A Survey of Network Traffic Monitoring and Analysis Tools PDF
Abstract:
As networks grow from hundreds to thousands of computers, from hubs to switched networks, and from Ethernet to either ATM or 10 Gbps Ethernet, administrators need more sophisticated network traffic monitoring and analysis tools in order to deal with the increase. These tools are needed not only to fix network problems on time, but also to prevent network failure, to detect inside and outside threats, and to make good decisions for network planning. This paper surveys all possible network traffic monitoring and analysis tools in the non-profit and commercial areas. The tools are grouped into three categories based on their data acquisition method: network traffic flow information from NetFlow-like network devices, network traffic flow information from SNMP, and local traffic flow information from a packet sniffer. The popular tools in each category, their main features, and their operating system compatibility are discussed, and feature comparisons are made for each category.
Keywords:
Network Traffic Monitoring and Analysis Tools, Traffic Flow, NetFlow, sFlow, IPFIX, RMON, Flow-tools, cflowd, flowd, FlowScan, Autofocus, Fluxoscope, pmacct, InMon, snoop, tcpdump, Ethereal, Wireshark, Sniffer, MRTG, Cricket
Table of Contents
1. Introduction
2. Traffic flow information
2.1 Network traffic flow information (by NetFlow-like devices)
2.1.1 Cisco NetFlow
2.1.1.1 Examples of network traffic flow collectors (Flow-tools, cflowd, and flowd)
2.1.1.2 Examples of network traffic flow monitoring and analysis tools (FlowScan, Autofocus, and Fluxoscope)
2.1.2 sFlow (pmacct and InMon Traffic Sentinel)
2.2 Network traffic flow information (by SNMP) (MRTG and Cricket)
2.3 Local traffic flow information (by packet sniffer)
2.3.1 Software sniffer (snoop, tcpdump, Wireshark)
2.3.2 Hardware sniffer (Sniffer)
3. Comparison of traffic flow information
4. Summary
5. References
6. List of Acronyms
7. Appendix A: List of network traffic monitoring and analysis tools
1. Introduction
Network monitoring and measurement have become more and more important in modern, complicated networks. In the past, administrators might only have monitored a few network devices or fewer than a hundred computers, and the network bandwidth may have been just 10 or 100 Mbps (megabits per second); now, however, administrators have to deal with not only
http://www.cse.wustl.edu/~jain/cse567-06/ftp/net_traffic_monitors3/ind...
1 of 24
higher-speed wired networks (more than 10 Gbps (gigabits per second), and ATM (Asynchronous Transfer Mode) networks) but also wireless networks. They need more sophisticated network traffic monitoring and analysis tools in order to maintain the stability and availability of the network system: to fix network problems on time or to avoid network failure, to ensure network security, and to make good decisions for network planning. When a network failure occurs, monitoring agents have to detect, isolate, and correct malfunctions in the network and, if possible, recover from the failure. Commonly, the agents should warn the administrators so that the problems can be fixed within a minute. With a stable network, the administrators' job remains to monitor constantly for threats from either inside or outside the network. Moreover, they have to regularly check network performance to see whether the network devices are overloaded. Before a failure due to overload occurs, information about network usage can be used to make a network plan for short-term and long-term improvement.

There are various kinds of tools dealing with network monitoring and analysis, such as tools based on the Simple Network Management Protocol (SNMP), Windows Management Instrumentation (WMI), sniffing, and network flow monitoring and analysis. Given the data packet and network traffic flow information, administrators can understand network behavior, such as application and network usage, utilization of network resources, network anomalies, and security vulnerabilities. In this paper, we survey all possible network traffic monitoring and analysis tools in both the public and the commercial area.

The organization of this paper is as follows. In section 2, we classify the tools into three categories based on how the network flow information is retrieved: network traffic flow information from network devices (NetFlow-like devices in section 2.1 and SNMP in section 2.2) and from the local network (by packet sniffer in section 2.3). The popular tools for each category are given with their main features and operating system compatibility. In section 3, the feature comparisons for each category are made based on [sFlow03]. Finally, a summary is drawn in section 4. Since there are in fact a huge number of monitoring and analysis tools available, we also include lists of all possible tools from [1, 2, 3, 4, 5, 6, 7, 8, 9] in Appendix 7. However, all tools in this paper focus only on network traffic monitoring and analysis. A reader can follow the links for further information or click on the references [1] to [9]; note that, unlike this paper (which covers network traffic monitoring and analysis tools only), these links also contain other network management and monitoring tools. For example, in [1], the ESnet Network Monitoring Task Force (NMTF) maintains an updated list of network monitoring tools for both LAN and WAN. The link gathers thousands of tools and classifies them into eight main groups, including Network Monitoring Platforms (NMP), Monitoring Tools Integrated with NMP, Commercial Monitoring Tools not Integrated with an NMP, Public Domain Network Monitoring Tools, Web Tools, Auxiliary Tools to Enable Monitoring, Analysis, Report Creation or Simulation. The commercial network monitoring tools have eight subgroups: Analyzer/Sniffer, Application/Services monitoring, Flow monitoring, FTP, Network security, SNMP tools, Topology, and VOIP (Voice Over IP). Fourteen subgroups are used for the public network monitoring tools, among them Application Monitoring, Finger Printing, FTP (File Transfer Protocol), Mapping, Monitoring Infrastructures, Packet Capture, Path Characterization, Ping, RRDtool (Round Robin Database Tool), SNMP, Throughput tools, and Traceroute. In [2], the Cooperative Association for Internet Data Analysis (CAIDA) also provides tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure.

Network traffic monitoring software and text-based packet monitoring software are listed in [3] with some comments. In [4], the Swiss Education and Research Network makes a list of flow-based accounting software with a brief description of each tool. Some of the network monitoring and management tools are described briefly in [5]. In the category "Network Traffic Monitoring", [6] lists the tools and gives critiques of the popular ones. In [7], the Advanced Laboratory Workstation System lists network monitoring software; the link is no longer maintained, but it is still there. Comlab provides some tools for modeling user traffic [8]. Hundreds of traffic monitoring and analysis tools (most of them in the commercial area) are listed in [9] and [10]. www.tucows.com and www.download.com are well-known websites for downloading software in both the commercial and the non-profit area; the tools found by searching for "network traffic monitoring" and "network traffic analyzer" are listed.
can be very expensive in terms of router CPU consumption, the huge volume of flow data sent across the network, and the data storage required; the NetFlow collector is therefore placed just one hop from the router or directly connected to it. Additionally, the "Sampled NetFlow" feature is an option that lets the router look only at every nth packet or at packets chosen at a random interval. Aside from the recommendations above, the placement of the NetFlow collector also depends on the location of the reporting solution and the topology of the network, but it is normally placed at the central site, since exporting NetFlow from the remote branches to a central site is optimal. Normally about 1 to 5% of the switching capacity is consumed in order to export the flow records to the collectors. [Cisco, NetFlow06b]
2.1.1.1 Examples of network traffic flow collectors (Flow-tools, cflowd, and flowd)
In this section, the popular NetFlow collectors are described: "Flow-tools", "cflowd", and "flowd". Although "cflowd" is no longer maintained, its flow-collecting concept is used by other flow collectors. The concepts and features of flow collectors are similar: they just collect NetFlow information from Cisco routers. Thus, most NetFlow collectors are offered free of charge (the NetFlow collector provided by Cisco Systems costs only a small fee, whereas the Cisco NetFlow Analyzer is expensive). Table 2.2 lists other free NetFlow collectors with their main features, operating system compatibility, and input/output. Most NetFlow collectors include a simple flow analyzer, such as a top-ten protocol summarization and a one-line statistics summary.

"Flow-tools" is actually a combination of a network traffic flow collector and a flow analyzer. The flow collector can support single, distributed, and multiple servers for NetFlow versions 1, 5, 6, and 14 defined as version 8 subversions. Perl and Python are used as the programming interface. The "flow-capture" module collects the NetFlow records (over UDP only, not SCTP) from the network devices and stores all flows in a compressed raw format. Then either "flow-print" or "flow-cat" decodes the compressed files for analysis. The other modules included in the Flow-tools package are described in table 2.1 [S. Romig et al., 2000].

Table 2.1: Flow-tools package [S. Romig et al., 2000]

| Flow-tools module | Function |
|---|---|
| flow-cat | Concatenate flow files. Typically, flow files contain a small window of 5 or 15 minutes of exports; "flow-cat" can be used to append files for generating reports that span longer periods. |
| flow-fanout | Replicate NetFlow datagrams to unicast or multicast destinations. "flow-fanout" is used to facilitate multiple collectors attached to a single router. |
| flow-report | Generate reports for NetFlow data sets. Reports include source/destination IP pairs, source/destination AS number, and top talkers. Over 50 reports are currently supported. |
| flow-tag | Tag flows based on IP address or AS number. "flow-tag" is used to group flows by customer network. The tags can later be used with "flow-fanout" or "flow-report" to generate customer-based traffic reports. |
| flow-filter | Filter flows based on any of the export fields. "flow-filter" is used in-line with other programs to generate reports based on flows matching filter expressions. |
| flow-import | Import data from ASCII or "cflowd" format. |
| flow-export | Export data to ASCII or "cflowd" format. |
| flow-send | Send data over the network using the NetFlow protocol. |
| flow-receive | Receive exports using the NetFlow protocol without storing them to disk, unlike flow-capture. |
| flow-gen | Generate test data. |
| flow-dscan | Simple tool for detecting some types of network scanning and Denial of Service (DoS) attacks. |
| flow-merge | Merge flow files in chronological order. |
| | Perform translations on some flow fields. |
| | Expire flows using the same policy as "flow-capture". |
| | Display meta information in a flow file. |
| | Split flow files into smaller files based on size, time, or tags. |
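The following is an added example, not code from the paper or from the Flow-tools package: a minimal NetFlow v5 collector in Python. It decodes the kind of export datagram that a module such as "flow-capture" receives over UDP, reads the sampling field of the header (the "Sampled NetFlow" option mentioned earlier), scales sampled byte and packet counts while leaving flow counts alone, and produces the top-talker summary that most collectors print. The datagram is constructed inline from three made-up flow records using documentation address ranges; the field layout follows the published NetFlow v5 export format, and `build_v5_datagram`, `parse_netflow_v5`, `scale_for_sampling` and `top_talkers` are names chosen for this example.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 export format: a 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_datagram(flows, sampling_mode=0, sampling_interval=0):
    """Build a v5 export datagram from (src, dst, proto, sport, dport, pkts, octets)
    tuples. Constructed test input; a real router fills the header from its own state."""
    sampling = ((sampling_mode & 0x3) << 14) | (sampling_interval & 0x3FFF)
    header = V5_HEADER.pack(5, len(flows), 600000, 1160000000, 0, 0, 0, 0, sampling)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       1, 2, pkts, octets, 100000, 200000, sport, dport,
                       0, 0x1B if proto == 6 else 0, proto, 0, 64500, 64501, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return header + records

def parse_netflow_v5(datagram):
    """Decode one export datagram into (header dict, list of record dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header announces %d records" % count)
    header = {
        "count": count, "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs,
        "flow_sequence": flow_seq, "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14,          # 0 means the router did not sample
        "sampling_interval": sampling & 0x3FFF,   # 1-in-N packet sampling
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
        })
    return header, records

def scale_for_sampling(header, records):
    """Multiply byte and packet counts by the sampling interval. Flow counts are left
    alone: a sampled flow is still one flow however many of its packets were skipped."""
    n = header["sampling_interval"] if header["sampling_mode"] else 1
    return [dict(r, bytes=r["bytes"] * n, packets=r["packets"] * n) for r in records]

def top_talkers(records, key="src", limit=10):
    """Rank addresses by bytes: the one-line summary most collectors print."""
    totals = defaultdict(int)
    for r in records:
        totals[r[key]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

# Constructed sample export: three flows, router sampling 1 in 100 packets.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 6, 51234, 80, 12, 9000),
    ("192.0.2.10", "198.51.100.7", 6, 51235, 443, 8, 6000),
    ("192.0.2.20", "198.51.100.5", 17, 5353, 53, 2, 200),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, sampling_mode=1, sampling_interval=100)

if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(SAMPLE_DATAGRAM)
    print("records: %d, sampling 1 in %d" % (hdr["count"], hdr["sampling_interval"]))
    for addr, nbytes in top_talkers(scale_for_sampling(hdr, recs)):
        print("%-16s %12d bytes (estimated)" % (addr, nbytes))
```

The length check before unpacking matters in a real collector: the header's record count is attacker-controllable data arriving over UDP, so it must never be trusted to index past the end of the datagram.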
"cflowd" [cflowd98] is a flow analysis tool for analyzing NetFlow data. The "cflowd" package includes flow collections, storage, and basic analysis modules for "cflowd" and "arts++" libraries. "cflowd" package contains four modules. "cflowmux" module functions as the flow collector to collect UDP data flow from Cisco routers and saves them to shared memory buffers. Then, "cflowd" watches the shared memory and reads a packet buffer when available. "cflowd" uses "CflowRawFlow" class to covert the flow-export packets to "CflowdRawFlow" object, and use "CflowdRawFlow" to generate the tables. To generate time series data for the tabular information (AS matrix, net matrix, protocol table and port matrix, "cfdcollect" retrieves the data from "cflowd" at regular intervals. "cfdcollect" also uses "CflowdServer" class as an interface and writes data in ARTS file.
Figure 2.1: "cflowd" data flow [cflowd98]

"flowd" [flowd06] is another NetFlow collector. It supports NetFlow protocol versions 1, 5, 7, and 9 over both IPv4 and IPv6 (multicast groups for flow export are also supported). "flowd" is considered secure, since privilege separation is used to separate the parent process from an unprivileged child process. "flowd" stores the data in a compact binary format. Its main feature is a user-friendly programming interface in Perl and Python.

Table 2.2: Free NetFlow collector tools (columns: Tool; Software/OS; Input/Output; Functions/Features)

Tool: flow Script; Flowd; flowd; NFDUMP; NEye; pcNetFlow; NDSAD Traffic Collector; NFDC; New NetFlow Collector; pfflowd; RENETCOL
Software/OS: Unix-like, softflowd and pfflowd for OpenBSD; Linux, Solaris, AIX, Irix, HP/UX, Mac OS X, Digital Unix, Ultrix, Nextstep; Linux, FreeBSD; Windows, POSIX, Unix-like; N/A; BSD-like, Linux; OpenBSD; Linux
Input/Output: NetFlow/Text; NetFlow/Compact binary format; NetFlow v5/ASCII, MySQL, SQLite; NetFlow v5/Text; NetFlow/Text; NetFlow/PostgreSQL; NetFlow v5, v7/Database or Text; NetFlow/Text; NetFlow v5/ASCII and binary files
Functions/Features: Script for NetFlow-generating software traffic probe; Simple, fast, and secure NetFlow collector; Flow collector (IPv4 and IPv6 transports), supports NetFlow v9; A set of tools to capture/record, dump, filter, and replay NetFlow (v5/v7/v9) data; Supports various operating systems, makes full use of POSIX threads; Software running on normal PC hosts, translating captured traffic data into the NetFlow v5 format; NetFlow Datagram Collector; New NetFlow Collector is a POSIX-compliant portable collector for Cisco NetFlow datagram export for OpenBSD; NetFlow collector with support for NetFlow v9, IPv6, Multicast, and MPLS
2.1.1.2 Examples of network traffic flow monitoring and analysis tools (FlowScan, Autofocus, and Fluxoscope)
In this section, the popular tools for network traffic flow monitoring and analysis are described. The tools generate graphs or function as visualization tools, which provide summarization and classification of network flow information. These tools generally use flow information captured by other flow collectors, as "FlowScan" does (it uses data from "cflowd"); "PRTG" supports all three data acquisition methods. Table 2.3 also shows other free NetFlow-like grapher tools with their main features, operating system compatibility, and input/output. "AutoFocus" and "Fluxoscope" are two other popular tools for network traffic flow monitoring and analysis. We also list other free network traffic flow monitoring and analysis tools in table 2.4 with their main features, operating system compatibility, input and output, and primary functionality as flow collectors; some tools also include report generator features. Since there are a lot of free NetFlow monitoring and analysis tools, a list of the available tools with a brief description and the software link is given in Appendix 7 (Table 7.1). For commercial network traffic flow monitoring and analysis tools, table 2.5 shows the commercial NetFlow reporting products from [Cisco NetFlow06a]. Most products are used primarily for traffic and security analysis, and all companies target enterprise users. "AdventNet" and "Crannog Software" are considered to be in the lower price range, and both of them support only Windows. Only "Cisco NetFlow Collector" and "HP" support both Solaris and Linux. The rest support either Linux or Windows, except "Arbor Networks" (BSD only) and "Micromuse" (Solaris). One more observation is that if the operating system is Solaris, only NetFlow data can be used. Other commercial tools are listed with their software link in Appendix 7 (Table 7.2).

"FlowScan" [D. Plonka, 2000] is a visualization tool used to generate reports in HTML format. "FlowScan" is a package of Perl script modules that binds a flow collection engine, a high performance database, and a visualization tool together. Instead of cflowd's "arts++" data aggregation features, "FlowScan" uses RRDtool to store numerical time-series data. The RRDtool and RRGrapher modules are used to create output such as graphs of IP traffic in GIF (Graphics Interchange Format) or PNG (Portable Network Graphics) format. "FlowScan" uses "cflowd" as its flow collector, and the "cflowd" components used by "FlowScan" are the "cflowdmux" and
"cflowd" programs. "cflowdmux" receives UDP NetFlow data from routers and passes them to "cflowd", which writes them to storage disks. Another module called "flowscan" (not "FlowScan") does the central processing in the system such as loading and executing report modules. The report module is a Perl module derived from the "FlowScan" class (FlowScan.pm). Another module called "flowdumper" is the utility module used to examine the raw flows manually. "FlowScan" provides an extra feature dealing with buffer management due to the very high traffic and flood-based DOS attack. It also supports a stateful inspection by the use of heuristics. By analyzing flow information, "FlowScan" can track the state of application session or series of sessions. As a result, "FlowScan" can classify the stateful traffic such as Napster application or passive mode of FTP file transfers. [D. Plonka, 2000]
Figure 2.2: Screen snapshot of FlowScan [D. Plonka, 2000]

Next, Paessler Router Traffic Grapher (PRTG) [PRTG06] is a very powerful and low-cost tool (starting from $100) for monitoring bandwidth use on Windows. PRTG is available in both a free version (with three sensors, for academic and personal use) and commercial versions. This tool supports all three data acquisition methods: NetFlow-like, SNMP (not only bandwidth usage but also CPU usage, disk usage, and temperatures can be monitored), and packet sniffing (running in promiscuous mode). Administrators can use either the Windows interface or the web interface to configure and monitor the sensors and to create reports.
Figure 2.3: Screen snapshot of PRTG [PRTG06]

"AutoFocus" is a traffic analysis and visualization tool. "AutoFocus" analyzes the traffic pattern and provides both textual reports (measured in bytes, packets, and flows) and time series plots. Its extra feature is that it generates reports with traffic clusters that aggregate the mix of traffic. The traffic mix is defined using the source and destination IP address, the source and destination ports, and the protocol field. RRDtool is used to produce time series plots of the traffic mix. "AutoFocus" can produce reports and plots for various time periods, ranging from weeks down to half-hour intervals, and it also supports user-defined filters. "AutoFocus" supports two types of input: packet header traces and NetFlow data. Sampled data can be used with both inputs, but "AutoFocus" only compensates for the sampling in the reports that measure the traffic in bytes and packets, not in flows. [Cristian Estan et al., 2003]
Figure 2.4: Screen snapshot of AutoFocus [http://ial.ucsd.edu/AutoFocus/]

"Fluxoscope" (formerly NetFlow listener) is aggregation and analysis software written in Common Lisp. Its main feature is that it provides not only various types of graphical and textual reports and an interactive Web-based tool, but also a NetFlow accounting processor with an SNMP agent, which can be used to access statistics on the processing of accounting data. It can support multiple NetFlow accounting streams. The "Listener" module in "Fluxoscope" collects the accounting data sent to it, applies aggregation functions to all flows, splits them into time slices, and finally writes the data out to files periodically. Like a general NetFlow collector, the "Listener" is better placed near the routers to reduce load and to avoid data loss. The "Data collection and maintenance module" periodically accesses the files generated by the "Listener" and copies them to central storage; it supports data compression, and data over a long period can be summed up. Finally, the "Data analysis module" analyzes the data from the central storage in order to generate several kinds of reports, such as tabular data and graphical representations, for network monitoring and long-term traffic analysis. [S. Leinen, 2000]
Figure 2.5: Screen snapshot of Fluxoscope [S. Leinen, 2000]

Table 2.3: Free NetFlow grapher tools

| Tool | Software/OS | Requirements | Functions/Features |
|---|---|---|---|
| F.L.A.V.I.O. | Unix-like | Web/Perl, MySQL | A data grapher for NetFlow data export compatible devices |
| Flow Viewer | N/A | Web/Perl, GD, RRDtool | Web interface to Flow-tools |
| JKFlow (XML based) | Linux/Solaris | Web/RRDtool | WAN traffic monitoring |
| NfSen | BSD-like | Web/PHP, Perl, RRDtool | A graphical web-based front end for the nfdump tools |
| nfstat | Unix-like | Web/Perl | Weekly human-readable reports from raw NetFlow v5 data |
| Ntop | Unix-like, Linux, BSD-like, Solaris, MacOS, Windows | Web | Network traffic probe that shows the network usage, similar to the popular Unix top command; supports NetFlow v9 |
| ng_NetFlow | Apple Mac OS X, Linux, BSD-like, Unix-like | N/A | A netgraph kernel module |
| Stager | Unix-like | Web/PostgreSQL | A system for aggregation and presentation of network statistics from the Flow-tools package |
Table 2.4: Free NetFlow monitoring and analysis tools (columns: Tool; Hardware(H)/Software(S); Input; Output; Monitor(M)/Capture(C)/Analysis(A); Real Time(R)/Offline(O))

Tool: dbFlowc; EHNT; FlowScan; Flow-tools (like cflowd); Fluxoscope; Flamingo; Flowc; Java NetFlow Collect-Analyzer; JNFA; NetFlow Monitor; NeTraMet (link is no longer valid); Netpy
Hardware/Software: (S) Linux, Solaris, FreeBSD, MAC, OpenBSD, NetBSD; (S) N/A; N/A; (S) Java; (S) Unix-like, FreeBSD; (S) Linux, FreeBSD; (S) Unix-like, Debian; (S) Linux, MAC, Solaris, Windows; (S) Unix-like, Linux, FreeBSD; (S) BSD-like, Linux, FreeBSD, HP-UX; (S) BSD-like, Linux, FreeBSD, Solaris, Unix-like; (S) BSD-like, Linux, FreeBSD, Unix-like; (S) Unix-like; (S) Linux; (S) N/A; (S) N/A; (S) Linux, FreeBSD; (S) Java; (S) Java; (S) Linux; (S) Unix-like, DOS; (S) Linux
Input: packet capture files, data from a live audit interface; packet header traces, NetFlow; NetFlow; SNMP and NetFlow; flow-export data from one or more Cisco routers; NetFlow and other traffic capture sources; NetFlow; NetFlow; ATM traffic; live SNMP; NetFlow; NetFlow; cflowd-format raw; NetFlow; NetFlow; NetFlow; NetFlow; NetFlow or nProbe; Raw, JDBC data; NetFlow; NetFlow; NetFlow, SNMP; NetFlow
Output: report/Text (log files); GUI (Web*); visualization; GUI (Web*); GUI; Tabular summaries; N/A; Text; GUI; GUI; GUI (Web*); Text; Text; GUI (Web*); Text; GUI, 3D visualization; GUI, 3D visualization; SQL, GUI (Web); SQL; GUI (Web); GUI; GUI (python)
Monitor/Capture/Analysis: M, C, A; A; M, C, A; M, C; M, C, A; M, C, A
Real Time/Offline: R, O; O; R, O; R; R; R; R; R; O; O; R; O; R, O; R, O; R, O; R, O; R, O; R, O; R, O; R, O; R, O
*based on RRDtool files

Table 2.5: Commercial NetFlow Reporting Products [Cisco, NetFlow06b]

| Product Name | Primary Use | Primary User | Operating System | Starting Price Range |
|---|---|---|---|---|
| Cisco NetFlow Collector | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | Medium |
| Cisco CS-Mars | Security Monitoring | Enterprise, SMB | Linux | Medium |
| AdventNet | Traffic Analysis | Enterprise, SMB | Windows | Low |
| Apoapsis | Traffic Analysis | Enterprise | Linux | Medium |
| Arbor Networks | Security/Traffic Analysis | Enterprise, Service Provider | BSD | High |
| Caligare | Traffic/Security Analysis | Enterprise, Service Provider | Linux | Medium |
| Crannog Software | Traffic Analysis | Enterprise, SMB | Windows | Low |
| *CA Software | Traffic Analysis | Enterprise, Service Provider | Windows | High |
| *Evident Software | Traffic Analysis, Billing | Enterprise | Linux | High |
| *HP | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | High |
| IBM Aurora | Traffic Analysis/Security | Enterprise, Service Provider | Linux | Medium |
| InfoVista (Crannog) | Traffic Analysis | Enterprise, Service Provider | Windows | High |
| | Traffic Analysis | Enterprise, Service Provider | | |
| | Traffic Analysis | Enterprise, Service Provider | | |
| | Traffic/Security Analysis | Enterprise | | |
| | Traffic Analysis | Enterprise | | |
| | Traffic Analysis | Enterprise | | |

* Use Cisco NetFlow Collector
2.2 Network traffic flow information (by SNMP) (MRTG and Cricket)
Simple Network Management Protocol (SNMP) is defined by the IETF. SNMP is an application layer protocol used to monitor network-attached devices. SNMP follows the manager/agent model: the manager and agent use a Management Information Base (MIB) and a relatively small set of commands to exchange information. The MIB is
organized in a tree structure with individual variables, represented as leaves on the branches. A long numeric tag, the object identifier (OID), is used to distinguish each variable uniquely in the MIB and in SNMP messages. SNMP uses five basic messages (GET, GET-NEXT, GET-RESPONSE, SET, and TRAP) to communicate between the manager and the agent. The GET and GET-NEXT messages allow the manager to request information for a specific variable. The agent, upon receiving a GET or GET-NEXT message, issues a GET-RESPONSE message to the manager with either the information requested or an error indication as to why the request cannot be processed. A SET message allows the manager to change the value of a specific variable; the agent acknowledges with a GET-RESPONSE message that indicates the change or provides an error message as to why the change cannot be made. The TRAP message allows the agent to inform the manager of an important event. [DPS Telecom06]

Each SNMP element manages specific objects, each object having specific characteristics. Each object/characteristic has a unique object identifier (OID). An OID is a sequence of numbers separated by decimal points, such as "1.3.6.1.4.1.2682.1", and the OIDs form a tree structure. The MIB associates each OID with a readable label such as "dpsRTUAState" and various other parameters related to the object. The MIB thus serves as a data dictionary used to assemble and interpret SNMP messages. [DPS Telecom06]

The SNMP GET message allows the Network Monitor Engine to request information about a specific variable remotely. Upon receiving a GET message, the agent issues a GET-RESPONSE message to the Network Monitor Engine with either the information requested or an error indication as to why the request cannot be processed. "snmpget" [snmpget05] from the Net-SNMP implementation is an SNMP GET command-line tool for Unix-like operating systems and Windows. It requests information from the network entity and displays the output in text format.
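To make the GET/GET-RESPONSE exchange and the OID encoding concrete, here is an added Python example; it is not code from the paper, from Net-SNMP, or from DPS Telecom. It BER-encodes an SNMPv1 GetRequest for two OIDs, including the "1.3.6.1.4.1.2682.1" OID quoted above, and decodes a GetResponse, including the error-status and error-index fields the agent uses to say why a request could not be processed. The reply is constructed locally to stand in for an agent, so nothing is sent on the wire; function names such as `build_get_request` and `decode_message` are chosen for the example, and the community string "public" and the request id are sample values.

```python
# ASN.1 BER tags used by SNMPv1 (RFC 1155 / RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4

def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def encode_int(value, tag=INTEGER):
    # minimal two's-complement octets; Counter32/Gauge32/TimeTicks use the same body
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(dotted):
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2:
        raise ValueError("malformed OID %r" % dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_tlv(buf, off=0):
    """Return (tag, content, offset after element); rejects truncated input."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + ln > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:off + ln], off + ln

def decode_sequence(content):
    items, off = [], 0
    while off < len(content):
        tag, value, off = decode_tlv(content, off)
        items.append((tag, value))
    return items

def _varbinds(bindings):
    parts = []
    for oid, value in bindings:
        if value is None:
            enc = tlv(NULL, b"")
        elif isinstance(value, bytes):
            enc = tlv(OCTET_STRING, value)
        elif isinstance(value, tuple):          # (application tag, int), e.g. (COUNTER32, n)
            enc = encode_int(value[1], value[0])
        else:
            enc = encode_int(value)
        parts.append(tlv(SEQUENCE, encode_oid(oid) + enc))
    return tlv(SEQUENCE, b"".join(parts))

def build_message(community, pdu_tag, request_id, bindings, error_status=0, error_index=0):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, status, index, varbinds } }"""
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(error_status)
              + encode_int(error_index) + _varbinds(bindings))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oids, request_id):
    return build_message(community, GET_REQUEST, request_id, [(o, None) for o in oids])

def decode_message(datagram):
    tag, body, _ = decode_tlv(datagram)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    (_, version), (_, community), (pdu_tag, pdu) = decode_sequence(body)
    (_, rid), (_, status), (_, index), (_, vbl) = decode_sequence(pdu)
    bindings = []
    for _, vb in decode_sequence(vbl):
        (_, oid), (vtag, val) = decode_sequence(vb)
        if vtag == NULL:
            value = None
        elif vtag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
            value = as_int(val)
        else:
            value = val                       # OCTET STRING and anything else: raw bytes
        bindings.append((decode_oid(oid), value))
    return {"version": as_int(version), "community": community.decode(), "pdu_tag": pdu_tag,
            "request_id": as_int(rid), "error_status": as_int(status),
            "error_index": as_int(index), "bindings": bindings}

# Constructed exchange: sysDescr.0 and the vendor OID quoted in the text.
SYS_DESCR, VENDOR_OID = "1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.2682.1"
REQUEST = build_get_request("public", [SYS_DESCR, VENDOR_OID], 42)
RESPONSE = build_message("public", GET_RESPONSE, 42,
                         [(SYS_DESCR, b"constructed test agent"), (VENDOR_OID, (COUNTER32, 123456789))])

if __name__ == "__main__":
    print("GetRequest :", REQUEST.hex())
    print("GetResponse:", decode_message(RESPONSE))
```

The community string travels in clear text in every SNMPv1 message, which is why a monitoring station's SNMP traffic belongs on a management network and why read-only communities should be used for polling.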
"SNMPGet" [SNMPGet03] is another free snmpget tool but provide the user-friendly interface. As we described above, the network information can be retrieved from the networking device by SNMP, like the network traffic flow information. However, unlike NetFlow-like devices, these devices cannot store all flow and packet information. The network traffic flow information in this category are link utilization, interface bandwidth, and some other information if the device provides. Though the information is just the interface bandwidth, this is very important information since the administrators can monitor the availability of the link, the link usage, and the network usage behavior. "MRTG" (Multi Router Traffic Grapher) is a visualization tool for SNMP data quires. To generate the output via SNMP agent, input and output object identifiers are queried regularly (the default is 5 minutes). Then, a HTML is created as the output. All figures are in GIF or PNG format. "MRTG" version 3 logs data in RRD (Round Robin Database) in order to limit the amount of log size and also increase the information retrieval efficiency (binary logging). Because of the use of RRD and core C program instead of just Perl in previous version, the limitation of "MRTG" version 3 is about the SNMP performance and so far, it supports up to 600 router ports per 5 minutes. [Tobias Oetiker, 1998]
Figure 2.6: Screen snapshot from MRTG

"Cricket" [Cricket06] is a free, high-performance system for monitoring trends in time-series data, written in Perl. "Cricket" has two components, a collector and a grapher. Like "MRTG", the "Cricket" collector (snmpget-like) runs from "cron" (the daemon that executes scheduled commands) and stores data in an RRD data structure. A web-based interface can be used to view graphs of the data. "Cricket" was developed on Solaris under Apache, but it works on Linux, HP-UX, variants of BSD, and Windows. "Interface Traffic Indicator" (Inftraf) by Carsten Schmidt [Inftraf05] is another free network traffic monitoring tool running over SNMP for Windows. "Inftraf" requests the in and out data (MIB-2) from SNMP-capable network interfaces and graphs the incoming and outgoing traffic on an interface in bits per second, bytes per second, or utilization.
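The following added example (not code from MRTG, Cricket, or Inftraf) shows the arithmetic these pollers perform on the MIB-2 interface counters: it turns two successive ifInOctets/ifOutOctets readings into bits per second and percent utilization, handles the 32-bit counter wrap that occurs between polls on fast links, and discards a sample when sysUpTime has gone backwards (the device rebooted, so the counters restarted rather than wrapped). The readings are constructed values for a 100 Mbps interface polled every 300 seconds, the 5-minute default mentioned above; the function names are chosen for this example.

```python
def counter_delta(prev, cur, bits=32):
    """Difference between two readings of an SNMP counter, allowing one wrap."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur

def seconds_to_wrap(if_speed_bps, bits=32):
    """How long a saturated link takes to wrap an N-bit octet counter; if this is
    shorter than the polling interval, a wrap can hide a whole extra cycle."""
    return (1 << bits) * 8 / if_speed_bps

def interface_rates(prev, cur, if_speed_bps, bits=32):
    """prev/cur: dicts with uptime_ticks (sysUpTime, 1/100 s), in_octets, out_octets.
    Returns (in_bps, out_bps, in_util_pct, out_util_pct), or None if the device
    rebooted between polls, in which case the counter delta is meaningless."""
    if cur["uptime_ticks"] < prev["uptime_ticks"]:
        return None
    interval = (cur["uptime_ticks"] - prev["uptime_ticks"]) / 100.0
    if interval <= 0:
        raise ValueError("polls must be spaced in time")
    in_bps = counter_delta(prev["in_octets"], cur["in_octets"], bits) * 8 / interval
    out_bps = counter_delta(prev["out_octets"], cur["out_octets"], bits) * 8 / interval
    return (in_bps, out_bps, 100.0 * in_bps / if_speed_bps, 100.0 * out_bps / if_speed_bps)

def rate_series(polls, if_speed_bps, bits=32):
    """Consecutive-pair rates for a list of polls; None marks a reboot gap."""
    return [interface_rates(a, b, if_speed_bps, bits) for a, b in zip(polls, polls[1:])]

# Constructed polls of a 100 Mbps interface every 300 s. The second poll shows
# ifInOctets wrapping past 2^32; the fourth shows a reboot (uptime restarts).
IF_SPEED = 100_000_000
POLLS = [
    {"uptime_ticks": 1_000_000, "in_octets": 4_294_000_000, "out_octets": 1_000},
    {"uptime_ticks": 1_030_000, "in_octets": 749_032_704, "out_octets": 37_501_000},
    {"uptime_ticks": 1_060_000, "in_octets": 1_124_032_704, "out_octets": 37_876_000},
    {"uptime_ticks": 5_000, "in_octets": 12_000, "out_octets": 3_000},
]

if __name__ == "__main__":
    for r in rate_series(POLLS, IF_SPEED):
        if r is None:
            print("reboot between polls, sample dropped")
        else:
            print("in %.0f bps (%.2f%%), out %.0f bps (%.2f%%)" % r)
    print("a 32-bit octet counter wraps every %.1f s at 1 Gbps" % seconds_to_wrap(10**9))
```

Using sysUpTime rather than the poller's own clock for the interval keeps the rate correct when a poll is delayed, and the wrap time is the reason 64-bit counters (ifHCInOctets) or a shorter interval are needed once links exceed 100 Mbps.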
Figure 2.7: Screen snapshot by Wireshark [http://www.wireshark.org/docs/wsug_html]

Most sniffers are free and provide high performance; however, there are also commercial "sniffer" products, which offer more material and full support, a more user-friendly interface, and more media types. Even so, the cost is quite low compared to other kinds of network monitoring tools, e.g. about $200 for "LANWatch". "LANWatch" by Sandstorm Enterprises [LANWatch06] offers a software sniffer with more analysis features and more protocols supported, such as NetWare, SNA, AppleTalk, VINES, ARP, and NetBIOS. Due to the prevalence of mobile computers, the new target for most commercial "sniffer" products is wireless networks, since there are not many free "sniffer" applications for wireless networks. For example, although "Wireshark" offers a free sniffer for wired networks, it provides a product called "AirPcap". "AirPcap" is a USB 2.0 wireless capture adapter for Windows systems that enables wireless capture with Wireshark. It supports WLAN 802.11b/g. With the external adapter, "AirPcap" can run at up to 480 Mbps (USB 2.0 bandwidth) for just $200. "OmniAnalysis" [OmniAnalysis06] by "WildPackets" offers a complete platform for real-time network analysis. Its protocol analyzer supports both wired (EtherPeek) and wireless (AiroPeek) networks. These products support Gigabit, 10/100, 802.11 wireless, VOIP, and WAN link diagnostics in real time.
such as the disk I/O and memory bandwidth or the operating system calls. Thus, for monitoring and analysis in enterprise networks such as 10Gbps and ATM, a hardware sniffer might be required. The hardware sniffer components, such as the network adapter, memory/disk bandwidth, and buffer management, are optimized to do only network monitoring and analysis jobs. "Sniffer" [Sniffer06] by Network Associates, Inc. is an example of a hardware sniffer. It provides visibility into multi-topology 10/100/1000 Ethernet, 10GbE, WAN, and ATM networks to identify, monitor, measure, and analyze network problems. "Sniffer" supports real-time analysis, back-in-time analysis, and historical analysis. Logging storage of up to four terabytes is also supported. A web-based user interface allows the administrator to do online monitoring remotely. However, since the performance of personal computers and peripherals such as CPU, memory, and disk has been increasing, the software sniffer is more convenient and popular. From [CAIDA06], there are a few hardware sniffers. However, it seems that only "Sniffer" and "Protocol Analyzer & Exerciser for Advanced Switching Interconnect" by HP are available. "LinkView" and "Shomiti" are no longer accessible.
Section 3 comparison table (the column headers are not present in the extracted text; the feature rows and the Y/N/P value rows are reproduced as recovered)
Features compared:
Protocols: IP/ICMP/UDP/TCP; IPX; AppleTalk
Layer 2: Input/Output interface; Input/Output priority; Input/Output VLAN
Layer 3: Source subnet/prefix; Destination subnet/prefix; Next hop
BGP4: Source AS; Destination AS; Destination Peer AS; Communities; AS Path
General: Real-time data collection; Configuration via SNMP; Low cost; Scalable; Wire-speed
Value rows as extracted:
Y Y Y Y Y Y Y Y N N N N N N Y N Y N
N N N N N N N N N N N N N N Y N Y Y P
Y Y Y N N N N N N N N N N N Y N Y N N
Y N N Y N N Y Y Y P P P N N P Y N N N
Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
Y Y P P Y
N: Feature not supported, P: Feature partially supported, Y: Fully supported
4. Summary
As networks keep growing, the need for network monitoring and analysis tools has been increasing. The administrators' job is not only to monitor for network failures and fix network problems on time, but also to prevent failures caused by network overload or outside threats. Network traffic information is used to meet the administrators' needs. For example, network utilization and network traffic characteristics can be used to detect security vulnerabilities, and the type of application consuming bandwidth can be used for network planning. In this paper, we categorized network traffic into three categories: network traffic from NetFlow-like devices, network traffic from SNMP, and local traffic from packet sniffers. Some popular free and commercial tools are described with their features and operating system compatibility. A comparison based on these categories has been made, and each technique is used depending on what the administrators want. For example, SNMP is more suitable for remote management and configuration, but less information can be retrieved from it for further network traffic analysis. A packet sniffer is a local tool, limited to the device it is attached to. NetFlow-like information is very useful for further analysis, but limitations remain, such as high implementation cost and privacy concerns.
5. References
[Cisco, NetFlow06a] Cisco Systems, "Cisco CNS NetFlow Collection Engine". http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html
[Cisco, NetFlow06b] Cisco Systems, "Cisco NetFlow site reference". http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd80406232.shtml
[Wikipedia, NetFlow06] Wikipedia, "NetFlow", Free encyclopedia 2006. http://en.wikipedia.org/wiki/NetFlow
[sFlow03] sFlow, "Traffic Monitoring using sFlow", 2003. http://www.sflow.org/
[RFC3176, 2001] P. Phaal, S. Panchen, and N. McKee, "InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks", Request for Comments: 3176, September 2001. http://www.rfc-archive.org/getrfc.php?rfc=3176
[Wikipedia, sFlow06] Wikipedia, "sFlow", Free encyclopedia 2006. http://en.wikipedia.org/wiki/SFlow
[S. Romig et all., 2000] S. Romig, M. Fullmer, and R. Luman, "The OSU flowtools package and CISCO NetFlow logs", In Proceedings of the 14th Systems Administration Conference, LISA 2000. http://www.usenix.org/events/lisa00/full_papers/fullmer/fullmer_html/
[cflowd98] CAIDA, "cflowd: Traffic Flow Analysis Tool". http://www.caida.org/tools/measurement/cflowd/design/design-1.html
[flowd06] "Flowd". http://www.mindrot.org/projects/flowd/
[IETF charters (ipfix)06] IETF charters, "Internet Protocol Flow Information eXport", 2006. http://www.ietf.org/html.charters/ipfix-charter.html, http://tools.ietf.org/wg/ipfix/
[D. Plonka, 2000] D. Plonka, "FlowScan: A network traffic flow reporting and visualization tool", In USENIX LISA, December 2000. http://www.usenix.org/events/lisa00/full_papers/plonka/plonka_html/index.html
[PRTG06] "Paessler Router Traffic Grapher". http://www.paessler.com/
[S. Leinen, 2000] S. Leinen, "Fluxoscope - A System for Flow-based Accounting", Deliverable ID: CATI-SWI-IM-P-000-0.4, March 2000. http://www.tik.ee.ethz.ch/~cati/deliv/CATI-SWI-IM-P-000-0.4.pdf
[Cristian Estan et all., 2003] Cristian Estan, Stefan Savage, and George Varghese, "Automatically Inferring Patterns of Resource Consumption in Network Traffic", SIGCOMM 2003. http://www.cs.ucsd.edu/users/cestan/papers/p0403-estan.pdf
[R. Sabatino, 1998] R. Sabatino, "Traffic Accounting using NetFlow and Cflowd", Fourth International Symposium on Interworking, Ottawa, Canada, July 1998. http://archive.dante.net/pubs/dip/32/32.pdf
[Tobias Oetiker, 1998] Tobias Oetiker, "MRTG: The Multi Router Traffic Grapher", LISA 1998. http://www.usenix.org/publications/library/proceedings/lisa98/full_papers/oetiker/oetiker.pdf
[Net::sFlow06] Elisa Jasinska, "Net::sFlow - decode sFlow datagrams". http://search.cpan.org/~elisa/Net-sFlow-0.05/sFlow.pm
[sFlow Toolkit06] InMon Corporation, "sFlow Toolkit". http://www.inmon.com/technology/sflowTools.php
[pmacct06] "pmacct now integrates sFlow and NetFlow probes". http://www.pmacct.net/
[Lancope06] "Lancope Network Behavior Analysis (NBA) and response". http://www.lancope.com/
[Infosim StableNet06] "Infosim StableNet Network Management made Easy". http://www.infosim.net/
[InMon Traffic Sentinel06] "InMon Traffic Sentinel Complete network visibility and control". http://www.inmon.com/products/trafficsentinel.php
[Wikipedia RMON06] Wikipedia, "RMON", Free encyclopedia 2006. http://en.wikipedia.org/wiki/Rmon
[RFC2819, 2001] S. Waldbusser, "Remote Network Monitoring Management Information Base", Request for Comments: 2819, May 2000. http://www.rfc-editor.org/rfc/std/std59.txt
[DPS Telecom06] DPS Telecom. http://www.dpstele.com/library/#tutorials
[snmpget05] "snmpget - communicates with a network entity using SNMP GET requests". http://net-snmp.sourceforge.net/docs/man/snmpget.html
[SNMPGet03] "CCSchmidt Software Network Monitoring Software and Utilities". http://software.ccschmidt.de/index.html
[Inftraf05] "CCSchmidt Software Network Monitoring Software and Utilities". http://software.ccschmidt.de/
[Cricket06] "Cricket: high performance, extremely flexible system for monitoring trends in time-series data". http://cricket.sourceforge.net/
[Sniffer06] "Sniffer InfiniStream". http://www.networkgeneral.com/Products_details.aspx?PrdId=20046117180712
[OmniAnalysis06] "OmniAnalysis". http://www.wildpackets.com/products/omni/overview
[tcpdump06] "tcpdump". http://www.tcpdump.org/
[WinPcap06] "WinPcap". http://www.winpcap.org/
[WinDump06] "WinDump". http://www.winpcap.org/windump/install/
[MNN06] "Microsoft Network Monitor". http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netmon/network_monitor.asp
[nettl/ netfmt00] "HOW TO TAKE A NETWORK TRACE ON HP-UX". http://www.compute-aid.com/nettl.html
[snoop05] "snoop". http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqh9?a=view
[tcpdump2ASCII04] "tcpdump2ASCII". http://www.Linux.org/apps/AppId_2072.html
[tcpshow05] "tcpshow: Network Security Tools". http://www.tcpshow.org/
[tcptrace04] "tcptrace". http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html
[tcpstat04] "tcpstat". http://www.frenchfries.net/paul/tcpstat/
[Wireshark06] "Wireshark". http://www.wireshark.org/
[Softflowd06] "Softflowd". http://www.mindrot.org/softflowd.html
[fprobe06] "fprobe". http://sourceforge.net/projects/fprobe/
[nProbe06] "nProbe". http://www.ntop.org/nProbe.html
[Deri, L. and Suin, S. et all., 2000] Deri, L. and Suin, S., "Effective traffic measurement using ntop", Finsiel SpA, Italy, IEEE Communications Magazine, Volume 38, Issue 5, pages 138-143, May 2000. http://citeseer.ist.psu.edu/337108.html
[V. Jacobson et all., 1993] V. Jacobson, C. Leres, and S. McCanne, "tcpdump - dump traffic on a network", UNIX man page, 1993. http://www.tcpdump.org
[Pande, B et all., 2005] Pande, B., Gupta, D., Sanghi, D., and Jain, S.K., "The network monitoring tool PickPacket", Information Technology and Applications, 2005 (ICITA 2005), Third International Conference, Volume 2, pages 191-196, 4-7 July 2005. http://citeseer.ist.psu.edu/687576.html
[Hong, J.W., 2004] Hong, J.W., "Internet traffic monitoring and analysis using NG-MON", POSTECH, Advanced Communication Technology, 2004, The 6th International Conference, Volume 1, pages 100-120, 2004. http://ieeexplore.ieee.org/iel5/9073/28786/01292840.pdf
[Junejo, N., 2004] Junejo, N., Junejo, N.A., and Unar, M.A., "MENeT a monitoring and protocol analysis tool for LAN", Advances in Wired and Wireless Communication, pages 63-66, 2004. http://ieeexplore.ieee.org/iel5/9131/28948/
[Ioannidis, S et all., 2002] Ioannidis, S., Anagnostakis, K.G., Ioannidis, J., and Keromytis, A.D., "xPF: packet filtering for low-cost network monitoring", Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA, High Performance Switching and Routing, 2002, Merging Optical and IP Technologies, pages 116-120, 2002. http://www1.cs.columbia.edu/~angelos/Papers/xpf.pdf
[Priyantha Pushpa Kumara and Gihan V Dias, 2002] Priyantha Pushpa Kumara and Gihan V Dias, "LEARNStat: A Network Traffic Monitoring Utility", INET2002. http://www.inet2002.org/CD-ROM/lu65rw2n/papers/p06.pdf
[Costas Courcoubetis and Vasilios A. Siris, 2002] Costas Courcoubetis and Vasilios A. Siris, "Procedures and Tools for Analysis of Network Traffic Measurements", 2002. http://citeseer.ist.psu.edu/courcoubetis02procedures.html
[Wu-chun Feng et all., 2001] Wu-chun Feng, Hay, J.R., and Gardner, M.K., "MAGNeT: monitor for application-generated network traffic", Computer and Computational Science Division, Los Alamos National Laboratory, NM, Computer Communications and Networks, 2001, Proceedings, Tenth International Conference, pages 110-115, 2001. http://ieeexplore.ieee.org/iel5/7587/20684/00956227.pdf
[Malgosa-Sanahuja, J et all., 2001] Malgosa-Sanahuja, J., Cano, M.D., Cerdan, F., and Garcia-Haro, J., "TAT: traffic analysis tool for the statistical study of IP networks", Department of Information Technology and Communication, Polytechnic University of Cartagena; Communications, Computers and Signal Processing, 2001 (PACRIM 2001), IEEE Pacific Rim Conference, Volume 2, pages 579-582, 2001. http://citeseer.ist.psu.edu/737234.html
[McGregor, T et all., 2000] McGregor, T., Braun, H.-W., and Brown, J., "The NLANR network analysis infrastructure", Waikato University, Hamilton, IEEE Communications Magazine, Volume 38, Issue 5, pages 122-128, May 2000. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=841836
Tool Collections
[1] ESnet Network Monitoring Task Force (NMTF), "Network Monitoring Tools". http://www.slac.stanford.edu/xorg/nmtf/, http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
[2] CAIDA, "CAIDA Measurement and Analysis Tools". http://www.caida.org/tools/measurement/, http://www.caida.org/tools/taxonomy/, http://www.caida.org/tools/taxonomy/workload.xml
[3] "Network traffic monitoring software". http://www.topology.org/comms/netmon.html
[4] SWITCH, The Swiss Education & Research Network, "Network Monitoring and Analysis: Flow-Based Accounting". http://www.switch.ch/tf-tant/floma/, http://www.switch.ch/tf-tant/floma/software.html
[5] "Network Monitoring/Management". http://www.cotse.com/tools/netman.htm
[6] "Network Traffic Monitoring". http://www.monitortools.com/traffic/ (http://www.monitortools.com/)
[7] Advanced Laboratory Workstation System, "Network and Network Monitoring Software". http://www.alw.nih.gov/Security/prog-network.html
[8] Comlab, "Tools for modeling the user-traffic". http://www.comlab.uni-rostock.de/research/tools.html
[9] "Traffic Monitoring Software". http://www.programurl.com/software/traffic-monitoring.htm
[10] "Traffic Monitor and Analyzer Tools". http://traffic-analyzer.qarchive.org/, http://traffic-monitor.qarchive.org/
[11] "Tucows.com". http://tucows.com/ (search for network traffic monitoring, network traffic analyzer)
[12] "Download.com". http://www.download.com/ (search for network traffic monitoring, network traffic analyzer)
Research Laboratories
[13] Bell Labs Internet Traffic Research. http://cm.bell-labs.com/cm/ms/departments/sia/InternetTraffic/index.html
[14] Universita' degli Studi di Napoli "Federico II" (Italy), "Network Tools and Traffic Traces". http://www.grid.unina.it/Traffic/index.php
[15] LBNL's Network Research Group. http://ee.lbl.gov/
6. List of Acronyms
HTML: HyperText Markup Language
WMI: Windows Management Instrumentation
ATM: Asynchronous Transfer Mode
Gbps: Gigabit per second
Mbps: Megabit per second
NMTF: Network Monitoring Task Force
RMON: Remote Monitoring
SNMP: Simple Network Management Protocol
NMP: Network Monitoring Platforms
CAIDA: Cooperative Association for Internet Data Analysis
LAN: Local Area Network
WAN: Wide Area Network
UDP: User Datagram Protocol
TCP: Transport Control Protocol
SCTP: Stream Control Transmission Protocol
FTP: File Transfer Protocol
IP: Internet Protocol
IPFIX: Internet Protocol Flow Information eXport
AS: Autonomous System
BGP: Border Gateway Protocol
MPLS: Multiprotocol Label Switching
CPU: Central Processing Unit
RFC: Request for Comments
VLAN: Virtual Local Area Network
ICMP: Internet Control Message Protocol
IPX: Internetwork Packet Exchange
IETF: Internet Engineering Task Force
MIB: Management Information Base
PDU: Protocol Data Unit
RRDtool: Round Robin Database Tool
VOIP: Voice Over Internet Protocol
GUI: Graphic User Interface
PNG: Portable Network Graphics
OID: Object Identifier
EBCDIC: Extended Binary-Coded Decimal Interchange Code
ASCII: American Standard Code for Information Interchange
IOS: Internetworking Operating System
7. Appendix A: List of network traffic monitoring and analysis tools
The tables below list tools taken from [1] to [10], but only those intended for network traffic monitoring and analysis. All descriptions are from the references.
Fragment of the first tool table recovered from the extracted text (tool names are not present): Linux, Solaris, OpenBSD, Mac OS X; A collection of NetFlow tools (by CERT/NetSA (Network Situational Awareness)) to assist the security analysis in large networks; N/A; Linux, FreeBSD; A redistribution NetFlow data stream to multiple receivers; This NetFlow processing framework for real-time processing
Table 7.2: Free network monitoring and analysis tools
Table 7.3: Free network utility tools
Table 7.4: Free network monitoring and analysis tools (protocol specific)
Table 7.5: Commercial NetFlow monitoring and analysis tools
Table 7.6: Commercial network monitoring and analysis tools
Table 7.7: Commercial network monitoring and analysis tools (protocol specific)
This report is available on-line at http://www.cse.wustl.edu/~jain/cse567-06/net_traffic_monitors3.htm