NetFlow - Stanford University


NetFlow

Very useful for traffic analysis

Standard samplers (router-side flow export with packet sampling):
– Cisco NetFlow
– Juniper Traffic Sampling

Parameters:
– Flow export timers (active and inactive timeouts: determine when a flow's record is expired from the exporter's cache and exported, i.e. when the current flow info gets written out)
– Sampling scheme (deterministic 1-in-N, stratified, simple random)
– Sampling rate (e.g. 1/100 or 1/1000 packets; packet and byte counts must be scaled back up before being compared with unsampled data)

Available resources:
– GEANT network routers in Europe
– Abilene (Internet2) routers in the US
– GT ingress/egress (Dr. Russ Clark), in three variants:
  – 1/1000 deterministic sampling, unanonymized
  – 1/100 deterministic sampling, anonymized
  – unsampled, anonymized
NetFlow (contd.)

NetFlow format (24 comma-separated fields, in this order; the names are those used by the flow-tools export):
– unix_secs, unix_nsecs, sysuptime, exaddr, dpkts, doctets, first, last,
engine_type, engine_id, srcaddr, dstaddr, nexthop, input, output, srcport,
dstport, prot, tos, tcp_flags, src_mask, dst_mask, src_as, dst_as
– unix_secs/unix_nsecs and sysuptime are the exporter's clock at export time; first and last are the sysuptime (ms) of the flow's first and last packet, so last - first is the flow duration
– dpkts/doctets are the (sampled) packet and byte counts; tcp_flags is the OR of all TCP flags seen on the flow (0 for non-TCP)

NetFlow data example (src/dst addresses have their last octet zeroed, i.e. anonymized to /24; the exporter address 198.32.11.5 is not):
1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175442525,3175442525,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3864,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175451974,3175451974,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,6,3768,3175398562,3175449061,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,24,16,16,25656,52
1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
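The field list and the records above are enough to do real analysis on. The Python below is an added example, not code from the slides: it parses the ten records copied from the slide using the 24-field order given above, decodes the protocol and the tcp_flags bit mask, recovers duration and absolute start time from the sysuptime-relative first/last fields, scales counts back up for a 1-in-N sampling rate, and flags sources whose single-packet ICMP flows or SYN-only TCP flows fan out to many distinct destinations (the four ICMP records from 130.18.248.0 are exactly that pattern). The sampling rate of 100, the fan-out threshold of 4 and the "probe-like" heuristic are assumptions for illustration.

```python
"""Parse flow-tools style NetFlow CSV records and flag probe-like fan-out.

Added example. The records below are copied from the slide; the sampling
rate, the fan-out threshold and the probe heuristic are assumptions.
"""
from collections import defaultdict

# Field order of the CSV export as listed on the slide (24 fields).
FIELDS = ("unix_secs unix_nsecs sysuptime exaddr dpkts doctets first last "
          "engine_type engine_id srcaddr dstaddr nexthop input output srcport "
          "dstport prot tos tcp_flags src_mask dst_mask src_as dst_as").split()
ADDR_FIELDS = {"exaddr", "srcaddr", "dstaddr", "nexthop"}

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The slide's example records (addresses already anonymized to /24).
SAMPLE_RECORDS = """\
1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175442525,3175442525,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3864,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175451974,3175451974,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,6,3768,3175398562,3175449061,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,24,16,16,25656,52
1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
""".splitlines()


def parse_record(line):
    """One CSV line -> dict; reject malformed records instead of silently misaligning fields."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return {name: (val if name in ADDR_FIELDS else int(val))
            for name, val in zip(FIELDS, parts)}


def tcp_flags_str(flags):
    """Decode the OR of all TCP flags seen on the flow, e.g. 24 -> 'PSH|ACK'."""
    return "|".join(name for name, bit in TCP_FLAG_BITS if flags & bit)


def flow_duration_ms(rec):
    """first/last are router sysuptime values in ms, so their difference is the active span."""
    return rec["last"] - rec["first"]


def flow_start_epoch(rec):
    """Absolute start time: export time minus how long before export the first packet was seen."""
    return rec["unix_secs"] + rec["unix_nsecs"] / 1e9 - (rec["sysuptime"] - rec["first"]) / 1000.0


def estimated_counts(rec, sampling_rate):
    """Undo 1-in-N packet sampling: each sampled packet stands for roughly N on the wire."""
    return rec["dpkts"] * sampling_rate, rec["doctets"] * sampling_rate


def is_probe_like(rec):
    """Heuristic (assumption): tiny ICMP flows and SYN-only TCP flows are what sweeps and scans look like."""
    if rec["prot"] == 1:
        return rec["dpkts"] <= 2
    if rec["prot"] == 6:
        return rec["tcp_flags"] == 0x02
    return False


def probe_fanout(records, min_targets):
    """Sources whose probe-like flows reach at least min_targets distinct destinations."""
    targets = defaultdict(set)
    for rec in records:
        if is_probe_like(rec):
            targets[rec["srcaddr"]].add(rec["dstaddr"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def summarize(rec, sampling_rate):
    """Human-readable one-liner per flow with sampling-corrected counts."""
    proto = PROTO_NAMES.get(rec["prot"], str(rec["prot"]))
    pkts, octets = estimated_counts(rec, sampling_rate)
    return (f"{proto:4} {rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"flags={tcp_flags_str(rec['tcp_flags']) or '-'} dur={flow_duration_ms(rec)}ms "
            f"~{pkts}pkts/{octets}B AS{rec['src_as']}->AS{rec['dst_as']}")


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_RECORDS]
    for rec in recs:
        print(summarize(rec, sampling_rate=100))
    for src, dsts in probe_fanout(recs, min_targets=4).items():
        print(f"fan-out: {src} probed {len(dsts)} distinct destinations: {sorted(dsts)}")
```

Two caveats the code makes visible: with anonymized /24 addresses a "fan-out to 4 destinations" is really 4 destination networks, so thresholds tuned on unanonymized data do not transfer; and because dpkts is a sampled count, a one-packet ICMP record under 1/100 sampling may stand for anything from 1 to a few hundred packets, which is why the scan heuristic keys on distinct destinations rather than on volume.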

TCPDump data example (same /24 anonymization; old tcpdump one-line format, "." means no SYN/FIN/RST/PSH flag set):
1144154983.524877 IP 220.135.232.0.61606 > 130.207.208.0.32459: . ack 2904096123 win 65535
1144154983.524950 IP 140.247.56.0.443 > 199.77.128.0.39948: . 1448:2896(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
1144154983.524985 IP 216.77.184.0.37169 > 130.207.240.0.119: . 2920:4380(1460) ack 1 win 49640
1144154983.525037 IP 64.215.168.0.80 > 199.77.200.0.50643: . 747182892:747184340(1448) ack 742379073 win 14416 <nop,nop,timestamp 4096146186 3508922431>
1144154983.525039 IP 217.129.248.0.2585 > 130.207.160.0.443: . ack 4289220173 win 65201
1144154983.525064 IP 64.215.168.0.80 > 199.77.200.0.50643: . 1448:2896(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
1144154983.525066 IP 65.196.176.0.80 > 199.77.200.0.64548: R 0:0(0) ack 1 win 0
1144154983.525079 IP 140.247.56.0.443 > 199.77.128.0.39948: . 2896:4344(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
1144154983.525092 IP 64.215.168.0.80 > 199.77.200.0.50643: . 2896:4344(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
1144154983.525105 IP 64.215.168.0.80 > 199.77.200.0.50643: . 5792:7240(1448) ack
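The flow export timers listed under Parameters and the packet lines above are two views of the same data: an exporter turns packets like these into NetFlow records by grouping them on the source/destination address and port tuple and closing a record on a teardown flag, on an inactive timeout (no packet for a while) or on an active timeout (a long-lived flow gets a partial record so statistics stay timely). The Python below is an added example, not code from the slides: it parses the slide's old-style tcpdump lines (TCP lines only, each timestamp rejoined to its packet), appends four constructed packets 20 to 51 seconds later so that both timers fire, and reports why each record was exported. The 30 s active and 15 s inactive timeouts are assumed values.

```python
"""Aggregate tcpdump packet lines into NetFlow-style flow records with active/inactive timers.

Added example. The first ten lines are the slide's capture (timestamp rejoined to its
packet line); the last four are constructed to trigger the timers. Timer values are assumed.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Old tcpdump TCP line as on the slide: "ts IP a.b.c.d.port > e.f.g.h.port: FLAGS [seq:end(len)] ack ..."
PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?")

SAMPLE_LINES = [
    "1144154983.524877 IP 220.135.232.0.61606 > 130.207.208.0.32459: . ack 2904096123 win 65535",
    "1144154983.524950 IP 140.247.56.0.443 > 199.77.128.0.39948: . 1448:2896(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>",
    "1144154983.524985 IP 216.77.184.0.37169 > 130.207.240.0.119: . 2920:4380(1460) ack 1 win 49640",
    "1144154983.525037 IP 64.215.168.0.80 > 199.77.200.0.50643: . 747182892:747184340(1448) ack 742379073 win 14416 <nop,nop,timestamp 4096146186 3508922431>",
    "1144154983.525039 IP 217.129.248.0.2585 > 130.207.160.0.443: . ack 4289220173 win 65201",
    "1144154983.525064 IP 64.215.168.0.80 > 199.77.200.0.50643: . 1448:2896(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>",
    "1144154983.525066 IP 65.196.176.0.80 > 199.77.200.0.64548: R 0:0(0) ack 1 win 0",
    "1144154983.525079 IP 140.247.56.0.443 > 199.77.128.0.39948: . 2896:4344(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>",
    "1144154983.525092 IP 64.215.168.0.80 > 199.77.200.0.50643: . 2896:4344(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>",
    "1144154983.525105 IP 64.215.168.0.80 > 199.77.200.0.50643: . 5792:7240(1448) ack",
    # Constructed (not from the capture): the 64.215.168.0:80 flow resumes 20 s later and then
    # keeps sending every ~10 s, so the inactive timer fires first and the active timer later.
    "1144155003.525000 IP 64.215.168.0.80 > 199.77.200.0.50643: . 7240:8688(1448) ack 1 win 14416",
    "1144155013.525000 IP 64.215.168.0.80 > 199.77.200.0.50643: . 8688:10136(1448) ack 1 win 14416",
    "1144155023.525000 IP 64.215.168.0.80 > 199.77.200.0.50643: . 10136:11584(1448) ack 1 win 14416",
    "1144155034.525000 IP 64.215.168.0.80 > 199.77.200.0.50643: . 11584:13032(1448) ack 1 win 14416",
]

# flags holds the S/F/R/P letters tcpdump prints ("." becomes ""); payload is the "(len)" byte count.
Packet = namedtuple("Packet", "ts src sport dst dport flags payload")


@dataclass
class Flow:
    key: tuple
    first: float
    last: float
    pkts: int = 0
    octets: int = 0
    flags: set = field(default_factory=set)
    reason: str = ""   # why the record was exported: rst/fin, inactive, active, end


def parse_packet(line):
    """Parse one tcpdump line; unknown formats (ICMP, UDP, newer tcpdump) raise instead of guessing."""
    m = PKT_RE.match(line)
    if not m:
        raise ValueError(f"not a TCP line in the expected format: {line!r}")
    flags = "" if m["flags"] == "." else m["flags"]
    return Packet(float(m["ts"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  flags, int(m["len"] or 0))


class FlowTable:
    """Unidirectional 4-tuple flow cache with the two timers a NetFlow exporter uses."""

    def __init__(self, active_timeout, inactive_timeout):
        self.active_timeout, self.inactive_timeout, self.flows = active_timeout, inactive_timeout, {}

    def _expire(self, now, force_reason=None):
        """Pop flows whose timer ran out (or every flow, at shutdown) and return their records."""
        exported = []
        for key, fl in list(self.flows.items()):
            if force_reason:
                fl.reason = force_reason
            elif now - fl.last > self.inactive_timeout:
                fl.reason = "inactive"   # idle: the flow is over, export the record
            elif now - fl.first > self.active_timeout:
                fl.reason = "active"     # long-lived: export a partial record so stats stay timely
            else:
                continue
            exported.append(self.flows.pop(key))
        return exported

    def add(self, pkt):
        """Run the timers at this packet's time, then account the packet to its flow."""
        exported = self._expire(pkt.ts)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        fl = self.flows.setdefault(key, Flow(key, pkt.ts, pkt.ts))
        fl.last, fl.pkts, fl.octets = pkt.ts, fl.pkts + 1, fl.octets + pkt.payload
        fl.flags.update(pkt.flags)
        if "R" in pkt.flags or "F" in pkt.flags:   # teardown ends the flow at once
            fl.reason = "rst/fin"
            exported.append(self.flows.pop(key))
        return exported

    def flush(self):
        return self._expire(None, force_reason="end")


def build_flows(lines, active_timeout=30.0, inactive_timeout=15.0):
    """Feed packet lines through the flow table; returns records in export order."""
    table, exported = FlowTable(active_timeout, inactive_timeout), []
    for line in lines:
        exported.extend(table.add(parse_packet(line)))
    exported.extend(table.flush())
    return exported


if __name__ == "__main__":
    for fl in build_flows(SAMPLE_LINES):
        print(f"{fl.key[0]}:{fl.key[1]} -> {fl.key[2]}:{fl.key[3]} pkts={fl.pkts} "
              f"octets={fl.octets} flags={''.join(sorted(fl.flags)) or '-'} exported={fl.reason}")
```

Note what the timers do to analysis: the resumed 64.215.168.0:80 connection appears as three separate records (one closed as inactive, one as active, one at the end), which is why flow-based tools that count "connections" or compute durations must re-merge records that share a key before drawing conclusions, and why a scanner that paces probes slower than the inactive timeout shows up as many one-packet flows rather than as one long one.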
ns2

Important components:
– Basic ns2 code downloaded from http://www.isi.edu/nsnam
– TCL script to setup and simulate the test environment
– Topology generator (Ex: GT-ITM)

Example Tcl script:
#Create a simulator object
set ns [new Simulator]

#Define different colors for data flows (class_ 1 and 2 below)
$ns color 1 Blue
$ns color 2 Red

#Open the nam trace file
set nf [open out.nam w]
$ns namtrace-all $nf

#Define a 'finish' procedure
proc finish {} {
    global ns nf
    $ns flush-trace
    #Close the trace file
    close $nf
    exit 0
}

#Create four nodes
set n0 [$ns node]
set n1 [$ns node]
set n2 [$ns node]
set n3 [$ns node]

#Create links between the nodes
$ns duplex-link $n0 $n2 1Mb 10ms DropTail
$ns duplex-link $n1 $n2 1Mb 10ms DropTail
$ns duplex-link $n3 $n2 1Mb 10ms SFQ

#Layout hints for nam
$ns duplex-link-op $n0 $n2 orient right-down
$ns duplex-link-op $n1 $n2 orient right-up
$ns duplex-link-op $n2 $n3 orient right

#Monitor the queue for the link between node 2 and node 3
$ns duplex-link-op $n2 $n3 queuePos 0.5

#Create a UDP agent and attach it to node n0
set udp0 [new Agent/UDP]
$udp0 set class_ 1
$ns attach-agent $n0 $udp0

#Create a CBR traffic source and attach it to udp0
set cbr0 [new Application/Traffic/CBR]
$cbr0 set packetSize_ 500
$cbr0 set interval_ 0.005
$cbr0 attach-agent $udp0

#Create a UDP agent and attach it to node n1
#(supplied here: udp1 is used below but its creation was cut from the slide)
set udp1 [new Agent/UDP]
$udp1 set class_ 2
$ns attach-agent $n1 $udp1

#Create a CBR traffic source and attach it to udp1
set cbr1 [new Application/Traffic/CBR]
$cbr1 set packetSize_ 500
$cbr1 set interval_ 0.005
$cbr1 attach-agent $udp1

#Create a Null agent (a traffic sink) and attach it to node n3
set null0 [new Agent/Null]
$ns attach-agent $n3 $null0

#Connect the traffic sources with the traffic sink
$ns connect $udp0 $null0
$ns connect $udp1 $null0

#Schedule events for the CBR agents
$ns at 0.5 "$cbr0 start"
$ns at 1.0 "$cbr1 start"
$ns at 4.0 "$cbr1 stop"
$ns at 4.5 "$cbr0 stop"

#Call the finish procedure after 5 seconds of simulation time
$ns at 5.0 "finish"

#Run the simulation (without this call nothing scheduled above executes)
$ns run
ns2 (contd.)

Topology
– Create a spec file ("geo" generates flat intra-domain topologies; use "ts" for inter-domain transit-stub topologies):
## Comments:
## <#method keyword> <#number of graphs> [<#initial seed>]
## <#stubs/xit> <#t-s edges> <#s-s edges>            (transit-stub specs only)
## <#n> <#scale> <#edgemethod> <#alpha> [<#beta>] [<#gamma>]
## number of nodes = 1*8* (1 + 4*6) = 200            (transit-stub count; a geo spec simply generates n nodes)
geo 5 100 10 3 0.5
– Execute command: itm <spec file>
– Generates the topology in Stanford GraphBase (SGB) format, for example (excerpt; only the first arcs are shown):
* GraphBase graph (util_types ZZZIIZIZIZZZZZ,9V,102A)
"geo(0,{5,10,3,1.000,0.000,0.000})",5,20,10
* Vertices
"0",A6,3,2
"1",A12,9,9
"2",A16,2,4
"3",A18,8,4
"4",A19,2,1
"",0,0,0
"",0,0,0
"",0,0,0
"",0,0,0
* Arcs
V1,0,9,0
V0,0,9,0
V2,A0,2,0
V0,0,2,0
V3,A2,5,0
V0,0,5,0
V4,A4,1,0
– Convert SGB to NS format using sgb2ns command