CONTENTS
Question Number 1 ........ 2
Intrusive Monitoring ........ 8
Privacy protection ........ 13
Personal Information ........ 14
IP address ........ 14
MAC address ........ 15
URL ........ 16
Packet Loss ........ 24
Page 1
NETWORK MONITORING
Question No: 1
Propose two network scenarios where SNMP and NetFlow monitoring should be used to
observe specific problems occurring (one scenario for SNMP and one for NetFlow). As part
of the answer, you should describe the scenario, the possible problem(s), and explain why
SNMP or NetFlow are the preferred alternative.
Computer networking generally refers to a setup that enables a group of computers to communicate with each other and share data and resources. Telecommunications has grown enormously and the Internet now spans the globe. Crucial sectors such as science, medicine and engineering rely on computer networks to transfer huge volumes of data from one location to another. Consequently, an efficient monitoring system is essential for preserving the security of such networks. Network monitoring systems are software or hardware capable of analysing network performance in order to prevent security threats and provide better operational visibility.
Currently there are many network monitoring and management protocols. In this section two important methods of network monitoring, SNMP and NetFlow, are discussed in turn.
Scenario
Consider the case of an international bank with multiple branches all over the country. These branches are interconnected through the bank's main server in London. The bank has allotted each server a different LAN dealing with different operations such as user accounts, online transactions and so on. On a peak day the employees reported to the network manager that the bank's network connection was too slow to carry out customer services such as updating accounts and accessing user details. On receiving this report, the administrator analysed the network performance in detail. The architecture of the bank's network can be plotted as follows.
The bank's network has SNMP implemented throughout. As a result, each device in the network has its own SNMP agent, which updates the corresponding device's performance data periodically. These agents report errors or device failures to the Network Monitoring System (NMS), and the information is stored in the Management Information Base (MIB).
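As an added example (not part of the original coursework, and not the bank's or any vendor's code), the following Python turns the periodic ifInOctets polls an NMS collects from each agent into link utilisation, which is what an administrator would look at first when a branch reports a slow network. The poll values are constructed; the OIDs are the standard IF-MIB ones; the 100 Mbit/s link speed, the 5 s polling interval and the 80 % alarm threshold are assumptions.

```python
"""Interface utilisation from periodic SNMP counter polls.

The NMS polls each device's agent for ifInOctets / ifOutOctets (IF-MIB) at a
fixed interval; the difference between two successive polls, divided by the
interval and the interface speed, gives the link utilisation.  The 32-bit
counters wrap at 2^32, so a naive "current minus previous" goes negative on a
busy link unless the wrap is handled.
"""

# Standard IF-MIB object identifiers (the ifIndex is appended when polling).
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"       # Counter32
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"  # Counter64, preferred on fast links

LINK_SPEED_BPS = 100_000_000   # assumption: 100 Mbit/s branch link


def counter_delta(previous: int, current: int, width: int = 32) -> int:
    """Octets counted between two polls, allowing for one counter wrap."""
    if current >= previous:
        return current - previous
    return current + (1 << width) - previous


def utilisation_percent(previous: int, current: int, interval_s: float,
                        if_speed_bps: int, width: int = 32) -> float:
    """Percentage of the interface speed used over one polling interval."""
    bits = counter_delta(previous, current, width) * 8
    return 100.0 * bits / (interval_s * if_speed_bps)


def utilisation_series(polls, if_speed_bps, width=32):
    """Turn (time_s, octet_counter) polls into (time_s, percent) samples."""
    series = []
    for (t0, c0), (t1, c1) in zip(polls, polls[1:]):
        series.append((t1, utilisation_percent(c0, c1, t1 - t0, if_speed_bps, width)))
    return series


def saturated_intervals(series, threshold_percent=80.0):
    """Poll times at which utilisation reached the alarm threshold."""
    return [t for t, pct in series if pct >= threshold_percent]


# Constructed sample: ifInOctets polled every 5 s.  The link runs flat out
# for the first two intervals (the counter wraps past 2^32 during the second),
# then drops to 1 %.
SAMPLE_POLLS = [
    (0, 4_200_000_000),
    (5, 4_262_500_000),   # +62 500 000 octets -> 100 %
    (10, 30_032_704),     # wrapped: still +62 500 000 octets -> 100 %
    (15, 30_657_704),     # +625 000 octets -> 1 %
]

if __name__ == "__main__":
    for t, pct in utilisation_series(SAMPLE_POLLS, LINK_SPEED_BPS):
        print(f"t={t:>3}s  utilisation={pct:6.2f}%")
    print("saturated at:", saturated_intervals(utilisation_series(SAMPLE_POLLS, LINK_SPEED_BPS)))
```

Without the wrap handling the third sample would report a negative delta and the saturated interval would be missed; on links above 100 Mbit/s a Counter32 can wrap more than once per interval, which is why the 64-bit ifHCInOctets should be polled there.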
The architecture of the NetFlow protocol comprises three basic components:
Sensors: sniff the network traffic for loss, errors, congestion and so on.
Collectors: receive the records from the sensors and store them on disk.
Analysis systems: analyse and study the data thus obtained.
NetFlow is used for:
Network troubleshooting
Real-time network monitoring
Applying Quality of Service (QoS)
NetFlow is unidirectional and is most suitable for web traffic and TCP connection summaries. NetFlow gives more insight into network conditions than SNMP, and NetFlow also supports the analysis of a larger volume of data than the SNMP mechanism.
Scenario
Consider the case of an average business firm. The firm has two subnets, Section A and Section B, allotted to the general staff and to the office administrators respectively. The manager has an independent system connected directly to the server. The network architecture of the firm is shown as follows.
On a particular day the manager reported to the network administrator that the Internet was too slow for him to update the company profile, which is of high priority and needs to be updated daily. The manager also reported that the Internet was so weak in the afternoon session that the employees in office administration could not finish their day-to-day operational work.
On receiving this report, the network manager analysed the traffic flow throughout the network with the help of NetFlow. From the NetFlow analysis he could see that there was heavy traffic between the employee systems and the server. He could also work out that some employees were browsing video sites and online gaming sites, which took up a major portion of the firm's network bandwidth. Based on this observation, the network manager decided to stabilise the network bandwidth through the following steps.
1. Update the firewall policy to prevent employees from accessing the video and gaming sites that require high bandwidth.
2. Restrict Internet access in the afternoon session for particular employee systems that do not actually need it, thereby providing more bandwidth to the managerial systems and to those in office administration.
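The collector and analysis steps described for this scenario, as an added example in Python that is not part of the coursework or of any NetFlow product: it parses a NetFlow v5 export datagram (24-byte header, 48-byte fixed records) and ranks the conversations by octet count, which is how the heavy video and gaming flows would surface. The export datagram, the host addresses (RFC 5737 test ranges for the external sites) and the byte counts are constructed.

```python
"""Parse NetFlow v5 export datagrams and rank the heaviest conversations."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout: header then `count` fixed-size flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sysuptime, unix_secs,
                                          # unix_nsecs, flow_seq, engine_type,
                                          # engine_id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram: bytes):
    """Return a list of flow dicts; raise ValueError on a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto, *_rest) = fields
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "octets": octets})
    return flows


def is_well_formed(datagram: bytes) -> bool:
    """Collector-side sanity check before a datagram is stored."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def top_conversations(flows, n=3):
    """Aggregate octets per (src, dst, dport) and return the n largest."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["dport"])] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def make_record(src, dst, sport, dport, proto, pkts, octets):
    """Build one v5 record (unused fields zeroed) for the constructed sample."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                          1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, proto,
                          0, 0, 0, 24, 24, 0)


def build_sample_datagram() -> bytes:
    """Constructed afternoon export from the Section A/B scenario."""
    records = [
        make_record("10.1.1.21", "203.0.113.10", 50123, 443, 6, 900, 1_200_000),  # video site
        make_record("10.1.1.22", "203.0.113.55", 50124, 443, 6, 700, 800_000),    # gaming site
        make_record("10.1.1.21", "10.1.0.5", 50125, 80, 6, 40, 30_000),           # internal server
        make_record("10.1.2.7", "10.1.0.5", 50126, 80, 6, 20, 15_000),            # Section B admin
    ]
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    for key, octets in top_conversations(parse_v5(build_sample_datagram())):
        print(f"{key[0]:>12} -> {key[1]:>14}:{key[2]:<5} {octets:>10} octets")
```

The length and version checks matter on a real collector because the export arrives over UDP from any source that can reach the collector port; a record count that does not match the payload length is rejected rather than indexed past the end of the buffer.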
Question No: 2
Using the discussed methods for intrusive and non-intrusive measurement, describe network
and traffic scenarios (one for each of the points below) where measurement of bottleneck
bandwidth would:
a. Work even for packets which are not sent back-to-back
b. Include errors even when back-to-back packets are used
c. Be accurate only when using two back-to-back packets
The efficiency of network monitoring depends on the methods and tools adopted. With more and more applications brought to market, it has become harder to determine the most efficient method for a thorough analysis of a network. In this part, two important methods of network monitoring, and the scenarios in which they can be applied, are discussed. The methods are:
1. Intrusive Monitoring
2. Non-Intrusive Monitoring
Intrusive Monitoring
Non-Intrusive Monitoring
Bottleneck Bandwidth
The bottleneck bandwidth can be defined as the maximum throughput a path can offer from source to destination, provided there is no other traffic on that path. The bandwidth is limited by the bottleneck link's fundamental capacity. The figure below shows the packet spacing produced by the bottleneck link: the bottleneck bandwidth determines the spacing between the packets, as represented in the following figure.
(From: http://web2.uwindsor.ca/courses/cs/aggarwal/HPGCGroup/Docs/bbest.ppt )
Measurement of the bottleneck bandwidth contributes to congestion control and QoS mechanisms. It also facilitates dynamic server selection within networks. Bandwidth measurement can be divided into the following algorithms.
1. Single packet algorithm
The single packet algorithm uses the TTL field of probe packets for bandwidth evaluation. Once a packet's TTL reaches 0 the packet is discarded, and at the same time the router sends an ICMP Time Exceeded message back to the original sender. In this way a series of packets with different TTL values is sent out. From the analysis of these probes the bandwidth of each link is calculated. This algorithm assumes that:
There is no cross traffic.
The spacing intervals are large enough that they are preserved along the path.
2. Packet-pair algorithm
The packet-pair algorithm is based on the principle that when two packets are queued next to each other at the bottleneck link, they exit the bottleneck link `t` seconds apart. In order to pass through the bottleneck link the packets need to be of dissimilar velocities; if the velocity of one is smaller, the other can pass it, eliminating the bottleneck link.
The packet-pair bandwidth calculation formula is as follows:
b = s / (tn1 - tn0)
where s is the packet size and tn0, tn1 are the arrival times of the first and second packet.
For an intrusive method of finding the bottleneck bandwidth for packets that are not sent back to back, we first ping the system, for example ping www.google.com.
Here we can see that the ping process does not send packets back to back, because a single packet is sent at a time. From it we can find the TTL and the RTT. So, if we need to find the bottleneck bandwidth for such packets, it is not possible to use Wireshark or WinDump, because these tools are used for back-to-back packet capture. We therefore need to use another tool such as sting to calculate the bottleneck bandwidth.
Sting is a tool that works on the basis of TCP; with sting we can obtain both upstream and downstream measurements, and sting uses raw sockets for altering the responses (lecture notes, Ghita, B).
The figure below shows an example of calculating the bottleneck bandwidth for packets that are not sent back to back.
From the above graph we can calculate the bottleneck bandwidth of data transferred in a non-back-to-back manner.
Considering the packets captured with Wireshark (the same capture as in question 4), we can calculate the bottleneck bandwidth for different back-to-back packets. Two cases for calculating the bottleneck bandwidth of back-to-back packets are shown below.
CASE 1:
In the above figure, packets 2156 and 2157 are two back-to-back packets in that trace. To calculate the bottleneck bandwidth of these back-to-back packets we use the equation below:
Bottleneck bandwidth = (header + length) of packet 2 / (time stamp of packet 2 - time stamp of packet 1)
In this case:
Header = 20 + 20 = 40
Length = 1514
Time stamp of packet 2 = 10.331403
Time stamp of packet 1 = 10.330842
The above two values for the bottleneck bandwidth are different, which shows that there is an error in the bottleneck bandwidth even when packets are sent back to back. These errors are caused by improper or inaccurate clock times, and the inaccurate clock times are due to delays in transfer.
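The formula applied in CASE 1, and the reason two back-to-back pairs from the same capture give different answers, as an added Python example (not part of the coursework): it applies the page's (header + length) / (timestamp difference) formula, scans a capture for consecutive full-size packets, and bounds the error that the capture clock's resolution alone introduces. The timestamps of packets 2156 and 2157 are the page's; the surrounding frames are constructed, and expressing the result in bits per second and the 1 µs clock resolution are assumptions.

```python
"""Packet-pair bottleneck bandwidth from capture timestamps, with its error bound.

Implements the page's formula: size of the second packet divided by the gap
between the two packets' timestamps, where size = IP header + TCP header + length.
"""
IP_HEADER = 20    # bytes, as used on the page
TCP_HEADER = 20


def packet_size_bytes(length: int) -> int:
    """(header + length) exactly as the page defines it."""
    return IP_HEADER + TCP_HEADER + length


def packet_pair_bps(length: int, t_first: float, t_second: float) -> float:
    """Bottleneck bandwidth estimate in bits per second (assumption: bits, not bytes)."""
    gap = t_second - t_first
    if gap <= 0:
        raise ValueError("second packet must be timestamped after the first")
    return packet_size_bytes(length) * 8 / gap


def timestamp_error_bps(estimate_bps: float, t_first: float, t_second: float,
                        clock_resolution_s: float) -> float:
    """Worst-case error from timestamp granularity: a gap known only to within one
    clock tick perturbs the estimate by roughly estimate * tick / gap."""
    gap = t_second - t_first
    return estimate_bps * clock_resolution_s / gap


def back_to_back_estimates(packets, full_size=1514, max_gap_s=0.002):
    """Scan a capture (list of (frame_no, timestamp, length)) for consecutive
    full-size frames and return one (first_no, second_no, bps) per pair.  The
    spread of the returned values is the 'error even when back-to-back' effect."""
    estimates = []
    for (n0, t0, l0), (n1, t1, l1) in zip(packets, packets[1:]):
        if l0 == full_size and l1 == full_size and 0 < t1 - t0 <= max_gap_s:
            estimates.append((n0, n1, packet_pair_bps(l1, t0, t1)))
    return estimates


# Constructed capture excerpt around the page's packets 2156/2157: their two
# timestamps come from the page, the other frames are invented.
SAMPLE_CAPTURE = [
    (2155, 10.330810, 66),
    (2156, 10.330842, 1514),
    (2157, 10.331403, 1514),
    (2158, 10.331990, 1514),
    (2159, 10.332040, 66),
]

if __name__ == "__main__":
    for n0, n1, bps in back_to_back_estimates(SAMPLE_CAPTURE):
        err = timestamp_error_bps(bps, *(t for _, t, _ in SAMPLE_CAPTURE if _ in (n0, n1)), 1e-6)
        print(f"frames {n0}/{n1}: {bps / 1e6:.2f} Mbit/s (+/- {err / 1e6:.3f} from 1 us clock)")
```

With the page's values the pair 2156/2157 gives about 22.16 Mbit/s, and the next pair in the constructed excerpt gives a lower figure; the clock-resolution bound (tens of kbit/s at a 1 µs tick) is far smaller than that spread, so most of the disagreement comes from queueing between the pairs rather than from the timestamps themselves.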
c. Be accurate only when using two back-to-back packets
The situation with two back-to-back packets is the ideal one. Such packets will have the most accuracy and the highest bottleneck bandwidth.
The graph above depicts the accuracy of two back-to-back packets.
Question No: 3
The release of packet traces to the public provides wide benefits as far as network research is concerned. The traces are a major source of information on network parameters, and therefore offer enough to study the characteristic features of a network. But as far as the privacy of these networks is concerned, publishing these traces raises a lot of concern. It also raises concerns about the security of the organisation, since the packets contain vital information such as IP addresses, URLs and MAC addresses. Hence it is important to represent these sensitive fields in a different form and then make the rest public. This mechanism is termed packet trace anonymisation.
Privacy protection
Privacy protection is the core of trace anonymisation. Mostly the privacy techniques are applied once the alert is sent to the repository. The major modes of alert-based privacy protection can be shown as follows.
two ways: encryption of IP addresses under a known name, and hashing the IP addresses. Hashing is a secure way of anonymising the IP addresses in a trace.
Prefix-preserving Mapping
This method of privacy protection preserves the structural relationship between identifiers such as IP addresses. The IP addresses are effectively prefix-preserved, in that the original IP addresses and the anonymised ones share the same prefix structure.
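The two IP address techniques just described, hashing and prefix-preserving mapping, as an added Python example that is not part of the coursework and not any published anonymiser's code. The prefix-preserving map follows the Crypto-PAn idea: each address bit is flipped according to a keyed pseudo-random function of the bits before it, so two addresses that share their first k bits map to addresses that share exactly their first k bits. The key, the sample addresses and the trace rows are constructed.

```python
"""Keyed hashing and prefix-preserving mapping of IPv4 addresses in a trace.

Both methods are driven by a secret key.  An unkeyed hash of an IPv4 address
is reversible by hashing all 2^32 candidates, so the hash must be keyed (HMAC).
"""
import hashlib
import hmac
import ipaddress


def hashed_ip(ip: str, key: bytes) -> str:
    """Opaque but consistent identifier for an address (no structure kept)."""
    return hmac.new(key, ipaddress.IPv4Address(ip).packed, hashlib.sha256).hexdigest()[:16]


def prefix_preserving(ip: str, key: bytes) -> str:
    """Map an IPv4 address so that prefix relationships between addresses survive."""
    addr = int(ipaddress.IPv4Address(ip))
    out = 0
    for i in range(32):
        prefix = addr >> (32 - i)                 # the i most significant bits already seen
        msg = bytes([i]) + prefix.to_bytes(4, "big")
        flip = hmac.new(key, msg, hashlib.sha256).digest()[0] & 1
        bit = (addr >> (31 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return str(ipaddress.IPv4Address(out))


def common_prefix_bits(a: str, b: str) -> int:
    """Length of the common leading prefix of two IPv4 addresses, in bits."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def anonymise_trace(rows, key: bytes):
    """Rewrite the 'src' and 'dst' fields of each trace row, keeping the rest."""
    return [dict(row, src=prefix_preserving(row["src"], key),
                 dst=prefix_preserving(row["dst"], key)) for row in rows]


if __name__ == "__main__":
    key = b"constructed-demo-key"            # in practice: generated and kept secret
    rows = [{"src": "10.1.2.3", "dst": "192.0.2.9", "bytes": 1514},
            {"src": "10.1.2.7", "dst": "192.0.2.9", "bytes": 66}]
    for before, after in zip(rows, anonymise_trace(rows, key)):
        print(before["src"], "->", after["src"], "| dst", before["dst"], "->", after["dst"])
    print("common prefix before:", common_prefix_bits(rows[0]["src"], rows[1]["src"]),
          "after:", common_prefix_bits(anonymise_trace(rows, key)[0]["src"],
                                       anonymise_trace(rows, key)[1]["src"]))
```

The preserved prefix structure is exactly what makes a published trace useful for topology studies, and it is also the residual risk: anyone who learns the true identity of one address learns the anonymised prefix of its whole subnet, so the key must never be released with the trace.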
Personal Information
The major issue with publishing a packet trace is that it reveals sufficient personal information about the systems, such as IP addresses. This information could help attackers learn the characteristic features of the network. The major attributes obtained or disclosed from the traces are as follows.
IP addresses
The major threat to personal information from a trace is that it offers the producer's IP address (source IP). The IP address reveals vital information about the network's internal topology, which helps an attacker track the propagation of an attack through the network, which would be undetectable to him in the normal case. An attacker can have a detailed view of the user's activities as well as the services running on the user's system once he can tie traffic to a known IP address. The trace providing information about IP addresses is shown as follows.
MAC address
The traces also retain the MAC address of the trace producer. MAC addresses are Ethernet addresses that are unique to individual Network Interface Cards (NICs). On obtaining the MAC address of the user's NIC, attackers can uncover the actions of the user. Moreover, attackers can work on undoing the IP address anonymisation from the MAC addresses obtained from the traces. The Ethernet address is anonymised by scrambling both the upper and the lower bits of the address.
The captured trace with information regarding the user's Ethernet address is shown as follows. It provides information about the Ethernet hardware details as well.
URL
The traces also incorporate extensive information by listing URLs and pathnames. The URL provides detailed information about the file content, whether it is static or dynamic, the language used and so on. Anonymising the URL often results in information loss, so URL anonymisation is carried out by encoding it with some other information. The trace showing URL details can be listed as follows.
Question No: 4
Capture the packets from a TCP connection using a pcap-compatible program (e.g. windump, tcpdump, analyzer, etc.). For the captured packet trace:
a. Describe through the timeline the events of the connection (initiation, closing, transfer)
b. Analyse and explain the evolution of the congestion window
c. Calculate the RTT and bottleneck bandwidth; explain the procedure used
d. Identify packet loss, if any, and explain the behaviour of the sender (using the sequence of received packets)
Packet capturing is part of analysing a network and its behaviour in depth. Here we used Wireshark for capturing the packets; other tools such as tcpdump and analyzer are also available for this. For this demonstration of a packet capture we analyse the packets from IP address 192.168.1.104 to IP address 128.183.102.55 for an image of 3400 x 4600 pixels, 2606k, jpg, from the address:
http://veimages.gsfc.nasa.gov/6148/Korea.A2004004.0445.250m.jpg
1) Initiation
Initiation is the process that establishes the connection between client and server, and it is done through the 'three-way handshake'.
The above figure shows the three-way handshake between client and server.
In the first step, the client (IP 192.168.1.104) sends a SYN packet to the server (128.183.102.55).
In the second step, the server receives the SYN packet from the client and replies by sending a SYN ACK packet; the server thereby establishes a connection with the client.
In the third step, the client sends back an ACK packet for the packet received earlier, and further transmission can continue.
These three steps initiate the process, and both sides are then ready for further transmission and reception of files.
Closing
Closing is the process of ending or terminating the connection between the server and the client. This process can be initiated by either the client or the server.
In the above figure we can see that the server initiates the termination (packet number 3032) by sending FIN ACK to the client.
Packet number 3033 shows that the client sends an ACK to the server, indicating that there will not be any further transmission between the client and the server.
Hence the connection between the two is terminated and there will be no further transmission.
Transfer
The first three steps represent the initiation process, and in the fourth step the client sends a GET request.
In the next step the server acknowledges the client by sending an ACK packet; the ACK packet carries no data, so it shows Len = 0. From there onwards the server and client transfer packets and send acknowledgements for them. This process continues until a FIN packet is sent by either the client or the server.
The congestion window determines the amount of data that can flow through the network without causing congestion. To increase throughput, the TCP congestion control mechanisms help make proper use of the bandwidth and thereby improve throughput. In the ideal case the server sends data to the client continuously and incrementally until a packet is lost without being acknowledged. Once a packet is lost, the server reduces the TCP sending rate and increases it gradually afterwards.
Figure 2
From figure 1 above we can identify that the server sends packets to the client (packets 21 and 22) and the client acknowledges those two packets in the next step: step 23 shows the client's acknowledgement of packets 21 and 22. In our trace, the packet sequence continues in that same pattern until a packet loss occurs.
In figure 1 the circled part (23rd and 24th) shows the time difference between the acknowledgement and the next packet. The time calculated for those packets comes to around 102.9 milliseconds, and the time gap between the 22nd and 23rd packets comes to around 0.08 milliseconds. From these two periods we can conclude that the 102.9 ms shows that a particular packet is transferred, the client acknowledges it and the server tries to send another packet.
The second figure shows that whenever packet loss occurs the server tries to reduce the number of packets sent to the client. In the figure, when a packet loss occurs at the 65th packet the server then sends only one packet: at packet number 69 the server sends one packet, but the client still reports that it lost a packet; at step 74 it again tries to send one packet to the client, and the client still responds that it did not receive the packet. At step 78 the client sends an acknowledgement that it received the packet, and from then on the server increases the number of packets sent to two. This process continues throughout this trace.
The above graph shows the growth of the congestion window in the initial stages of the trace. In the ideal case the congestion window behaves differently: after the handshake the server sends two packets and the client sends an acknowledgement; the server then increases the number of packets to three and the client ACKs it; then it goes on increasing to five, seven, nine and so on until the final step.
maximum, minimum and average time for the round trip. The figure below shows the round trip time calculation using the ping command. It shows that the maximum RTT is 99 milliseconds, the minimum is 98 milliseconds and the average RTT is around 98 milliseconds.
Let us consider a few different packets from the trace to find the RTT.
1) trace
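The timeline (initiation, transfer, closing), the RTT taken from the trace rather than from ping, and the bytes in flight as a proxy for the congestion window, as an added Python example that is not part of the coursework and not Wireshark's code. The client and server addresses are the page's; the packet numbers, timestamps, sequence numbers and segment sizes are constructed with relative sequence numbering.

```python
"""Connection timeline, RTT samples and bytes in flight from a TCP capture."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "no t src dst flags seq ack length")
CLIENT, SERVER = "192.168.1.104", "128.183.102.55"   # addresses from the page's capture

# Constructed trace (relative sequence numbers; timestamps and sizes invented).
TRACE = [
    Pkt(1, 0.000000, CLIENT, SERVER, {"SYN"}, 0, 0, 0),
    Pkt(2, 0.098100, SERVER, CLIENT, {"SYN", "ACK"}, 0, 1, 0),
    Pkt(3, 0.098150, CLIENT, SERVER, {"ACK"}, 1, 1, 0),
    Pkt(4, 0.098400, CLIENT, SERVER, {"PSH", "ACK"}, 1, 1, 300),      # HTTP GET
    Pkt(5, 0.196500, SERVER, CLIENT, {"ACK"}, 1, 301, 0),             # Len=0 ACK of the GET
    Pkt(6, 0.197000, SERVER, CLIENT, {"ACK"}, 1, 301, 1460),
    Pkt(7, 0.197561, SERVER, CLIENT, {"ACK"}, 1461, 301, 1460),
    Pkt(8, 0.295800, CLIENT, SERVER, {"ACK"}, 301, 2921, 0),          # ACKs both segments
    Pkt(9, 0.394000, SERVER, CLIENT, {"FIN", "ACK"}, 2921, 301, 0),
    Pkt(10, 0.394100, CLIENT, SERVER, {"ACK"}, 301, 2922, 0),
]


def phase_timeline(trace, client):
    """Label every packet as initiation, transfer or closing."""
    labels, handshake_done, closing = [], False, False
    for p in trace:
        if "FIN" in p.flags:
            closing = True
        if closing:
            phase = "closing"
        elif handshake_done:
            phase = "transfer"
        else:
            phase = "initiation"
            if p.src == client and p.flags == {"ACK"}:   # third handshake packet
                handshake_done = True
        labels.append((p.no, phase))
    return labels


def handshake_rtt(trace, client):
    """RTT from the client's SYN to the server's SYN/ACK."""
    syn = next(p for p in trace if p.src == client and p.flags == {"SYN"})
    synack = next(p for p in trace
                  if p.dst == client and {"SYN", "ACK"} <= p.flags and p.t > syn.t)
    return synack.t - syn.t


def data_ack_rtts(trace, server):
    """One RTT sample per server data segment: send time to the ACK covering it."""
    unacked, rtts = {}, []
    for p in trace:
        if p.src == server and p.length > 0:
            unacked.setdefault(p.seq + p.length, p.t)
        elif p.dst == server and "ACK" in p.flags:
            for end in [e for e in unacked if e <= p.ack]:
                rtts.append(p.t - unacked.pop(end))
    return rtts


def bytes_in_flight(trace, server):
    """(packet no, unacknowledged server bytes) after each packet: a cwnd proxy."""
    sent_end, acked, samples = 0, 0, []
    for p in trace:
        if p.src == server and p.length > 0:
            sent_end = max(sent_end, p.seq + p.length)
        elif p.dst == server and "ACK" in p.flags:
            acked = max(acked, p.ack)
        samples.append((p.no, max(0, sent_end - acked)))
    return samples


if __name__ == "__main__":
    print(phase_timeline(TRACE, CLIENT))
    print(f"handshake RTT {handshake_rtt(TRACE, CLIENT) * 1000:.1f} ms")
    print("data RTT samples (ms):", [round(r * 1000, 1) for r in data_ack_rtts(TRACE, SERVER)])
    print("bytes in flight:", bytes_in_flight(TRACE, SERVER))
```

The bytes-in-flight series is the quantity to plot when answering part (b): it rises by one segment per data packet and drops when an ACK arrives, and its peak per RTT tracks the sender's congestion window from the receiver's point of view.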
Bottleneck Bandwidth
It is defined as the minimum bandwidth required for a communication channel, and it can be used to find the rate at which data can be sent at a time. Bottleneck bandwidth is calculated using the equation
Bottleneck bandwidth = size of the second packet / (time stamp 2 - time stamp 1), where size of the packet = (header + length) of the packet, and header is the sum of the TCP header and the IP header.
Here we consider the different cases:
CASE 1:
CASE 2:
Packet Loss
Packet loss may occur for different reasons; some of them are congestion, network problems and TTL expiry. When packet loss occurs, the server sends the packet to the client again and again until it receives an acknowledgement. The figure below shows an example of packet loss occurring while downloading an image.
The above graph shows (circled part) the packet loss that occurred during data transmission.
The graph is a time-sequence representation; it shows a packet loss occurred between times 2.3 and 2.5. The dotted points that fall below the normal transmission curve represent the packet loss that occurred during transmission.
In the above figure:
Step 1: the client sends a request to the server for the next packet, but the next packet is lost in transit and the client does not receive it.
Step 2: the client issues a duplicate acknowledgement.
Step 3: the server sends the packet again, but the client again does not receive it and issues another duplicate acknowledgement, so the server sends again.
Step 4: the server retransmits the missing packet again.
Step 5: the client acknowledges it and the process continues.
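The same sequence of events, duplicate acknowledgements followed by a retransmission, detected automatically from a client-side capture, as an added Python example that is not part of the coursework. A segment whose sequence number is below the highest already seen from the sender is flagged as a retransmission, an empty segment repeating the previous ACK number is a duplicate ACK, and the third duplicate ACK is recorded as the fast retransmit trigger (RFC 5681). The addresses are the page's; the packet numbers, timestamps and sequence numbers are constructed.

```python
"""Detect loss and the sender's reaction from a client-side TCP capture."""
from collections import Counter, namedtuple

Seg = namedtuple("Seg", "no t src dst seq ack length")
CLIENT, SERVER = "192.168.1.104", "128.183.102.55"   # addresses from the page's capture

# Constructed excerpt: the segment starting at seq 1461 is lost in transit and
# never appears at the client, so every later segment draws a duplicate ACK.
LOSS_TRACE = [
    Seg(60, 2.300, SERVER, CLIENT, 1, 301, 1460),
    Seg(61, 2.301, CLIENT, SERVER, 301, 1461, 0),      # normal ACK
    Seg(62, 2.350, SERVER, CLIENT, 2921, 301, 1460),   # arrives out of order
    Seg(63, 2.351, CLIENT, SERVER, 301, 1461, 0),      # duplicate ACK 1
    Seg(64, 2.352, SERVER, CLIENT, 4381, 301, 1460),
    Seg(65, 2.353, CLIENT, SERVER, 301, 1461, 0),      # duplicate ACK 2
    Seg(66, 2.354, SERVER, CLIENT, 5841, 301, 1460),
    Seg(67, 2.355, CLIENT, SERVER, 301, 1461, 0),      # duplicate ACK 3
    Seg(68, 2.450, SERVER, CLIENT, 1461, 301, 1460),   # retransmission of the hole
    Seg(69, 2.451, CLIENT, SERVER, 301, 7301, 0),      # cumulative ACK covers all
]


def loss_events(trace, sender, receiver):
    """Return (event, packet_no, number) tuples in capture order."""
    highest_end = 0       # highest seq + length seen from the sender
    last_ack = None
    dup_count = 0
    events = []
    for s in trace:
        if s.src == sender and s.length > 0:
            if s.seq < highest_end:
                events.append(("retransmission", s.no, s.seq))
            highest_end = max(highest_end, s.seq + s.length)
        elif s.src == receiver and s.length == 0:
            if s.ack == last_ack:
                dup_count += 1
                events.append(("dup_ack", s.no, s.ack))
                if dup_count == 3:
                    events.append(("fast_retransmit_trigger", s.no, s.ack))
            else:
                dup_count = 0
                last_ack = s.ack
    return events


def summarise(events):
    """Count of each event type, e.g. {'dup_ack': 3, ...}."""
    return dict(Counter(e[0] for e in events))


if __name__ == "__main__":
    for event, no, number in loss_events(LOSS_TRACE, SERVER, CLIENT):
        print(f"packet {no:>3}: {event} ({number})")
    print(summarise(loss_events(LOSS_TRACE, SERVER, CLIENT)))
```

On a capture taken at the client the lost segment itself is absent, so the only evidence of loss is the run of identical ACK numbers followed by a segment that goes backwards in sequence space; that is the pattern the detector keys on, and the number of duplicate ACKs before the retransmission tells whether the sender recovered by fast retransmit (three) or waited for its retransmission timer.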