Interpreting Network Traffic Flows Bill Jensen Paul Nazario
Interpreting Network Traffic Flows Bill Jensen, Paul Nazario and Perry Brunelli
Agenda
1. How did we get here
2. Network monitoring tools
3. Sample graphs
Napster
- Shawn Fanning
- http://www.time.com/time/magazine/articles/0,3266,55730,00.html
Taming Bandwidth Hogs... How can your campus do it?
Ana Preston, University of Tennessee
Linda Roos, University of Nebraska, Lincoln
Tuesday, 11:45, Marquis 4
www.funnytimes.com
A simple question
- CIO requested that we estimate Internet transit requirements for the next 18 months
Sources
- www.research.att.com/~amo/doc/networks.html
- http://www.research.microsoft.com/~Gray/Moore_Law.html
What are current bandwidth requirements? What do we receive from our provider?
A few words about UW Internet access
- WiscNet is a state education-based ISP, founded with help from UW-Madison
- Charter membership included 14 UW System universities and 8 private colleges
- WiscNet now serves over 500 educational institutions, predominantly K-12
The WiscNet backbone
- Comprised of OC-3 links connecting UW-Madison, UW-Milwaukee, the Chicago NAP and the Ameritech Advanced Data Service Center (AADS), also in Chicago.
WiscNet Services
- Internet transport and transit
- Internet2 transport
- Peering transport at AADS
Current bandwidth requirements continued...
- Inbound vs. outbound traffic
- Usage caps
- Prime time usage
- Peering and I2 traffic
- Effect of peer-to-peer networking and future policy on usage/fair utilization
www.wiscnet.net
What is a flow?
- Host-to-host conversation that includes the IP address and port number for each host.
- Representation of a series of packets traveling between two end-points.
- A unidirectional series of IP packets of a given protocol, traveling between a source and destination within a certain period of time.
Flow as represented by log
- Easy to think of it as we would a sniffer trace: bits and bytes seen traversing the wire
- In actuality, the flows are the accounting record or log of activity as reported by the router
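The flow definition above, worked through as an added example (not from the original slides and not FlowScan or cflowd code): packets are collapsed into unidirectional accounting records, and a record is closed once the conversation goes quiet. The 30-second idle timeout, the campus prefix 203.0.113.0/24 and the packet list are constructed assumptions.

```python
import ipaddress

IDLE_TIMEOUT = 30.0  # seconds; assumed value for this example
CAMPUS = ipaddress.ip_network("203.0.113.0/24")  # hypothetical campus prefix

# Constructed packets: (time_s, src, sport, dst, dport, proto, bytes)
PACKETS = [
    (0.0, "203.0.113.10", 40000, "192.0.2.80", 80, "tcp", 60),
    (0.1, "192.0.2.80", 80, "203.0.113.10", 40000, "tcp", 1500),
    (0.2, "192.0.2.80", 80, "203.0.113.10", 40000, "tcp", 1500),
    (0.3, "203.0.113.10", 40000, "192.0.2.80", 80, "tcp", 52),
    (90.0, "203.0.113.10", 40000, "192.0.2.80", 80, "tcp", 60),  # after an idle gap
    (90.5, "203.0.113.22", 53000, "198.51.100.5", 53, "udp", 70),
]

def build_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Collapse packets into unidirectional flow records (the log, not the trace)."""
    active, finished = {}, []
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (src, sport, dst, dport, proto)  # direction matters: A->B is not B->A
        flow = active.get(key)
        if flow and ts - flow["end"] > idle_timeout:
            finished.append(active.pop(key))  # idle too long: close the record
            flow = None
        if flow is None:
            flow = active[key] = {"key": key, "start": ts, "end": ts,
                                  "packets": 0, "bytes": 0}
        flow["end"] = ts
        flow["packets"] += 1
        flow["bytes"] += size
    return finished + list(active.values())

def direction_totals(flows, campus=CAMPUS):
    """Sum flow bytes as inbound or outbound relative to the campus prefix."""
    totals = {"inbound": 0, "outbound": 0}
    for flow in flows:
        src_in = ipaddress.ip_address(flow["key"][0]) in campus
        dst_in = ipaddress.ip_address(flow["key"][2]) in campus
        if src_in and not dst_in:
            totals["outbound"] += flow["bytes"]
        elif dst_in and not src_in:
            totals["inbound"] += flow["bytes"]
    return totals

if __name__ == "__main__":
    for record in build_flows(PACKETS):
        print(record)
    print(direction_totals(build_flows(PACKETS)))
```

One TCP conversation yields three records here: one per direction, plus a second outbound record because the gap before the packet at 90.0 s exceeds the idle timeout.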
Measurement Tools - Flowscan
- Flowscan: freely available Perl scripts and modules that aggregate other freely available tools for representing flows
- Analyzes and reports on NetFlow data collected by CAIDA's cflowd
- Stored using RRDtool (time series data)
- Flowscan provides reporting capabilities and visualization of flow data
Example
- cflowd receives flow data from the router and writes it to disk.
- Flowscan parses/massages data from cflowd and stores the results in RRD format.
- RRDtool graph produces graphs from RRD files.
Dave -> More on FlowScan
plonka@doit.wisc.edu
See http://net.doit.wisc.edu/~plonka/lisa/FlowScan/
http://mil.doit.wisc.edu/~plonka/
General Flowscan Graphs
Network Events Captured by FlowScan
New Development
- wwwstats.net.wisc.edu/CampusIO/top/originAS.html
- wwwstats.net.wisc.edu/CampusIO/top/128.104.16.0_22_top.html
“It’s easier to ride a horse in the direction it’s going” Daniel Burrus www.burrus.com