Traffic Analysis Techniques for Flow and Non-Flow Networks
Learn how to best analyze your traffic on flow enabled and non-flow enabled networks. We cover how to optimize the power of flow-based traffic analysis in networks and create valuable strategies to ensure future network stability and security.

Published in: Technology
  • Slide notes references:
    • http://en.wikipedia.org/wiki/Network_tap
    • http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html
    • http://www.gigamon.com/span_port_or_tap.php
  • Transcript

    • 1. Traffic Analysis How-To Webinar Series: Traffic Analysis for Flow and Non Flow-Enabled Networks (January 26, 2010)
    • 2.
      • Today’s Presenters:
        • Kevin Gillis, VP Product Management, Network Management
        • Jason Williams, Product Manager & The WhatsUp Guru
      • Agenda:
        • The Need for Traffic Analysis
        • Session 1,2 and 3 Recap
        • Flow Publisher Overview
        • “Mixed Network”
        • Technical Demonstration
        • Q&A
        • Next Steps
    • 3. The Need for Traffic Analysis
      • My network is slow and I do not know why…
        • Existing tools don’t give me any or enough visibility…
          • Into user and application network bandwidth utilization
          • Into network performance issues
          • Into locating and troubleshooting issues
          • Into applications and their effect on the network
          • Into security breaches and unauthorized usage
      Tools are either too expensive or complex to deploy
    • 4. The Need for Traffic Analysis
      • My network is slow and my network does not know why…
        • Existing hardware does not give me any or enough visibility…
          • My network hardware is not NetFlow, sFlow or J-Flow capable
          • My network hardware is not NetFlow, sFlow or J-Flow enabled
          • My network hardware is flow capable, but enabling it is too expensive because it means taking down the network, adding hardware and upgrading the IOS
          • A segment of my network is not 100% flow enabled
      • Current solutions
        • Require expertise in packet level and protocol level analysis
        • Require device or network upgrades/downtime
        • Require investment in appliances or probes
      Flow enabled hardware is either too expensive or complex to deploy
    • 5. Recap of Traffic Analysis Series Session 1: Application and User Traffic Analysis
    • 6. Application and User Traffic Analysis
      • Rapid isolation of server versus network based issues
      • Insight into reasons for application traffic
        • Traffic loads
        • Users
        • Peak usage timeframes
      • Establish a performance baseline
      • Locate under and over subscribed applications and servers
        • Standalone servers
        • Virtualized servers
          • Traffic to individual virtual machines (VMs)
      Why is server based traffic analysis important? Creates opportunity to optimize server infrastructures based upon actual user and application utilization data.
    • 7. Server Traffic Analysis Deployment
      • Flow Publisher Server Agent
        • Windows Server
          • 32 & 64 bit: Standard and Enterprise Server 2008 and Standard & Enterprise Server 2003 SP2
          • Non-virtualized and virtualized servers
          • Network interface
        • Runs as a Windows service
          • Small resource footprint
      Application and user traffic analysis at the source
    • 8. Recap of Traffic Analysis Series Session 2: Traffic Analysis for Non Flow-Enabled Networks: “TAP”ing
    • 9. TAPing…
      • What’s a TAP and how does it work?
        • TAP stands for Test Access Point.
        • A network tap is a fully passive device.
        • Packets are copied electrically or optically onto the tap ports.
      • Considerations
        • Fidelity: You get 100% guaranteed view of network traffic even with larger deployments of 10 Gigabit+. They are completely passive and do not cause any distortion even on FDX and full bandwidth networks.
        • Security: Taps are not addressable network devices and therefore cannot be reached or hacked over the network
        • Ease of Use: Taps have no setups or command line issues so getting all the data is assured and saves users time. They are also fault tolerant.
      • Summary:
        • Taps offer high integrity and fidelity with 100% packet capture; no packet or frame alterations.
        • As a fully passive device, a tap does not impact the performance or scalability of the switch or router.
        • Requires additional hardware to be purchased and installed potentially leading to downtime.
    • 10. Example TAP Deployment (diagram: this switch does not support port mirroring or SPAN)
    • 11. Recap of Session 3: Mirroring and SPANing
    • 12. SPANing by any other name…
      • What’s a SPAN and how does it work?
        • Port Mirroring, Port Monitoring, Switched Port Analyzer or SPAN (Cisco world), or Roving Analysis Port (RAP-3COM)
        • A port mirror is active packet duplication
          • The network device physically has the duty of copying packets onto a mirror port.
          • The device carries out this task using its own resources (e.g. CPU), and both traffic directions are copied into the same port.
        • The network device must support port mirroring
      • Considerations
        • Packet Loss: On a full duplex link the combined traffic of both directions can exceed the mirror port's speed, and once it does packets are lost because there is physically no capacity to copy them.
          • LAN switches are designed to groom data (change timing, add delay), remove bad frames and ignore all layer 1 & 2 information.
          • VLAN tags are not normally passed which can lead to false issues detected and difficulty in finding VLAN issues.
          • Frame interaction timing is changed, corrupt packets and/or small packets are dropped.
        • Time Consuming and Potentially Political:
          • Proper spanning requires that a network engineer configure the switches properly
          • You must ensure that no packet flow is mirrored more than once.
          • Configurations can become a political issue between IT team, the security team and the compliance team
      • Summary:
        • Port mirroring may not require any new hardware as it can be performed by many switches (but not all)
        • Fidelity and integrity must be considered. Packet loss can happen for a variety of reasons.
        • Scalability is a real concern: With Gigabit and 10 Gigabit technologies (and Full Duplexing doubling the base bandwidth), switches/routers can’t both mirror and handle their primary job of switching and routing.
    • 13. Flow Publisher 1.0 Overview
    • 14. Flow Publisher v1.0 Summary
      • Flow data generated from raw network traffic
        • Convert raw traffic into NetFlow v1, v5 and v9 compliant flow records
          • Full range of NetFlow information
          • Unsampled flow data
      • Pinpoint or broad traffic analysis
        • Windows servers and any applications (e.g. Oracle, SAP, Exchange)
        • Passive using TAPs (Test Access Point)
        • Active packet duplication through virtually any network device supporting port mirroring
      • High impact: non-invasive and inexpensive to maintain
        • Leverages existing network infrastructure
        • No device hardware or software upgrades required
        • Does not require network or device downtime
      Enables flow analysis for non-flow capable devices
    • 15. Flow Publisher v1.0 Features
      • Two Components
        • Agent Manager Interface
          • Configure and manage a single or multiple agents
        • Flow Publisher Agent
          • Processes raw traffic data
          • Standalone installation
            • Windows computer
            • TAP or mirrored interfaces
            • Accepts raw traffic from up to 4 individual interfaces
          • Hosted installation
            • Directly on Windows Servers
              • Application monitoring
              • User monitoring
              • VMware Virtualized Systems
      Software only solution
    • 16. Flow Publisher v1.0 Features cont’d
      • Integrates with v14.x of WhatsUp Gold and v2.0 of Flow Monitor for:
        • Real-time traffic monitoring and analysis
        • Threshold alerting
        • 40+ reports (web and mobile)
      • Maps MAC addresses to reported interfaces
      • Jumbo and fragmented packet support
      • Configurable logging
        • 3 levels of detail
      • 2 levels of traffic capture
        • Normal
        • Promiscuous
    • 17. Flow Publisher v1.0 Features cont’d
      • Provides the same information into Flow Monitor for analysis and reporting as other NetFlow sources. This includes the following:
        • Protocol
        • Application (port number)
        • Conversations
        • Sender host
        • Receiver host
        • Sender domain
        • Receiver domain
        • Sender top level domain (TLD)
        • Receiver TLD
        • Top sender country
        • Top receiver country
        • Type of service (ToS)
        • Top Senders with the Most Conversation Partners
        • Top Senders with the Most Failed Connections
        • ICMP Types
        • Top Receivers with the Most Conversation Partners
        • Top Receivers with the Most Failed Connections
        • Packet Size Distribution
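Slide 14 says Flow Publisher converts raw traffic into NetFlow v5/v9 flow records, and slide 17 lists the reports Flow Monitor derives from them. The script below is an added example, not Flow Publisher's or Ipswitch's own code: it aggregates a constructed packet list (what a TAP or mirror port would deliver) into unidirectional 5-tuple flow records, derives three of the listed reports (conversations, top senders with the most failed connections, packet size distribution), and serializes the flows as a NetFlow v5 export datagram using the standard v5 header and record layout. The packets, addresses (RFC 5737 documentation ranges), timestamps and the "failed connection" heuristic are all assumptions made for the example; it also shows why flow data is so much smaller than the traffic it describes, since only header fields and counters survive aggregation.

```python
"""Raw packets -> flow records -> NetFlow v5 export, plus three of the
reports listed on slide 17. Added example; every packet below is
constructed, not captured from any real network."""
import socket
import struct
from collections import defaultdict

# TCP flag bits, encoded as NetFlow v5 ORs them into its tcp_flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
TCP, UDP = 6, 17

# Constructed sample packets as a TAP or mirror port would deliver them:
# (time_ms, src, dst, proto, sport, dport, frame_bytes, tcp_flags, tos)
PACKETS = [
    (0,   "192.0.2.10",   "198.51.100.5", TCP, 51000, 443,   60,   SYN,       0),
    (12,  "198.51.100.5", "192.0.2.10",   TCP, 443,   51000, 60,   SYN | ACK, 0),
    (13,  "192.0.2.10",   "198.51.100.5", TCP, 51000, 443,   52,   ACK,       0),
    (40,  "192.0.2.10",   "198.51.100.5", TCP, 51000, 443,   1500, ACK,       0),
    (90,  "198.51.100.5", "192.0.2.10",   TCP, 443,   51000, 1500, ACK,       0),
    (95,  "192.0.2.10",   "198.51.100.5", TCP, 51000, 443,   52,   FIN | ACK, 0),
    (200, "192.0.2.20",   "198.51.100.5", TCP, 52000, 22,    60,   SYN,       0),
    (201, "198.51.100.5", "192.0.2.20",   TCP, 22,    52000, 40,   RST | ACK, 0),
    (300, "192.0.2.20",   "198.51.100.5", TCP, 52001, 23,    60,   SYN,       0),
    (301, "198.51.100.5", "192.0.2.20",   TCP, 23,    52001, 40,   RST | ACK, 0),
    (500, "192.0.2.10",   "203.0.113.53", UDP, 40000, 53,    75,   0,         0),
    (510, "203.0.113.53", "192.0.2.10",   UDP, 53,    40000, 120,  0,         0),
]

def build_flows(packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple.
    Only header fields and counters survive; payload is never stored."""
    flows = {}
    for t, src, dst, proto, sport, dport, length, flags, tos in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"src": src, "dst": dst, "proto": proto,
                              "sport": sport, "dport": dport, "packets": 0,
                              "bytes": 0, "first": t, "last": t,
                              "tcp_flags": 0, "tos": tos}
        f["packets"] += 1
        f["bytes"] += length
        f["last"] = t
        f["tcp_flags"] |= flags   # v5 semantics: OR of every flag seen
    return list(flows.values())

def conversations(flows):
    """Bidirectional conversations: merge each flow with its reverse flow."""
    pairs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        key = (min(a, b), max(a, b), f["proto"])
        pairs[key]["packets"] += f["packets"]
        pairs[key]["bytes"] += f["bytes"]
    return dict(pairs)

def failed_connections_by_sender(flows):
    """Per initiator, count TCP attempts that were refused (reverse flow
    carries RST but never SYN-ACK) or that got no reply at all. Heuristic
    chosen for this example; the product's own rule is not documented here."""
    by_key = {(f["src"], f["dst"], f["proto"], f["sport"], f["dport"]): f
              for f in flows}
    failed = defaultdict(int)
    for f in flows:
        if f["proto"] != TCP or not f["tcp_flags"] & SYN:
            continue
        rev = by_key.get((f["dst"], f["src"], TCP, f["dport"], f["sport"]))
        if rev is not None and rev["first"] < f["first"]:
            continue                      # f is the responder, not the initiator
        if rev is None or (rev["tcp_flags"] & RST and not rev["tcp_flags"] & SYN):
            failed[f["src"]] += 1
    return dict(failed)

def packet_size_distribution(packets, buckets=(64, 128, 512, 1024, 1518)):
    """Histogram of frame sizes, labelled by each bucket's upper bound."""
    dist = defaultdict(int)
    for p in packets:
        size = p[6]
        label = next((f"<={b}" for b in buckets if size <= b), f">{buckets[-1]}")
        dist[label] += 1
    return dict(dist)

def netflow_v5_datagram(flows, uptime_ms, unix_secs, seq=0):
    """Serialize up to 30 flows as one NetFlow v5 export datagram:
    a 24-byte header followed by 48-byte records (standard v5 layout)."""
    if len(flows) > 30:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = struct.pack("!HHIIIIBBH", 5, len(flows), uptime_ms, unix_secs,
                         0, seq, 0, 0, 0)   # nsecs, sequence, engine type/id, sampling
    records = b"".join(struct.pack(
        "!4s4s4sHHIIIIHHBBBBHHBBH",
        socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
        0, 0,                              # in/out ifIndex: unknown behind a TAP
        f["packets"], f["bytes"], f["first"], f["last"],
        f["sport"], f["dport"], 0, f["tcp_flags"], f["proto"], f["tos"],
        0, 0, 0, 0, 0)                     # AS numbers, masks, padding
        for f in flows)
    return header + records

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(f"{len(PACKETS)} packets -> {len(flows)} flows")
    print("failed connections:", failed_connections_by_sender(flows))
    print("packet sizes:", packet_size_distribution(PACKETS))
    print("v5 datagram bytes:", len(netflow_v5_datagram(flows, 1000, 1264464000)))
```

The twelve constructed packets collapse into eight flows and a 408-byte datagram, and the two refused connections from 192.0.2.20 (SSH and telnet answered with RST) are the kind of signal that the "Top Senders with the Most Failed Connections" report surfaces from nothing more than the flags OR-ed into each flow record. A real exporter would also expire flows on idle and active timeouts before exporting; that bookkeeping is omitted here.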
    • 18. Agent & Collector High-level Interaction
      • Three flexible deployment models provide unlimited choices:
        • Switch forwards mirrored traffic to Flow Publisher agent; agent forwards NetFlow records to Flow Monitor collector
        • TAP forwards bi-directional traffic to Flow Publisher agent
        • Server based agent forwards NetFlow records to Flow Monitor collector
      • Diagram components: Flow Publisher agent on PC; WhatsUp Gold and Flow Monitor collector
    • 19. Flow and Non Flow-Enabled Flow Monitoring
    • 20. A Flow is a Flow is a Flow… Application and user traffic analysis at the source
      • SPAN/Mirroring
        • Hardware solution, Free or low costs, drops packets, remote admin, specialized skills
      • Passive Tap
        • Hardware solution, <$1k, 100% capture, minimal admin and skills
      • Application Traffic
        • Windows service, small resource footprint, normal & promiscuous mode
    • 21. Summary (comparison of the three capture methods)
      • SPAN/Mirror
        • High config skills; remote configuration
        • Can change timing of frame interaction
        • Can monitor intra-switch traffic
        • Drops packets on busy FD networks
        • Drops physical layer, bad and/or small frames
        • No to low cost
        • Active device
      • TAP
        • Minimal config skills; local configuration
        • Does not alter timing
        • Can not monitor intra-switch traffic
        • Full visibility into FD networks
        • 100% capture including errors
        • Moderate cost
        • Passive device
      • Application
        • Minimal config skills; local or remote config
        • Does not alter timing
        • Intra-switch traffic: N/A
        • No packet loss
        • Normal or promiscuous mode
        • No cost
        • Active device
    • 22. Flow and Non Flow-Enabled Flow Monitoring Technical Demonstration
    • 23. Generate flow based traffic without expensive software, hardware, operating system upgrades or sacrificing down-time.
    • 24. Q & A: Please submit your questions via the Q&A feature in the lower right corner. Additional questions? Jason Williams – guru@ipswitch.com; Kevin Gillis – k@ipswitch.com; or http://whatsupgold.com/community – then go to Forums
    • 25. Questions from customers…
      • Anthony F
        • Q: Did I hear and see correctly... This application will do flow monitoring of non-flow enabled devices? Such as some of Cisco's smaller Catalyst switches.
        • A: That is correct. Our other sessions will go into details on how to set that up.
      • Michael M
        • Q: Can you set thresholds per TOS field per device? For example can I set up a threshold that will alarm me if EXP traffic exceeds 30% on any device?
        • A: Yes, you should be able to by creating a Flow Monitor Custom Threshold.
      • Scot L
        • Q: How can unclassified traffic be further defined?
        • A: By configuring or monitoring the ports.
      • Temple M
        • Q: In a case where you are spanning or mirroring a core switch to the agent, which in turn reports to the WhatsUp box, does that create an intense increase in traffic or storage to the WhatsUp system?
        • A: It may, but remember that Flows contain only headers and there are several options to keep the volume under control.
      • Kai M
        • Q: But a switch with port mirroring is as good as a tap right?
        • A: Yes, but mirroring has a small limitation in performance when both directions are used at the same time at a higher level. It may drop some packets.
      • Ming W
        • Q: Is Flow Monitor licensed based on the number of WUG device licenses?
        • A: The Flow Monitor license is based on the number of devices sending netflow data, totally independent of the WhatsUp devices.
    • 26. Next Steps…
      • Find out more about Flow Publisher v1.0
      • http://www.whatsupgold.com/whatsnew
      • Try – free 30-day evaluation
      • http://www.whatsupgold.com/download
      • Buy – three ways to purchase
      • www.whatsupgold.com/buy
        • 1. WhatsUp Gold Representative
        • 2. An Ipswitch Reseller Partner of your choice
        • 3. Online via our ecommerce shop
      Increased visibility into single segment, multi-segment, application and user traffic on your network!
    • 27. Flip over this…
      • 1 randomly selected attendee will receive a Flip Mino camcorder
    • 28. Thank you!