network measurement for kreonet -flowscan- 2002.9.26이만희kisti/kreonet

Network Measurement for Network Measurement for KREONETKREONET

-FlowScan--FlowScan-

2002.9.262002.9.26

이만희이만희KISTI/KREONETKISTI/KREONET

목차목차

• Measurement Measurement 소개소개• FlowScan, FlowScan+?FlowScan, FlowScan+?

• FlowScan FlowScan 설치법설치법• 부록부록 : FlowScan+ : FlowScan+ 이용 해킹 보고서이용 해킹 보고서

Why Network Why Network Measurement?Measurement?

• Network Operators’ ViewNetwork Operators’ View– Is the network reliable?Is the network reliable?– How is the network used?How is the network used?– When should the network be upgraded?When should the network be upgraded?

• Network Users’ ViewNetwork Users’ View– How much do I use the network?How much do I use the network?– Should I invest more or not?Should I invest more or not?– Does the Service Provider abide by its Does the Service Provider abide by its

agreement?agreement?

Active MeasurementActive Measurement

• MethodMethod– inject measurement traffic into the inject measurement traffic into the

networknetwork

• MetricMetric– Round Trip Time, Packet loss, TopologyRound Trip Time, Packet loss, Topology

• ToolsTools– Ping, Traceroute, NIMI, Surveyor, Ping, Traceroute, NIMI, Surveyor,

PingER, AMPPingER, AMP

Passive MeasurementPassive Measurement

• MethodMethod– Do not inject traffic but observe trafficDo not inject traffic but observe traffic

• MetricMetric– Link Utilization, Traffic AnalysisLink Utilization, Traffic Analysis

• ToolsTools– Tcpdump, MRTG, FlowScan, CoralReefTcpdump, MRTG, FlowScan, CoralReef

What is FlowScan?What is FlowScan?• A Network Traffic Flow Reporting and A Network Traffic Flow Reporting and

Visualization Tool developed by Dave PlonkaVisualization Tool developed by Dave Plonka• FlowScanFlowScan 은 은 CISCO routerCISCO router 서 보내는 서 보내는 flow dataflow data

를 분석하여 유용한 정보를 얻어내는 를 분석하여 유용한 정보를 얻어내는 tool tool • FlowScanFlowScan 은 다음의 세 가지 은 다음의 세 가지 Perl script modulePerl script module

로 구성로 구성 – a flow collection engine (a patched version of a flow collection engine (a patched version of

cflowd) cflowd) – High performance database(Round Robin Database High performance database(Round Robin Database

- RRD) - RRD) – a visualization tool (RRDtool)a visualization tool (RRDtool)

• FlowScanFlowScan 은 은 networknetwork 의 의 border trafficborder traffic 을 을 측정하여 실시간에 거의 근접하게측정하여 실시간에 거의 근접하게 (5(5 분 단위분 단위 ) ) 그래프를 만들어 준다그래프를 만들어 준다 ..

HardwareHardware

• Netflow version 5Netflow version 5 가 가 export export 가능한 가능한 CISCO CISCO router, Cisco IOS Release 12.0 and later router, Cisco IOS Release 12.0 and later releasesreleases 는 대부분 지원는 대부분 지원

• RouterRouter 에서 에서 exportexport 된 된 flow flow 정보를 정보를 FlowScanFlowScan 이 설치된 컴퓨터에서 분석하여 이 설치된 컴퓨터에서 분석하여 트래픽 정보를 그래프로 그림트래픽 정보를 그래프로 그림

• FlowScan FlowScan 시스템시스템 : Sparc machine: Sparc machine 의 의 Solaris, Intel machineSolaris, Intel machine 의 의 GNU/Linux, *BSD GNU/Linux, *BSD 에 설치 가능에 설치 가능

• 가능한 좋은 성능의 시스템 사용 권장가능한 좋은 성능의 시스템 사용 권장 (Dual (Dual CPU, CPU, 고용량 고용량 SCSI SCSI 하드 디스크 등하드 디스크 등 ))

What is flow?What is flow?

• Packets with the same src ip & port, Packets with the same src ip & port, dst ip & port, protocol #dst ip & port, protocol #

• NetFlow – flow information exported NetFlow – flow information exported by CISCO routerby CISCO router

• FlowScan uses NetFlow data to FlowScan uses NetFlow data to analyze the traffic data.analyze the traffic data.

