SMB Traffic Analyzer @ SDC 2010

Presentation about SMB Traffic Analyzer (Protocol v2), held at the Storage Developer Conference, 2010, Santa Clara, CA

    SMB Traffic Analyzer @ SDC 2010 Presentation Transcript

    • SMB Traffic Analyzer
      Holger Hetterich, Level 3 Support Engineer, SUSE Linux Products GmbH
      2010 Storage Developer Conference. Insert Your Company Name. All Rights Reserved.
    • SMB Traffic Analyzer – use case
        • The goal of SMB Traffic Analyzer is to find an answer to questions like:
            • Which services are my most used ones?
            • How is my Samba network used in the night?
            • Which services are almost never used?
            • Which users are the most pressing ones on the Samba network?
            • How much is a specific file being used?
            • When was that specific file renamed and by whom?
    • What is SMB Traffic Analyzer?
        • We call it SMBTA in the following.
        • A module for the Virtual File System (VFS) layer of Samba.
        • Captures metadata of prominent functions in the VFS layer.
        • Sends the data to a receiver.
        • SMBTAD receives the data and builds an SQL storage from it.
        • SMBTATOOLS: utilities to assist in querying the database and to support real-time monitoring.
      2010 Storage Developer Conference. SUSE Linux products GmbH, a Novell business. All Rights Reserved.
    • World of SMBTA - Overview
    • Looking at the VFS module
    • The VFS Module
        • Versions 1 and 2 exist; we are talking about the latter.
        • SMBTA v2 is going to be released with Samba 3.6.0.
        • Supported VFS operations: mkdir, chdir, write, read, pread, pwrite, rename, open, close
        • Fully transparent to the user
        • AES encryption support
        • Extendable protocol
        • Configurable with standard Samba methods (smb.conf)
    • A typical transfer
      [Diagram: the VFS function "write" passes through the VFS module, which sends the following to SMBTAD.]
        • Protocol header: specifies encryption and the length of the data block.
        • Common data block: VFS operation ID, involved username, user SID, involved share, domain, time stamp.
        • Individual VFS function data: file with full path, number of bytes written.
        • The common block is extendable; its data size is specified in the header.
        • The header also includes a subversion number and a few extra bytes to be used in future.
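The length-prefixed framing described on this slide, seen from the receiving side, as an added example that is not SMBTA code. The byte layout, the constants and the names `parse_record`, `struct record` and `SAMPLE` are hypothetical; the point is that the receiver checks the header's declared length and every field length before using them.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout for illustration, NOT SMBTA's real wire format.
 * header (8 bytes): version, subversion, flags (bit 0 = encrypted),
 *                   n_common, payload length as big-endian u32
 * payload: fields, each a big-endian u16 length plus that many bytes;
 *          the first n_common fields are the common block, the rest is
 *          the data of the individual VFS function. */
enum { HDR_LEN = 8, MAX_PAYLOAD = 4096, MAX_FIELDS = 16, KNOWN_COMMON = 6 };

struct field  { const uint8_t *p; uint16_t len; };
struct record { uint8_t subversion, encrypted, n_common;
                size_t n_fields; struct field f[MAX_FIELDS]; };

/* Constructed sample: unencrypted "write" record, 6 common + 2 own fields. */
static const uint8_t SAMPLE[] =
    "\x02\x00\x00\x06\x00\x00\x00\x45"
    "\x00\x01" "5"  "\x00\x06" "holger"  "\x00\x08" "S-1-5-21"
    "\x00\x04" "dist"  "\x00\x04" "WORK"  "\x00\x0a" "1285000000"
    "\x00\x10" "/distspace/a.iso"  "\x00\x04" "4096";
#define SAMPLE_LEN (sizeof SAMPLE - 1)  /* drop the literal's trailing NUL */

/* Returns 0 on success, <0 on malformed input; never reads past buf+len. */
int parse_record(const uint8_t *buf, size_t len, struct record *r)
{
    if (len < HDR_LEN || buf[0] != 2) return -1;    /* short or wrong version */
    r->subversion = buf[1];
    r->encrypted  = buf[2] & 1;
    r->n_common   = buf[3];
    r->n_fields   = 0;
    uint32_t plen = (uint32_t)buf[4] << 24 | (uint32_t)buf[5] << 16
                  | (uint32_t)buf[6] << 8  | buf[7];
    if (plen > MAX_PAYLOAD || plen != len - HDR_LEN) return -2;
    if (r->n_common < KNOWN_COMMON) return -3;      /* required fields missing */
    if (r->encrypted) return 0;     /* decrypt first, then parse the fields */

    const uint8_t *p = buf + HDR_LEN, *end = p + plen;
    while (p < end) {
        if (end - p < 2 || r->n_fields == MAX_FIELDS) return -4;
        uint16_t flen = (uint16_t)(p[0] << 8 | p[1]);
        p += 2;
        if ((size_t)(end - p) < flen) return -5;    /* field overruns payload */
        r->f[r->n_fields++] = (struct field){ p, flen };
        p += flen;
    }
    return r->n_fields >= r->n_common ? 0 : -6;     /* common block cut short */
}
```

Fields beyond the six known common ones are kept but not interpreted, which is how a receiver can accept a newer subversion that extends the common block.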
    • Transparent and stackable
      The VFS "write" function as implemented by the SMBTA module:

          static ssize_t smb_traffic_analyzer_write(vfs_handle_struct *handle,
                          files_struct *fsp, const void *data, size_t n)
          {
                  struct rw_data s_data;

                  /* Stackable: call the NEXT function in the VFS layer. */
                  s_data.len = SMB_VFS_NEXT_WRITE(handle, fsp, data, n);
                  s_data.filename = fsp->fsp_name->base_name;
                  DEBUG(10, ("smb_traffic_analyzer_write: WRITE: %s\n",
                             fsp_str_dbg(fsp)));

                  /* Transparent: send the data and return the number of
                     bytes, just as any VFS write function. */
                  smb_traffic_analyzer_send_data(handle, &s_data, vfs_id_write);
                  return s_data.len;
          }
    • Encryption of data
      [Diagram: VFS module and SMBTAD, 128-bit AES, using the same key.]
      Samba 3.6.0 introduces the program "smbta-util", which makes the SMBTA setup for encryption easy. It is able to generate keys, and to enable or disable encryption on the fly. The generated keys are easily usable by SMBTAD as a keyfile.
    • Configuration – via smb.conf
      Example of a share definition that is SMBTA enabled:

          [Distribution Space]
              vfs object = smb_traffic_analyzer
              smb_traffic_analyzer:host = localhost
              smb_traffic_analyzer:port = 3490
              smb_traffic_analyzer:protocol_version = V2
              comment = Blah
              inherit acls = Yes
              path = /distspace
              read only = No

    • This is the ultimate evil!
        • Exposing user-related data is illegal in many countries!
        • Two methods of anonymization are built in:
            • Prefix + hash number
            • Prefix only (full anonymization)
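The two anonymization methods named on this slide, as an added sketch that is not the module's code. FNV-1a stands in for the hash, which the slide does not specify, and `anonymize`, `distinct_names` and the sample user list are assumptions; the sketch shows that prefix + hash number keeps users distinguishable in the statistics while prefix only merges them into one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in hash (32-bit FNV-1a). An assumption: the slide does not say
 * which hash the module uses. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    while (*s) { h ^= (uint8_t)*s++; h *= 16777619u; }
    return h;
}

/* total == 0: prefix + hash number; total != 0: prefix only.
 * Writes the replacement name to out; returns 0, or -1 if it does not fit. */
int anonymize(const char *user, const char *prefix, int total,
              char *out, size_t outlen)
{
    int n = total ? snprintf(out, outlen, "%s", prefix)
                  : snprintf(out, outlen, "%s%u", prefix, (unsigned)fnv1a(user));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed sample: the user names of five captured records. */
static const char *const USERS[] =
    { "holger", "michael", "holger", "benjamin", "michael" };
enum { N_USERS = 5, MAX_SEEN = 16, NAME_LEN = 64 };

/* How many different names the database would see after anonymization. */
int distinct_names(const char *prefix, int total)
{
    char seen[MAX_SEEN][NAME_LEN], name[NAME_LEN];
    int count = 0;
    for (int i = 0; i < N_USERS; i++) {
        if (anonymize(USERS[i], prefix, total, name, sizeof name)) return -1;
        int j = 0;
        while (j < count && strcmp(seen[j], name) != 0) j++;
        if (j == count) {                 /* not seen before */
            if (count == MAX_SEEN) return -1;
            strcpy(seen[count++], name);
        }
    }
    return count;
}
```

With an unkeyed hash as in this sketch, anyone who knows the account names can recompute the mapping, so the first mode is pseudonymization; only the prefix-only mode removes the per-user link.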
    • World of SMBTA - SMBTAD
    • SMBTAD – concept overview
      [Diagram labels: SMBTAUTILS; Cache ("Store incoming VFS data fast"); Network handler; Database feeder; Handle client requests; VFS traffic; SQLITE.]
    • SMBTAD – caching
        • Temporarily store VFS data in the system's RAM.
        • Be quick: the coolness of talloc_pool!
        • The database feeder runs as a thread:
            • Sleep!
            • Check the cache, open a new cache, and feed the old contents into the database.
            • Sleep! …
    • SMBTAD – Battle for Performance
        • Battleground: ThinkPad X61, standalone.
        • SMBTAD performance test done by the smbtatorture utility.
        • On average, we are 8,9 seconds behind, that is a performance decrease of about 7,4 %.
        • The decrease is much less if SMBTA is run on a dedicated system. Similar tests at SUSE labs with several systems resulted in about 2-3 %.
      [Chart: time in seconds for Run 1 to Run 10; series: Pure Samba Server, SMBTA enabled, SMBTA enabled (talloc_pool patch 1), SMBTA enabled (talloc_pool patch 2), SMBTA enabled (talloc_pool patch 3).]
    • SMBTAD – maintain the DB
        • The database needs to be maintained; it would otherwise grow and grow.
        • A configurable maintenance timer and process is included in SMBTAD.
        • Clean up any data that is older than a given timespan.
        • Run this maintenance process at regular intervals.
    • World of SMBTA – SMBTATOOLS
    • SMBTATOOLS
        • Smbtaquery
            • Produces reports/statistics from the data
            • Runs complex queries, may take time
            • Works with a simple interpreter to make querying easy for users
        • Smbtamonitor
            • Real-time monitoring
    • SMBTATOOLS - smbtaquery
      Smbtaquery - built-in interpreter
      [Diagram: OBJECT and ACTION yield a RESULT.]
        • OBJECT: Username, Share, File, Domain, Global
        • ACTION: Total, List, Top, Usage, last_activity
        • Hides the complexity of the database from the end user
        • Easy-to-learn syntax
        • Identification of given objects; adds requirements for unique identification automatically
    • Screenshots of smbtaquery
    • SMBTAQUERY
        • Any smbtaquery object understands:
            • From … to
            • Since
        • 'global since yesterday, usage r;'
        • 'user holger from 10-23-2010 00:01:00 to today, total rw;'
    • SMBTATOOLS - smbtamonitor
        • Idea: enable real time by omitting database queries; instead, work directly with the incoming data in SMBTAD.
        • SMBTAD includes a subsystem for monitors:
            • Filter incoming information in real time for objects
            • Make internal database queries to initialize a monitor object
            • Run a specific monitor function (such as throughput per second)
        • Displays real-time information on a given object:
            • Throughput R / W / RW by second
            • Total numbers
            • Live logging
        • Runs as many monitor instances as wanted
    • SMBTA – project outlook
        • Release 0.1, when it's done :)
        • What's missing:
            • Documentation!
            • Open bugs (bugzilla.novell.com, [SMBTA] in the subject)
        • Release 0.2 with:
            • XML support for smbtaquery
            • Export to OpenOffice, HTML and others
            • Web interface for smbtaquery and smbtamonitor
            • Using smbtaquery as engine
            • Run a client-side round-robin database w/ smbtamonitor
            • AES encryption SMBTAD ↔ SMBTATOOLS
            • Additional features in the VFS module
            • Optional compression
            • Support for clustered Samba
    • SMBTA – Information and Q&A
        • SMB Traffic Analyzer (GPL v3)
        • http://holger123.wordpress.com/smb-traffic-analyzer/
        • Core team:
            • Holger Hetterich <hhetter@novell.com>: Overall
            • Michael Haefner: smbtamonitor
            • Benjamin Brunner: smbtaquery
            • Björn Geuken: Graphical interfaces
            • Ralf Schwiete: Port to SOLARIS
      Thank you Samba Team! Thanks to Novell/SUSE! Q&A