Network Traffic Accounting - NetFlow
- Slides: 58
Outline
- Network fundamentals
- Network Traffic Accounting - NetFlow
- MRTG
2020/10/31

Part I Network Fundamentals

Network fundamentals
- OSI reference model
- Introduction to SNMP

OSI reference model (Open System Interconnection)
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Datalink Layer
- Physical Layer

SNMP
- Simple Network Management Protocol
  - Request/response protocol: GET, SET
- Remotely manages devices on a TCP/IP network
  - Reads and writes status information on different network nodes
- Runs over UDP
  - Port 161: sending and receiving requests
  - Port 162: receiving traps from managed devices

How SNMP works
- Forms of communication between the SNMP manager and agent
  - Get-request
  - Get-next-request
  - Set-request
  - Get-response
  - Trap

SNMP Manager: a server running some kind of software system that can handle management tasks for a network
SNMP Agent: a piece of software that runs on the network devices you are managing
SNMP community: a logical relationship between an SNMP agent and one or more SNMP managers.

MIB: Management Information Base
- Defines the storage structure for the various kinds of information held by a network device
  - Name (OID)
  - Type and syntax
  - Encoding
- MIB-II
  - The standard MIB provided by all network devices
  - Vendors also provide proprietary MIBs
  - Other MIB standards
    - ATM MIB (RFC 2515)
    - Frame Relay DTE Interface Type MIB (RFC 2115)
    - BGP Version 4 MIB (RFC 1657)
    - RADIUS Authentication Server MIB (RFC 2619)
    - Mail Monitoring MIB (RFC 2249)
    - DNS Server MIB (RFC 1611)

OID:

    .iso.org.dod.internet.mgmt.mib-2.interface.ifNumber.0
    .1.3.6.1.2.1.2.1.0

SNMP and MIB tools
- MRTG (Multi Router Traffic Grapher)
- Getif
  - Windows-based MIB browser
- net-snmp package
  - snmpget (get)
  - snmpwalk (get-next)
  - snmpset (set)
  - snmptrap (trap)

    su-2.05# snmpget -Cf -c public 140.112.1.1 sysDescr.0
    SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
    su-2.05# snmpwalk -c public 140.112.1.1
    SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.2
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (2306518) 6:24:25.18
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING: NTUCC-MADELINE
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 76
    IF-MIB::ifNumber.0 = INTEGER: 3
    IF-MIB::ifIndex.1 = INTEGER: 1
    IF-MIB::ifIndex.2 = INTEGER: 2
    IF-MIB::ifIndex.3 = INTEGER: 3
    IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface
    IF-MIB::ifDescr.2 = STRING: 3Com EtherLink PCI

Part II Network Traffic Accounting

Network Traffic Accounting
- Introduction to NetFlow
- Running NetFlow
- NetFlow statistics programs

Network Traffic Accounting
- The needs:
  - To characterize the traffic and account for how and where it flows
  - Usage-based billing
  - Traffic engineering
- Products
  - Cisco: NetFlow
    - Provides L3 network traffic flow information
  - Foundry: sFlow
    - RFC 3176: statistical sampling technology
    - Provides L2-L4 network-wide traffic flow information
  - Juniper
    - Class-based accounting: filter-based, MPLS-based, destination class usage accounting

Cisco - NetFlow
- Captures data from each incoming packet
- NetFlow flow
  - A unidirectional stream of IP packets with the following common fields:
    - Source and destination IP addresses
    - Source and destination port numbers
    - Layer 3 protocol type
    - Type of service (ToS) byte
    - Input interface (ifIndex)
- Exported in UDP datagrams in one of four formats:
  - v1, v5, v7, v8

NetFlow
- NetFlow is a three-part solution:
  - Exporter
  - Mediation devices
    - Cisco NetFlowCollector
    - Public-domain tools: flow-tools
  - Traffic analysis tools
    - Cisco Network Data Analyzer
    - Statistical analysis program: netflow.pl

Running NetFlow: configuring the router
- Commands
  - Global
    - ip flow-export destination <IP> <port>
  - Interface
    - ip route-cache flow

    Router(config)# ip flow-export destination 140.112.1.1 9991
    Router(config)# int fa 1/1/0
    Router(config-if)# ip route-cache flow

Recording and storing flow data
- flow-tools package
  - Collection of programs to post-process Cisco NetFlow compatible flows
  - Written in C, designed to be fast
  - Installation
    - configure; make install
    - on most platforms (FreeBSD, Linux, Solaris, BSDi, NetBSD)
  - Download:
    - http://www.splintered.net/sw/flow-tools/

flow-tools installation procedure (using Linux as the example)
- Unpack: zcat flow-tools-0.58.tar.gz | tar xvf -
- The following software must be installed first:
  - zlib
  - GNU make
- Install:
  - ./configure
  - gmake install

flow-tools
- flow-capture:
  - Collects NetFlow exports and stores them to disk.
  - Built-in compression.
  - Manages disk space by expiring older flow files at configurable limits.
  - Detects lost flows by missing sequence numbers.

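An added example (not from the slides or from flow-tools) of two checks a collector needs before trusting an export: validating the datagram against its own header, and the sequence-number loss detection that flow-capture is described as doing. It assumes the v5 layout (24-byte header, 48-byte records, a flow_sequence counter); `parse_v5`, `LossTracker` and `build_v5` are hypothetical names and the addresses are constructed.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
MAX_RECORDS = 30                                       # v5 limit per datagram

def parse_v5(datagram):
    """Return (flow_sequence, flows); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5")
    # Export is unauthenticated UDP: check count against the real length.
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("bad record count")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])),
                      "dst": str(ipaddress.IPv4Address(f[1])),
                      "input_if": f[3], "pkts": f[5], "octets": f[6],
                      "src_port": f[9], "dst_port": f[10],
                      "proto": f[13], "tos": f[14]})
    return seq, flows

class LossTracker:
    """flow_sequence counts flows exported so far, so each datagram should
    start at the previous sequence plus the previous record count."""
    def __init__(self):
        self.expected, self.lost = None, 0

    def update(self, seq, count):
        if self.expected is not None:
            gap = (seq - self.expected) % 2**32
            if gap < 2**31:          # forward jump: flows were lost
                self.lost += gap     # (a backward jump is a restart/reorder)
        self.expected = (seq + count) % 2**32
        return self.lost

def build_v5(seq, flows):
    """Constructed test input: pack (src, dst, sport, dport, proto) tuples."""
    out = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, proto in flows:
        out += V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed, bytes(4),
                              1, 2, 10, 1500, 0, 0, sport, dport,
                              0, 0, proto, 0, 0, 0, 0, 0, 0)
    return out
```

Feed each received UDP payload to `parse_v5`, then pass the returned sequence and `len(flows)` to one `LossTracker` per exporter.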
Testing
- flow-receive 0/0/9991 | flow-print
- tcpdump -n udp port 9991

    tcpdump: listening on fxp0
    14:17:39.491510 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.492820 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.493786 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.495057 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496298 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.496863 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.496967 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497068 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497176 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497279 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497381 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497486 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497589 140.112.3.76.1024 > 140.112.3.88.9991:
    14:17:39.497694 140.112.3.76.1024 > 140.112.3.88.9991:

NetFlow data format: flow-print -f 0 < logfile

    Sif  SrcIPaddress  Dif  DstIPaddress  Pr  SrcP  DstP  Pkts  Octets

    # daily.pl
    # Modify the following to meet your configuration.
    #
    # $dir is where you put your program and config files
    # $rawdir is where the raw log files are kept
    # $outputdir is where the output files should be
    #
    $dir       = "/usr/NetFlow/analysis";
    $rawdir    = "/usr/NetFlow/raw";
    $flowprint = "/usr/NetFlow/bin/flow-print";
    $outputdir = "/usr/local/www/data/netflow/daily";
    $htmldir   = sprintf ("%s/html/%02d%02d", $outputdir, $year, $mon, $mday);
    $rawoutput = sprintf ("%s/raw", $outputdir);
    $TopN      = 100;
    @NET       = ("NTUProxy", "NTUGeneral");
    $protfile  = "$dir/protocols";
    $servfile  = "$dir/services";
    $intranet  = "$dir/intranet";
    $DEBUG           = 0;   # debug info flag
    $SLEEP_TIME      = 0;   # debug
    $COUNT_THRESHOLD = 50;  # debug

Part III MRTG

MRTG
- Introduction to MRTG
- Using MRTG
- Monitoring other system resources with MRTG

Using MRTG
- Get the program
  - http://people.ethz.ch/~oetiker/webtools/mrtg/pub
  - The latest version at present is mrtg-2.9.18
- Compile MRTG
- Generate the MRTG configuration file
- Edit the MRTG configuration file
- Test MRTG output
- Run MRTG automatically

Compile MRTG
- Make sure the following software is already installed
  - gd
  - libpng
  - zlib
- Installation procedure
  - gunzip -c mrtg-2.9.18.tar.gz | tar xvf -
  - cd mrtg-2.9.18
  - ./configure --prefix=/usr/local/mrtg-2
  - make install

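Generate the MRTG configuration file
- The configuration file must define
  - The IP address or name of the network device to collect data from
  - The kinds of data to collect
  - The path where the collected data is stored
  - The specific format of the output graphs and web pages

    cfgmaker --global 'WorkDir: /home/httpd/mrtg' \
        --global 'Options[_]: bits,growright' \
        --output /home/mrtg/cfg/mrtg.cfg \
        community@router.ntu.edu.tw
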
MRTG configuration file syntax
- Global
  - WorkDir
  - HtmlDir
  - ImageDir
  - LogDir
  - Refresh
  - Interval
  - LoadMIBs

MRTG configuration file syntax
- Target
  - Specifies which machine to monitor
  - Target[name]: port:community@router.domain.name
  - Target[name]: oid_1&oid_2:community@router.domain.name
  - Target[name]: snmp_name1&snmp_name2:community@router
  - Target[name]: 1:community@routerA+2:community@routerA
  - Target[name]: `/usr/local/ping-probe/mrtg-ping-probe www.above.net`
    - First parameter
    - Second parameter
    - System uptime
    - A string giving the name of the target

MRTG configuration file syntax
- Target options
  - MaxBytes: the maximum value either of the two monitored variables is allowed to reach
  - MaxBytes1: MaxBytes for variable 1
  - MaxBytes2: MaxBytes for variable 2
  - Title: title for the HTML page generated for the graph
  - PageTop: things to add to the top of the generated HTML page

MRTG configuration file syntax
- Options
  - growright
  - bits
  - gauge
  - absolute
  - nopercent
- Special target names
  - Target[^]
  - Target[$]
  - Target[_]

The most basic mrtg.cfg

    WorkDir: /usr/tardis/pub/www/stats/mrtg
    Target[r1]: 2:public@myrouter.somplace.edu
    MaxBytes[r1]: 8000
    Title[r1]: Traffic Analysis ISDN
    PageTop[r1]: <H1>Stats for our ISDN Line</H1>

An mrtg.cfg covering several routers

    WorkDir: /usr/tardis/pub/www/stats/mrtg
    Title[^]: Traffic Analysis for
    PageTop[^]: <H1>Stats for
    PageTop[$]: Contact The Chief if you notice anybody<HR>
    MaxBytes[_]: 8000
    Options[_]: growright

    Title[isdn]: our ISDN Line
    PageTop[isdn]: our ISDN Line</H1>
    Target[isdn]: 2:public@router.somplace.edu

    Title[backb]: our Campus Backbone
    PageTop[backb]: our Campus Backbone</H1>
    Target[backb]: 1:public@router.somplace.edu
    MaxBytes[backb]: 1250000

    # the following line removes the default prepend value
    # defined above
    Title[^]:

    Title[isdn2]: Traffic for the Backup ISDN Line
    PageTop[isdn2]: our ISDN Line</H1>
    Target[isdn2]: 3:public@router.somplace.edu

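The sample files above keep the SNMP community in mrtg.cfg in clear text and use the default `public`, so the file is worth auditing like any other credential store. This added Python example (not part of MRTG or the slides) flags default communities in Target lines and group/world-readable file modes; `audit_targets` and `readable_by_others` are hypothetical names, and the last two sample lines are constructed.

```python
import re
import stat

DEFAULT_COMMUNITIES = {"public", "private"}    # well-known, guessable values
TARGET_RE = re.compile(r"^\s*Target\[([^\]]+)\]\s*:\s*(.+)$", re.I)
SNMP_RE = re.compile(r":([^\s:@]+)@([\w.-]+)")  # ...:community@host

def audit_targets(cfg_text):
    """Return sorted (target, host, community) for default community strings."""
    findings = set()
    for line in cfg_text.splitlines():
        m = TARGET_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value.startswith("`"):        # external probe, no SNMP credentials
            continue
        # One Target may combine several port:community@host terms with "+".
        for community, host in SNMP_RE.findall(value):
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.add((name, host, community))
    return sorted(findings)

def readable_by_others(st_mode):
    """mrtg.cfg stores communities in clear text; flag group/world read bits."""
    return bool(st_mode & (stat.S_IRGRP | stat.S_IROTH))

# Sample input: Target lines from the multi-router mrtg.cfg on this page,
# plus two constructed lines (an external probe and a non-default community).
SAMPLE_CFG = """\
WorkDir: /usr/tardis/pub/www/stats/mrtg
Target[isdn]: 2:public@router.somplace.edu
Target[backb]: 1:public@router.somplace.edu
Target[isdn2]: 3:public@router.somplace.edu
Target[ping]: `/usr/local/ping-probe/mrtg-ping-probe www.above.net`
Target[core]: 1:n0t-default@routerA+2:n0t-default@routerA
"""

if __name__ == "__main__":
    for target, host, community in audit_targets(SAMPLE_CFG):
        print(f"{target}: default community '{community}' on {host}")
    print("mode 0644 readable by others:", readable_by_others(0o100644))
```

For a real file, pass `os.stat(path).st_mode` to `readable_by_others` and the file contents to `audit_targets`.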
Running MRTG automatically
- Use MRTG to observe long-term trends
- Set MRTG to run periodically
  - Add an entry to crontab

    crontab -e
    0,5,10,15,20,25,30,35,40,45,50,55 * * * * /mrtg/bin/mrtg/conf/mrtg.cfg

Network conditions: round-trip time & packet loss
- mrtg-ping-probe
  - Monitors the round-trip time and packet loss to another networked host
- Download from:
  - ftp://ftp.pwo.de/pub/pwo/mrtg-ping-probe/
- mrtg-ping-probe usage

    mrtg-ping-probe [-hsvV] [-d deadtime] [-k count] [-l length]
        [-o ping_options]
        [-p [factor*]{min|max|avg|loss|integer}/[factor*]{min|max|avg|loss|integer}]
        [-r [rsh:][user@]host[:osname]] [-t timeout] host

  - Target[yahoo.com]: `/usr/local/mrtg-ping-probe www.yahoo.com`
  - Target[yahoo.com]: `/usr/local/mrtg-ping-probe -p loss/loss www.yahoo.com`

    [root@scorpio]5:33pm</#/usr/local/ping-probe/mrtg-ping-probe www.above.net
    190
    189
    [root@scorpio]5:35pm</#/usr/local/ping-probe/mrtg-ping-probe -t 42 -p loss/loss www.above.net
    0
    0

    # crontab
    0,10,20,30,40,50 * * * * /usr/lib/sa/sa1 &

    # mrtg.cfg
    Target[server_cpu]: `/usr/local/bin/system-load.sh`

    ===============================
    #!/usr/local/bin/perl
    # Take the most recent sar sample and collapse runs of spaces
    @line = `sar | tail -3 | head -1 | sed 's/  */ /g'`;
    @data = split(/ /, $line[0]);
    # Line 1: %usr (rounded); line 2: %usr + %sys
    if ($data[2] eq "") {
        printf "0\n";
    } else {
        printf ("%3.0f\n", $data[1] + 0.5);
    }
    printf ("%3.0f\n", ($data[1]) + ($data[2]));
    # Line 3: uptime text; line 4: host name
    $uptime = `/usr/bin/uptime | sed 's/  */ /g'`;
    @uptime = split(/,/, $uptime);
    @uptime = split(/up/, $uptime[0]);
    $server = `/bin/uname -n`;
    print "$uptime[1]\n";
    print $server;

    [root@aquarius]5:27pm<~#system-load.sh
    SunOS aquarius 5.7 Generic_106541-18 sun4u    07/07/02

                %usr    %sys    %wio   %idle
    .....
    Average        7       3       1      89

    [root@aquarius]5:27pm<~#system-load.sh
    4
    7
    82 day(s)
    aquarius

DNS statistics
- mrtg/stat.pl
  - Plots the statistics produced by the DNS server as graphs, to make changes in DNS server load easy to observe
- How it works
  - Have the DNS server generate the named.stats file periodically
  - stat.pl extracts the figures to be observed from named.stats
  - Edit stat.pl
    - $HOSTNAME: domain name
    - $LOG: the path of named.stats
    - $RUN: the path of the working directory
  - Target[dns_stats]: `/usr/local/mrtg/stat.pl`

    +++ Statistics Dump +++ (1026035100) Sun Jul 7 17:45:00 2002
    4082015 time since boot (secs)
    525288 time since reset (secs)
    493244 Unknown query types
    174015036 A queries
    82881 NS queries
    36 MD queries
    5 MF queries
    35361 CNAME queries
    1731371 SOA queries
    1 MB queries
    5 MG queries
    0 MR queries
    3 NULL queries
    0 WKS queries
    67734278 PTR queries
    5 HINFO queries
    0 MINFO queries
    5874154 MX queries
    35475 TXT queries
    2 RP queries
    0 AFSDB queries
    18 X25 queries
    0 ISDN queries
    0 RT queries
    2 NSAP queries
    0 NSAP_PTR queries
    0 SIG queries
    0 KEY queries
    0 PX queries
    0 GPOS queries
    2793085 AAAA queries
    152 LOC queries
    0 NXT queries
    0 EID queries
    8 NIMLOC queries
    1638871 SRV queries
    0 ATMA queries
    0 NAPTR queries
    0 KX queries
    0 CERT queries

    #!/usr/local/bin/perl -w
    %D_STAT=(
        RR => 0, RNXD => 1, RFwdR => 2, RDupR => 3, RFail => 4,
        RFErr => 5, RErr => 6, RAXFR => 7, RLame => 8, ROpts => 9,
        SSysQ => 10, SAns => 11, SFwdQ => 12, SDupQ => 13, SErr => 14,
        RQ => 15, RIQ => 16, RFwdQ => 17, RDupQ => 18, RTCP => 19,
        RFwsR => 20, SFail => 21, SFErr => 22, SNaAns => 23, SNXD => 24,
        RUQ => 25, RURQ => 26, RUXFR => 27, RUUpd => 28,
    );
    my $HOSTNAME = "dns.ntu.edu.tw";
    my $LOG = "/users/www/mrtg/dnsstat/named.stats";
    my $RUN = "/users/www/mrtg/dnsstat";
    my $INCOMING = $D_STAT{"RQ"};
    #my $OUTGOING = $D_STAT{"RFail"};
    my $OUTGOING = $D_STAT{"SAns"};

    [root@scorpio]8:29pm</>users/www/mrtg/stat.pl
    50616
    41332
    534888
    dns.ntu.edu.tw

Reference pages
- flow-tools
  - http://www.splintered.net/sw/flow-tools/
- getif
  - http://www.wtcs.org/snmp4tpc/getif.htm
- MRTG
  - http://people.ethz.ch/~oetiker/webtools/mrtg/
- net-snmp package
  - http://net-snmp.sourceforge.net/