DOCSLIB.ORG

Realtime High-Speed Network Traffic Monitoring Using Ntopng

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Realtime High-Speed Network Traffic Monitoring Using ntopng Luca Deri, IIT/CNR and ntop; Maurizio Martinelli, IIT/CNR; Alfredo Cardigliano, ntop https://www.usenix.org/conference/lisa14/conference-program/presentation/deri-luca This paper is included in the Proceedings of the 28th Large Installation System Administration Conference (LISA14). November 9–14, 2014 • Seattle, WA ISBN 978-1-931971-17-1 Open access to the Proceedings of the 28th Large Installation System Administration Conference (LISA14) is sponsored by USENIX Realtime High-Speed Network Traffic Monitoring Using ntopng ! Luca Deri, IIT/CNR, ntop Maurizio Martinelli, IIT/CNR Alfredo Cardigliano, ntop ! ! ! Abstract facilitating the monitoring of virtual environments. Monitoring network traffic has become increasingly These are only partial solutions because either v5 Net- challenging in terms of number of hosts, protocol pro- Flow (or v9 with basic information elements only) or liferation and probe placement topologies. Virtualised inaccurate, sample-based sFlow are supported. Network environments and cloud services shifted the focus from managers need traffic monitoring tools that are able to dedicated hardware monitoring devices to virtual ma- spot bottlenecks and security issues while providing accurate information for troubleshooting the cause. This chine based, software traffic monitoring applications. This paper covers the design and implementation of means that while NetFlow/sFlow can prove a quantita- ntopng, an open-source traffic monitoring application tive analysis in terms of traffic volume and TCP/UDP designed for high-speed networks. ntopng’s key fea- ports being used, they are unable to report the cause of tures are large networks real-time analytics and the abil- the problems. For instance, NetFlow/IPFIX can be used ity to characterise application protocols and user traffic to monitor the bandwidth used by the HTTP protocol behaviour. ntopng was extensively validated in various but embedded NetFlow probes are unable to report that monitoring environments ranging from small networks specific URLs are affected by large service time. to .it ccTLD traffic analysis. Today a single application may be based on complex cloud-based services comprised of several processes ! distributed across a LAN. Until a few years ago web 1. Introduction applications were constructed using a combination of Network traffic monitoring standards such as sFlow [1] web servers, Java-based business logic and a database and NetFlow/IPFIX [2, 3] have been conceived at the servers. The adoption of cache servers (e.g. memcache beginning of the last decade. Both protocols have been and redis) and mapReduce-based databases [5] (e.g. designed for being embedded into physical network Apache Cassandra and MongoDB) increased the appli- devices such as routers and switches where the network cations’ architectural complexity. The distributed nature traffic is flowing. In order to keep up with the increas- of this environment needs application level information ing network speeds, sFlow natively implements packet to support effective network monitoring. For example, sampling in order to reduce the load on the monitoring it is not sufficient to report which specific TCP connec- probe. While both flow and packet sampling is support- tion has been affected by a long service time without ed in NetFlow/IPFIX, network administrators try to reporting the nature of the transaction (e.g. the URL for avoid these mechanisms in order to have accurate traffic HTTP, or the SQL query for a database server) that measurement. Many routers have not upgraded their caused the bottleneck. Because modern services use monitoring capabilities to support the increasing num- dynamic TCP/UDP ports the network administrator bers of 1/10G ports. Unless special probes are used, needs to know what ports map to what application. The traffic analysis based on partial data results in inaccu- result is that traditional device-based traffic monitoring rate measurements. devices need to move towards software-based monitor- Physical devices cannot monitor virtualised environ- ing probes that increase network visibility at the user ments because inter-VM traffic is not visible to the and application level. As this activity cannot be per- physical network interface. Over the years however, formed at network level (i.e. by observing traffic at a virtualisation software developers have created virtual monitoring point that sees all traffic), software probes network switches with the ability to mirror network are installed on the physical/virtual servers where ser- traffic from virtual environments into physical Ethernet vices are provided. This enables probes to observe the ports where monitoring probes can be