SMB Traffic Analyzer @ Samba Xp 2009

My talk on the SMB Traffic Analyzer project at the SambaXP conference 2009

Transcript of "SMB Traffic Analyzer @ Samba Xp 2009"

  1. SMB Traffic Analyzer
     Holger Hetterich
     L3 Support Engineer
     SUSE Linux Products GmbH

  2. What is SMB Traffic Analyzer?
     Milestone 1 (current development)
     ➔ Collect metadata of write and read processes on one or more samba servers.
     ➔ Store data in a SQL queryable container.
     ➔ Provide statistics based on this data, and visualize them.
     Milestone 2 (long term goals) → later in this talk

  3. SMB Traffic Analyzer: Overview and concept
     (architecture diagram)
     - Samba Server >= 3.2.x running the smb_traffic_analyzer VFS module
     - Connection from the VFS module to stad via either a unix domain socket or an internet socket
     - Stad daemon program: feeds a database with incoming data from the VFS module, accepts queries from clients
     - SQL enabled database: storage of metadata, maintenance of the database
     - Stadview client program: visualizing collected data (client configuration storage, runs SQL queries against stad)

  4. The VFS module in detail
     (architecture diagram from slide 3, highlighting the smb_traffic_analyzer VFS module on the Samba Server >= 3.2.x; stad daemon program, stadview client program and SQL enabled database as before)

  5. Looking at VFS: smb_traffic_analyzer (1)
     “Sit in the VFS layer of samba, watch any Read or Write file operation, and send data about these operations via network to a receiver.”
     ➔ Introduced into the samba source tree on September 25, 2008
     ➔ Included in 3.2.x and 3.3.x; SLE11 ships it.
     ➔ Fully transparent VFS module
     ➔ Configured easily via smb.conf
     ➔ Can operate either on a unix domain socket or on an internet socket

  6. Looking at VFS: smb_traffic_analyzer (2) – what data is stored?
     • Length of a data transfer in bytes
     • Whether the transfer was a Read or Write access
     • The name of the file involved in the transfer
     • The name of the user who initiated the transfer
     • The name of the domain under which the transfer happened
     • A timestamp including date and time to the millisecond

  7. Looking at VFS: smb_traffic_analyzer (3)
     A sample share configured for smb_traffic_analyzer:

        [pool1]
        path = /pool1
        read only = No
        vfs objects = smb_traffic_analyzer
        smb_traffic_analyzer:host = localhost
        smb_traffic_analyzer:port = 3490

     Or activating the object in the global section activates all shares:

        [global]
        vfs objects = smb_traffic_analyzer
        smb_traffic_analyzer:host = localhost
        smb_traffic_analyzer:port = 3490

  8. Looking at VFS: smb_traffic_analyzer (4) – Is this legal at all?
     Exposing user related data is illegal in many countries. Two ways of anonymization:
     PREFIX + Hash-number: you can still recognize individual users:
        smb_traffic_analyzer:anonymize_prefix = User
     PREFIX: map any username to one string:
        smb_traffic_analyzer:anonymize_mode = Total
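An added illustration of the two anonymization modes on this slide, written here for the talk's readers and not taken from the smb_traffic_analyzer module; the hash function, the 32-bit truncation, the keyed variant and the candidate-list check are all assumptions for the demonstration:

```python
import hashlib
import hmac

# Added illustration of the two anonymization modes from the slide above.
# This is not the smb_traffic_analyzer module's code: the hash function,
# the 32-bit truncation and the keyed variant are assumptions made here.


def anonymize_prefix_hash(username, prefix="User", key=None):
    """PREFIX + hash-number mode: a stable pseudonym per user.

    With key=None the pseudonym is an unkeyed hash of the name, so anyone
    holding a list of candidate usernames can recompute it. Supplying a
    secret key (HMAC) removes that property; the key option is an
    assumption, not a documented module parameter."""
    data = username.encode("utf-8")
    if key is None:
        digest = hashlib.sha256(data).digest()
    else:
        digest = hmac.new(key, data, hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big")  # "User" + decimal number
    return "%s%d" % (prefix, number)


def anonymize_total(username, prefix="User"):
    """Total mode: every username collapses to the one prefix string."""
    return prefix


def recompute_from_candidates(pseudonym, candidates, prefix="User"):
    """Check whether a stored unkeyed pseudonym can be tied back to a name
    by hashing each entry of a known user list (returns None if it cannot).
    Run this against your own user list to judge what the database leaks."""
    for name in candidates:
        if anonymize_prefix_hash(name, prefix) == pseudonym:
            return name
    return None
```

The check shows why PREFIX + hash is pseudonymization rather than anonymization: with an unkeyed hash the mapping is reproducible from the user list, whereas Total mode discards the user identity entirely.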
  9. The stad daemon in detail
     (architecture diagram from slide 3, highlighting the stad daemon program: feeds a database with incoming data from the VFS module, accepts queries from clients; Samba Server >= 3.2.x with the smb_traffic_analyzer VFS module, stadview client program and SQL enabled database as before)

  10. Looking at the stad daemon (1)
     “Be as fast as possible at accepting data from the VFS module, put the data into a SQL enabled storage. At the same time, maintain the database at the user's wish, and accept SQL queries about the data from clients.”
     ➔ Configured via command line or ini-style config file
     ➔ Caching data into the system RAM
     ➔ Accepts multiple clients and VFS modules

  11. Looking at the stad daemon (2)
     Simplest possible way to run stad:

        $ stad -i 3490

     - use database /var/lib/staddb with sqlite3
     - accept VFS connection on internet socket port 3490
     - accept client connections on internet socket port 3491
     Advanced configuration is done in a config file, see the manpage.

  12. Looking at the stad daemon (3) – data processing plugins
     Why not a simple text file? Stad supports a plugin architecture for its data processing. If there is no interest in a networked client or SQL queryable information, another plugin can do the output.
     Currently shipping:
     - sqlite3 plugin
     - CSV text file plugin (loadable with OpenOffice, Excel and friends)
     In development:
     - MySQL plugin
     - syslog plugin

  13. Looking at the stad daemon (4) – performance impact
     Thinkpad X61 configured as “all in one” system, copying 2.8 GB in 3,381 file objects to a share.
     → running stad, the database and the samba server
     Performance reduction: 39 %
     By changing the conservative default parameters of stad's system RAM usage, enlarging its memory area to hold data packages for the db, it was possible to reach a performance reduction of 12 %.
     Dell QuadCore desktop system as Samba server, and blade server running stad and the db, copying 4.8 GB to a share.
     → stad and db separated from the samba server
     Performance reduction: 16 %

  14. Looking at the stad daemon (5) – storage is limited
     Without a regulating process, the database that is maintained by stad would grow and grow. These parameters in the config file will run the maintenance process every hour, and delete any data that is older than 5 days from the database:

        [maintenance]
        maintenance_timer = 01:00:00
        maintenance_timer_config = 5,00:00:00
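An added example, not stad's own code, that models the record fields listed on slide 6 in an sqlite3 table and applies the retention policy from the [maintenance] section above; the table layout is constructed here, and the value "5,00:00:00" is assumed to mean days,HH:MM:SS as the slide's "older than 5 days" suggests:

```python
import sqlite3
from datetime import datetime, timedelta

# Added example, not stad's own code: the record fields listed on slide 6
# modelled in an sqlite3 table, plus the retention policy from the [maintenance]
# section above. Assumed: this table layout, and "5,00:00:00" read as days,HH:MM:SS.
SCHEMA = """
CREATE TABLE transfers (
    length   INTEGER NOT NULL,  -- bytes transferred
    op       TEXT    NOT NULL,  -- 'R' (read) or 'W' (write)
    filename TEXT    NOT NULL,
    username TEXT    NOT NULL,
    domain   TEXT    NOT NULL,
    ts       TEXT    NOT NULL   -- 'YYYY-MM-DD HH:MM:SS.mmm', sorts lexically
)
"""

def fmt_ts(t):
    # Millisecond precision, matching the timestamp field on slide 6.
    return t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]

def parse_timer(value):
    """Parse '[days,]HH:MM:SS' ('01:00:00' or '5,00:00:00') into a timedelta."""
    days = 0
    if "," in value:
        day_part, value = value.split(",", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(x) for x in value.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def run_maintenance(conn, max_age, now):
    """Delete records older than max_age relative to now; return the count."""
    cutoff = fmt_ts(now - max_age)
    cur = conn.execute("DELETE FROM transfers WHERE ts < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def demo():
    """Constructed sample: two recent transfers and one six days old."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    now = datetime(2009, 4, 15, 12, 0, 0)
    rows = [(4096, "W", "/pool1/report.doc", "alice", "EXAMPLE", now - timedelta(hours=1)),
            (65536, "R", "/pool1/video.avi", "bob", "EXAMPLE", now - timedelta(days=2)),
            (512, "R", "/pool1/old.txt", "carol", "EXAMPLE", now - timedelta(days=6))]
    conn.executemany("INSERT INTO transfers (length, op, filename, username, domain, ts)"
                     " VALUES (?, ?, ?, ?, ?, ?)", [r[:5] + (fmt_ts(r[5]),) for r in rows])
    deleted = run_maintenance(conn, parse_timer("5,00:00:00"), now)
    remaining = conn.execute("SELECT COUNT(*) FROM transfers").fetchone()[0]
    return deleted, remaining
```

Running demo() with the 5-day setting deletes only the six-day-old record and keeps the other two, which is the behaviour the slide describes for the maintenance process.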
  15. Looking at the stad daemon (6) – stadtorture, a test utility for stad
     Stadtorture is a tool utilizing libsmbclient to produce traffic on a server.
     → creates a file set on two samba shares
     → copies files around with pauses
     → can record its own run and play it back
     → to be turned into a benchmarking tool

  16. The stadview program in detail
     (architecture diagram from slide 3, highlighting the stadview client program visualizing collected data; Samba Server >= 3.2.x with the smb_traffic_analyzer VFS module, stad daemon program and SQL enabled database as before)

  17. Looking at the stadview program (1)
     Show statistics about the data stored in the database. Update this information in real-time. Also try not to crash while being demonstrated at sambaXP :) Some day, run on the Windows platform.
     → utilizing GTK and Cairo graphics
     → easy output to different devices
     → no local configuration
     → manage multiple sessions on a stad server

  18. Looking at the stadview program (2)
     Demonstration

  19. Where do we go to?
     Milestone 2 (long term goals)
     ➔ Create appliances for stad:
        ➔ Out of the box samba server/stad/stadview
        ➔ Out of the box stad/stadview ready for network integration
     ➔ Secure connections between VFS module/stad/stadview.
     ➔ Collect any VFS operations (like full-audit)
     ➔ Make table based applets for stadview
     ➔ Make samba / stad a native Microsoft Event Viewer source
     ➔ Have stadview running on Windows

  20. SMB Traffic analyzer – project data
     Homepage: http://holger123.wordpress.com/smb-traffic-analyzer/
     Any component is GPLv3.
     Documentation: detailed manpages with examples for all components.
     Around five people have been working on the SMB Traffic analyzer project since January 2008.
     Main contact in case of questions, patches or suggestions: ozzy@metal-district.de (Holger Hetterich), hhetter@novell.com

  21. SMB Traffic analyzer
     http://holger123.wordpress.com/smb-traffic-analyzer/
     QUESTIONS AND ANSWERS