Network shunt (network TAP): network traffic monitoring

Source: Internet
Author: User
Tags: format definition, snmp, switches, sflow, ossim

The Rongteng network shunt (network TAP) is an important piece of network-security equipment: it is the front-end collection device on which the rest of the monitoring chain depends. This article walks through network traffic monitoring in detail.

ATCA network splitter: multi-user, high density

Network splitter: DPI detection, five-tuple filtering

Network splitter: visualization, traffic aggregation and distribution
From the point of view of network architecture, traffic is the foundation: every study of network applications and of a network's behavioural characteristics can be approached through its traffic. Network behaviour shows up in the dynamic properties of that traffic, so monitoring traffic parameters (datagram sizes sent and received, packet loss rate, datagram delay, and so on) lets you analyse the operating state of the network. Studying the characteristics of the traffic a network carries is therefore an effective way to explore how the network works internally.

Traffic also reflects the operating status of the network and is the key indicator of whether the network is working normally. If the traffic offered to a network exceeds its actual carrying capacity, performance degrades. Traffic measurement therefore shows not only whether individual devices (routers, switches and so on) are working normally but also where the resource bottlenecks of the whole network lie. The health of traffic in an enterprise network matters as much as blood does in the human body.

First, key technologies of network monitoring | Rongteng network splitter TAP

1. Network monitoring

Network monitoring is a network-management tool for observing the network's state, its data flows and the information transmitted over it. Its workflow is: a listener collects the data flows of the target network segment through a single probe or distributed probes (i.e. network splitters, also called core-network collector TAPs); the collected flows are forwarded over a scheduled tunnel to a remote or local data centre; a traffic/protocol analysis system performs the initial analysis and pre-processing of the mass of data; finally, according to the task at hand, the key data are identified, located and evaluated to provide a basis for further action. Network monitoring therefore rests on two core technologies: data-stream acquisition and traffic/protocol analysis. Data-stream acquisition means deploying a monitoring probe at a specific location to obtain the data streams of the monitored objects (a single host or an intranet segment). Traffic/protocol analysis usually means automated analysis and human analysts working together to pick out, from a mass of data, the key information the task needs, while striking the best balance between efficiency and accuracy.

Traffic/protocol analysis technology gives network operations staff a full picture of bandwidth occupancy, application distribution, communication connections, raw packet contents and all network behaviour, as well as the operation of the network as a whole. When a problem occurs they can quickly and accurately analyse its cause, locate the key points, fault points and threat points, and handle them so that the network keeps running as intended. In short, it shows "what is actually going on inside the network."

2. Shortcomings of the SNMP protocol

SNMP predates RMON, which was built on top of it. SNMP runs over UDP in the TCP/IP suite and is the most widely used Internet management protocol; administrators use it to monitor and analyse network operation, but it has some obvious shortcomings. SNMP collects data by polling, and in a large network polling generates a huge volume of management messages that can themselves cause congestion. SNMPv1 and SNMPv2c authenticate only with a plaintext community string and provide no reliable security assurance (SNMPv3 adds user-based authentication and encryption, but it still polls). In addition, SNMP is centralised rather than distributed: only the management station collects and analyses data, so the processing power of that workstation can become a bottleneck. To make management messages more efficient, reduce the load on the management workstation and meet the need for performance monitoring, the IETF developed RMON to overcome SNMP's limitations in ever-larger distributed internetworks.

3. Key monitoring technologies

A network monitoring system has two core technologies: data-stream acquisition and traffic/protocol analysis. The industry also divides the field differently, summarising the key technologies of network monitoring in the following three aspects:

Data-stream acquisition technology solves the problem of obtaining the data streams we need from different locations in the network. By the location of acquisition it can be divided into three kinds: network-based, host-based and hybrid.

(1) Flow-monitoring technology.

Flow-monitoring technology mainly covers SNMP-based and NetFlow-based traffic monitoring. SNMP-based traffic acquisition collects traffic-related variables for specific devices by reading the MIB exposed by the device's SNMP agent. The traffic information obtainable this way includes interface byte counts (ifInOctets/ifOutOctets), broadcast and multicast packet counts (ifInNUcastPkts/ifOutNUcastPkts), discarded and errored packets (ifInDiscards, ifInErrors) and the output queue length (ifOutQLen).
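The SNMP approach above reduces to polling an interface counter at a fixed interval and differencing the readings. The following is an added example, not code from the original article or from any vendor mentioned on it: it computes throughput from constructed poll samples (standing in for SNMP GET replies for ifInOctets and ifHCInOctets; no device or SNMP library is used) and shows the two details that bite in practice: a 32-bit counter wraps in about 3.4 s on a saturated 10 Gbit/s link, so a slow poll cannot tell a wrap from a reset, while the 64-bit ifHC counters do not have that problem. The `Poll` type and the sample values are assumptions of the example.

```python
"""Derive interface throughput from polled IF-MIB counters.

Added example (not from the original article). The poll samples are
constructed inline to stand in for SNMP GET replies for ifInOctets /
ifHCInOctets; no device or SNMP library is needed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

COUNTER32_MAX = 2**32       # ifInOctets (Counter32) wraps here
COUNTER64_MAX = 2**64       # ifHCInOctets (Counter64) wraps here


@dataclass(frozen=True)
class Poll:
    """One SNMP poll: wall-clock seconds and the raw counter value."""
    t: float
    octets: int


def rate_bps(prev: Poll, cur: Poll, counter_max: int = COUNTER32_MAX) -> Optional[float]:
    """Bits per second between two polls, correcting for a single counter wrap.

    Returns None when the interval is unusable (zero or negative elapsed time).
    A delta that went negative is assumed to be exactly one wrap; more than one
    wrap per interval cannot be detected from the counter alone.
    """
    dt = cur.t - prev.t
    if dt <= 0:
        return None
    delta = cur.octets - prev.octets
    if delta < 0:
        delta += counter_max   # counter wrapped once between the two polls
    return delta * 8 / dt


def wrap_time_seconds(link_bps: float, counter_max: int = COUNTER32_MAX) -> float:
    """Seconds a saturated link needs to wrap the counter. The poll interval
    must be shorter than this, or a wrap looks like a counter reset."""
    return counter_max * 8 / link_bps


def series_rates(polls: Iterable[Poll], counter_max: int = COUNTER32_MAX) -> List[Optional[float]]:
    """Rate for each consecutive pair of polls."""
    polls = list(polls)
    return [rate_bps(a, b, counter_max) for a, b in zip(polls, polls[1:])]


# Constructed samples. A 10 Gbit/s link moves 1.25e9 bytes/s, so a 10 s poll
# interval adds 1.25e10 bytes: more than 2**32, so the Counter32 value wraps
# roughly 2.9 times and the "corrected" rate is silently wrong.
SAMPLES_10G_COUNTER32 = [Poll(0.0, 1000), Poll(10.0, (1000 + 12_500_000_000) % COUNTER32_MAX)]

# Same link, ifHCInOctets (Counter64): no wrap within the interval.
SAMPLES_10G_COUNTER64 = [Poll(0.0, 1000), Poll(10.0, 1000 + 12_500_000_000)]

# A 100 Mbit/s link whose Counter32 legitimately wrapped once between polls.
SAMPLES_100M_WRAP = [Poll(0.0, COUNTER32_MAX - 500),
                     Poll(60.0, (COUNTER32_MAX - 500 + 750_000_000) % COUNTER32_MAX)]


if __name__ == "__main__":
    print("10G on Counter32 (wrong):", rate_bps(*SAMPLES_10G_COUNTER32))
    print("10G on Counter64        :", rate_bps(*SAMPLES_10G_COUNTER64, counter_max=COUNTER64_MAX))
    print("100M with one wrap      :", rate_bps(*SAMPLES_100M_WRAP))
    print("Counter32 wraps at 10G every %.2f s" % wrap_time_seconds(10e9))
```

The practical rule this encodes: on gigabit and faster interfaces poll the 64-bit ifHC* counters, and keep the poll interval well below the wrap time of whatever counter you do read.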

(2) NetFlow-based traffic information collection.

Using the NetFlow mechanism built into network equipment, the efficiency and quality of data collection are good enough for network traffic anomaly monitoring. Many traffic monitoring and management products are built on this flow-detection technology. They are an effective tool for judging abnormal traffic: by watching how traffic volumes change, network staff can spot anomalies, especially abnormal flows, and then drill down to the source and destination addresses involved.

(3) Protocol analysis technology.

Protocol analysis technology answers the question of which protocols and applications users are actually using. It covers protocol and application identification, packet decoding and analysis, and so on.

4. The difference between NetFlow and sFlow

Current flow-based solutions fall into two main kinds, sFlow and NetFlow. sFlow, originated by InMon and described in RFC 3176, uses random packet sampling, which lets it cope with very large volumes such as a 10 Gigabit environment while still analysing what is transmitted; not many hardware devices support it, the main ones coming from HP, Foundry Networks and Extreme Networks. NetFlow is Cisco's technology and is supported on a wide range of mid-range and high-end devices, but at 10 Gigabit its support is less satisfactory: it accounts every packet into a flow cache and exports flow records when the flow ends or times out (sampled NetFlow is an option on some platforms). The ntop tool's plug-in supports capture of both sFlow and NetFlow.
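The reason sFlow's random 1-in-N sampling scales to 10 Gigabit links is that a small sample, scaled up by N, estimates the traffic mix with a known error. This is an added example, not code from the article or from any sFlow implementation: it builds a synthetic packet stream, simulates the independent 1-in-N sampling an sFlow agent performs, scales the sampled bytes back up, and attaches the bound published in sFlow's sampling documentation (at 95% confidence the relative error is at most 196 * sqrt(1/c) percent, where c is the number of samples in a class). The traffic mix, packet sizes and seeds are constructed for the example.

```python
"""Estimate per-application traffic from 1-in-N random packet sampling.

Added example (not from the article). A synthetic packet stream is built
inline; sampling is simulated rather than read from an sFlow agent.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

Packet = Tuple[str, int]   # (application label, length in bytes)


def make_stream(seed: int, total_packets: int = 200_000) -> List[Packet]:
    """Constructed traffic mix: mostly web, some DNS, a little SSH."""
    rng = random.Random(seed)
    mix = [("web", 0.80, 1400), ("dns", 0.15, 120), ("ssh", 0.05, 300)]
    apps, weights, sizes = zip(*mix)
    size_of = dict(zip(apps, sizes))
    chosen = rng.choices(apps, weights=weights, k=total_packets)
    return [(app, size_of[app]) for app in chosen]


def true_bytes(stream: List[Packet]) -> Dict[str, int]:
    """Ground truth: bytes per application over the whole stream."""
    totals: Counter = Counter()
    for app, size in stream:
        totals[app] += size
    return dict(totals)


def sample_1_in_n(stream: List[Packet], n: int, seed: int) -> List[Packet]:
    """Random sampling as sFlow agents do it: each packet is taken with
    probability 1/n independently, so the sample has no fixed period that a
    periodic traffic pattern could alias against."""
    rng = random.Random(seed)
    return [pkt for pkt in stream if rng.random() < 1.0 / n]


def estimate(samples: List[Packet], n: int) -> Dict[str, Tuple[int, float]]:
    """Scale sampled bytes by the sampling rate and attach the sFlow error
    bound: at 95% confidence the relative error is at most 196 * sqrt(1/c) %,
    where c is the number of samples seen for that class."""
    counts: Counter = Counter()
    sampled_bytes: Counter = Counter()
    for app, size in samples:
        counts[app] += 1
        sampled_bytes[app] += size
    return {app: (sampled_bytes[app] * n, 196.0 * math.sqrt(1.0 / counts[app]))
            for app in counts}


if __name__ == "__main__":
    stream = make_stream(seed=1)
    truth = true_bytes(stream)
    for n in (100, 1000):
        est = estimate(sample_1_in_n(stream, n, seed=7), n)
        for app, (b, e) in sorted(est.items()):
            print(f"1-in-{n:<5} {app:4} est={b:>12,} B  true={truth[app]:>12,} B  bound=+/-{e:.1f}%")
```

The bound makes the trade-off explicit: at 1-in-1000 the minority application (ssh) gets only a handful of samples and its estimate is almost meaningless, while the dominant class is still measured well. Choose N from the smallest class you need to see, not from the link rate alone.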

5. Protocol and application identification

Based on the contents of the datagram headers, protocol-automaton traffic recognition analyses the IP addresses, port numbers, keywords, message formats, transport-layer protocol and so on together, classifies the traffic and accurately identifies the application-layer protocol. This covers database protocols, peer-to-peer applications that use dynamically allocated ports, encrypted and unencrypted instant messaging, virtual tunnelling applications and other traffic that tries to hide itself.

Analysis based on packet decoding. First the collected data is decoded into readable fields according to the message format definition, then intelligent state-pattern matching is applied to the mass of decoded fields. The principle is to decode exactly as the client or server side of the session would: each protocol component identifies the parts of the communication according to the rules laid down in the RFC and then searches for information patterns. In some cases this is pattern matching within a particular protocol field; other cases need more advanced techniques or manual intervention, such as tests on specific variables like the length of a field or the number of independent variables.
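The layered identification described in the two paragraphs above (port number as a first guess, then decoding the first bytes of the payload the way the peer would) is shown in this added example, which is my own code and not the article's or any vendor's DPI engine. It labels constructed flows by payload signature (HTTP request line, SSH banner, TLS ClientHello with the SNI extracted by walking the handshake the way a TLS server does) and falls back to the port only when the payload says nothing, so HTTPS on port 8443 or SSH on port 80 is still labelled correctly. The `Flow` type, the hint table and the sample packets are assumptions of the example; the ClientHello is built by `build_client_hello()` so the parser has realistic input without a capture file.

```python
"""Identify application protocols from the five-tuple plus payload signatures.

Added example (not the article's or any vendor's engine). The flows are
constructed inline; build_client_hello() produces a minimal TLS ClientHello so
tls_sni() has something realistic to parse.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    payload: bytes      # first bytes of the client's first segment


PORT_HINTS = {(80, "tcp"): "http", (443, "tcp"): "tls", (22, "tcp"): "ssh", (53, "udp"): "dns"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying one server_name extension."""
    host = sni.encode()
    name_list = b"\x00" + struct.pack("!H", len(host)) + host         # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(name_list) + 2)
               + struct.pack("!H", len(name_list)) + name_list)
    body = (b"\x03\x03" + bytes(32)                                   # client version, random
            + b"\x00"                                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host from a ClientHello, or None if it is not one.
    Every offset is bounds-checked: a truncated or hostile record yields None
    rather than an exception, which is what a probe on a live tap needs."""
    try:
        if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                         # record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                                      # session id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]         # cipher suites
        pos += 1 + payload[pos]                                      # compression methods
        ext_len = struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if etype == 0:                                           # server_name extension
                nlen = struct.unpack_from("!H", payload, pos + 3)[0] # skip list len(2) + name_type(1)
                return payload[pos + 5: pos + 5 + nlen].decode("ascii")
            pos += elen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def identify(flow: Flow) -> str:
    """Payload signature wins; the well-known port is only a fallback."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p.startswith(HTTP_METHODS):
        return "http"
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        sni = tls_sni(p)
        return f"tls sni={sni}" if sni else "tls"
    return PORT_HINTS.get((flow.dport, flow.proto), "unknown")


# Constructed flows: note the non-standard ports for SSH and TLS.
FLOWS = [
    Flow("10.0.0.5", 51000, "10.0.0.8", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.0.5", 51001, "10.0.0.9", 2222, "tcp", b"SSH-2.0-OpenSSH_9.3\r\n"),
    Flow("10.0.0.5", 51002, "10.0.0.10", 8443, "tcp", build_client_hello("intranet.example")),
    Flow("10.0.0.5", 51003, "10.0.0.11", 443, "tcp", b"\x17\x03\x03\x00\x20" + bytes(32)),  # mid-stream, port fallback
    Flow("10.0.0.5", 51004, "10.0.0.12", 53, "udp", b"\x12\x34\x01\x00\x00\x01" + bytes(6)),
    Flow("10.0.0.5", 51005, "10.0.0.13", 80, "tcp", b"SSH-2.0-dropbear\r\n"),                 # SSH hiding on 80
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}: {identify(f)}")
```

A real engine keeps per-flow state so it can classify on a later packet when the first one is not decisive (the port-443 flow above is only a guess), and it rate-limits how deep it decodes so a crafted length field cannot make it walk far into attacker-controlled bytes.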

6. Network data-stream acquisition technology (hardware probes, i.e. network shunts and core-network collector TAPs)

Network splitter TAPs come in two families: fixed-network shunts and mobile-Internet signalling collectors.

ATCA chassis devices support 480 x 10G and 76 x 100G

1U cartridge network splitter supports 48 x 10G

Mobile signalling collector supports 160 x 10G and 20 x 100G

The best way to get a grip on network traffic is to collect the complete data stream. There are currently two kinds of collection: hardware probes and software agents. A network probe (sensor) is usually fed by a hub, a switch or a TAP: the common Switch Port Analyzer (SPAN) feature of switches (used in the monitoring chapters of the OSSIM best-practices book), or a TAP device inserted in line on a segment. A hub is a shared-medium device: every port shares the bandwidth and all devices attached to it are in one collision domain, so if the user's central switching device is a hub, connecting the listener to it is enough to capture all traffic in the subnet.

The Switch Port Analyzer (SPAN) is a common data-stream acquisition port that lives on the switch. The administrator configures one switch port as the SPAN port, and the switch copies the traffic of the specified source ports or VLANs to it, where it can be listened to. SPAN has its drawbacks: the mirroring costs switch performance (as a rule of thumb, enable it only if switch CPU utilisation is under 10%; above 50% the SPAN approach should not be used). To collect and analyse traffic on links at gigabit rates and above, hardware acceleration is needed; the best-known option is the DAG series of capture cards developed by Endace, which interested readers can look up online.

7. Limitations of SPAN

SPAN is used in all the cases in the Open Source Security Operations Platform: OSSIM Best Practices book, but note that Cisco and other vendors impose limits on SPAN:

A SPAN session can have only one destination port;

A port can be the destination of only one SPAN session;

Mid-range Cisco devices typically support only one session.

Where the security level and requirements are high (for example several IDS systems and several traffic analysis systems running in parallel), more than two security or analysis devices are needed, and the limited number of SPAN destination ports on the switch cannot satisfy that. Users therefore turn to a dedicated traffic-access device, the TAP (Test Access Point), which can supplement conventional SPAN. A TAP-based traffic replicator/aggregator is a hardware device that aggregates traffic from multiple ports at true line rate and replicates the complete stream to multiple monitoring ports for use by several analysis systems. It can do this because the TAP uses a hardware ASIC as its replication and switching engine, giving full-rate replication and monitoring at gigabit speeds. The usual deployment is to insert the TAP in line between the firewall and the core switch and then attach multiple security devices, such as IDS/IPS, to the TAP's designated monitoring ports so that they all operate simultaneously. Table 1 below summarises the advantages and disadvantages of the three approaches (hub, SPAN and TAP).

The biggest drawback of TAP equipment is cost, but it delivers full-traffic acquisition and, whether used in parallel or in line, leaves the network undisturbed or affects it minimally. Rongteng Network focuses on cost-effective high-density, high-speed, high-volume designs, with industry-leading hardware and system-integration capability.

Network shunt device

In some large-scale deployments, where the user's back end runs on IBM WebSphere, the operations team creates SPAN ports on several switches when a problem occurs. A Cisco 6500 series switch can only be configured with two SPAN sessions, so several monitoring systems cannot be used at the same time. Also, under heavy load SPAN cannot be used at all, and a matrix switch (packet broker) is used to keep the monitoring tools working, with further sniffer tools attached to it for analysis. Unlike a plain TAP, the matrix switch has built-in filtering, so operations staff can steer specific data flows to specific tools. With a TAP interface that cannot filter, a single burst on a 10 Gigabit channel would swamp the tool; the matrix switch's filtering keeps the sniffer from being overloaded.

Second, analysing abnormal network traffic with NetFlow

The rapid growth of network applications has brought a proliferation of traffic. How do Internet users behave within that traffic? How are the various kinds of traffic distributed? NetFlow is an effective tool for answering these traffic-management questions. NetFlow was originally developed by Cisco, and because it is so widely used many other manufacturers now implement similar functions, for example Juniper, Extreme, Foundry and H3C. Cisco NetFlow exists in several versions (v5, v7, v8, v9), and v5 is currently the mainstream, so this article focuses on NetFlow v5 and the basic elements of its export packet, starting with the flow itself. For more details see the Open Source Security Operations Platform: OSSIM Best Practices book, which describes not only how to deploy a NetFlow system and use it to analyse abnormal traffic, but also how to analyse application-layer traffic with another open-source tool, and finally how to defend against sniffing.
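The "basic elements" of a NetFlow v5 export packet are a fixed 24-byte header followed by up to 30 fixed 48-byte flow records, each carrying the five-tuple, packet and byte counts and the TCP flags seen on the flow. This added example is my own code, not from the article or the OSSIM book: it builds a v5 datagram from constructed flow tuples, parses it back with the published v5 layout, and then applies the two anomaly checks the NetFlow sections above describe (find the source that suddenly dominates the byte count, and find the source that has touched many destination ports with single-SYN flows, which is how a port scan looks in flow data). The flow tuples, thresholds and helper names are assumptions of the example; on a real collector the same bytes arrive on the UDP socket the exporter is pointed at.

```python
"""Parse NetFlow v5 export datagrams and flag abnormal traffic sources.

Added example (not from the article or the OSSIM book). The datagram is
constructed in memory by build_v5(); on a collector you would read the same
bytes from the UDP socket the exporter sends to.
"""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes: version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes, Cisco's published v5 record layout
V5_MAX_RECORDS = 30                                     # exporters never put more than 30 records in one datagram


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


def build_v5(records: List[Tuple[str, str, int, int, int, int, int, int]], seq: int = 0) -> bytes:
    """Encode (src, dst, sport, dport, proto, packets, octets, tcp_flags) tuples
    as one v5 datagram. Fields this example does not use (nexthop, ifindexes,
    timestamps, AS numbers, masks) are left zero."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       0, 0, pk, oc, 0, 0, sp, dp, 0, flags, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, sp, dp, proto, pk, oc, flags in records)
    return header + body


def parse_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one datagram. Anything that is not v5, or whose length disagrees
    with the header's record count, is rejected: a collector listening on the
    network must not trust the count field blindly."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    out = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # f[0] src, f[1] dst, f[5] dPkts, f[6] dOctets, f[9] sport, f[10] dport, f[12] tcp_flags, f[13] prot
        out.append(FlowRecord(socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                              f[9], f[10], f[13], f[5], f[6], f[12]))
    return out


def is_valid_v5(datagram: bytes) -> bool:
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def top_talkers(flows: List[FlowRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Sources ranked by bytes sent: the first thing to look at when a link fills up."""
    by_src: Dict[str, int] = defaultdict(int)
    for f in flows:
        by_src[f.src] += f.octets
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def scan_sources(flows: List[FlowRecord], min_ports: int = 10) -> Dict[str, int]:
    """Sources with many tiny TCP flows to distinct (dst, port) pairs carrying
    only a SYN (tcp_flags == 0x02): the shape of a port scan in flow data."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= 2 and f.tcp_flags == 0x02:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


# Constructed flows: normal web sessions, a SYN scan of 25 ports, one large DB response.
SAMPLE_RECORDS = (
    [("10.1.1.20", "10.9.9.9", 40000 + i, 80, 6, 10, 15000, 0x1b) for i in range(3)]
    + [("10.1.1.77", "10.9.9.9", 52000 + p, 1 + p, 6, 1, 40, 0x02) for p in range(25)]
    + [("10.1.1.30", "10.9.9.50", 3306, 51234, 6, 800, 9_000_000, 0x18)]
)

if __name__ == "__main__":
    flows = parse_v5(build_v5(SAMPLE_RECORDS))
    print("records     :", len(flows))
    print("top talkers :", top_talkers(flows))
    print("scan sources:", scan_sources(flows))
```

Two caveats a collector deployment should keep in mind: NetFlow v5 has no authentication, so the collector port must be reachable only from the exporters (a forged datagram with a large count field is exactly what the length check above defends against), and v5 records carry only IPv4 addresses; IPv6 and sampling metadata need v9 or IPFIX templates.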
The above is only my own brief analysis, for reference only!


The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on it have no relationship with Alibaba Cloud.