attached. Recent- system internals and collect information (e.g. what user/ ly, virtual switches such as VMware vSphere Dis- process is responsible for a specific network connec- tributed Switch or Open vSwitch natively support Net- tion) that would be otherwise difficult to analyse out- Flow/sFlow for inter-VM communications [4], thus side the system’s context just by looking at packets. USENIX Association 28th Large Installation System Administration Conference (LISA14) 69 Network administrators can then view virtual and cloud last decade according to the Moore’s law, system ar- environments in real-time. The flow-based monitoring chitecture support for increasing network interface paradigm is by nature unable to produce real-time in- speeds (10/10 Mbps to 10/40 today) has not always formation [17]. Flows statistics such as throughput can been proportional. As it will be later explained it is be computed in flow collectors only for the duration of necessary to keep up with current network speeds the flow, which is usually between 30 and 120 seconds without dropping packets. (if not more). This means that using the flow paradigm, • While non-IP protocols basically disappeared, appli- network administrators cannot have a real-time traffic cation protocols have significantly increased and they view due to the latency intrinsic to this monitoring ar- still change rapidly as new popular applications ap- chitecture (i.e. flows are first stored into the flow cache, pear (e.g. Skype). The association UDP/TCP port then in the export cache, and finally sent to the collec- with an application protocol is no longer static, so tor) and also because flows can only report average unless other techniques, such as DPI (Deep Packet values (i.e. the flow throughout can be computed by Inspection) [6] are in place, identifying applications dividing the flow data volume for its duration) thus hid- based on ports is not reliable. ing, for instance, traffic spikes. • As TLS (Transport Layer Security) [7] is becoming The creation of ntopng, an open-source web-based pervasive and no longer limited to secure HTTP, net- monitoring console, was motivated by the challenges of work administrators need partial visibility of encrypt- monitoring modern network topologies and the limita- ed communications. tions of current traffic monitoring protocols. The main goal of ntopng is the ability to provide a real-time view • The HTTP protocol has greatly changed, as it is no of network traffic flowing in large networks (i.e. a few longer used to carry, as originally designed, hypertext hundred thousand hosts exchanging traffic on a multi- only. Instead, it is now used for many other purposes Gbit link) while providing dynamic analytics able to including audio/video streaming, firewall trespassing show key performance indicators and bottleneck root and in many peer-to-peer protocols. This means that cause analysis. The rest of the paper is structured as today HTTP no longer identifies only web-related follow. Section 2 describes the ntopng design goals. activities, and thus monitoring systems need to char- Section 3 covers the ntopng architecture and its major acterise HTTP traffic in detail. software components. Section 4 evaluates the ntopng In addition to the above requirements, ntopng has been implementation using both real and synthetic traffic. designed to satisfy the following goals: Section 5 covers the open issues and future work items. Section 6 lists applications similar to ntopng, and final- • Created as open-source software in order to let users ly section 7 concludes the paper. study, improve, and modify it. Code availability is not a minor feature in networking as it enables users to ! compile and run the code on heterogeneous platforms 2. ntopng Design Goals and network environments. Furthermore, the adoption ntopng’s design is based on the experience gained from of this license allows existing open-source libraries creating its predecessor, named ntop (and thus the name and frameworks to be used by ntopng instead of cod- ntop next generation or ntopng) and first introduced in ing everything from scratch as it often happens with 1998. When the original ntop was designed, networks closed-source applications. were significantly different. ntopng’s design reflects new realities: • Operate at 10 Gbit without packet loss on a network backbone where user traffic is flowing (i.e. average • Today’s protocols are all IP-based, whereas 15 years packet size is 512 bytes or more), and support at least ago many others existed (e.g. NetBIOS, AppleTalk, 3 Mpps (Million Packets/sec) per core on a commodi- and IPX). Whereas only limited non-IP protocol sup- ty system, so that a low-end quad-core server may port is needed, v4/v6 needs additional, and more ac- monitor a 10 Gbit link with minimal size packets (64
Recommended publications
  • Monitoring Network Traffic Using Ntopng

