbe+FastBit vs MySQL MyS MySQL nProbe + e + FastBit nProbe + be + FastBit Query Daily Pa y Partitions Hourly Pa rly Partitions No Index With No Cached No Cached Indexes Cache Cache Q1 20.8 22.6 12.8 5.86 10 5.6 Q2 23.4 69 0.3 0.29 1.5 0.5 Q3 796 971 17.6 14.6 32.9 12.5 Q4 1033 1341 62 57.2 55.7 48.2 Q5 1754 2257 44.5 28.1 47.3 30.7 Results are in seconds AIMS 2010 - 23.06.2010 24

  25. Performance Evaluation: Query Time [2/2] nProbe+FastBit vs nfdump nProbe+FastBit 45 sec nfdump 1500 sec SELECT IPV4_SRC_ADDR, L4_SRC_PORT, IPV4_DST_ADDR, L4_DST_PORT, PROTOCOL FROM NETFLOW WHERE IPV4_SRC_ADDR=X OR IPV4_DST_ADDR=X worth 19 GB of data (14 hours of collected flows) nfdump query time = (time to sequentially read the raw data) + (record filtering time) AIMS 2010 - 23.06.2010 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Large-Scale Reuse in Open Source Software Audris Mockus audris@avaya.com Avaya Labs Research

Large-Scale Reuse in Open Source Software Audris Mockus audris@avaya.com Avaya Labs Research

Large-Scale Reuse in Open Source Software Audris Mockus audris@avaya.com Avaya Labs Research Basking Ridge, NJ 07920 http://mockus.org/ Open Source Innovations Fundamentally different model of software development Built by large

306 views • 11 slides
Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection &amp; analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer &amp; PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD)

Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD)

Design principles for 5G Toward a new paradigm, All-IT Network architecture Unbundling Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD) Unbundled Function Blocks Open Source Hardware (OCP,

180 views • 15 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
1 Distribution of work: new functionality Distribution of work: fixes 7 8 Who reports

1 Distribution of work: new functionality Distribution of work: fixes 7 8 Who reports

The case for open source software Open Source Software Why Open Source Software / Free The process, the outcome Software (OSS/FS)? Look at the Numbers! David A. Wheeler The heat, the light Revised as of September 30 2004

464 views • 9 slides
Frontera: Large-Scale Open Source Web Crawling Framework Alexander Sibiryakov, 20 July 2015

Frontera: Large-Scale Open Source Web Crawling Framework Alexander Sibiryakov, 20 July 2015

Frontera: Large-Scale Open Source Web Crawling Framework Alexander Sibiryakov, 20 July 2015 sibiryakov@scrapinghub.com Hola los participantes! Born in Yekaterinburg, RU 5 years at Yandex, search quality department: social and QA

445 views • 21 slides
Frontera: open source, large scale web crawling framework Alexander Sibiryakov, October 1, 2015

Frontera: open source, large scale web crawling framework Alexander Sibiryakov, October 1, 2015

Frontera: open source, large scale web crawling framework Alexander Sibiryakov, October 1, 2015 sibiryakov@scrapinghub.com Sziasztok rsztvev k! Born in Yekaterinburg, RU 5 years at Yandex, search quality department: social and QA

737 views • 30 slides
LARGE SCALE OPEN SOURCE DEVELOPMENT MODELS A COMPARATIVE ANALYSIS By Joe Gordon WHY Saw

LARGE SCALE OPEN SOURCE DEVELOPMENT MODELS A COMPARATIVE ANALYSIS By Joe Gordon WHY Saw

LARGE SCALE OPEN SOURCE DEVELOPMENT MODELS A COMPARATIVE ANALYSIS By Joe Gordon WHY Saw OpenStack grow from around 60 developers to over 2,100 developers Unusual development model But how do other projects solve the same problems? WHY IS

629 views • 34 slides
Data Curation at Large Experimental Facilities with Open Source Software Line Pouchard, Pavol

Data Curation at Large Experimental Facilities with Open Source Software Line Pouchard, Pavol

Data Curation at Large Experimental Facilities with Open Source Software Line Pouchard, Pavol Juhas, Kerstin Kleese Van Dam Computational Science Initiative Stuart Campbell National Synchrotron Light Source II Brookhaven National

312 views • 20 slides
NRM Long Term Monitoring Using Open Source Software Collect Earth Louwrens Ferreira 6 October

NRM Long Term Monitoring Using Open Source Software Collect Earth Louwrens Ferreira 6 October

NRM Long Term Monitoring Using Open Source Software Collect Earth Louwrens Ferreira 6 October 2017 Introduction The natural resource management programme started out in 1995 and was only known as Working for Water The main focus

294 views • 12 slides
LARGE SCALE OPEN SOURCE DEVELOPMENT MODELS A COMPARATIVE ANALYSIS By Joe Gordon ABOUT ME

