Network Traffic Monitoring and Management.ppt

Uploaded by: sccc  Document ID: 6165975  Upload date: 2023-10-01  Format: PPT  Pages: 58  Size: 410.51KB

Slide 1: Network Traffic Monitoring and Management
National Taiwan University, Computer and Information Networking Center
邵喻美 madeline@ntu.edu.tw

Slide 2: Outline
- Network basics
- Network Traffic Accounting - NetFlow
- MRTG

Slide 3: Part I, Network Basics

Slide 4: Network Basics
- OSI reference model
- Introduction to SNMP

Slide 5: OSI Reference Model (Open System Interconnection)
- Application Layer
- Presentation Layer
- Session Layer
- Transport Layer
- Network Layer
- Datalink Layer
- Physical Layer

Slide 8: SNMP
- Simple Network Management Protocol
- Request/response protocol: GET, SET
- Remotely manages devices on TCP/IP networks
- Reads and writes status information on different network nodes
- Runs over UDP
  - Port 161: sending and receiving requests
  - Port 162: receiving traps from managed devices

Slide 9: How SNMP Works
Forms of communication between the SNMP Manager and Agent:
- Get-request
- Get-next-request
- Set-request
- Get-response
- Trap

Slide 10
- SNMP Manager: a server running some kind of software system that can handle management tasks for a network
- SNMP Agent: a piece of software that runs on the network devices you are managing
- SNMP community: a logical relationship between an SNMP agent and one or more SNMP managers.

Slide 11: MIB - Management Information Base
- Defines the structure in which the various kinds of network device information are stored
  - Name (OID)
  - Type and syntax
  - Encoding
- MIB-II: the standard MIB provided by all network devices
- Vendors also provide proprietary MIBs
- Other MIB standards
  - ATM MIB (RFC 2515)
  - Frame Relay DTE Interface Type MIB (RFC 2115)
  - BGP Version 4 MIB (RFC 1657)
  - RADIUS Authentication Server MIB (RFC 2619)
  - Mail Monitoring MIB (RFC 2249)
  - DNS Server MIB (RFC 1611)

Slide 12: OID
    .iso.org.dod.internet.mgmt.mib-2.interface.ifNumber.0
    .1.3.6.1.2.1.2.1.0

Slide 13: SNMP & MIB Tools
- MRTG (Multi Router Traffic Grapher)
- Getif: window-based MIB browser
- net-snmp package
  - snmpget (get)
  - snmpwalk (get-next)
  - snmpset (set)
  - snmptrap (trap)

Slide 17
    su-2.05# snmpget -Cf -c public 140.112.1.1 sysDescr.0
    SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
    su-2.05# snmpwalk -c public 140.112.1.1
    SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 5 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.2
    SNMPv2-MIB::sysUpTime.0 = Timeticks: (2306518) 6:24:25.18
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING: NTUCC-MADELINE
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 76
    IF-MIB::ifNumber.0 = INTEGER: 3
    IF-MIB::ifIndex.1 = INTEGER: 1
    IF-MIB::ifIndex.2 = INTEGER: 2
    IF-MIB::ifIndex.3 = INTEGER: 3
    IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface
    IF-MIB::ifDescr.2 = STRING: 3Com EtherLink PCI

Slide 18: Network Management Systems
- Network management
  - Keep track of the state of hosts on the network
  - Speed up troubleshooting
  - Reduce the workload of network administrators
- Network management systems
  - Commercial software
    - Integrated systems: MIB data collection, statistical analysis, graphing, event notification
    - Many features, expensive
  - Free software
    - Provides part of the functionality of a network management system

Slide 19: Part II, Network Traffic Accounting

Slide 20: Network Traffic Accounting
- Introduction to NetFlow
- Running NetFlow
- NetFlow statistics programs

Slide 21: Network Traffic Accounting
- The needs:
  - To characterize the traffic and account for how and where it flows
  - Usage-based billing
  - Traffic engineering
- Products
  - Cisco NetFlow
    - Provides L3 network traffic flow information
  - Foundry sFlow
    - RFC 3176: statistical sampling technology
    - Provides L2-L4 network-wide traffic flow information
  - Juniper
    - Class-based accounting: filter-based, MPLS-based, destination class usage accounting

Slide 22: Cisco NetFlow
- Captures data from each incoming packet
- NetFlow flow: a unidirectional stream of IP packets with the following common fields:
  - Source and destination IP addresses
  - Source and destination port numbers
  - Layer 3 protocol type
  - Type of service (ToS) byte
  - Input interface (ifIndex)
- Exported in UDP datagrams in one of four formats: v1, v5, v7, v8

Slide 23: NetFlow
NetFlow is a three-part solution:
- Exporter
- Mediation devices
  - Cisco NetFlow FlowCollector
  - Public-domain tools: flow-tool
- Traffic analysis tools
  - Cisco Network Data Analyzer
  - Statistics program: netflow.pl

Slide 24: Running NetFlow
- Configure the router
- Statistics workflow
  - Collect and store the flow data exported by the network devices
  - Analyze the collected flow data and produce reports

Slide 25: Running NetFlow - Configuring the Router
- Commands
  - Global: ip flow-export destination
  - Interface: ip route-cache flow

    Router(config)#ip flow-export destination 140.112.1.1 9991
    Router(config)#int fa1/1/0
    Router(config-if)#ip route-cache flow

Slide 26: Recording and Storing Flow Data
- flow-tool package
  - Collection of programs to post-process Cisco NetFlow compatible flows
  - Written in C, designed to be fast
  - Installation: configure; make; make install on most platforms (FreeBSD, Linux, Solaris, BSDi, NetBSD)
- Download: http:/

Slide 27: Flow-tool Installation (Linux example)
- Unpack:
    zcat flow-tools-0.58.tar.gz | tar xvf -
- The following software must be installed first:
  - zlib
  - GNU make
- Install:
    ./configure
    gmake
    gmake install

Slide 28: flow-tool
flow-capture:
- Collects NetFlow exports and stores them to disk.
- Built-in compression.
- Manages disk space by expiring older flow files at configurable limits.
- Detects lost flows by missing sequence numbers.

Slide 29
    flow-capture -z Z -n N -e E -p P -w W
- Z: compression level
- N: number of files kept per day
- E: total number of files kept on disk
- P: port number
- W: storage path
- Ex: flow-capture -z 6 -n 143 -e 1500 -p 9991 -w /netflow

Slide 30: Testing
    flow-receive 0/0/9991 | flow-print

    tcpdump -n udp port 9991
    tcpdump: listening on fxp0
    14:17:39.491510 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.492820 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.493786 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.495057 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496298 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496863 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.496967 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497068 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497176 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497279 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497381 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497486 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497589 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168
    14:17:39.497694 140.112.3.76.1024 > 140.112.3.88.9991: udp 1168

Slide 31: NetFlow Data Format
    flow-print -f0 logfile
    Sif  SrcIPaddress     Dif  DstIPaddress     Pr SrcP DstP Pkts Octets
    0000 195.254.117.168  0000 140.131.7.3      01 0    0    9    504
    0000 205.188.248.89   0000 163.28.16.2      06 50   fdb6 5    589
    0000 61.229.48.83     0000 192.192.120.18   06 454  17   12   493
    0000 207.218.223.162  0000 192.83.193.2     11 35   8000 1    156
    0000 207.159.149.84   0000 140.131.1.188    01 0    0    10   560
    0000 202.178.164.169  0000 203.64.48.107    06 71   9e6  1    40
    0000 168.95.1.1       0000 203.71.92.1      11 35   a82c 1    187
    0000 210.224.163.3    0000 210.71.107.3     11 3bce 35   1    71
    0000 66.207.130.76    0000 163.28.16.2      06 50   fdde 6    782
    0000 168.95.1.1       0000 203.71.92.1      11 35   a809 1    60
    0000 64.12.24.30      0000 163.28.16.9      06 1bb  76b5 3    120
    0000 163.31.102.156   0000 192.192.122.144  06 b3c  50   5    212
    0000 163.31.102.156   0000 192.192.122.144  06 1283 50   3    156
    0000 211.141.113.77   0000 203.71.88.240    11 fbf  fa4  1    295
    0000 140.117.11.100   0000 203.72.39.34     06 c38  e25d 7    3893
    0000 61.139.8.11      0000 163.28.16.2      06 50   bb03 1    41
    0000 140.117.11.100   0000 203.72.39.34     06 c38  e256 6    1229
    0000 210.85.124.196   0000 203.64.48.107    06 28da 17   1    43
    0000 140.117.11.100   0000 203.72.39.34     06 c38  e261 13   4909

Slide 32: Statistics Programs
- Analyze the collected and stored NetFlow data and produce reports
- Can be downloaded from http://netflow.nctu.edu.tw/netflow.html
- Written in Perl
  - netflow.pl
  - daily.pl
- Can compute totals or TOP statistics by network segment, protocol, and inbound/outbound IP network segment
- NTU NetFlow statistics web page

Slide 33
    # daily.pl
    # Modify the following to meet your configuration.
    # $dir is where you put your program and config files
    # $rawdir is where the raw log files kept
    # $outputdir is where the output files should be
    #
    $dir = "/usr/NetFlow/analysis";
    $rawdir = "/usr/NetFlow/raw";
    $flowprint = "/usr/NetFlow/bin/flow-print";
    $outputdir = "/usr/local/www/data/netflow/daily";
    $htmldir = sprintf("%s/html/%02d%02d%02d", $outputdir, $year, $mon, $mday);
    $rawoutput = sprintf("%s/raw", $outputdir);
    $TopN = 100;
    @NET = ("NTUProxy", "NTUGeneral");
    $protfile = "$dir/protocols";
    $servfile = "$dir/services";
    $intranet = "$dir/intranet";
    $DEBUG = 0;             # debug info flag
    $SLEEP_TIME = 0;        # debug
    $COUNT_THRESHOLD = 50;  # debug

Slide 34: Part III, MRTG

Slide 35: MRTG
- Introduction to MRTG
- Using MRTG
- Using MRTG to monitor other system resources

Slide 36: Multi Router Traffic Grapher
- A tool for monitoring the traffic on network links
- How it works
  - Uses SNMP to collect traffic or other status data from network devices
  - Generates web pages from the collected data and presents it as graphs
  - Provides records for the current day, the past seven days, the past four weeks, and the past 12 months
  - Can accept data collected by external programs and graph it

Slide 37: Using MRTG
- Get the program
  - http://people.ee.ethz.ch/oetiker/webtools/mrtg/pub
  - The latest version at present is mrtg-2.9.18
- Compile MRTG
- Generate the MRTG configuration file
- Edit the MRTG configuration file
- Test the MRTG output
- Run MRTG automatically

Slide 38: Compile MRTG
- Make sure the following software is installed first
  - gd
  - libpng
  - zlib
- Installation procedure
    gunzip -c mrtg-2.9.18.tar.gz | tar xvf -
    cd mrtg-2.9.18
    ./configure --prefix=/usr/local/mrtg-2
    make
    make install

Slide 39: Generating the MRTG Configuration File
- The configuration file must define
  - The IP address or name of the network devices to collect data from
  - The kind of data to collect
  - The path where the collected data is stored
  - The format of the output graphs and web pages

    cfgmaker --global 'WorkDir: /home/httpd/mrtg' --global 'Options[_]: bits,growright' --output /home/mrtg/cfg/mrtg.cfg community@router.ntu.edu.tw

Slide 40: MRTG Configuration File Syntax
Global
- WorkDir
- HtmlDir
- ImageDir
- LogDir
- Refresh
- Interval
- LoadMIBs

Slide 41: MRTG Configuration File Syntax
Target: specifies which machine to monitor
    Target[targetname]: port:community@router.domain.name
    Target[targetname]: oid_1&oid_2:community@router.domain.name
    Target[targetname]: snmp_name1&snmp_name2:community@router
    Target[targetname]: 1:community@routerA + 2:community@routerA
    Target[targetname]: `/usr/local/ping-probe/mrtg-ping-probe`
- First parameter
- Second parameter
- System uptime
- A string giving the name of the Target

Slide 42: MRTG Configuration File Syntax
Target options
- MaxBytes: The maximum value either of the two variables monitored are allowed to reach
- MaxBytes1: maxbytes for variable 1
- MaxBytes2: maxbytes for variable 2
- Title: title for the HTML page which gets generated for the graph
- PageTop: Things to add to the top of the generated HTML page

Slide 43: MRTG Configuration File Syntax
- Options
  - growright
  - bits
  - gauge
  - absolute
  - nopercent
- Special target names
  - Target[^]
  - Target[$]
  - Target[_]

Slide 44: A minimal mrtg.cfg
    WorkDir: /usr/tardis/pub/www/stats/mrtg
    Target[r1]: 2:public@myrouter.somplace.edu
    MaxBytes[r1]: 8000
    Title[r1]: Traffic Analysis ISDN
    PageTop[r1]: Stats for our ISDN Line

Slide 45: An mrtg.cfg covering several routers
    WorkDir: /usr/tardis/pub/www/stats/mrtg
    Title[^]: Traffic Analysis for
    PageTop[^]: Stats for
    PageTop[$]: Contact The Chief if you notice anybody
    MaxBytes[_]: 8000
    Options[_]: growright

    Title[isdn]: our ISDN Line
    PageTop[isdn]: our ISDN Line
    Target[isdn]: 2:public@router.somplace.edu

    Title[backb]: our Campus Backbone
    PageTop[backb]: our Campus Backbone
    Target[backb]: 1:public@router.somplace.edu
    MaxBytes[backb]: 1250000

    # the following line removes the default prepend value
    # defined above
    Title[^]:

    Title[isdn2]: Traffic for the Backup ISDN Line
    PageTop[isdn2]: our ISDN Line
    Target[isdn2]: 3:public@router.somplace.edu

Slide 46: Running MRTG Automatically
- Use MRTG to observe long-term trends
- Set MRTG to run periodically
- Add an entry to crontab
    crontab -e
    0,5,10,15,20,25,30,35,40,45,50,55 * * * * /mrtg/bin/mrtg /mrtg/conf/mrtg.cfg

Slide 47: Using MRTG to Monitor Other Data
- Sources of MRTG data
  - Obtained from remote network devices over SNMP
  - Produced by an external program
- Configuration
  - Set the path of the external program in the Target option

Slide 48: Network Status - round-trip time & packet loss
- mrtg-ping-probe
  - Monitor the round-trip time and packet loss to another networked host
  - Download: ftp://ftp.pwo.de/pub/pwo/mrtg/mrtg-ping-probe/
- mrtg-ping-probe usage
    mrtg-ping-probe -hsvV -d deadtime -k count -l length -o ping_options -p factor*min|max|avg|loss|integer/factor*min|max|avg|loss|integer -r rsh:user@host:osname -t timeout host
    T: /usr/local/mrtg/mrtg-ping-probe
    T: /usr/local/mrtg/mrtg-ping-probe -p loss/loss

Slide 49
    root@scorpio 5:33pm /# /usr/local/ping-probe/mrtg-ping-probe
    190
    189
    root@scorpio 5:35pm /f# /usr/local/ping-probe/mrtg-ping-probe -t 42 -p loss/loss
    0
    0

Slide 50: System CPU Load
- Sysstat
  - Collects system CPU utilization data
  - http://perso.wanadoo.fr/sebastien.godard/
- How it works
  - Schedule the Unix sa1 command in crontab so that it runs periodically, collecting system information and storing it in /var/adm/sa/sadd (dd is the current date)
  - Use a Perl program to extract the system information stored in the sadd file and output it in a format MRTG accepts

Slide 51
    # crontab
    0,10,20,30,40,50 * * * * /usr/lib/sa/sa1

Slide 52
    root@aquarius 5:27pm # system-load.sh
    SunOS aquarius 5.7 Generic_106541-18 sun4u 07/07/02
    00:00:00 %usr %sys %wio %idle
    00:10:00   12    4    1    83
    00:20:00    3    4    1    92
    00:30:00   12    4    1    84
    00:40:00    3    4    0    93
    00:50:00   12    4    1    84
    01:00:01    3    4    1    92
    01:10:00   12    4    0    84
    01:20:00    3    4    0    93
    01:30:00   12    4    1    84
    01:40:00    3    4    1    92
    .
    15:50:00   12    4    0    84
    16:00:00    3    4    1    93
    16:10:00   12    4    0    84
    16:20:00    3    4    1    92
    16:30:00   12    4    1    84
    16:40:00    3    4    0    93
    16:50:00   12    4    0    84
    17:00:00    4    4    1    92
    17:10:00   12    4    1    84
    17:20:00    3    4    0    93
    Average     7    3    1    89

Slide 53
    root@aquarius 5:27pm # system-load.sh
    4
    7
    82 day(s)
    aquarius

Slide 54: DNS Statistics
- mrtg/stat/stat.pl
  - Graphs the statistics produced by the DNS server, making it easier to observe changes in the DNS server's load
- How it works
  - Have the DNS server generate the named.stats file periodically
  - stat.pl extracts the values to be observed from named.stats
- Edit stat.pl
  - $HOSTNAME: domain name
  - $LOG: the path of named.stats
  - $RUN: the path of working directory

    Target[dns_stats]: `/usr/local/mrtg/stat.pl`

Slide 55
    +++ Statistics Dump +++ (1026035100) Sun Jul 7 17:45:00 2002
    4082015 time since boot (secs)
    525288 time since reset (secs)
    493244 Unknown query types
    174015036 A queries
    82881 NS queries
    36 MD queries
    5 MF queries
    35361 CNAME queries
    1731371 SOA queries
    1 MB queries
    5 MG queries
    0 MR queries
    3 NULL queries
    0 WKS queries
    67734278 PTR queries
    5 HINFO queries
    0 MINFO queries
    5874154 MX queries
    35475 TXT queries
    2 RP queries
    0 AFSDB queries
    18 X25 queries
    0 ISDN queries
    0 RT queries
    2 NSAP queries
    0 NSAP_PTR queries
    0 SIG queries
    0 KEY queries
    0 PX queries
    0 GPOS queries
    2793085 AAAA queries
    152 LOC queries
    0 NXT queries
    0 EID queries
    8 NIMLOC queries
    1638871 SRV queries
    0 ATMA queries
    0 NAPTR queries
    0 KX queries
    0 CERT queries

Slide 56
    #!/usr/local/bin/perl -w
    # Index of each counter within the named.stats statistics line
    %D_STAT = (
        RR => 0, RNXD => 1, RFwdR => 2, RDupR => 3, RFail => 4,
        RFErr => 5, RErr => 6, RAXFR => 7, RLame => 8, ROpts => 9,
        SSysQ => 10, SAns => 11, SFwdQ => 12, SDupQ => 13, SErr => 14,
        RQ => 15, RIQ => 16, RFwdQ => 17, RDupQ => 18, RTCP => 19,
        RFwsR => 20, SFail => 21, SFErr => 22, SNaAns => 23, SNXD => 24,
        RUQ => 25, RURQ => 26, RUXFR => 27, RUUpd => 28,
    );
    my $HOSTNAME = "dns.ntu.edu.tw";
    my $LOG = "/users/www/mrtg/dnsstat/named.stats";
    my $RUN = "/users/www/mrtg/dnsstat";
    my $INCOMING = $D_STAT{RQ};
    #my $OUTGOING = $D_STAT{RFail};
    my $OUTGOING = $D_STAT{SAns};

Slide 57
    root@scorpio 8:29pm users/www/mrtg/stat.pl
    5061641332534888
    dns.ntu.edu.tw

Slide 58: Reference Pages
flow-tool http:/packagehttp:/net-
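Added example, not from the slides or from flow-tools: a minimal Python parser for a NetFlow v5 export datagram (one of the four export formats listed on slide 22) that also counts flows lost between datagrams from the header sequence number, the check slide 28 attributes to flow-capture. It assumes Cisco's published v5 layout (24-byte header, 48-byte records); the function names and the sample datagrams are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 layout (Cisco's published format): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return (flow_sequence, flows) for one NetFlow v5 export datagram."""
    version, count, _up, _secs, _nsecs, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version %d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")  # truncated or malformed
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input_if": f[3], "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14],
        })
    return seq, flows

def lost_flows(datagrams):
    """Count flows missing between datagrams, using the header sequence number."""
    expected, lost = None, 0
    for d in datagrams:
        seq, flows = parse_v5(d)
        if expected is not None and seq != expected:
            lost += (seq - expected) % 2**32   # the counter wraps at 32 bits
        expected = (seq + len(flows)) % 2**32
    return lost

def build_v5(seq, flows):
    """Build a sample datagram; flows are (src, dst, sport, dport, proto, pkts, octets)."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, proto, pkts, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                           1, 2, pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0,
                           0, 0, 0, 0, 0)
    return out

# Constructed sample: documentation-range addresses, not data from the slides.
SAMPLE = [
    build_v5(100, [("192.0.2.10", "198.51.100.5", 1084, 80, 6, 5, 589)] * 2),
    build_v5(102, [("192.0.2.11", "198.51.100.7", 53, 43052, 17, 1, 187)]),
    build_v5(110, [("192.0.2.12", "198.51.100.9", 3128, 80, 6, 3, 156)]),  # 103..109 missing
]
```

`lost_flows(SAMPLE)` reports the seven flows skipped between the second and third datagrams; because the export runs over UDP, a non-zero count is the collector's only sign that accounting data was dropped in transit.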