    Monitoring Network Traffic Using Ntopng

    Monitoring Network Traffic using ntopng Luca Deri <[email protected]> © 2013 - ntop.org Outlook • What are the main activities of ntop.org ? • ntop’s view on network monitoring. • From ntop to ntopng. • ntopng architecture and design. • Using ntopng. • Advanced monitoring with ntopng. • Future roadmap items. "2 © 2013 - ntop.org About ntop.org [1/2] • Private company devoted to development of open source network traffic monitoring applications. • ntop (circa 1998) is the first app we released and it is a web-based network monitoring application. • Today our products range from traffic monitoring, high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration. "3 © 2013 - ntop.org About ntop.org [2/2] • Our software is powering many commercial products... "4 © 2013 - ntop.org ntop Goals • Provide better, yet price effective, traffic monitoring solution by enabling users to have increased traffic visibility. • Go beyond standard metrics and increase traffic visibility by analysing key protocols in detail. • Provide users comprehensive and accurate traffic reports able to offer at a fraction of price what many commercial products do together. • Promote open-source software, while protecting selected IPRs. "5 © 2013 - ntop.org ntop’s Approach to Traffic Monitoring • Ability to capture, process and (optionally) transmit traffic at line rate, any packet size. • Leverage on modern multi-core/NUMA architectures in order to promote scalability. • Use commodity hardware for producing affordable, long-living (no vendor lock), scalable (use new hardware by the time it is becoming available) monitoring solutions. • Use open-source to spread the software, and let the community test it on unchartered places. "6 © 2013 - ntop.org Some History • In 1998, the original ntop has been created.
  • Ngenius Collector Appliance Scalable, High-Capacity Appliance for Collection of Cisco Netflow and Other Flow Data

    Ngenius Collector Appliance Scalable, High-Capacity Appliance for Collection of Cisco Netflow and Other Flow Data

    l DATA SHEET l nGenius Collector Appliance Scalable, High-Capacity Appliance for Collection of Cisco NetFlow and Other Flow Data Product Overview HIGHLIGHTS Deployed at key traffic aggregation locations, nGenius® Collectors extend the reach of the nGeniusONE® Service Assurance solution and are used primarily to generate flow‑based • Measure service responsiveness across statistics (metadata) in memory for specific traffic types. This NETSCOUT data source collects the network with up to 500 Cisco IP SLA metadata on IP SLA and IPPING protocols, flow data from NetFlow routers, link‑level statistics, synthetic transaction tests and utilization data from MIB‑II routers. • Scalable collection of up to 2 million Cisco NetFlow, IPFIX, Juniper J-Flow, Huawei® Listening passively on an Ethernet wire, nGenius Collectors examine specific traffic collected NetStream and sFlow flows per minute from flow‑enabled routers and switches (e.g., Cisco® NetFlow, Juniper® J-Flow, sFlow®, ® • Captures and stores Flow datagrams for NetStream ) and from IP SLA test results to generate a variety of statistics. In addition, Collectors historical deep-dive analysis can be configured to capture datagrams from Flow‑enabled routers and analyze them via datagram capture, which allows users to perform in‑depth capture and filtering. • Collects Flow data from up to 5,000 flow‑enabled router or switch interfaces Metrics from nGenius Collectors are retrieved through a managing nGenius for Flows Server per appliance for analysis, enabling display of utilization metrics, quality of service (QoS) breakdowns, and • Supports both IPv4 and IPv6 environments application breakdowns in nGenius for Flows and other tools in the nGeniusONE Service • Purpose-built hardware and virtual Assurance Solution.
  • Ntopng User's Guide

    Ntopng User's Guide

    ! !!" ! ! ! ! ! ! ! ! ! ! ! ! ntopng User’s Guide" High-Speed Web-based Traffic Analysis and Flow Collection " ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! Version 1.2" August 2014!" ! ! © 1998-14 - ntop.org" ntopng User’s Guide v.1.2 1.Table of Contents" ! 1. What’s New?"......................................................................................3" 2.It’s time for a completely new ntop."............................................................5" 3. Introduction"..............................................................................................6" 3.1. The main design principles"................................................................7" 3.2. What ntopng can do for me?"..............................................................7" 3.3. ntopng Architecture"..........................................................................9" 3.4. Download ntopng"............................................................................10" 4.Using ntopng"...........................................................................................11" 4.1. Compiling ntopng Source Code".......................................................11" 4.2. Installing a Binary ntopng"................................................................11" 4.3. ntopng Command Line Options".......................................................11" 4.4. ntopng on Windows".........................................................................16" 5. API Scripting Lua".....................................................................................18"
  • Netflow Traffic Analyzer Real-Time Network Utilization and Bandwidth Monitoring

