(3/28) Only fragments of this slide survive: (10 Mbps); Video, Audio.
(4/28) Fragments: 10 ~ 15 (e.g. telnet, ftp)
(5/28) Fragments: UDP/TCP
(6/28) Diagram, centralized environment: packet header information is captured at the network interface, the network traffic data is analyzed on the same host, and the analyzed information is presented to the user.
(7/28) Packet capture path (diagram):
  1. the network interface is put into promiscuous mode
  2. the link-level device driver receives the packet by interrupt (kernel)
  3. the packet is copied into kernel packet memory beside the protocol stack
  4. the packet capture application reads it from user memory
(10/28) Comparison of traffic monitoring tools:

  Tool           Capture method  Analysis method             Analysis interval                          Analysis scope  Load distribution  User interface
  Tcpdump        libpcap         packet by packet            current                                    layer 7         no                 Text
  Ntop           libpcap         real-time traffic analysis  5 second, hourly                           layer 7         no                 Web
  MRTG           snmp agent      batch traffic analysis      5 minute, hourly, daily, weekly, monthly   layer 2         yes                Web
  WebTrafMon II  libpcap         batch traffic analysis      1 minute, hourly, daily, monthly, yearly   layer 7         yes                Web
(11/28) Fragments: (network, transport, application layer)
(12/28) Centralized vs. distributed traffic analysis architecture (diagram):
  Centralized Traffic Analysis Architecture: capture (packet header information from the network interface), analysis (network traffic data) and presentation (analyzed information to the user) all run on one host.
  Distributed Traffic Analysis Architecture: capture of packet header information at the network interface is separated from the analysis and presentation of the network traffic data to the user.
(13/28) Probe performance (plot residue): packet generating host (Mgen), 800 MHz, 128 MB, Linux, 94 Mbps traffic; packet capturing host (probe), 800 MHz, 128 MB, Linux; y-axis CPU (%), series for per-packet processing times of 2 usec, 10 usec and 200 usec (usec).
(14/28) Hashing result for 1 minute of traffic: 848,869 packets reduce to 46,141 records (fragment: 18); fragment: 1568 * 3 = 4704 bytes. Record fields: time, frame type, src ip, dst ip, protocol, src port, dst port, total size, count.
(15/28) Port information for UDP/TCP streaming and P2P applications:

  Application    Protocol         Port
  Real Media     RTP (UDP)        6972?
  Quick Time     RTP (UDP)        (not recovered)
  Windows Media  MMST (TCP)       1755
  FastTrack      fasttrack (TCP)  1214
  Gnutella       gnutella (TCP)   6347
  FreeNet        freenet (TCP)    19114
(16/28) Distributed environment data flow (diagram):
  - probe: packet capture in promiscuous mode at a network point; packet header information is written minutely to a log file in the log format
  - hashing: the minutely log file is hashed into the log format and saved into the DB
  - statistics: short-term and long-term network traffic data (minutely, hourly, daily, monthly, yearly) are built from the DB
  - user: requests by port information; responses hourly, daily, monthly, yearly
(17/28) Log file (diagram): each network point runs a probe in promiscuous mode and writes records in the log format: network point, time, length, frame type, src ip, dst ip, protocol, src port, dst port.
(18/28) Log format. Header fields read from each frame:

  Ethernet: Dst addr (6), Src addr (6), Type (2), data (46-1500 bytes), CRC (4)
  IP:       Protocol (1), Src addr (4), Dst addr (4), data
  TCP:      src port (2), dst port (2), data

Log record, 18 bytes per frame:

  Field       Bytes  Description
  time          1    frame capture time (minute)
  length        2    total Ethernet frame size (ethernet header + data + CRC)
  frame_type    2    Ethernet Type
  src_ip        4    IP Src addr
  dst_ip        4    IP Dst addr
  protocol      1    IP Protocol
  src_port      2    TCP src port
  dst_port      2    TCP dst port
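The 18-byte record above, as an added example that is not the WebTrafMon II probe's own code: a bounds-checked parser that turns one captured Ethernet frame into the record and serializes it. The field order and widths follow the slide; the big-endian on-disk byte order, the IPv4/TCP/UDP constants, the 4-byte CRC added to the captured length, and the two sample frames are assumptions or constructed test data. A libpcap probe would call frame_to_record() from its capture callback with the header's caplen and len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard protocol constants; the slide names the fields, not the values. */
#define ETH_HDR_LEN    14
#define ETH_FCS_LEN     4        /* the CRC the slide includes in "length" */
#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_TCP    6
#define IP_PROTO_UDP   17
#define LOG_RECORD_LEN 18        /* 1+2+2+4+4+1+2+2, from the slide */

/* One log record; field order and widths as on the slide. */
struct log_record {
    uint8_t  minute;             /* frame capture time, minute of the hour */
    uint16_t length;             /* Ethernet header + data + CRC */
    uint16_t frame_type;         /* Ethernet Type */
    uint32_t src_ip, dst_ip;     /* 0 when the frame is not IPv4 */
    uint8_t  protocol;           /* IP protocol number, 0 when not IPv4 */
    uint16_t src_port, dst_port; /* TCP/UDP ports, 0 when absent or not captured */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Fill rec from one captured frame.  caplen = bytes actually captured, wirelen =
 * on-wire size without the FCS (as libpcap reports it; assumption).  Returns -1
 * only when the Ethernet header itself is missing.  Every header byte is
 * bounds-checked against caplen first: the frame comes straight off a
 * promiscuous interface, so a short or malformed packet must never make the
 * probe read past its buffer. */
int frame_to_record(const uint8_t *frame, size_t caplen, size_t wirelen,
                    uint8_t minute, struct log_record *rec)
{
    if (caplen < ETH_HDR_LEN) return -1;
    rec->minute = minute;
    rec->length = (uint16_t)(wirelen + ETH_FCS_LEN);
    rec->frame_type = rd16(frame + 12);
    rec->src_ip = rec->dst_ip = 0; rec->protocol = 0; rec->src_port = rec->dst_port = 0;
    if (rec->frame_type != ETHERTYPE_IPV4 || caplen < ETH_HDR_LEN + 20)
        return 0;                            /* non-IP frame (e.g. ARP) or truncated IP header */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    rec->protocol = ip[9];
    rec->src_ip = rd32(ip + 12);
    rec->dst_ip = rd32(ip + 16);
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    unsigned frag_off = rd16(ip + 6) & 0x1FFFu;
    if ((rec->protocol != IP_PROTO_TCP && rec->protocol != IP_PROTO_UDP) ||
        frag_off != 0 ||                     /* ports exist only in the first fragment */
        ihl < 20 ||                          /* bogus IHL */
        caplen < ETH_HDR_LEN + ihl + 4)      /* transport header not captured */
        return 0;
    rec->src_port = rd16(ip + ihl);
    rec->dst_port = rd16(ip + ihl + 2);
    return 0;
}

/* Serialize to the 18-byte on-disk layout.  Big-endian is an assumption; the
 * slide fixes only the field widths.  Returns the number of bytes written. */
size_t pack_record(const struct log_record *r, uint8_t out[LOG_RECORD_LEN])
{
    out[0] = r->minute;
    wr16(out + 1, r->length);
    wr16(out + 3, r->frame_type);
    wr32(out + 5, r->src_ip);
    wr32(out + 9, r->dst_ip);
    out[13] = r->protocol;
    wr16(out + 14, r->src_port);
    wr16(out + 16, r->dst_port);
    return LOG_RECORD_LEN;
}

/* Constructed sample: Ethernet/IPv4/TCP SYN 192.168.1.10:34567 -> 10.0.0.5:80.
 * Checksums are left zero; this is test data, not a real capture. */
const uint8_t sample_tcp_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    0x87,0x07,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00,
};
/* Constructed sample: ARP request, so no IP or port fields exist. */
const uint8_t sample_arp_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01,
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0xc0,0xa8,0x01,0x0a,
    0x00,0x00,0x00,0x00,0x00,0x00, 0x0a,0x00,0x00,0x05,
};

int main(void)
{
    struct log_record r;
    uint8_t buf[LOG_RECORD_LEN];
    frame_to_record(sample_tcp_frame, sizeof sample_tcp_frame, sizeof sample_tcp_frame, 17, &r);
    pack_record(&r, buf);
    for (size_t i = 0; i < LOG_RECORD_LEN; i++) printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```

The check that matters for a probe on a promiscuous interface is the caplen guard on every field: an IHL below 20, a transport header that fell outside the capture length, or a non-first fragment all leave the port columns at zero rather than reading past the buffer, and a non-IP frame still produces a record with its frame type and length so the layer-2 totals stay right.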
(19/28) Hashing into the database (diagram): hashingtodb reads the log file, hashes the log-format records and makes the minute table; maketable then builds the hour, day, month and year tables from it (minute, hourly, daily, monthly, yearly). Table row: time, frame type, src ip, dst ip, protocol, src port, dst port, total size, count.
(20/28) Example table minute_2001_11_01_12_table (2001-11-01, hour 12):

  Field       Type               Null  Key  Default  Description
  minute      TINYINT UNSIGNED   No    PRI           0 ~ 59
  ether_type  SMALLINT UNSIGNED  No    PRI           0 ~ 65,535
  src_ip      INT UNSIGNED       No    PRI           0 ~ 4,294,967,295
  dst_ip      INT UNSIGNED       No    PRI           0 ~ 4,294,967,295
  protocol    TINYINT UNSIGNED   No    PRI           0 ~ 255
  src_port    SMALLINT UNSIGNED  No    PRI           0 ~ 65,535
  dst_port    SMALLINT UNSIGNED  No    PRI           0 ~ 65,535
  length      BIGINT UNSIGNED    No         20
  count       INT UNSIGNED       No                  0 ~ 4,294,967,295
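The hashing step that fills the minute table, as an added example that is not the system's own hashingtodb or maketable code: per-packet records are folded into rows keyed by the seven PRIMARY KEY columns of the table above, with length summed and count incremented, and the hourly table is derived by re-keying the minute rows with the minute cleared. The table size, the FNV-1a hash and the 1000 constructed packet records are assumptions; the slide's own figure was 848,869 packets into 46,141 rows for one minute.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PRIMARY KEY columns of the minute table, in slide order. */
struct minute_key {
    uint8_t minute; uint16_t ether_type; uint32_t src_ip, dst_ip;
    uint8_t protocol; uint16_t src_port, dst_port;
};
/* One row: key plus the aggregated columns (length BIGINT, count INT). */
struct minute_row { struct minute_key key; uint64_t length; uint32_t count; int used; };

#define TABLE_SIZE 4096                  /* power of two; sizing is an assumption */
struct agg_table { struct minute_row rows[TABLE_SIZE]; size_t distinct; };

/* FNV-1a over the key fields (hash choice is an assumption).  Keys are hashed and
 * compared field by field, never by memcmp, so struct padding cannot split
 * identical keys into different rows. */
static uint32_t hash_key(const struct minute_key *k)
{
    uint32_t parts[7] = { k->minute, k->ether_type, k->src_ip, k->dst_ip,
                          k->protocol, k->src_port, k->dst_port }, h = 2166136261u;
    for (size_t i = 0; i < 7; i++)
        for (int b = 0; b < 32; b += 8) { h ^= (parts[i] >> b) & 0xFFu; h *= 16777619u; }
    return h;
}
static int key_equal(const struct minute_key *a, const struct minute_key *b)
{
    return a->minute == b->minute && a->ether_type == b->ether_type && a->src_ip == b->src_ip &&
           a->dst_ip == b->dst_ip && a->protocol == b->protocol &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* Add `count` frames totalling `length` bytes under key k (linear probing).
 * Returns -1 when the table is full: the caller must then flush to the DB and
 * clear, not drop records silently. */
int table_add(struct agg_table *t, const struct minute_key *k, uint64_t length, uint32_t count)
{
    uint32_t i = hash_key(k) & (TABLE_SIZE - 1);
    for (size_t n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        struct minute_row *r = &t->rows[i];
        if (!r->used) {
            r->used = 1; r->key = *k; r->length = length; r->count = count;
            t->distinct++;
            return 0;
        }
        if (key_equal(&r->key, k)) { r->length += length; r->count += count; return 0; }
    }
    return -1;
}
const struct minute_row *table_find(const struct agg_table *t, const struct minute_key *k)
{
    uint32_t i = hash_key(k) & (TABLE_SIZE - 1);
    for (size_t n = 0; n < TABLE_SIZE && t->rows[i].used; n++, i = (i + 1) & (TABLE_SIZE - 1))
        if (key_equal(&t->rows[i].key, k)) return &t->rows[i];
    return NULL;
}

/* maketable step: the hour table is the minute table re-keyed with minute
 * cleared, carrying counts over instead of counting packets again. */
int rollup_to_hour(const struct agg_table *minute, struct agg_table *hour)
{
    memset(hour, 0, sizeof *hour);
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (!minute->rows[i].used) continue;
        struct minute_key k = minute->rows[i].key;
        k.minute = 0;
        if (table_add(hour, &k, minute->rows[i].length, minute->rows[i].count) < 0) return -1;
    }
    return 0;
}

struct minute_key make_key(uint8_t minute, uint16_t et, uint32_t s, uint32_t d, uint8_t p, uint16_t sp, uint16_t dp)
{ struct minute_key k = { minute, et, s, d, p, sp, dp }; return k; }
uint64_t lookup_length(const struct agg_table *t, struct minute_key k)
{ const struct minute_row *r = table_find(t, &k); return r ? r->length : 0; }
uint32_t lookup_count(const struct agg_table *t, struct minute_key k)
{ const struct minute_row *r = table_find(t, &k); return r ? r->count : 0; }

struct agg_table demo_minute, demo_hour;     /* file scope: too large for a small stack */

/* Constructed input: 1000 per-packet records from three flows across two
 * minutes, fed one packet at a time as the probe's log file would supply them. */
size_t build_demo(void)
{
    memset(&demo_minute, 0, sizeof demo_minute);
    struct minute_key a17 = make_key(17, 0x0800, 0xC0A8010Au, 0x0A000005u, 6, 34567, 80);
    struct minute_key b17 = make_key(17, 0x0800, 0x0A000005u, 0xC0A8010Au, 6, 80, 34567);
    struct minute_key a18 = a17;
    a18.minute = 18;
    for (int i = 0; i < 600; i++) table_add(&demo_minute, &a17, 1514, 1);
    for (int i = 0; i < 300; i++) table_add(&demo_minute, &b17, 60, 1);
    for (int i = 0; i < 100; i++) table_add(&demo_minute, &a18, 1514, 1);
    rollup_to_hour(&demo_minute, &demo_hour);
    return demo_minute.distinct;
}

int main(void)
{
    printf("1000 packets -> %zu minute rows, %zu hour rows\n", build_demo(), demo_hour.distinct);
    return 0;
}
```

Two points carry over to the real tables: the key must be compared column by column (a memcmp over a padded struct would double-count identical flows), and a full table must be flushed to the database rather than overwritten, since a burst of distinct source ports, which is exactly what a port scan or a P2P swarm produces, is when the row count spikes.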
(21/28) Web-based traffic analyzer (diagram): the Database holds minute_table, hour_table, day_table, month_table, year_table and a port information table; the Analyzer CGI sends SQL and receives the reply, and the port management CGI maintains the port information; the Web Server takes the user's request and returns the response (UDP/TCP traffic by port information).
(22/28) Implementation (diagram):
  - probe: packet capture using libpcap in the distributed environment; packet header information is saved minutely (on a signal) into a binary log file shared over NFS
  - packet analyzer: run from CRON minutely; makes the hashing log format and saves the minute data into the database, then makes the hourly, daily, monthly and yearly tables (MySQL client)
  - web-based traffic analyzer: C-CGI with MySQL client on an Apache web server; SQL to the MySQL server and reply; HTTP to the Internet user (minutely ~ yearly)
  - hardware: 3 PCs, Pentium III 800 MHz, 256 MB, Linux; MySQL Server database
(23/28) Measurement compared with MRTG (fragment: 40 ~ 44, 5): WebTrafMon II 95.8 Mbps; MRTG 94.7 Mbps.
(26/28) Fragments: UDP/TCP; application layer
(27/28) Fragments: UDP/TCP
(28/28) Fragments: IPoATM; 1 Gbps; SLA (Service Level Agreement); Network Level