LARGE SCALE OPEN SOURCE DEVELOPMENT MODELS A COMPARATIVE ANALYSIS By Joe Gordon ABOUT ME

LARGE SCALE OPEN SOURCE DEVELOPMENT MODELS A COMPARATIVE ANALYSIS By Joe Gordon ABOUT ME OpenStack Developer at HP Hacking on OpenStack for 4 years contact information jogo on freenode github.com/jogo WHY Saw OpenStack grow from around 60

833 views • 57 slides
Building a large scale SaaS app Open Source, Storage and Scalability Dan Hanley, CTO

Building a large scale SaaS app Open Source, Storage and Scalability Dan Hanley, CTO

Building a large scale SaaS app Open Source, Storage and Scalability Dan Hanley, CTO http://www.magus.co.uk 14 March, 2008 1 Agenda Who are Magus? What do we do? Who do we do it for? How do we do it? SOA Scalability

501 views • 47 slides
OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA

OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA

OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA Who are we? Open Source Monitoring Software Results Demonstration Responses Mitigations and conclusion

1.02k views • 45 slides
Restriction monads and algebras. Union College Mathematics Conference Darien DeWolf Dalhousie

Restriction monads and algebras. Union College Mathematics Conference Darien DeWolf Dalhousie

Restriction monads and algebras. Union College Mathematics Conference Darien DeWolf Dalhousie University December 4, 2016 1 / 21 Monads for Partial Computation Moggi (1991) introduces monads as abstract notions of computation. In particular,

656 views • 21 slides
CS 598: Network Security Matthew Caesar January 15, 2013 1 Networks are Important Networks

CS 598: Network Security Matthew Caesar January 15, 2013 1 Networks are Important Networks

Lecture 1: Course Overview CS 598: Network Security Matthew Caesar January 15, 2013 1 Networks are Important Networks propagate information Information is the enemy of evildoers They can no longer hide in the shadows Can

532 views • 34 slides
The GENESIS platform, its Distribution, and Web Services Stephen Rank, David Nutter, Janet

The GENESIS platform, its Distribution, and Web Services Stephen Rank, David Nutter, Janet

The GENESIS platform, its Distribution, and Web Services Stephen Rank, David Nutter, Janet Lavery, and Cornelia Boldyreff The GENESIS platform, its Distribution, and Web Services p. 1 The GENESIS Project IST-funded EU project (Durham,

311 views • 10 slides
Welcome! We will be starting soon. The Low-Income Forum on Energy Presents: Clean Energy for

Welcome! We will be starting soon. The Low-Income Forum on Energy Presents: Clean Energy for

Welcome! We will be starting soon. The Low-Income Forum on Energy Presents: Clean Energy for Low-Income: Insights from Eight Business Models Coreina Chan, Jason Meyer, Lauren Shwisberg Rocky Mountain Institute November 14, 2016 1:30 p.m.

1.03k views • 81 slides
Monitorizacin de red Area de Ingeniera Telemtica http://www.tlm.unavarra.es Grado en

Monitorizacin de red Area de Ingeniera Telemtica http://www.tlm.unavarra.es Grado en

rea de Ingeniera Telemtica Gestin y Planificacin de Redes y Servicios Monitorizacin de red Area de Ingeniera Telemtica http://www.tlm.unavarra.es Grado en Ingeniera en Tecnologas de Telecomunicacin, 4 Medir qu? Un

469 views • 24 slides
Robot Motion Planning Movies/demos provided by James Kuffner and Howie Choset + Examples from

Robot Motion Planning Movies/demos provided by James Kuffner and Howie Choset + Examples from

Robot Motion Planning Movies/demos provided by James Kuffner and Howie Choset + Examples from J.C. latombes book (references on the last page) Example from Howie Choset 1 Example from James Kuffner Example from Howie Choset 2 Robot Motion

547 views • 44 slides
Maxim Likhachev 1 Planning via Cell Decomposition Planning via Cell Decomposition Graph

Maxim Likhachev 1 Planning via Cell Decomposition Planning via Cell Decomposition Graph

Motion/Path Planning Motion/Path Planning Examples (of what is usually referred to as path planning): Examples (of what is usually referred to as motion planning): Planned motion for a 6DOF robot arm CSE 473:Planning in Robotics (slides

573 views • 3 slides
Announcements CS 188: Artificial Intelligence Spring 2011 Practice Final Out (optional)

Announcements CS 188: Artificial Intelligence Spring 2011 Practice Final Out (optional)

Announcements CS 188: Artificial Intelligence Spring 2011 Practice Final Out (optional) Similar extra credit system as practice midterm Contest (optional): Advanced Applications: Tomorrow night 11pm deadline for final

576 views • 10 slides

More recommend