Discussion:
Networking question....
Nevyn
2011-09-08 09:08:46 UTC
Hi,

I was asked about a solution for monitoring network traffic. I'm not
terribly comfortable with it so I've had to turn down the offer for
the job but it doesn't stop me from being curious. You could drive
several humvees through my knowledge of networking.

Assuming you've got a trunk, it comes in through a "box" (box1). Box1
then splits the connection 3, 4 (however many) ways. Each of those
connections goes out to whatever destination, which terminates with an
external IP. So:

----trunk---|
            |-------|
            |  box1 |
            |_______|
             |  |  |
      con1___|  |  |___con3
        |       |       |
     extIP1   extIP2  extIP3

I know this can't be a hard problem. This is essentially what ISPs do,
right? What does box1 do in order to present those external IP
addresses to different terminating points?

What would be the best way of monitoring the amount of traffic going
through each device from box1?

Regards,
Nevyn
http://nevsramblings.blogspot.com/

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
Steve Holdoway
2011-09-08 09:40:26 UTC
Post by Nevyn
Hi,
I was asked about a solution for monitoring network traffic. I'm not
terribly comfortable with it so I've had to turn down the offer for
the job but it doesn't stop me from being curious. You could drive
several humvees through my knowledge of networking.
Assuming you've got a trunk, it comes in through a "box" (box1). Box1
then splits the connection 3, 4 (however many) ways. Each of those
connections goes out to whatever destination, which terminates with an
----trunk---|
            |-------|
            |  box1 |
            |_______|
             |  |  |
      con1___|  |  |___con3
        |       |       |
     extIP1   extIP2  extIP3
I know this can't be a hard problem. This is essentially what ISPs do,
right? What does box1 do in order to present those external IP
addresses to different terminating points?
What would be the best way of monitoring the amount of traffic going
through each device from box1?
Regards,
Nevyn
http://nevsramblings.blogspot.com/
If you're just talking about traffic volumes, read up on Tobias Oetiker,
MRTG, and all the projects that it spawned.

Personally, I use Munin.

Cheers,

Steve
--
Steve Holdoway <***@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: ***@greengecko.co.nz
Skype: sholdowa


Glenn Enright
2011-09-08 11:54:01 UTC
Say box1 is a switch (ie not a broadcast hub). Those non trunk ports
usually filter traffic based on an arp table, iow a data structure
including mac/ip/port information.
http://en.wikipedia.org/wiki/Address_Resolution_Protocol

One common method of metering traffic is to use netflow
http://en.wikipedia.org/wiki/Netflow
Post by Nevyn
Hi,
I was asked about a solution for monitoring network traffic. I'm not
terribly comfortable with it so I've had to turn down the offer for
the job but it doesn't stop me from being curious. You could drive
several humvees through my knowledge of networking.
Assuming you've got a trunk, it comes in through a "box" (box1). Box1
then splits the connection 3, 4 (however many) ways. Each of those
connections goes out to whatever destination, which terminates with an
----trunk---|
            |-------|
            |  box1 |
            |_______|
             |  |  |
      con1___|  |  |___con3
        |       |       |
     extIP1   extIP2  extIP3
I know this can't be a hard problem. This is essentially what ISPs do,
right? What does box1 do in order to present those external IP
addresses to different terminating points?
What would be the best way of monitoring the amount of traffic going
through each device from box1?
Regards,
Nevyn
http://nevsramblings.blogspot.com/
Nevyn
2011-09-08 11:59:05 UTC
Post by Glenn Enright
Say box1 is a switch (ie not a broadcast hub). Those non trunk ports
usually filter traffic based on an arp table, iow a data structure
including mac/ip/port information.
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
One common method of metering traffic is to use netflow
http://en.wikipedia.org/wiki/Netflow
I'm silly... I had two NICs on a computer at home and so decided to
bridge them for redundancy - had this for around 2 years for no other
reason than I hate having to fiddle with cables. It didn't occur to me
that bridging can be set up between networks.

Regards,
Nevyn
http://nevsramblings.blogspot.com/

Cliff Pratt
2011-09-08 21:24:51 UTC
Post by Nevyn
Post by Glenn Enright
Say box1 is a switch (ie not a broadcast hub). Those non trunk
ports usually filter traffic based on an arp table, iow a data
structure including mac/ip/port information.
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
One common method of metering traffic is to use netflow
http://en.wikipedia.org/wiki/Netflow
I'm silly... I had two NICs on a computer at home and so decided to
bridge them for redundancy - had this for around 2 years for no
other reason than I hate having to fiddle with cables. It didn't
occur to me that bridging can be set up between networks.
I wouldn't say bridging (in a technical sense) is a common way to
*connect* networks. It's a way of *merging* networks.

A better way to think of (TCPIP) networks is that all devices attached
to a 'box' where box is a switch (or less commonly a hub) are a single
isolated network. Two switches or hubs connected together extend this
single isolated network. A switched network is usually shown as a
straight line with the devices attached by short lines at right angles.
The switches or hubs don't appear on the diagram - they are transparent.
All devices on a network as described above have at least one IP address
except the switches and hubs which don't (I'm ignoring a lot of
technicalities like VLANs and in-built monitoring ports).

All devices on a single isolated network can talk to others on the
network. They are all essentially equal. They get IP addresses either
automatically (DHCP) or by manual configuration.

Special devices called routers connect isolated networks. Each network
has its own network address range and this must be different between two
networks connected by a router. A router has one IP address on one
network and another IP address on the other. It can move packets between
networks.

If device A on network 1 wants to talk to device B on network 2 it sends
its packets to the router. It may do this by merely putting its packet
on the network and the router picking it up. All other devices ignore
the packet. Or it may send it point to point to the router.

The router determines that the packet is for the other network and
either broadcasts it to the other network or sends it point-to-point to
B. The point here is that the router is just a device on the network to
all the devices on a particular network and it connects to one or more
networks. On a single network all devices are peers from a TCPIP network
point of view, but the router has an additional ability to connect to
two networks.

A router can do more, of course, that I've omitted. But one of the things
that it can do is make all devices on both networks appear to be peers
on a single large network, all in the same TCPIP subnet. This is called
bridging.

Now imagine a lot of isolated networks all connected together by routers
(doing routing, not bridging). That's called the Internet.

Routers can count the packets that go through them. To monitor a network
you can either ensure all traffic goes through a single router or you
can gather and consolidate traffic stats from all routers, possibly by
grabbing the stats from a central monitoring device.

Cheers,

Cliff



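A small worked model of what Cliff describes above, added here as an example and not code from anyone in the thread: a host sends a packet straight to its destination when that destination is on its own subnet and otherwise hands it to the router; the router picks the exit interface by subnet (longest prefix match over the networks it is connected to) and keeps the per-interface packet and byte counters that a poller would later read. The interface names, addresses and packets are all constructed for the illustration.

```python
# Added example, not from the thread: a toy model of the forwarding decision
# Cliff describes (host sends on-link or to its router; the router picks the
# exit interface by subnet) plus the per-interface packet/byte counters a
# router keeps. Addresses, interface names and packets are all constructed.
import ipaddress
from collections import defaultdict


def host_next_hop(host_cidr, gateway, dst):
    """Return where a host sends a packet: directly to dst if dst is on the
    host's own subnet, otherwise to its router (the default gateway)."""
    iface = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return dst
    return gateway


class Router:
    """A router with one IP address on each network it connects."""

    def __init__(self):
        self.interfaces = {}                   # name -> IPv4Interface
        self.rx = defaultdict(lambda: [0, 0])  # name -> [packets, bytes] in
        self.tx = defaultdict(lambda: [0, 0])  # name -> [packets, bytes] out
        self.dropped = 0                       # packets with no route

    def add_interface(self, name, cidr):
        self.interfaces[name] = ipaddress.ip_interface(cidr)

    def lookup(self, dst):
        """Longest-prefix match over the connected networks; None if no route."""
        dst = ipaddress.ip_address(dst)
        best_name, best_len = None, -1
        for name, iface in self.interfaces.items():
            net = iface.network
            if dst in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
        return best_name

    def forward(self, in_iface, dst, size):
        """Count the packet on the ingress interface, route it, and count it
        on the egress interface. Returns the egress name, or None if dropped."""
        self.rx[in_iface][0] += 1
        self.rx[in_iface][1] += size
        out = self.lookup(dst)
        if out is None:
            self.dropped += 1
            return None
        self.tx[out][0] += 1
        self.tx[out][1] += size
        return out

    def stats(self):
        """Per-interface counters in the shape an SNMP/MRTG poller would read."""
        return {name: {"rx_pkts": self.rx[name][0], "rx_bytes": self.rx[name][1],
                       "tx_pkts": self.tx[name][0], "tx_bytes": self.tx[name][1]}
                for name in self.interfaces}


def demo():
    """Three constructed networks hanging off box1 and a few constructed packets."""
    r = Router()
    r.add_interface("eth0", "192.0.2.1/24")      # network 1
    r.add_interface("eth1", "198.51.100.1/24")   # network 2
    r.add_interface("eth2", "203.0.113.1/24")    # network 3
    packets = [("eth0", "198.51.100.7", 1500),
               ("eth0", "203.0.113.9", 600),
               ("eth1", "192.0.2.20", 1000),
               ("eth2", "192.0.2.21", 200),
               ("eth0", "192.0.2.5", 100),   # goes back out the same network
               ("eth1", "10.9.9.9", 50)]     # no connected route: dropped
    for in_if, dst, size in packets:
        r.forward(in_if, dst, size)
    return r


if __name__ == "__main__":
    router = demo()
    for name, counters in router.stats().items():
        print(name, counters)
    print("dropped:", router.dropped)
```

The point of the toy is the split Cliff draws: the host only ever decides "on my subnet or not"; everything else is the router's job, and because every packet crosses one of its interfaces, the router is the natural place to count traffic.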
Jim Cheetham
2011-09-08 21:50:36 UTC
Post by Nevyn
What would be the best way of monitoring the amount of traffic going
through each device from box1?
It all depends on what box1 is in your diagram (and to a certain
extent what you meant by "a trunk"). If it is an Ethernet device, and
it has management software on it (i.e. a Cisco box, or a Linux/BSD
machine), you can probably do a lot of things.

"Amount of traffic" is answered by just looking at the packet
statistics per-interface on a regular basis. MRTG and friends will
make this easy. Most devices with SNMP facilities will make this easy
for you.

If you have a spare interface on the box, you have a couple more
choices (depending on the management software of course). The first is
Netflow, which will shout out over that spare interface telling you of
the existence of each connection (source, destination, total size,
time taken).

The second is a mirrored port, which can replicate *all* traffic seen
on the other interfaces like the old hubs used to do. This is ideal
for sending to an intrusion detection system, or any other
monitoring/accounting system that you want. This is where the largest
potential is for misuse of data, so be careful to collect only what
you need for the job and not to retain data longer than strictly
necessary.

In general, a large organisation that is actively monitoring the
content of traffic flowing through its network will keep Netflow (and
any proxies like squid &c) records "forever" and mirrored data only
long enough for an IDS or content inspection system to make a
decision, potentially preserving certain types of "assumed verboten"
data connections for manual inspection.

If box1 is actually a full general purpose OS like BSD or Linux, you
can do far more than that, of course.

-jim

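To make concrete what Jim says Netflow gives you (the existence of each connection with its source, destination, total size and time taken, plus the per-interface totals that an MRTG-style graph is built from), here is an added example, not code from Jim or from any Netflow tool: a parser for the NetFlow v5 export datagram format and a summariser over the decoded flows. The datagram is constructed inline in build_sample_export() so the script runs offline; the addresses, ports and interface indexes in it are made up.

```python
# Added example, not from the thread: parse a NetFlow v5 export datagram
# (the record format Jim refers to) and summarise it the way he describes:
# per connection (source, destination, total size, time taken) and, like an
# MRTG-style interface graph, total bytes per input interface. The datagram
# is constructed in build_sample_export() so the script runs offline; the
# addresses and interface indexes in it are made up.
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): 24-byte header followed by
# `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Decode one v5 export datagram into a list of flow dicts.
    Rejects anything that is not v5 or whose record count overruns the data:
    the collector port accepts UDP from anything that can reach it, so the
    header's own claims are checked before they are used as offsets."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": tcp_flags, "input": in_if, "output": out_if,
            "packets": pkts, "bytes": octets,
            # first/last are router uptime in milliseconds at flow start/end
            "duration_ms": last - first,
        })
    return flows


def summarise(flows):
    """Bytes per input interface, plus one (src, dst, bytes, duration_ms)
    tuple per connection: the things Jim says Netflow tells you."""
    per_if = defaultdict(int)
    conns = []
    for f in flows:
        per_if[f["input"]] += f["bytes"]
        conns.append((f["src"], f["dst"], f["bytes"], f["duration_ms"]))
    return dict(per_if), conns


def build_sample_export():
    """Constructed v5 datagram with three flows (not captured traffic)."""
    def rec(src, dst, in_if, out_if, pkts, octets, first, last, sport, dport, proto):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("0.0.0.0"), in_if, out_if,
                              pkts, octets, first, last, sport, dport,
                              0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    records = [
        rec("192.0.2.10", "203.0.113.5", 2, 1, 10, 1500, 1000, 1250, 51000, 443, 6),
        rec("192.0.2.11", "203.0.113.6", 3, 1, 4, 400, 2000, 2020, 52000, 53, 17),
        rec("192.0.2.10", "203.0.113.7", 2, 1, 20, 3000, 3000, 3600, 51001, 80, 6),
    ]
    header = V5_HEADER.pack(5, len(records), 123456, 1315472400, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    per_if, conns = summarise(parse_netflow_v5(build_sample_export()))
    for ifindex, nbytes in sorted(per_if.items()):
        print(f"ifIndex {ifindex}: {nbytes} bytes")
    for src, dst, nbytes, ms in conns:
        print(f"{src} -> {dst}: {nbytes} bytes over {ms} ms")
```

Note what is and is not in a flow record: addresses, ports, protocol, counters and timestamps, but no payload. That is why Jim can treat Netflow as something an organisation keeps for a long time while mirrored traffic is kept only as long as an IDS needs it; the flow record is the "existence of each connection" and nothing more.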