    Netflow Traffic Analyzer Real-Time Network Utilization and Bandwidth Monitoring

    DATASHEET NetFlow Traffic Analyzer Real-Time Network Utilization and Bandwidth Monitoring An add-on to Network Performance Monitor (NPM), SolarWinds® NetFlow DOWNLOAD FREE TRIAL Traffic Analyzer (NTA) is a multi-vendor flow analysis tool designed to proactively reduce network downtime. NTA delivers actionable insights Fully Functional to help IT pros troubleshoot and optimize spend on bandwidth by better for 30 Days understanding the who, what, and where of traffic consumption. Solve practical operational infrastructure problems with actionable insights and save money with informed network investments. WHY CHOOSE NETFLOW TRAFFIC ANALYZER? • NTA collects and analyzes flow data from multiple vendors, including NetFlow v5 and v9, Juniper® J-Flow™, sFlow®, Huawei® NetStream™, and IPFIX. • NTA alerts you to changes in application traffic or if a device stops sending flow data. • NTA supports advanced application recognition with Cisco® NBAR2. • NTA shows pre- and post-policy CBQoS class maps, so you can optimize your CBQoS policies. • NTA can help you identify malicious or malformed traffic with port 0 monitoring. • NTA includes WLC network traffic analysis so you can see what’s using your wireless bandwidth. • NTA supplements Network Performance Monitor by helping to identify the cause of high bandwidth. Built on the Orion® Platform, NTA provides the ability to purchase and fully integrate with additional network monitoring modules (config management, WAN management, VoIP, device tracking, IP address management), as well as systems, storage, and virtualization management in a single web console. page 1 DATASHEET: NETFLOW TRAFFIC ANALYZER FEATURES New! VMware vSphere Distributed Switch (VDS) Support Comprehensive support for the VMware VDS, providing visibility within the switch fabric to your east-west VM traffic to help IT pros avoid service impacts when moving workloads.
  • Netflow Optimizer™

    Netflow Optimizer™

    NetFlow Optimizer™ Installation and Administration Guide Version 2.4.7 (Build 2.4.7.0.23) January 2017 © Copyright 2013-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents Overview ....................................................................................................................................................................... 3 How NetFlow Optimizer Works .................................................................................................................................. 3 How NFO Updater Works .......................................................................................................................................... 3 NetFlow Optimizer Installation Guide ......................................................................................................................... 4 Before You Install NFO ................................................................................................................................................ 4 Pre-Installation Checklist ........................................................................................................................................... 4 Minimum Requirements ............................................................................................................................................. 4 Supported Platforms .............................................................................................................................................. 4 Virtual Hardware
  • Rethinking Hyper- Converged Infrastructure for Edge Computing

    Rethinking Hyper- Converged Infrastructure for Edge Computing

    OpenInfra Days Shanghai 2019 Rethinking Hyper- Converged Infrastructure for Edge Computing Feng Li (李枫) [email protected] Nov 5,2019 Agenda I. Edge Computing Overview Outstanding Platforms Status, Trend, and HCI Summary II. Overall Design Design Goals & Principles Hardware Platform Why is eBPF eBPF Development III. Testbed Development Boards Software Platform Development Model IV. Computing, Networking, Storage HPC Networking ntopng DRedis Rethink Lightweight Storage Solutions V. Containerization, Services, and DevOps Kata Container Lightweight Kubernetes Cilium In-Kernel Services VI. Distributed Framework Ray My Practice VII. Messaging & RPC gRPC & Protobuf Rethink In-Kernel Messaging VIII. Data Processing Apache Arrow Lightweight Solution IX. Artificial Intelligence Trends TVM ARM NN My Practice X. Monitoring, Tuning, and Debugging Extending LISA Extending ntopng My Practice XI. Security Reference Design Hardware-Software Co-designed System Security XII. Miscs New Python Runtime FPGA XIII.eBPF-centric New Design Software Architecture XIV.Wrap-up I. Edge Computing 1) Overview https://en.wikipedia.org/wiki/Edge_computing a distributed computing paradigm which brings computation and data storage closer to the location where it is needed, to improve response times and save bandwidth.… https://www.networkworld.com/article/3224893/what-is-edge- computing-and-how-it-s-changing-the-network.html a way to streamline the flow of traffic from IoT devices and provide real-time local data analysis Intelligent
  • Getting the Most from Your Linux Cluster

