Luca Deri of ntop at the Würth Phoenix´s Conference on Nagios held in Bolzano/Italy

Luca Deri explains the functions of ntop during the Nagios conference in Italy held on the 20th of May 2010 in Bolzano/Italy

Transcript

  • 1. Who is Generating all This Traffic? Network Monitoring in Practice. Luca Deri <deri@ntop.org>. © 2010 - ntop.org
  • 2. Who’s ntop.org?
      • Started in 1998 as an open-source monitoring project for developing an easy-to-use passive monitoring application.
      • Several project spin-offs:
          • Accelerated packet capture
          • 1 and 10 Gbit packet capture
          • NetFlow/sFlow probes
          • Peer-to-Peer VPN
  • 3. ntop.org at a Glance
  • 4. Who is Using ntop Products?
      • International
      • Domestic
  • 5. Some ntop Partners
  • 6. Some Common Monitoring Questions [1/2]
      • Top N talkers (those who transmit most traffic).
      • Top N conversations (the host pairs that transmit most traffic between each other).
      • Top N applications (e.g. SAP is using 70% of the available bandwidth).
      • Data volume on a per-entity basis (link, location, region/subnet, class of users/cluster).
  • 7. Some Common Monitoring Questions [2/2]
      • Data volume and rates per AS (e.g. do we need to sign a new peering contract?).
      • QoS marking on a per-application or per-entity basis (e.g. does BGP report that we’re sending the traffic on the optimal path?).
      • Reports about traffic we don’t expect to see on the network (e.g. why is host X sending IPX packets although we speak pure IP?).
  • 8. Some Challenges
      • SNMP is good for element management (e.g. router and server monitoring) but poor for traffic measurement.
      • Not all routers/switches speak NetFlow/sFlow: we need to deploy soft probes.
      • 1 and 10 Gbit networks can produce a lot of monitoring data: our monitoring apps must be able to handle all this traffic.
  • 9. Networks are Changing… [1/2] (Diagram labels: Wireless Edge, Intranet, Central Core, Wired Mgmt, Distribution, Edge, Internet.)
  • 10. Networks are Changing… [2/2]
      • Without edge control there’s no real network control.
      • Central traffic monitoring isn’t enough anymore: not all traffic flows through the center.
      • Edge equipment is often very basic, which means that there’s no visibility at the edge: think about this before purchasing your network equipment.
  • 11. Typical Monitoring Deployment: LAN
  • 12. Typical Monitoring Deployment: Internet Traffic
  • 13. Typical Monitoring Deployment: Cloud and Intra-VM Monitoring
  • 14. Some Lessons Learnt
      • In order to monitor the traffic we need to deploy a probe where the traffic is flowing.
      • We need to make sure we can handle both NetFlow and sFlow if we want to have complete network visibility.
      • Cloud computing and server virtualization push us to monitor in-VM virtual networks.
  • 15. What if we upgrade to 10 Gbit?
      • Be prepared to:
          • handle 10x as much traffic as with 1 Gbit.
          • be able to handle encapsulations (GRE, GTP) and tagging (MPLS, VLANs) in your monitoring software.
          • buy 10 Gbit probes.
      • Good news:
          • 10 Gbit adapters are now commodity (< 1’000 Euro/port)
  • 16. How can ntop help me?
      • Central network monitoring console.
      • Software NetFlow/sFlow probes that can be deployed across the network.
      • 10 Gbit packet capture acceleration and filtering.
      • Ability to handle billions of flows with sub-second response time.
  • 17. What is ntop?
  • 18. Network Inventory
  • 19. Host Fingerprint (based on http://ettercap.sourceforge.net/)
  • 20. Traffic Trends
  • 21. Host Health
  • 22. VoIP Support
  • 23. ntop Scripting using Python (Diagram labels: http://ntop.local:3000/python/hello.py, HTTP(S), <html> <body> .... </body> </html>, handlePythonHTTPRequest(...).)
  • 24. Where is my Traffic Going To?
  • 25. nProbe: IPFIX/NetFlow Soft Probe (Diagram labels: sFlow, NetFlow, Packet Capture, Flow Export, nProbe, Data Dump, Raw Files / MySQL / SQLite / FastBit.)
  • 26. ntop on-the-go [1/2] (Diagram labels: ntop, HTTP(S), JSON.)
      • The Apple iPhone is commonly used as a mobile web pad.
      • Network administrators often need to access ntop information while mobile.
      • The ntop web GUI can be accessed via Apple Safari, however a tighter and more comprehensive interface was necessary.
      • Ability to control several ntop instances via a single device.
  • 27. ntop on-the-go [2/2]
  • 28. nProbe: Main Features
      • Ability to keep up with Gbit speeds on Ethernet networks, handling thousands of packets per second without packet sampling on commodity hardware.
      • Support for major OSes including Unix, Windows and MacOS X.
      • Resource (both CPU and memory) savvy, efficient, designed for environments with limited resources.
      • Full NetFlow v9/IPFIX support.
      • V9 extensions: payload, network/application latency, RTP.
      • Ability to extend the probe with user-written plugins.
      • BGP peering with the router for full AS monitoring.
  • 29. nProbe: Network Performance and Response Time
  • 30. nProbe: Network Awareness
  • 31. Handling Billion Flows (all measurements are in seconds)
      • nProbe+FastBit vs MySQL:
          • Q1: MySQL 22.6, nProbe + FastBit 5.6
          • Q2: MySQL 69, nProbe + FastBit 0.5
          • Q3: MySQL 971, nProbe + FastBit 12.5
          • Q4: MySQL 1341, nProbe + FastBit 48.2
          • Q5: MySQL 2257, nProbe + FastBit 30.7
      • nProbe+FastBit vs nfdump:
          • nProbe+FastBit: 45
          • nfdump: 1500
  • 32. Who’s Looking at Me and Where?
  • 33. Interactive Data Search
  • 34. 10 Gbit Wire-rate Traffic Monitoring with Commodity Hardware
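
Slides 6 and 7 list top talkers, top conversations and unexpected traffic as common monitoring questions. The following is an added example, not code from the talk or from ntop, that answers them over constructed flow records; the record layout, `EXPECTED_PROTOCOLS` and the function names are assumptions.

```python
from collections import Counter

# Constructed flow records (src, dst, protocol, bytes); not data from the talk.
FLOWS = [
    ("10.0.0.5", "10.0.1.9", "tcp", 70_000),
    ("10.0.1.9", "10.0.0.5", "tcp", 20_000),
    ("10.0.0.7", "192.0.2.10", "udp", 5_000),
    ("10.0.0.5", "192.0.2.10", "tcp", 15_000),
    ("10.0.0.8", "10.0.0.255", "ipx", 300),
    ("10.0.0.7", "10.0.1.9", "tcp", 1_000),
]

# Assumption: the protocols a "pure IP" network is expected to carry.
EXPECTED_PROTOCOLS = {"tcp", "udp", "icmp"}


def top_talkers(flows, n):
    """Hosts ranked by bytes transmitted (source side only)."""
    sent = Counter()
    for src, _dst, _proto, nbytes in flows:
        sent[src] += nbytes
    return sent.most_common(n)


def top_conversations(flows, n):
    """Host pairs ranked by bytes exchanged, both directions merged."""
    pairs = Counter()
    for src, dst, _proto, nbytes in flows:
        # Sorting the endpoints makes A->B and B->A the same conversation.
        pairs[tuple(sorted((src, dst)))] += nbytes
    return pairs.most_common(n)


def unexpected_traffic(flows, expected=EXPECTED_PROTOCOLS):
    """Bytes per (source host, protocol) for protocols outside the expected set."""
    odd = Counter()
    for src, _dst, proto, nbytes in flows:
        if proto.lower() not in expected:
            odd[(src, proto.lower())] += nbytes
    return dict(odd)


if __name__ == "__main__":
    print(top_talkers(FLOWS, 2))
    print(top_conversations(FLOWS, 2))
    print(unexpected_traffic(FLOWS))
```

Merging both directions in `top_conversations` matters: counted per direction, the 10.0.0.5/10.0.1.9 pair would appear as two smaller entries and could drop out of a short top-N list.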
