Analysis of common network traffic collection techniques

Analysis of common network traffic collection techniques

Traffic collection is one of the key technologies used to monitor network traffic and provides data sources for traffic analysis. In order to effectively analyze network traffic in complex enterprise networks, this article describes the Common Four-Weight Network Traffic collection technology, and analyzes the advantages and disadvantages of different traffic collection methods. 1. SnifferThe sniffing method is a common network technology that captures data packets by setting data collection points on the mirror port of the switch. This method collects the most comprehensive information, data packets in the network can be completely copied. However, the application of Sniffer technology is also limited. Most manufacturers' devices do not support cross-VLAN or cross-module image data. Therefore, you may need to install probes in multiple network segments, the deployment is complex. Generally, the enterprise has a large number of network VLANs, and it is generally impossible to monitor all VLANs. The use of port images in a network with large traffic may also affect the performance of network devices, and it is difficult to collect all datagram files in a network with high throughput. 2. SNMPSnmp is an active collection method. The collection program needs to regularly retrieve the IPAccounting records in the vro memory and clear the corresponding memory records to continue collecting subsequent data, this has a big impact on the performance of the router. The obtained data only contains the data at the port layer, without the MAC address information. It is powerless to forge the worm virus at the source port address. 3. NetflowNetflow is a proprietary technology of Cisco. in earlier versions of Netflow, all network data packets need to be counted. Therefore, Netflow has a great impact on the performance of network devices. Versions later than v8 provide the sampling function, however, Netflow data only contains stream-based statistics. It only records data such as ports and ports, and does not contain MAC addresses. 4. SFlowSflow uses sampling to capture data by setting a certain sampling rate, which has little impact on the performance of network devices. SFlow agent generally collects the first 128 bytes of data packets and sends them to sFlow receiver after encapsulation, the datagram text includes the complete source and target MAC address, protocol type, TCP/UDP, port number, application layer protocol, and even URL Information.

This article is from the blog "Li chengguang's original technology blog!