    Getting the Most from Your Linux Cluster

    Linux Clusters Institute: Intro to Networking Bill Abbott Sysadmin – Office of Advanced Research Computing Rutgers University August 2019 1 Background Survey • Familiarity with… • Ethernet • InfiniBand /OmniPath • Fibre Channel • TCP/IP • Firewalls and DMZ • Switches and routers • Tools: • Basic: ip/ifconfig, netstat, ethtool, top • Advanced: tcpdump, iptraf-ng, ntop • Performance: iperf3, bbcp, iftop August 2019 2 What are We Trying to Accomplish? • Speed • Latency vs Bandwidth • Reliability • Accessibility • Public • Campus • Inside/outside • VPN • DMZ August 2019 3 TCP/IP Necessary Background Needed: • Public vs Private (RFC 1918) Addressing • 10.xx.xx.xx • 192.168.xx.xx • 172.16-31.xx.xx • Subnetting • Gateway(s) • DNS • IPv6 August 2019 4 A TCP/IP example You work at Company A. You have to contact Company B’s web department to acquire some data. • You have to call on the phone but don’t know the number, just the company name. • You call 411 and ask, and they give you the number. • You call that number and ask for extension 80. • The person who answers says hello, and you say hello. • The person tells you to call extension 443 instead. • The person who answers says hello, and you say hello. • You request the data, and the person reads it to you. • You both say goodbye. August 2019 5 Ethernet vs InfiniBand (IB) and OmniPath (OPA) • Most clusters have both Ethernet and IB or OPA • Advantages and disadvantages of each • (Relatively) slow Ethernet for external access, file copying, etc. • IB and OPA for MPI • RDMA vs IP • Management (PXE,
  • Flow-Tools Tutorial

    Flow-Tools Tutorial

    Flow-tools Tutorial SANOG 6 Bhutan Agenda • Network flows • Cisco / Juniper implementation – NetFlow • Cisco / Juniper Configuration • flow-tools programs overview and examples from Abilene and Ohio- Gigapop Network Flows • Packets or frames that have a common attribute. • Creation and expiration policy – what conditions start and stop a flow. • Counters – packets,bytes,time. • Routing information – AS, network mask, interfaces. Network Flows • Unidirectional or bidirectional. • Bidirectional flows can contain other information such as round trip time, TCP behavior. • Application flows look past the headers to classify packets by their contents. • Aggregated flows – flows of flows. Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 10.0.0.1 login: 10.0.0.2 Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 Unidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0 Bidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort
  • Brocade Vyatta Network OS Data Sheet

    Brocade Vyatta Network OS Data Sheet

    DATA SHEET Brocade Vyatta Network OS HIGHLIGHTS A Network Operating System for the Way Forward • Offers a proven, modern network The Brocade® Vyatta® Network OS lays the foundation for a flexible, easy- operating system that accelerates the adoption of next-generation to-use, and high-performance network services architecture capable of architectures meeting current and future network demands. The operating system was • Creates an open, programmable built from the ground up to deliver robust network functionality that can environment to enhance be deployed virtually or as an appliance, and in concert with solutions differentiation, service quality, and from a large ecosystem of vendors, to address various Software-Defined competitiveness Networking (SDN) and Network Functions Virtualization (NFV) use cases. • Supports a broad ecosystem for With the Brocade Vyatta Network OS, organizations can bridge the gap optimal customization and service between traditional and new architectures, as well as leverage existing monetization investments and maximize operational efficiencies. Moreover, they can • Simplifies and automates network compose and deploy unique, new services that will drive differentiation functions to improve time to service, increase operational efficiency, and and strengthen competitiveness. reduce costs • Delivers breakthrough performance flexibility, performance, and operational and scale to meet the needs of any A Proven, Modern Operating efficiency, helping organizations create deployment System The Brocade Vyatta Network OS new service offerings and value. Since • Provides flexible deployment options separates the control and data planes in 2012, the benefits of this operating to support a wide variety of use cases software to fit seamlessly within modern system have been proven by the Brocade SDN and NFV environments.
  • Introduction to Netflow

