Ask what gives network administrators the biggest headache, and I am afraid everyone will answer: network bandwidth is scarce. This is true. With more and more network applications and network software, bandwidth resources are consumed, services keep multiplying, and how we should manage the network becomes a very serious issue. Software such as BT and other P2P clients devours network bandwidth, and network viruses such as worms also drain it. In a sense, bandwidth is money, so how can our network administrators effectively monitor and control the company's network traffic? The author introduces a lesser-known tool for monitoring network traffic: NTOP.
I. Why do I need to monitor traffic?
If you are an ordinary Internet user swimming in the vast Internet, you will not notice that the calm sea actually has undercurrents. In general, what network managers need to know is the usage of each network segment, the utilization rate of bandwidth, and where the bottlenecks of network problems lie. When a network problem occurs, they must be able to quickly isolate its cause: a line problem, a network equipment problem, or the routing and firewall settings. In a slightly smaller network, it is not difficult for an experienced manager to answer these questions, but if the network being managed is too large, an efficient network management system may be needed. In a busy business network, when the network suddenly becomes slow during the working hours of important data transactions, the response time left to the system administrator is only a precious ten minutes, or even a few minutes. If you cannot say why the network is slow, the answer must be found in scientifically sound measurement and statistics, and in a traffic analysis system established in advance.
Peer-to-Peer (P2P) is a new technology for file exchange that allows the creation of decentralized, dynamic, and anonymous logical networks over the Internet. P2P, peer-to-peer connection or peer-to-peer networking technology, can be applied to file sharing and exchange, deep search, distributed computing and other fields. It allows individual PCs to share files over the Internet. With the popularity of P2P file exchange applications, ISPs also face new challenges and opportunities in maintaining and increasing the revenue of broadband networks. According to relevant statistics, more than 70% of the bandwidth in existing networks is occupied by P2P communication. P2P communication can cause abnormal traffic spikes and unexpected changes in network resource usage. The resulting network congestion and performance degradation affect normal network applications such as WWW and Email: web browsing and sending and receiving email become slow, and ordinary users are increasingly dissatisfied with the speed.
If you want to control P2P communication, you must first be able to identify it reliably. However, much P2P communication uses different communication technologies and protocols, and it is very difficult to identify with traditional techniques. For example, many P2P protocols do not use fixed ports, but choose ports dynamically, including ports belonging to well-known services. KaZaA can communicate using port 80 (usually used by http/web) to pass through traditional IP- and port-based firewalls and packet filters. Therefore, it is difficult to identify, track, or control such communication through simple IP- and port-based classification techniques (analysis of IP headers, IP addresses, port numbers, etc.).
In the past, some people monitored ports 6881~6889 to identify BT (BitTorrent), but this practice has long since expired: BT no longer uses the fixed ports 6881~6889 to communicate, but uses ports dynamically. As P2P applications continue to grow, more communication protocols are used, so the techniques for identifying and classifying P2P must be fast and simple to keep up with changes in this technology. Now, the method of identifying P2P communication is to analyze the data packet at the application layer, check whether it carries the signature of an application protocol, and then determine the type of communication. The basic idea of application-layer packet analysis is that if the header of the application-layer packet contains the feature string "220 ftp server ready", it can be determined that the ftp program is in use; if it contains the feature string "HTTP/1.1 200 ok", it can be determined that the data is being transmitted using http.
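To make the port-versus-signature contrast of the two paragraphs above concrete, here is an added Python example; it is not part of the original article and not ntop's own code. It classifies a few constructed packet payloads twice, once by a traditional port table and once by application-layer feature strings. The ftp and http strings are the ones quoted above; the BitTorrent entry is the standard peer-wire handshake prefix (the byte 0x13 followed by "BitTorrent protocol"), which the article does not itself quote and is included here as an assumption. The packets, ports and payloads are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass

# Application-layer signatures. The ftp and http patterns follow the feature
# strings quoted in the article; the BitTorrent entry is the standard
# peer-wire handshake prefix (0x13 + "BitTorrent protocol"), an assumption
# added here. A real classifier would carry many more entries.
SIGNATURES = [
    ("ftp", re.compile(rb"^220[ -].*ftp", re.IGNORECASE)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
    ("http", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]

# Traditional well-known-port table (constructed, deliberately small).
PORT_TABLE = {21: "ftp", 80: "http"}


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes  # first bytes of the application-layer data


def classify_by_port(pkt: Packet) -> str:
    """The traditional approach: trust whichever side uses a well-known port."""
    return PORT_TABLE.get(pkt.dst_port) or PORT_TABLE.get(pkt.src_port) or "unknown"


def classify_by_signature(pkt: Packet) -> str:
    """Application-layer approach: look for a protocol feature string."""
    head = pkt.payload[:64]  # feature strings sit at the start of the payload
    for name, pattern in SIGNATURES:
        if pattern.search(head):
            return name
    return "unknown"


# Constructed sample packets (assumption): not captured traffic.
SAMPLE_PACKETS = [
    # FTP banner on its usual port: both methods agree.
    Packet(21, 51000, b"220 ftp server ready\r\n"),
    # HTTP response served from a non-standard port: the port table is blind.
    Packet(8080, 51001, b"HTTP/1.1 200 ok\r\nContent-Type: text/html\r\n"),
    # BitTorrent handshake carried over port 80: the port table is fooled.
    Packet(51002, 80, b"\x13BitTorrent protocol" + bytes(8) + bytes(20)),
    # Opaque payload on an old BT port: neither method can say what it is.
    Packet(51003, 6881, bytes([0x8F, 0x3A, 0x00, 0x11, 0xD2, 0x77])),
]


def classify_all(packets):
    """Return (port_verdict, signature_verdict) for each packet."""
    return [(classify_by_port(p), classify_by_signature(p)) for p in packets]


def disagreements(packets):
    """Indices of packets where the port guess and the signature verdict differ."""
    return [i for i, (by_port, by_sig) in enumerate(classify_all(packets))
            if by_port != by_sig]


if __name__ == "__main__":
    for pkt, (by_port, by_sig) in zip(SAMPLE_PACKETS, classify_all(SAMPLE_PACKETS)):
        print(f"{pkt.src_port:>5} -> {pkt.dst_port:<5} port={by_port:<10} signature={by_sig}")
```

The fourth packet is the honest part of the picture: a payload with no recognisable feature string (encrypted or obfuscated P2P traffic, for example) defeats signature matching as well, which is why a monitor such as ntop is used alongside host-level volume statistics rather than instead of them.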
When it comes to network traffic monitoring, I believe everyone is familiar with the MRTG tool. However, MRTG has many disadvantages:
1. Uses a text-based database, so data cannot be reused;
2. Data can only be viewed by day, week, month, year;
3. Only draws two DSs (one line, one block);
4. No management function;
5. No detailed log system;
6. Cannot show the specific composition of traffic;
7. Can only be used on TCP/IP networks for SAN and iSCSI network traffic;
8. Cannot work on the command line;
9. Too much reliance on SNMP.
MRTG obtains its information through the SNMP protocol. It can provide accurate statistics for port traffic, but it has no visibility into information above layer 3, and that is exactly the strength of NTOP. NTOP displays network usage more intuitively, including the detailed bandwidth usage of each node computer. Ntop is a network sniffer that plays an irreplaceable role in monitoring network data transmission and troubleshooting network failures. By analyzing network traffic you can pinpoint various problems on the network, such as bottlenecks or performance degradation. It can also be used to determine whether a hacker is attacking a network system. If you suspect that the network is under attack, the packets intercepted by the sniffer can show what type of packets the system is being attacked with and where they come from, so that you can respond in a timely manner or adjust the network accordingly, ensuring the efficiency and security of network operation.
With ntop, the network administrator can also easily determine which traffic belongs to a specific network protocol, which host generates the most traffic, which host is the destination of each communication, the transmission time of packets, and the interval between packets exchanged between hosts. This is valuable information for network administrators when diagnosing network problems and optimizing network performance. Ntop provides the following features:
1. Automatically identify useful information from the network;
2. Convert the intercepted packets into an easily identifiable format;
3. Analyzes communication failures in the network environment;
4. Detecting communication bottlenecks in the network environment;
5. Record network communication time and process;
6. Automatically identify the operating system the client is using;
7. It can be run in both command line and web mode.
Points of Traffic Analysis
Connectivity: also known as availability or reachability; strictly speaking this is the basic capability or attribute of the network. The emergence of the Internet and the productivity gains brought about by the adoption of new technologies have led to a need for higher bandwidth and more services. Enterprises need customized services with higher bandwidth; consumers need services like broadband connections and video on demand; operators must balance their target market's needs against the realities of their business; all of these rest on network connectivity as their basis and guarantee.
Delay: defines the time elapsed for an IP packet to traverse one or more network segments. Delay consists of two parts, fixed delay and variable delay. The fixed delay is essentially constant and consists of propagation delay and transmission delay. The variable delay also consists of two parts: the processing delay at intermediate routers and the queue waiting delay.
Packet loss rate: the ratio of lost IP packets to all IP packets sent. Many factors can cause packets to be dropped as they travel over the network, such as the size of the packet and the congestion of the link at the time the data is sent. Different services have different sensitivities to packet loss; in multimedia services, packet loss is the root cause of image quality degradation and broken frames.
Bandwidth: generally divided into bottleneck bandwidth and available bandwidth. Bottleneck bandwidth is the maximum throughput the network can provide on a path when there is no other background traffic. Available bandwidth is the maximum throughput that can be provided to a service in the presence of background traffic on the network path. On a complex network system, different applications occupy different amounts of bandwidth: do important applications get the bandwidth they need, what proportion do they take, and do queue settings and network optimization actually take effect? Network traffic analysis tools such as MRTG make this explicit, presenting the traffic load to the user in a very intuitive form as a graphical HTML document.
Proactive analysis to avoid abnormal traffic
In the face of abnormal traffic, we should establish an analysis system that supports discovering abnormal traffic and raising alarms, and that can automatically learn from historical data over a period of time. From that history it obtains multiple network traffic measures, including the overall traffic level, traffic fluctuation, and traffic jumps, and automatically establishes a confidence interval for the current traffic as the basis for detecting traffic anomalies.
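As an added illustration of the learning-from-history idea in this paragraph (example code, not part of the original article and not ntop's own implementation), the following Python builds a per-time-slot confidence interval from a few days of constructed traffic samples and flags the current day's intervals on two of the measures named above: the traffic level (a value outside the slot's mean plus or minus k standard deviations) and traffic jumps (a change between consecutive intervals outside the historical range of such changes). The sample numbers, the six-slot layout, the k = 3 width and the standard-deviation floors are all assumptions.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed history (assumption): traffic in Mbit/s per 5-minute interval
# over the same six time slots on three previous working days.
HISTORY: List[List[float]] = [
    [10, 12, 50, 52, 48, 20],
    [11, 13, 52, 50, 49, 21],
    [9, 11, 48, 51, 50, 19],
]
# Constructed current day (assumption): slot 2 carries a sudden spike.
CURRENT: List[float] = [10, 12, 95, 51, 49, 20]


def confidence_interval(samples: List[float], k: float = 3.0,
                        rel_floor: float = 0.05, abs_floor: float = 0.5) -> Tuple[float, float]:
    """Return (low, high) = mean +/- k * sd over the historical samples.

    The standard deviation is floored (relative to the mean and absolutely)
    so that a perfectly flat history does not yield a zero-width interval
    that would flag every tiny variation as an anomaly.
    """
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    sd = max(sd, rel_floor * abs(mean), abs_floor)
    return mean - k * sd, mean + k * sd


def deltas(series: List[float]) -> List[float]:
    """Change from each interval to the next (the 'jump' between slots)."""
    return [b - a for a, b in zip(series, series[1:])]


def detect_anomalies(history: List[List[float]], current: List[float],
                     k: float = 3.0) -> Dict[str, List[int]]:
    """Compare the current day against per-slot intervals learned from history.

    Returns {'level': [slots whose value is outside its interval],
             'jump':  [slots whose change from the previous slot is outside
                       the interval learned from historical changes]}.
    """
    findings: Dict[str, List[int]] = {"level": [], "jump": []}
    for slot, value in enumerate(current):
        low, high = confidence_interval([day[slot] for day in history], k)
        if not low <= value <= high:
            findings["level"].append(slot)
    hist_deltas = [deltas(day) for day in history]
    for i, change in enumerate(deltas(current)):
        low, high = confidence_interval([hd[i] for hd in hist_deltas], k)
        if not low <= change <= high:
            findings["jump"].append(i + 1)  # the slot whose arrival caused the jump
    return findings


if __name__ == "__main__":
    result = detect_anomalies(HISTORY, CURRENT)
    for slot in range(len(CURRENT)):
        low, high = confidence_interval([day[slot] for day in HISTORY])
        tag = ("LEVEL " if slot in result["level"] else "") + ("JUMP" if slot in result["jump"] else "")
        print(f"slot {slot}: {CURRENT[slot]:>5} Mbit/s, expected [{low:6.1f}, {high:6.1f}] {tag}")
```

In the constructed data the spike in slot 2 is reported both as a level anomaly and as a jump; the return to normal in slot 3 is reported as a jump only, which is the correct reading: the value is ordinary, but the drop from the previous interval is not. Any real deployment would keep far more than three days of history and separate weekdays from weekends, since the interval is only as good as the baseline it is learned from.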
If you build your own active network analysis system, it usually includes measurement nodes, a central server, a database and an analysis server, but this is harder for small and medium-sized enterprises. Active analysis relies on productized, integrated measurement tools that purposefully inject monitoring points into the production network and analyze network performance from the measured data flow. Although these monitoring points also consume bandwidth, it is insignificant compared with the available bandwidth taken up by P2P downloads. After eliminating viruses and blocking P2P, the top two consumers of bandwidth are online audio and online video embedded in web pages; to save bandwidth, these should be limited and blocked during working hours.
ntop is simpler to install than MRTG and can be used without a web server. The managed switches and routers currently on the market support the SNMP protocol, and ntop supports SNMP too, so network traffic monitoring can be performed through it. Ntop can monitor almost all protocols on the network: TCP/UDP/ICMP, (R)ARP, IPX, Telnet, DLC, Decnet, DHCP-BOOTP, AppleTalk, Netbios, FTP, HTTP, DNS, SMTP/POP/IMAP, SNMP, NNTP, NFS, X11, SSH, and the P2P protocols eDonkey, Overnet, Bittorrent, Gnutella (Bearshare, Limewire, etc.), Kazaa, Imesh and Grobster.