interpreting network traffic flows
Post on 31-Dec-2015
Interpreting Network Traffic Flows
Bill Jensen, Paul Nazario and Perry Brunelli
Agenda
1. How did we get here
2. Network monitoring tools
3. Sample graphs
Shawn Fanning http://www.time.com/time/magazine/articles/0,3266,55730,00.html
Napster
Taming Bandwidth Hogs . . . How can your campus do it?
Ana Preston, University of Tennessee
Linda Roos, University of Nebraska, Lincoln
Tuesday, 11:45, Marquis 4
www.funnytimes.com
A simple question
CIO requested that we estimate Internet transit requirements for the next 18 months
Sources
www.research.att.com/~amo/doc/networks.html
http://www.research.microsoft.com/~Gray/Moore_Law.html
What are current bandwidth requirements?
What do we receive from our provider?
A few words about UW Internet access
WiscNet is a state education-based ISP - founded with help from UW-Madison
Charter membership included 14 UW-System universities and 8 private colleges
WiscNet now serves over 500 educational institutions - predominantly K-12
The WiscNet backbone
Comprised of OC-3 links connecting UW-Madison, UW-Milwaukee, the Chicago NAP and the Ameritech Advanced Data Service Center (AADS), also in Chicago.
WiscNet Services
Internet transport and transit
Internet 2 transport
Peering transport at AADS
Current bandwidth requirements continued...
Inbound vs. outbound traffic
Usage caps
Prime time usage
Peering and I2 traffic
Effect of peer-to-peer networking and future policy on usage/fair utilization
www.wiscnet.net
What is a flow?
Host-to-host conversation that includes the IP address and port number for each host.
Representation of a series of packets traveling between two end-points.
A unidirectional series of IP packets of a given protocol, traveling between a source and destination within a certain period of time.
Flow as represented by log
Easy to think of it as we would a sniffer trace - bits and bytes seen traversing the wire
In actuality, the flows are the accounting record or log of activity as reported by the router
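An added example, not from the original slides and not FlowScan or cflowd code: it builds unidirectional flow records from individual packets, the way the definition above describes, so the difference between a packet trace and the accounting log is visible. The packet list, the 15-second idle timeout and the "10." campus prefix are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample packets: (time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (0.0,  "10.0.0.5", 40000, "192.0.2.10", 80, 6, 60),
    (0.1,  "192.0.2.10", 80, "10.0.0.5", 40000, 6, 1500),
    (0.2,  "10.0.0.5", 40000, "192.0.2.10", 80, 6, 400),
    (0.3,  "192.0.2.10", 80, "10.0.0.5", 40000, 6, 1500),
    (5.0,  "10.0.0.7", 53000, "192.0.2.53", 53, 17, 70),
    (40.0, "10.0.0.5", 40000, "192.0.2.10", 80, 6, 60),  # same key, after idle gap
]

Flow = namedtuple("Flow", "src sport dst dport proto first last packets octets")

def build_flows(packets, idle_timeout=15.0):
    """Aggregate packets into unidirectional flow records.

    idle_timeout is an assumed value for this example: a flow is closed once
    no packet with the same key has been seen for that many seconds.
    """
    active, expired = {}, []
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (src, sport, dst, dport, proto)  # direction matters: A->B != B->A
        cur = active.get(key)
        if cur and ts - cur["last"] > idle_timeout:
            expired.append(Flow(*key, **cur))  # idle too long: emit the record
            cur = None
        if cur is None:
            cur = active[key] = {"first": ts, "last": ts, "packets": 0, "octets": 0}
        cur["last"] = ts
        cur["packets"] += 1
        cur["octets"] += size
    expired.extend(Flow(*key, **cur) for key, cur in active.items())
    return sorted(expired, key=lambda f: (f.first, f.src))

def inbound_outbound(flows, campus_prefix="10."):
    """Sum octets per direction; campus_prefix is a constructed stand-in."""
    totals = {"in": 0, "out": 0}
    for f in flows:
        totals["out" if f.src.startswith(campus_prefix) else "in"] += f.octets
    return totals

if __name__ == "__main__":
    for f in build_flows(PACKETS):
        print(f)
    print(inbound_outbound(build_flows(PACKETS)))
```

Six packets collapse into four flow records: the web conversation appears as two flows (one per direction), and the late packet on the same key starts a new flow because the earlier one had already idled out.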
Measurement Tools - Flowscan
Flowscan - freely available perl scripts and modules that aggregate other freely available tools for representing flows
Analyzes and reports on NetFlow data collected by CAIDA’s cflowd
Stored using RRDtool - time series data
Flowscan provides reporting capabilities and visualization of flow data
Example
cflowd receives flow data from the router and writes it to disk.
Flowscan parses/massages data from cflowd and stores the results in RRD format.
RRDtool graph produces graphs from RRD files.
More on FlowScan
See http://net.doit.wisc.edu/~plonka/lisa/FlowScan/
plonka@doit.wisc.edu
http://mil.doit.wisc.edu/~plonka/
Dave ->
General Flowscan Graphs
Network Events Captured by FlowScan
New Development
wwwstats.net.wisc.edu/CampusIO/top/originAS.html
wwwstats.net.wisc.edu/CampusIO/top/128.104.16.0_22_top.html
“It’s easier to ride a horse in the direction it’s going”
Daniel Burrus
www.burrus.com