Experiences in Analyzing Network Traffic

1
Experiences in Analyzing Network Traffic

• Shou-Chuan Lai
• National Tsing Hua University
• Computer and Communication Center
• Nov. 20, 2003

2
Houston, we have a problem!
3
What happened?
4
What can we do?
5
Problem Diagnose

• Call for help
• Call our contracted support
• Ask an expert
• Do it yourself
• Cable tester
• Network analyzer
• Network Management System

6
Possible Solution

• Replace malfunction parts
• Adjust network configurations
• Expand network capacity

7
Network Traffic Analysis
8
Network Traffic Information

• Link
• Host
• Service port
• Application
• User behavior

9
Analyze Tools

• Device built-in functions
• LED status
• LCD messages
• MRTG
• SNMP MIB-II
• NetFlow
• Cisco Routers w/ NetFlow export function
• Switch w/ mirror/SPAN NetFlow generator

10
SNMP MIB-II
11
SNMP MIB-II

• Simple Network Management Protocol
• RFC 1157
• Management Information Base
• RFC 1213

12
Simple Network Management Protocol Architecture
MANAGER
SNMP
SNMP
SNMP
MIB
AGENTS
AGENTS
AGENTS
13
SNMP Operations
SNMP Manager
SNMP Agent
GetRequest
UDP port 161
GetResponse
GetNextRequest
UDP port 161
GetResponse
SetRequest
UDP port 161
GetResponse
Trap
UDP port 162
14
MIB Object Names
root
itu(2)
iso(1)
org(3)
dod(6)
internet(1)
directory(1)
mgmt(2)
experiment(3)
private(4)
enterprise(1)
mib(1)
system(1)
interface(2)
at(3)
ip(4)
icmp(5)
tcp(6)
udp(7)
15
MIB-II

• Common Operational Statistics (RFC 1857)
• ifInUcastPkts (unicast packets in)
• ifOutUcastPkts (unicast packets out)
• ifInNUcastPkts (non-unicast packets in)
• ifOutNUcastPkts (non-unicast packets out)
• ifInOctets (octets in)
• ifOutOctets (octets out)

16
MRTG
17
MRTG (Multi Router Traffic Grapher)

• A tool to monitor the traffic load on
  network-links.
• Generates HTML pages containing graphical images
  which provide a LIVE visual representation of
  this traffic.
• Based on Perl and C and works under UNIX and
  Windows NT.

18
MRTG (I) An Example
Byte per Second
Packet per Second
19
MRTG (II) A Suspicious Case
Excess Outgoing Packets
20
MRTG (III) Other Applications
Router CPU Utilization
Mail Server Queue Length
21
MRTG Track Back

• Deploy MRTG on each switch w/ SNMP support
• In case of abnormal traffic behavior, with each
  link information, we may be able to trace back to
  the switch port which nearest the problem node.
• With SNMP SET, we may disable that port as a
  temporal solution.

22
NetFlow
23
Why NetFlow ?

• NetFlow statistics empowers users with the
  ability to characterize their IP data flows
• The who, what, where, when, and how much IP
  traffic questions are answered
• Offers a rich data set to be mined for network
  management, traffic engineering, and value-added
  service offerings (i.e. marketing data, personal
  NMS data)

24
What is a Flow?

• Defined by 7 unique keys
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• TOS byte (DSCP)
• Input logical interface (ifIndex)

25
NetFlow Version 5 Format
26
NetFlow Collection
Internet
NetFlow
NetFlow Collector
Campus Network
Department Network
27
NetFlow Example I
Date In (GB) Out (GB)
Mon Nov 17 2003 924 1730
Sun Nov 16 2003 665 1506
Sat Nov 15 2003 847 1780
Fri Nov 14 2003 893 1623
Thu Nov 13 2003 891 1627
Wed Nov 12 2003 926 1607
Tue Nov 11 2003 825 1425
28
NetFlow Example II
Out-going Traffic (SRC IP) Out-going Traffic (SRC IP) Out-going Traffic (SRC IP) Out-going Traffic (SRC IP) Out-going Traffic (SRC IP) Out-going Traffic (SRC IP)
No FQDN IP Address Octets (MB) Note
1 140.--.--.158 49619 2.80 AB
2 140.--.--.34 46253 2.61 Dept
3 140.--.--.27 27024 1.53 Dept
4 140.--.--.92 24608 1.39 AB
5 140.--.--.157 19396 1.09 AB
29
NetFlow Example III
Destination Hosts 100 Destination Hosts 100 Destination Hosts 100 Destination Hosts 100 Destination Hosts 100 Destination Hosts 100 Destination Hosts 100 Destination Hosts 100
No FQDN IP Address Octets (KB) Packets (K) Packet Size Note
1 140.---.119.41 12378667 24.36 8814 1404 450
2 163.25.---.37 3877362 7.63 2761 1404 178
3 163.25.---.39 2620457 5.16 1867 1403 190
4 ---.203.138.86 2359499 4.64 1680 1404 93
5 ---.66.245.245 2343650 4.61 1669 1404 131
30
NetFlow Example IV
SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1 SRC PORT TCP1849 UDP1
No Prot. Port Con Octets (KB) Packets Packet Size Note
1 TCP 32120 843 8569782 16.87 9055670 969 914
2 TCP 32121 771 2686 0.01 36580 75 1526
3 UDP 137 12 2 0.00 16 123 16
4 TCP 6112 9 7223 0.01 57300 129 14
5 TCP 139 4 1 0.00 14 44 4
31
Internet Worm Problem
Internet
Network Security Responding System
NetFlow Analyzer
Web Pages
NetFlow
Manual Control
Notifying System
Blocking System
IP
32
Open Mail Relay Problem
Open Relay Analyzer
IPPort
IP
NetFlow Analyzer
NetFlow
Blocking System
Notifying System
33
Feature Works
34
The Issues

• Octets vs. Contents
• Service port vs. Application
• Quantity vs. Quality
• Network Security
• Personal Privacy

35
Reference

• University of Twente, Netherlands, SimpleWeb,
  http//www.simpleweb.org/
• Tobias Oetiker, Dave Rand, MRTG,
  http//people.ee.ethz.ch/oetiker/webtools/mrtg/
• Tobi Oetiker, RRDtool, http//people.ee.ethz.ch/
  oetiker/webtools/rrdtool/
• Cisco Systems, Inc., Cisco IOS NetFlow,
  http//www.cisco.com/go/netflow
• Mark Fullmer, flow-tools, http//www.splintered.
  net/sw/flow-tools/
• ntop.org, ntop, http//www.ntop.org/
• Slava Astashonok, fprobe, http//sourceforge.net
  /projects/fprobe

36
Thank You!

• Q A