Non-Intrusive Monitoring: White Paper


WHITE PAPER

Non-Intrusive Monitoring
Using Embedded Systems to Monitor Network Activities
By Steven Wigent, Product Manager

www.pt.com

White Paper: Non-Intrusive Monitoring

Introduction - What is Non-Intrusive Monitoring?


Non-intrusive monitoring is a method to examine network data as it flows through the network without interfering with the data. A modern non-intrusive monitoring system is generally a combination of embedded hardware components and control software connected to a host or server. Data being distributed over T1, E1, and J1 Time Division Multiplexed (TDM) networks are examples of where non-intrusive monitoring takes place. Non-intrusive monitoring is a passive method to examine network activities. Many monitoring applications require that the data stream remain unaffected by the monitoring process. It is in these applications that non-intrusive monitoring methods are deployed. Another method of monitoring is active monitoring, in which the system intentionally interferes with the data stream. Active monitoring processes and equipment will not be discussed in this paper. Figure 1 illustrates the components used in a non-intrusive monitoring system and how they are connected. Figure 2 illustrates the steps in the monitoring process, and how the data is examined and collected if trigger requirements are met.

Figure 1. Components of a Non-Intrusive Monitoring System

Copyright 2011 Performance Technologies, Inc. All Rights Reserved.


Figure 2. Schematic of Non-Intrusive Monitoring Processes

Each of the components in a non-intrusive monitoring system plays a specific role in the monitoring process:

Data Conduit
The data conduit is the medium of data flow for a specific network. The data conduit could be part of a public phone system, a wireless communications system, a data network, or other network systems. Some data conduits are bi-directional, also called full duplex. In a full-duplex transmission, the data could be traveling either way through the conduit, and therefore monitoring systems may need to be able to monitor both directions of traffic.

Network Tap
The network tap is an attenuated hardware device that is connected in line with the data conduit. The network tap performs two functions: it allows data to pass normally through the conduit as if the network tap were not there, and it presents the data to the monitoring hardware. The attenuation is intended to pull a small amount of the signal power from the data conduit in order to read the data. The network tap must have the ability to adjust for different signaling methods, such as T1, E1, or J1 standards. The network tap must work with some very weak signals. However, today's circuit designs provide a large advantage for this application; the engineering of these circuits deals with the loading issues while recovering the data with excellent reliability.


Monitoring Hardware
The monitoring hardware collects the data from the network tap and reviews the data on a continual basis. The hardware can consist of a server and/or line cards (T1/E1/J1, such as PT's PCE335, PCE335HSI, PCE385, PCI334A, and the PCI384).

Software
If the monitoring hardware includes the server, the software typically is embedded within the monitoring hardware, and is used to:
- Examine the network data
- Compare the data with trigger requirements
- Perform specific actions if the trigger requirements are met

The software can perform filtering operations, such as removing Fill-in Signal Units (FISUs) in SS7 communication streams. The data is compared with trigger events: specifications programmed into the monitoring system. If the data matches one of the trigger events, the data is passed up to the server for future use, whether storage or additional processing. The trigger events and the data types depend on the specific monitoring application. If the data does not match the trigger event, the data is discarded. In a turnkey application, all data, except for the filtered data, goes to the server and the server then looks for those trigger events and performs further processing, in parallel, as required.

Server
The server connects the monitoring hardware to a network. Some monitoring hardware can be directly installed into a server rack mount, while others can be cable-connected. The server allows the data collected by the monitoring hardware to be analyzed, stored, or sent to another location. Additional data analysis and processing can occur on the server once the data is received from the monitoring hardware. The monitoring hardware and the server can coexist in the same location, or can be separate boxes. (NOTE: another option is to use controllers such as PT's PCI384 and PCE385 that can provide data right over the PCI and PCIe bus.)


Applications of Non-Intrusive Monitoring


The process of non-intrusive monitoring can be applied to a number of situations where data needs to be collected from the information flowing through a network. One of the common requirements for these applications is the constant processing of data to keep up with the network flow. The sections below outline some of the primary applications for non-intrusive monitoring.

Billing Systems
One application of non-intrusive monitoring is for analyzing network usage and assigning appropriate billing. This is most evident in SS7 telecommunication networks, both wired and wireless, where different carriers share common infrastructure, and need to discern their own customers from the flow of data passing through the network. The monitoring hardware belonging to an individual carrier continuously processes the network data, and is triggered only when a customer for that specific carrier uses the network. When a network customer is detected, the monitoring system collects information on that specific network activity, such as customer information, call recipient, and length of the call.

While not directly related to billing, many telecommunication companies also use non-intrusive monitoring to evaluate network load levels. In this case, the company is looking at the quantity and types of network activity occurring at different locations in their network, in order to properly plan for expansion or reconfiguration of their network.

Lawful Intercept
Lawful Intercept consists of capturing the telecommunications activity of a person or organization being investigated by a law enforcement agency. Traditionally, this has included monitoring telephone conversations, but can also include wireless communications, VoIP communications, and data transmission.


Lawful Intercept operations are governed by specific laws in each country, but the regulations generally include:
- The Lawful Intercept mechanism must not interfere with the flow of network traffic
- The monitoring operation must be performed in such a way that the target of the investigation is not aware of the monitoring

In the United States, Lawful Intercept is governed by the Communications Assistance for Law Enforcement Act (CALEA), which went into effect in 1995, and was later updated to include internet-based communications, such as VoIP communications. Non-intrusive monitoring systems can help law enforcement agencies perform surveillance while maintaining compliance with the laws.

Monitoring Enhanced 9-1-1 Systems
Enhanced 9-1-1 services, or E9-1-1, are designed to automatically match an incoming call to a physical address. Once an address has been associated with the call, the monitoring system routes the call to the most appropriate local agency. For traditional wired telecom systems, emergency services have access to a database that matches phone numbers to addresses. For wireless systems, there are two methods of obtaining location information. The first is on-board global positioning systems (GPS), which provide coordinates of the location of the device. The other method is triangulation, which determines location based on the proximity of the signal to adjacent wireless transceiver towers. In both of these methods, the location information is used to route the call to the appropriate local agency.

VoIP systems that interconnect with the public telephone network are required to incorporate E9-1-1 into their services. VoIP providers are cooperating with public telephone networks to access the emergency services database in order to provide accurate location information for calls initiated on a VoIP system.


Network Intrusion Detection
While the non-intrusive monitoring applications described in the previous sections pertain primarily to voice communication systems with some relevance to data transmission, network intrusion detection is focused solely on monitoring data flow. The goal in this application is to ensure that all traffic on a specific network consists of legitimate users and processes performing legitimate activities. Intrusion detection systems look at the patterns and content of network traffic, looking for actions or data that are outside specified parameters for acceptable network use. For this type of application, the monitoring system needs to examine incoming traffic, as well as the response from the monitored system, in order to discern possible unauthorized activities from normal network communications.

Hardware Requirements for Non-Intrusive Monitoring


In a non-intrusive monitoring application, the hardware that is used has to be selected to match the specific type of network being monitored and the types of monitoring and processing required for the application. Selecting the right hardware is critical for the success of a non-intrusive monitoring system deployment.

Functionality of Monitoring Hardware
The hardware selected for a non-intrusive monitoring application has to take into account a variety of functions, including:

Constant Data Flow
The data flow through a network conduit is rapid and constant. The monitoring hardware in a non-intrusive monitoring system is designed to be able to continuously review the data being collected through the network tap.

Embedded Processing
In some cases, the monitoring hardware can have on-board embedded processors to allow for data processing on board the monitoring card, reducing the data transferred between the card and its associated server. In other systems, all processing is performed on board the server.


Anonymity
The network tap in a non-intrusive monitoring system is not a network-addressable device, so the monitoring system does not create any load or latency on the network itself. Also, harmful packets cannot be directed to the network tap because of its anonymity.

Using Embedded Systems for Monitoring
Embedded systems consist of hardware and software that form a component of some larger system and are expected to function without human intervention. A typical embedded system consists of a single-board microcomputer with software that starts running a special purpose application program as soon as it is turned on and will not stop until it is turned off. Embedded systems are ideal for non-intrusive monitoring applications because of the straightforward nature of the monitoring process. The embedded application will begin monitoring as soon as the system is installed and powered up, providing constant monitoring without the need for a person to observe or intervene in the process.

Using Host Systems for Monitoring
In many cases, host systems or servers are used for processing data collected from monitoring system hardware. In this type of configuration, the monitoring hardware simply passes the data to the server, as opposed to the embedded systems described previously that perform on-board processing prior to data transfer. The capabilities of the host allow for more complex data analysis to occur on board the server in parallel with data monitoring and preliminary review. In many cases, host systems involve a high-powered server and data acquisition system in conjunction with the monitoring hardware.

PT Hardware
PT offers a wide range of hardware products that can be used as the foundation for a variety of non-intrusive monitoring applications. Each product provides different capabilities and benefits, allowing users to choose the right product for their specific application. Table 1 illustrates the different PT products applicable to non-intrusive monitoring applications and their individual specifications.


Table 1. PT Hardware for Non-Intrusive Monitoring Applications

Product: PCI384
Form Factor: PCI
Processor: Motorola 8260
Monitoring Ports: 2
Highlights:
- Solaris ready
- Quad T1/E1/J1 Communications Interface for PCI Systems
- Software Programmable Interface
- H.100 Bus Support
- Capable of switching 96/128 time slots bi-directionally to any of the 4096 H.100 CT bus channels
- 128 MB Dedicated Processor DRAM Memory
- Handles extensive onboard traffic and protocol requirements

Product: PCI334A
Form Factor: PCI
Processor: Motorola MC68360
Highlights:
- Multipurpose Intelligent WAN Communications Adapter
- Four High-Speed Channels Capable of Sustaining 2 Mbps per Port
- 4 MB of Shared SRAM Memory
- Universal I/O Supporting 3.3 V and 5 V
- Support for 33 MHz and 66 MHz PCI Bus

Product: PCE335 and PCE335-HSI
Form Factor: PCI Express
Processor: Freescale MPC8270 PowerQUICC II
Highlights:
- Solaris ready
- Multipurpose Intelligent PCI Express WAN Communications Adapter
- Four High-speed Channels Capable of Sustaining 2 Mbps per Port
- 128 MB Dedicated Processor DRAM Memory
- Handles Extensive Onboard Traffic and Protocol Requirements
- 32 MB Application Flash

Product: PCE385
Form Factor: PCI Express
Processor: Freescale MPC8280 PowerQUICC II
Highlights:
- Solaris ready
- Quad T1/E1/J1 Communications Interface for PCI Express Systems
- Software Programmable Interfaces
- H.100 Bus Support
- Capable of switching 96/128 time slots bi-directionally to any of the 4096 H.100 CT bus channels

Product: CPC308A
Form Factor: CompactPCI
Processor: 1 GHz PowerQUICC III
Monitoring Ports: 4
Highlights:
- Onboard eight-port gigabit switch
- Can be used in a host system, or in a standalone mode independent of other blades in a server

Product: CPC324A
Form Factor: CompactPCI
Processor: 1 GHz PowerQUICC III
Monitoring Ports: 12
Highlights:
- Onboard eight-port gigabit switch
- Hardware
- Can be used in a host system, or in a standalone mode independent of other blades in a server
- Suitable for large volume applications in most network types

Product: CPC5565
Form Factor: CompactPCI
Processor: Intel Core 2 Duo Featuring Dual-Core 2.2 GHz Processor
Monitoring Ports: 3 USB
Highlights:
- High-Density Compute Blade
- High-Performance Computing Solution for PICMG 2.16 Systems
- 128-Bit Memory Addressability to 8 GB PC3200 DDR SDRAM with ECC
- Onboard Eight-Port Gigabit Switch

Product: AMC308/318
Form Factor: AMC
Processor: Freescale MPC8560 PowerQUICC III
Highlights:
- Quad T1/E1/J1 Communications Controller
- Mid-size, Single AMC Module
- Full Compliance with AMC.0 R2.0 Specifications
- PCI Express (AMC.1) and Gigabit Ethernet (AMC.2) connectivity

Product: AMC121
Form Factor: AMC
Processor: Intel Core 2 Duo
Monitoring Ports: 2 Com, 1 USB, 1 Serial
Highlights:
- Mid-Size, Single Compute Module
- High-Performance Computing Solution for AdvancedTCA and MicroTCA Systems
- MiniSD Site for Onboard Program and OS Storage
- 4 MB Shared L2 Cache

Product: AMC131
Form Factor: AMC
Processor: Freescale Dual-Core 1 GHz MPC8641D PowerPC
Monitoring Ports: 2 Com, 1 USB, 1 Serial
Highlights:
- Mid-Size, Single Compute Module
- High-Performance Computing Solution for AdvancedTCA and MicroTCA Systems
- MiniSD Site for Onboard Program and OS Storage
- 1 MB L2 On-Chip Cache


PT's modules allow programming interfaces into the framer and time division multiplexing (TDM) switch. There are also modules that provide the user access to the Channel Associated Signaling (CAS), also known as robbed-bit signaling. Monitoring applications have been in use on network systems for many years. However, most manufacturers of monitoring hardware have not kept up with the changes in network technology, including the introduction of new hardware form factors. PT is one of the few vendors that continues to develop new hardware to meet the latest needs of the industry, and to be used with the newest hardware and form factors. Because all of these products have embedded processors, PT's hardware has the intelligence to perform on-board filtering and data processing, providing a more efficient use of server bandwidth.

Software Requirements for Non-Intrusive Monitoring


Non-intrusive monitoring systems depend on software, specifically the embedded software within the monitoring hardware and the analysis components that reside on the host. It is this software that analyzes the incoming data, determines if the data meets specific trigger requirements, and decides what to do with the data after it is examined: discard the data, perform further operations on the data, save the data for later examination, or provide alerts to a specific system or person on the network.

Monitoring Software Functionality
The software used in a non-intrusive monitoring application has to take into account a variety of functions, including:

Efficiency
In a monitoring application, significant amounts of data may have to be examined in real time. The software responsible for processing the data must be efficiently designed so it will not lead to data backlogs or dropped data.


Available Protocols
Different data conduit types, including T1, E1, J1, or serial lines, use different protocols. Signaling between international networks can often be a significant challenge to developers because of the many different variants of SS7 found throughout the world. The monitoring software must be able to translate these protocols to maintain the integrity of the monitoring process.

Customization
Each monitoring application has specific goals and specific requirements. The software package for a non-intrusive monitoring system must be able to be customized for each individual monitoring application.

Filtering
An SS7 network system is just one example where filtering can be deployed. The SS7 network passes data containing three types of units: Fill-In Signal Units (FISU), Link Status Signal Units (LSSU), and Message Signal Units (MSU). The FISUs are used to fill in empty time on the network so the data stream is continuous. Since the FISUs are not relevant to data analysis, monitoring systems must be able to filter out FISUs from the data stream. Doing so streamlines the analysis process, because the quantity of data to be examined is much smaller after this initial filtering.
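
The filter-then-trigger step described here and in the Software component description earlier, as an added example (not code from this white paper or from PT's software). It classifies MTP2 signal units by their length indicator, drops FISUs, and forwards only MSUs whose destination point code matches a trigger. The buffer layout, the point-code trigger, and all function names are assumptions made for illustration, and the sample units are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: each buffer holds one MTP2 signal unit as an HDLC framer hands
 * it over: flags removed, bits de-stuffed, 2 CRC bytes attached (not verified
 * here). Layout: BSN/BIB, FSN/FIB, LI (low 6 bits), payload, CRC. */
enum su_type   { SU_FISU, SU_LSSU, SU_MSU, SU_MALFORMED };
enum su_action { ACT_FILTERED, ACT_DISCARDED, ACT_FORWARDED };
struct monitor_stats { unsigned filtered, discarded, forwarded, malformed; };
#define SU_HDR 3u   /* BSN/BIB + FSN/FIB + LI */
#define SU_CRC 2u

/* Classify by length indicator: 0 = FISU, 1-2 = LSSU, 3-63 = MSU. The LI is
 * checked against the real payload length so that a truncated or corrupted
 * unit is counted as malformed instead of being filtered out as a FISU. */
enum su_type classify_su(const uint8_t *su, size_t len)
{
    if (su == NULL || len < SU_HDR + SU_CRC)
        return SU_MALFORMED;
    size_t payload = len - SU_HDR - SU_CRC;
    unsigned li = su[2] & 0x3Fu;
    if (li == 63u)                      /* 63 means "63 octets or more" */
        return payload >= 63u ? SU_MSU : SU_MALFORMED;
    if (payload != li)
        return SU_MALFORMED;
    return li == 0u ? SU_FISU : (li <= 2u ? SU_LSSU : SU_MSU);
}

/* Read the 14-bit ITU destination point code from the MSU routing label
 * (the 4 bytes after the SIO, least significant byte first). 0 on success. */
int msu_dpc(const uint8_t *su, size_t len, uint16_t *dpc)
{
    if (classify_su(su, len) != SU_MSU || len < SU_HDR + 1u + 4u + SU_CRC)
        return -1;
    const uint8_t *rl = su + SU_HDR + 1u;
    uint32_t label = (uint32_t)rl[0] | (uint32_t)rl[1] << 8 |
                     (uint32_t)rl[2] << 16 | (uint32_t)rl[3] << 24;
    *dpc = (uint16_t)(label & 0x3FFFu);
    return 0;
}

/* Filter first, then compare with the trigger: forward on match, else discard.
 * The trigger here (a destination point code) is a hypothetical example. */
enum su_action monitor_su(const uint8_t *su, size_t len, uint16_t trigger_dpc,
                          struct monitor_stats *st)
{
    uint16_t dpc;
    enum su_type type = classify_su(su, len);
    if (type == SU_FISU) { st->filtered++; return ACT_FILTERED; }
    if (type == SU_MALFORMED) { st->malformed++; return ACT_DISCARDED; }
    if (type == SU_MSU && msu_dpc(su, len, &dpc) == 0 && dpc == trigger_dpc) {
        st->forwarded++;
        return ACT_FORWARDED;
    }
    st->discarded++;                    /* LSSU, or MSU that missed the trigger */
    return ACT_DISCARDED;
}

/* Constructed sample units; the last two bytes are placeholder CRC values. */
static const uint8_t FISU[]  = { 0x85, 0x86, 0x00, 0xAA, 0xBB };
static const uint8_t LSSU[]  = { 0x85, 0x86, 0x01, 0x01, 0xAA, 0xBB };
static const uint8_t MSU_A[] = { 0x85, 0x87, 0x08, 0x85, 0x34, 0xD2, 0x59, 0x31,
                                 0x01, 0x00, 0x01, 0xAA, 0xBB }; /* DPC 0x1234 */
static const uint8_t MSU_B[] = { 0x85, 0x88, 0x08, 0x85, 0x22, 0x02, 0x00, 0x00,
                                 0x01, 0x00, 0x01, 0xAA, 0xBB }; /* DPC 0x0222 */
static const uint8_t TRUNC[] = { 0x85, 0x89, 0x08, 0x85, 0x34, 0xAA, 0xBB };

int main(void)
{
    const struct { const uint8_t *p; size_t n; } in[] = {
        { FISU, sizeof FISU }, { MSU_A, sizeof MSU_A }, { FISU, sizeof FISU },
        { LSSU, sizeof LSSU }, { MSU_B, sizeof MSU_B }, { TRUNC, sizeof TRUNC } };
    struct monitor_stats st = { 0, 0, 0, 0 };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        monitor_su(in[i].p, in[i].n, 0x1234, &st);
    printf("filtered=%u forwarded=%u discarded=%u malformed=%u\n",
           st.filtered, st.forwarded, st.discarded, st.malformed);
    return 0;
}
```

Keeping a separate malformed counter gives the operator a link-health signal: a rising count points at a framing or tap problem rather than at quiet traffic.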

A benefit of using embedded system hardware for non-intrusive monitoring is that the bulk of the data processing can take place on board, reducing the amount of server bandwidth required to transmit data after processing. A benefit of using the host system of a monitoring server for the real-time data analysis is that it will have one or more robust CPUs. This enables it to analyze the input data in greater detail and pass it to parallel tasks for further processing.


PT's Software for Monitoring


Because every monitoring application has different requirements, the control software for a non-intrusive monitoring system has to be developed specifically for that application. PT has developed the NexusWare software suite, which is based on a highly integrated Linux operating system. NexusWare is a development toolbox that allows developers to custom build a monitoring solution that meets the specific requirements of the application. This powerful combination of software and hardware enables system engineers, architects, and designers in the telecommunications, aerospace and defense, and commercial markets to create applications and bring to market solutions such as media gateways, managed WAN gateways, voice over IP (VoIP), lawful intercept, radar servers, signaling gateways, and wireless base station controllers. The NexusWare software suite includes:

NexusWare Core
NexusWare Core provides a comprehensive, highly integrated, Linux OS and development, integration and management environment. It is intended for system engineers using PT's embedded products to build packet-based systems including next-generation wireless and IP-based systems.

NexusWare C7
NexusWare C7 is a comprehensive SS7 MTP-2 installable software package for NexusWare Core that provides equipment manufacturers and application developers using PT's embedded products with a foundation for building SS7 applications, including next-generation wireless and IP telephony systems.

NexusWare SIP
NexusWare SIP is an installable Session Initiation Protocol (SIP) stack and API software package that provides a powerful foundation for application developers who use PT's embedded packet-based products for building SIP servers, SIP softphone applications, and SIP media gateways for wireless and IP telephony systems. Designed to work in conjunction with NexusWare Core, PT's CGL OS and development environment, NexusWare SIP is compliant with the RFC3261 specification to ensure interoperability and effortless integration of the latest advances in SIP into a wide range of applications.


NexusWare WAN
NexusWare WAN software provides an extensive offering of protocol packages including, but not limited to, HDLC, X.25, Frame Relay, and Radar Receiver, which, combined with PT's embedded products, enhance the ability to create flexible and efficient radar gateways, converged serial gateways, HDLC packet monitors, and front-end I/O systems. The WAN software products are offered as installable software packages for NexusWare Core or as Turn-key packages for those developers interested in the protocol package by itself. Both the turn-key and installable packages can be easily leveraged for monitoring applications. Whether the user chooses the installable or Turn-key solution, the result is a well-documented and powerful MPS-API to facilitate the development process.

Next Steps
This document is intended as an overview of non-intrusive monitoring applications in embedded systems. For more information on designing network monitoring solutions for your project, you can contact PT in North America at: +1.585.256.0200. For international requests, you can contact the company's UK office at: +44 (0) 1908 646000. PT develops standards-based solutions for telecommunications, aerospace and defense, as well as commercial markets. The company's portfolio includes tightly integrated application-ready platforms for MicroTCA and CompactPCI, comprehensive blade offerings, and NexusWare, an integrated Linux OS. The company's award-winning 1U MicroTCA platform features front-to-back cooling for NEBS and ETSI compliance, and supports a wide range of AdvancedMCs that include multicore compute, video and storage, and intelligent WAN communications modules. Additional information can be found by visiting http://www.pt.com.


About PT (www.pt.com)
PT (NASDAQ: PTIX) is a global supplier of advanced network communications solutions to carrier, government, and OEM markets. PT's portfolio includes IP-centric network elements and applications designed for high availability, scalability, and long life-cycle deployments. The company's entire line of offerings is anchored by IPnexus, PT's own IP-native, highly integrated platforms and element management systems. OEMs and application developers, including PT itself, leverage the robust carrier grade Linux development environment and rich suite of communications protocols (PT's NexusWare) of IPnexus ApplicationReady Systems as a cornerstone component of their end product value proposition. PT's SEGway Signaling Solutions provide low cost, high density signaling, advanced routing, IP migration, gateway capabilities, SIP bridge, and core-to-edge distributed intelligence. The company's Xpress NGN applications enable evolving Mobile 2.0, Multimedia, and IMS based revenue generating services. PT is headquartered in Rochester, NY and maintains sales and engineering offices around the world.

About the Author


Steve has worked extensively with the NexusWare Software Suite as well as PT's TDM and Synchronous Serial product line for the PCI, PCI Express, CompactPCI and MicroTCA form factors. Additionally, Steve also manages PT's Communications Server Product line. Prior to joining PT, he maintained various product management and marketing positions. Steve holds a BS in Electricity and Electronics Technology with a concentrated study in Telecommunications and Micro Computer Architecture from University of Central Missouri. You can contact Steve at scw@pt.com.

PT is a trademark of Performance Technologies, Inc. The names of other companies, products, or services may be the trademarks, registered trademarks, or service marks of their respective owners in the United States and/or other countries.
