NetFlow

Very useful for traffic analysis

Standard sampler:
– Cisco Netflow
– Juniper Traffic Sampling

Parameters:
– Flow export timer (determines when current flow info is written to disk)
– Sampling scheme (deterministic, stratified, simple random)
– Sampling rate

Available resources:
– GEANT network routers in Europe: 1/1000 deterministic + unanonymized
– Abilene (Internet2) routers in US: 1/100 deterministic + anonymized
– GT ingress/egress (Dr. Russ Clark): unsampled + anonymized


NetFlow (contd.)

Netflow format:
– unix_secs, unix_nsecs, sysuptime, exaddr, dpkts, doctets, first, last, engine_type, engine_id, srcaddr, dstaddr, nexthop, input, output, srcport, dstport, prot, tos, tcp_flags, src_mask, dst_mask, src_as, dst_as

NetFlow data example:

1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,628,3175448463,3175448463,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3855,6,0,24,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175442525,3175442525,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3864,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,1,1500,3175451974,3175451974,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,6,3768,3175398562,3175449061,0,0,130.74.208.0,169.232.112.0,198.32.11.4,33,35,1373,3831,6,0,24,16,16,25656,52
1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
1070236836,0,3175471250,198.32.11.5,1,92,3175414202,3175414202,0,0,130.18.248.0,165.132.224.0,198.32.11.4,18,35,0,0,1,0,0,16,16,10546,4665
1070236836,0,3175471250,198.32.11.5,1,92,3175433202,3175433202,0,0,130.18.248.0,210.103.24.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
1070236836,0,3175471250,198.32.11.5,1,92,3175403033,3175403033,0,0,130.18.248.0,211.248.144.0,198.32.11.4,18,35,0,0,1,0,0,16,17,10546,9768
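To make the record layout concrete, here is an added example (not from the slides) that parses records in this 24-field CSV layout, checks the field count, and aggregates packet and byte counts per (srcaddr, dstaddr, prot, dstport), scaling by the inverse sampling rate of the feed (e.g. 100 for the Abilene 1/100 feed, 1000 for GEANT). The sample records are copied from the example above; the function and variable names are this example's own.

```python
"""Parse the 24-field NetFlow CSV layout from the slide and aggregate it.
Added example for this page; not part of the slide deck."""
from collections import defaultdict

# Field order exactly as listed on the slide.
FIELDS = ("unix_secs unix_nsecs sysuptime exaddr dpkts doctets first last "
          "engine_type engine_id srcaddr dstaddr nexthop input output "
          "srcport dstport prot tos tcp_flags src_mask dst_mask src_as dst_as").split()
# Everything except the four IPv4 address fields is an integer.
INT_FIELDS = {f for f in FIELDS if f not in ("exaddr", "srcaddr", "dstaddr", "nexthop")}

def parse_record(line):
    """Turn one CSV line into a dict; raise ValueError on a malformed line."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec

def aggregate(lines, scale_factor=1):
    """Sum packets/bytes per (src, dst, prot, dstport). scale_factor is the
    inverse of the sampling fraction (100 for a 1/100 deterministic sampler),
    so the totals estimate the unsampled volume. Flow duration comes from the
    first/last fields, which are router sysuptime values in milliseconds."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flows": 0, "duration_ms": 0})
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        a = agg[(r["srcaddr"], r["dstaddr"], r["prot"], r["dstport"])]
        a["pkts"] += r["dpkts"] * scale_factor
        a["bytes"] += r["doctets"] * scale_factor
        a["flows"] += 1
        a["duration_ms"] += r["last"] - r["first"]
    return dict(agg)

# Constructed input: three records copied from the slide's example above.
SAMPLE = """\
1070236831,0,3175466240,198.32.11.5,1,1500,3175436989,3175436989,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,16,16,16,25656,52
1070236831,0,3175466240,198.32.11.5,3,1884,3175408565,3175433201,0,0,130.74.208.0,169.232.72.0,198.32.11.4,33,35,1373,4753,6,0,24,16,16,25656,52
1070236836,0,3175471250,198.32.11.5,1,92,3175454577,3175454577,0,0,130.18.248.0,202.28.48.0,198.32.11.4,18,35,0,0,1,0,0,16,24,10546,4621
"""

if __name__ == "__main__":
    for key, totals in aggregate(SAMPLE.splitlines(), scale_factor=100).items():
        print(key, totals)
```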

TCPDump data example:

1144154983.524877 IP 220.135.232.0.61606 > 130.207.208.0.32459: . ack 2904096123 win 65535
1144154983.524950 IP 140.247.56.0.443 > 199.77.128.0.39948: . 1448:2896(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
1144154983.524985 IP 216.77.184.0.37169 > 130.207.240.0.119: . 2920:4380(1460) ack 1 win 49640
1144154983.525037 IP 64.215.168.0.80 > 199.77.200.0.50643: . 747182892:747184340(1448) ack 742379073 win 14416 <nop,nop,timestamp 4096146186 3508922431>
1144154983.525039 IP 217.129.248.0.2585 > 130.207.160.0.443: . ack 4289220173 win 65201
1144154983.525064 IP 64.215.168.0.80 > 199.77.200.0.50643: . 1448:2896(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
1144154983.525066 IP 65.196.176.0.80 > 199.77.200.0.64548: R 0:0(0) ack 1 win 0
1144154983.525079 IP 140.247.56.0.443 > 199.77.128.0.39948: . 2896:4344(1448) ack 1 win 13228 <nop,nop,timestamp 2864050384 2258273448>
1144154983.525092 IP 64.215.168.0.80 > 199.77.200.0.50643: . 2896:4344(1448) ack 1 win 14416 <nop,nop,timestamp 4096146186 3508922431>
1144154983.525105 IP 64.215.168.0.80 > 199.77.200.0.50643: . 5792:7240(1448) ack


ns2

Important components:
– Basic ns2 code downloaded from http://www.isi.edu/nsnam
– TCL script to set up and simulate the test environment
– Topology generator (e.g. GT-ITM)

Example TCL script:

#Create a simulator object
set ns [new Simulator]

#Define different colors for flows
$ns color 1 Blue
$ns color 2 Red

#Open the nam trace file
set nf [open out.nam w]
$ns namtrace-all $nf

#Define a 'finish' procedure
proc finish {} {
    global ns nf
    $ns flush-trace
    #Close the trace file
    close $nf
    exit 0
}

#Create four nodes
set n0 [$ns node]
set n1 [$ns node]
set n2 [$ns node]
set n3 [$ns node]

#Create links between the nodes
$ns duplex-link $n0 $n2 1Mb 10ms DropTail
$ns duplex-link $n1 $n2 1Mb 10ms DropTail
$ns duplex-link $n3 $n2 1Mb 10ms SFQ

$ns duplex-link-op $n0 $n2 orient right-down
$ns duplex-link-op $n1 $n2 orient right-up
$ns duplex-link-op $n2 $n3 orient right

#Monitor the queue for link between node 2 and 3
$ns duplex-link-op $n2 $n3 queuePos 0.5

#Create a UDP agent and attach it to node n0
set udp0 [new Agent/UDP]
$udp0 set class_ 1
$ns attach-agent $n0 $udp0

# Create a CBR traffic source and attach it to udp0
set cbr0 [new Application/Traffic/CBR]
$cbr0 set packetSize_ 500
$cbr0 set interval_ 0.005
$cbr0 attach-agent $udp0

#Create a UDP agent and attach it to node n1
set udp1 [new Agent/UDP]
$udp1 set class_ 2
$ns attach-agent $n1 $udp1

# Create a CBR traffic source and attach it to udp1
set cbr1 [new Application/Traffic/CBR]
$cbr1 set packetSize_ 500
$cbr1 set interval_ 0.005
$cbr1 attach-agent $udp1

#Create a Null agent (a traffic sink) and attach it to node n3
set null0 [new Agent/Null]
$ns attach-agent $n3 $null0

#Connect the traffic sources with the traffic sink
$ns connect $udp0 $null0
$ns connect $udp1 $null0

# Schedule events for the CBR agents
$ns at 0.5 "$cbr0 start"
$ns at 1.0 "$cbr1 start"
$ns at 4.0 "$cbr1 stop"
$ns at 4.5 "$cbr0 stop"
#Call the finish procedure after 5 seconds of simulation time
$ns at 5.0 "finish"

#Run the simulation
$ns run


ns2 (contd.)

Topology

– Create spec file ("geo" is used for intra-domain topologies; use "ts" for inter-domain transit-stub topologies):

## Comments :
## <#method keyword> <#number of graphs> [<#initial seed>]
## <#stubs/xit> <#t-s edges> <#s-s edges>
## <#n> <#scale> <#edgemethod> <#alpha> [<#beta>] [<#gamma>]
## number of nodes = 1*8* (1 + 4*6) = 200
geo 5 100 10 3 0.5

– Execute command: itm <spec file>
– Generates topology in Stanford Graph Base format:

* GraphBase graph (util_types ZZZIIZIZIZZZZZ,9V,102A)
"geo(0,{5,10,3,1.000,0.000,0.000})",5,20,10
* Vertices
"0",A6,3,2
"1",A12,9,9
"2",A16,2,4
"3",A18,8,4
"4",A19,2,1
"",0,0,0
"",0,0,0
"",0,0,0
"",0,0,0
* Arcs
V1,0,9,0
V0,0,9,0
V2,A0,2,0
V0,0,2,0
V3,A2,5,0
V0,0,5,0
V4,A4,1,0
V0,0,1,0
V2,A1,9,0
V1,A3,9,0

– Convert SGB to NS format using the sgb2ns command