    Introduction to Netflow

    Introduction to Netflow Campus Network Design & Operations Workshop These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated 14th December 2018 Agenda • Netflow – What it is and how it works – Uses and applications • Generating and exporting flow records • Nfdump and NfSen – Architecture – Usage • Lab What is a Network Flow • A set of related packets • Packets that belong to the same transport connection. e.g. – TCP, same src IP, src port, dst IP, dst port – UDP, same src IP, src port, dst IP, dst port – Some tools consider "bidirectional flows", i.e. A->B and B->A as part of the same flow http://en.wikipedia.org/wiki/Traffic_flow_(computer_networking) Simple flows = Packet belonging to flow X = Packet belonging to flow Y Cisco IOS Definition of a Flow • Unidirectional sequence of packets sharing: – Source IP address – Destination IP address – Source port for UDP or TCP, 0 for other protocols – Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols – IP protocol – Ingress interface (SNMP ifIndex) – IP Type of Service IOS: which of these six packets are in the same flows? Src IP Dst IP Protocol Src Port Dst Port A 1.2.3.4 5.6.7.8 6 (TCP) 4001 22 B 5.6.7.8 1.2.3.4 6 (TCP) 22 4001 C 1.2.3.4 5.6.7.8 6 (TCP) 4002 80 D 1.2.3.4 5.6.7.8 6 (TCP) 4001 80 E 1.2.3.4 8.8.8.8 17 (UDP) 65432 53 F 8.8.8.8 1.2.3.4 17 (UDP) 53 65432 IOS: which of these six packets are in the same flows? Src IP Dst IP Protocol Src Port Dst Port A 1.2.3.4 5.6.7.8 6 (TCP) 4001 22 B 5.6.7.8 1.2.3.4 6 (TCP) 22 4001 C 1.2.3.4 5.6.7.8 6 (TCP) 4002 80 D 1.2.3.4 5.6.7.8 6 (TCP) 4001 80 E 1.2.3.4 8.8.8.8 17 (UDP) 65432 53 F 8.8.8.8 1.2.3.4 17 (UDP) 53 65432 What about packets “C” and “D”? Flow Accounting • A summary of all the packets seen in a flow (so far): – Flow identification: protocol, src/dst IP/port..
  • Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software

    Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software

    Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software Luca Deri, NETikos S.p.A. not only in terms of volume but also in terms of type, as Abstract—Passive network monitoring is a complex these applications redefined the concept of client and server. activity that mainly consists in packet capturing and Usually a server is a host that provides a service to several classification. Unfortunately this architecture often cannot clients. In terms of IP traffic: be applied to gigabit networks, as the amount of data to • A client establishes one or more connections with a capture is too large for the monitoring applications. server, uses the server, and then closes the connections. This paper describes the challenges and lessons learnt by the author while monitoring networks at gigabit speeds and • Servers can exchange data with both clients and above. Finally, it describes an architecture able to servers, whereas clients talk only with servers. successfully monitor networks at high speeds using • Client to server connections are often asymmetrical commodity hardware and open source software. (e.g. in HTTP the client sends little data with respect to the server). Index Terms—Passive Network Monitoring, Packet Capture, NetFlow, sFlow. • Packets such as ICMP port unreachable or TCP packets with the RST flag set are relatively rare, and they are used to indicate that there is a problem somewhere. I. PASSIVE NETWORK MONITORING: STATE OF THE ART • Servers and applications usually listen on well-known ears ago, many computer specialists predicted the need ports. Yto have more bandwidth available because people were supposed to need it mostly for multimedia applications.
  • 20 Linux System Monitoring Tools Every Sysadmin Should Know

    20 Linux System Monitoring Tools Every Sysadmin Should Know

    20 Linux System Monitoring Tools Every SysAdmi... http://www.cyberciti.biz/tips/top-linux-monitoring-t... About Forum Howtos & FAQs Low graphics Shell Scripts RSS/Feed nixcraft - insight into linux admin work powered by Howtos: Linux / UNIX: Speed up SSH X11 Forwarding - Jan 05, 2011 20 Linux System Monitoring Tools Every SysAdmin Should Know by Vivek Gite on June 27, 2009 · 177 comments Need to monitor Linux server performance? Try these built-in command and a few add-on tools. Most Linux distributions are equipped with tons of monitoring. These tools provide metrics which can be used to get information about system activities. You can use these tools to find the possible causes of a performance problem. The commands discussed below are some of the most basic commands when it comes to system analysis and debugging server issues such as: 1. Finding out bottlenecks. 2. Disk (storage) bottlenecks. 3. CPU and memory bottlenecks. 4. Network bottlenecks. #1: top - Process Activity Command The top program provides a dynamic real-time view of a running system i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds. 1 of 45 01/13/2011 01:26 AM 20 Linux System Monitoring Tools Every SysAdmi... http://www.cyberciti.biz/tips/top-linux-monitoring-t... Fig.01: Linux top command Commonly Used Hot Keys The top command provides several useful hot keys: Hot Usage Key t Displays summary information off and on. m Displays memory information off and on. Sorts the display by top consumers of various system resources.