Network Diagnostics Using Passive Network Monitoring and Packet Analysis
Martin Holkovič, CESNET, Czech Republic
Ondřej Ryšavý, Brno University of Technology, Czech Republic
Motivation
Diagram labels: User tries to send an e-mail; Network administrator; diagnostics report; SMTP server
(image source: https://www.flowmon.com/en/products/flowmon/traffic-recorder)
Why it is not an easy problem
Network Diagnostics Using Passive Network Monitoring and Packet Analysis 3/18
• Each protocol is different
• Each network is different
• Dependencies between services
• Requires deep knowledge and a lot of time
Bahl, P.; Chandra, R.; Greenberg, A.; et al.: Towards highly reliable enterprise network services via inference of multi-level dependencies. In ACM SIGCOMM Computer Communication Review, vol. 37, ACM, 2007, pp. 13–24
Possible methods
• Wireshark – manual
• How are the data accessed?
  • Active
  • Passive
• How is the model created?
  • Learned
  • Predefined
Our goals
• Passive analysis from PCAP file
• Predefined rule-based tree model
• Automate the administrator’s actions
• Readable diagnostic output
• Easily extensible by an administrator
Proposed architecture
Protocols Analyzer
• Using Tshark (Wireshark)
• Supports over 3,000 protocols and over 227,000 fields
• Integrated lower layers analysis
• JSON output
Events Finder
• Simulates the questions a real administrator would ask
  • E.g., SMTP authentication
• Two-step process:
  1. Find specific packets
  2. Create tuples from the packets fulfilling the conditions
Tree Engine
• Binary tree
  • Two next states
• Each node refers to the Events Finder
• State represents the knowledge
• Integrates Python code
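The two slides above describe the Events Finder (select packets, then form tuples from the ones meeting the conditions) and the Tree Engine (a binary tree whose nodes ask the Events Finder a question and branch into one of two next states). The following Python is an added illustration written for this page, not the authors' tool: it runs a miniature SMTP-authentication diagnosis over a constructed packet list. The field names (`frame.number`, `tcp.stream`, `smtp.req.command`, `smtp.response.code`) are Wireshark display-filter names; real `tshark -T json` output nests them under protocol layers and emits values as strings, so the flattened, typed packet list here is a simplification for the example.

```python
"""Added example (not the slide authors' code): Events Finder + Tree Engine
in miniature, run over a constructed tshark-style packet list."""
import json
from dataclasses import dataclass
from typing import Union

# Constructed sample, not a real capture. Stream 7: a client sends AUTH and
# the server answers 535 (rejected). Stream 8: AUTH answered with 235 (ok).
SAMPLE_PACKETS = [
    {"frame.number": 1, "tcp.stream": 7, "smtp.req.command": "EHLO"},
    {"frame.number": 2, "tcp.stream": 7, "smtp.response.code": 250},
    {"frame.number": 3, "tcp.stream": 7, "smtp.req.command": "AUTH"},
    {"frame.number": 4, "tcp.stream": 7, "smtp.response.code": 535},
    {"frame.number": 5, "tcp.stream": 8, "smtp.req.command": "AUTH"},
    {"frame.number": 6, "tcp.stream": 8, "smtp.response.code": 235},
]

ANY = lambda value: True  # condition that only requires the field to exist


def matches(packet, conditions):
    """True if every condition holds; a condition value is a literal or a predicate."""
    for name, want in conditions.items():
        if name not in packet:
            return False
        if callable(want):
            if not want(packet[name]):
                return False
        elif packet[name] != want:
            return False
    return True


def find_packets(packets, conditions):
    """Events Finder, step 1: select the packets satisfying the conditions."""
    return [p for p in packets if matches(p, conditions)]


def find_events(packets, request, response, key="tcp.stream"):
    """Events Finder, step 2: pair each matching request with the first later
    matching packet on the same stream, producing (request, response) tuples."""
    events = []
    responses = find_packets(packets, response)
    for req in find_packets(packets, request):
        for resp in responses:
            if resp.get(key) == req.get(key) and resp["frame.number"] > req["frame.number"]:
                events.append((req, resp))
                break
    return events


@dataclass
class Node:
    """Tree Engine node: one Events Finder question and two next states.
    A next state is either another Node or a final result string (a leaf)."""
    state: str
    request: dict
    response: dict
    yes: Union["Node", str]
    no: Union["Node", str]


# Constructed diagnostic tree for "why can't the user authenticate to SMTP?"
SMTP_AUTH_TREE = Node(
    state="auth_attempted",
    request={"smtp.req.command": "AUTH"},
    response={"smtp.response.code": ANY},
    yes=Node(
        state="auth_rejected",
        request={"smtp.req.command": "AUTH"},
        response={"smtp.response.code": lambda code: 500 <= code < 600},
        yes="smtp_auth_failed",
        no="smtp_auth_ok",
    ),
    no="no_auth_attempt",
)


def run_tree(root, packets):
    """Walk the tree; every visited node becomes an output record that cites
    the evidence frames and links to the next state (the Output creator idea)."""
    records = []
    node = root
    while isinstance(node, Node):
        events = find_events(packets, node.request, node.response)
        next_node = node.yes if events else node.no
        records.append({
            "state": node.state,
            "answer": bool(events),
            "frames": [[req["frame.number"], resp["frame.number"]] for req, resp in events],
            "next": next_node.state if isinstance(next_node, Node) else next_node,
        })
        node = next_node
    return {"result": node, "records": records}


if __name__ == "__main__":
    print(json.dumps(run_tree(SMTP_AUTH_TREE, SAMPLE_PACKETS), indent=2))
```

On the sample, the root node finds two AUTH/response tuples (frames 3–4 and 5–6), so the walk proceeds to `auth_rejected`, which keeps only the 5xx-answered tuple (frames 3–4) and ends in `smtp_auth_failed`; the emitted records let an administrator jump straight to the frames that justify each step.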
Output creator
• Predefined output records
• Creates links between records
• JSON format
Rules – Events Finder
Rules – Tree Engine
Rules - Output
Supported protocols
Future work
• Use other passive data sources
  • Syslog
  • SNMP traps
• Optimize performance
  • Filtering input data
  • Indexing key data for faster processing
Conclusion
• Network administrators need to diagnose problems
• Diagnostics is a time- and knowledge-intensive activity
• We use PCAP files as the data source
• We have implemented tree-based analysis
• The diagnostic output is easy to understand