NetFlow entryNetFlow entry

FlowScan's Hardware FlowScan's Hardware Components Components

Software 1/3 - cflowdSoftware 1/3 - cflowd

• Original cflowd : cflowdmux, cflowd, Original cflowd : cflowdmux, cflowd, flowcollectorflowcollector

• FlowScan: cflowdmuxFlowScan: cflowdmux 와 와 cflowd cflowd 를 사용 를 사용 • RouterRouter 에서 에서 NetFlow version 5NetFlow version 5 로 로 UDP UDP

분석 분석 machinemachine 에 전송에 전송• cflowdmuxcflowdmux 가 이 정보를 받아 가 이 정보를 받아 cflowdcflowd 로 로

보내 줌보내 줌• cflowdcflowd 는 이 정보를 받아 미리 정의된 는 이 정보를 받아 미리 정의된

포맷으로 디스크에 기록포맷으로 디스크에 기록 , 5, 5 분 단위 분 단위

Software 2/3 – FlowScanSoftware 2/3 – FlowScan

• FlowScan.pm FlowScan.pm 이라는 이라는 Perl scriptPerl script 로 로 쓰여져 있음 쓰여져 있음

• FlowScanFlowScan 은 은 cflowdcflowd 에서 기록된 에서 기록된 flow flow dump dump 파일을 분석한 뒤 파일을 분석한 뒤 RRD(Round RRD(Round Robin Datase)Robin Datase) 에 기록에 기록

• DBDB 에는 에는 FlowFlow 의 몇 가지 통계적인 의 몇 가지 통계적인 정보를 저장하고 분석 정보를 저장하고 분석

Software 3/3 – RRDtoolSoftware 3/3 – RRDtool

• DBDB 의 정보를 이용해 의 정보를 이용해 time-series graphtime-series graph를 그림를 그림

• RRDtoolRRDtool 은 여러 개의 은 여러 개의 RRD fileRRD file 을 을 사용해 사용해 flowflow 의 통계 정보를 저장의 통계 정보를 저장

• RRDtoolRRDtool 과 과 RRGrapherRRGrapher 는 는 GIFGIF 나 나 PNGPNG형식의 포맷으로 형식의 포맷으로 graph graph 작성작성

Existing FlowScan GraphExisting FlowScan Graph

Existing FlowScan Graph (cont.)Existing FlowScan Graph (cont.)

What is FlowScan+?What is FlowScan+?• Goal: Improve FlowScan by attaching Goal: Improve FlowScan by attaching

query interface for detail analysis.query interface for detail analysis.– MotivationMotivation

•Lack of traffic measurement tool that supports real Lack of traffic measurement tool that supports real time visualization and detailed information on time visualization and detailed information on demand. demand.

•Provide flexibility in analyzing network traffic to Provide flexibility in analyzing network traffic to Network Engineers and Administrator.Network Engineers and Administrator.

– Why FlowScan?Why FlowScan?•FlowScan is open source program and provides FlowScan is open source program and provides

good visualization through the Web, yet does not good visualization through the Web, yet does not support query interface.support query interface.

– Who?Who?•KISTI, KAISTKISTI, KAIST

Advantages and DisadvantagesAdvantages and Disadvantages

• The Existing FlowScanThe Existing FlowScan– Provides real-time network status graph Provides real-time network status graph

and set of information to show the trend and set of information to show the trend of network status and usage. of network status and usage.

– More Possible information can be drawn More Possible information can be drawn from NetFlow data.from NetFlow data.•Amount of traffic used by certain host, inter Amount of traffic used by certain host, inter

AS traffic amount, packet distribution, etc…AS traffic amount, packet distribution, etc…

Major Improvement Point from Major Improvement Point from Existing FlowScanExisting FlowScan

• Using DBMS Using DBMS – for support flexibility when queryingfor support flexibility when querying– MySQL adoptedMySQL adopted

• Web supported query interfaceWeb supported query interface• More information on traffic data and More information on traffic data and

statistical analysis can be obtained by statistical analysis can be obtained by demand.demand.

We named the improved version of We named the improved version of FlowScan,FlowScan, FlowScan+ FlowScan+

Query interfaceQuery interface

Predefined query(by user interface)Predefined query(by user interface)to raw flowsto raw flows

• Total traffic statisticTotal traffic statistic• All flows in specific time periodAll flows in specific time period• Trace traffic used by specific userTrace traffic used by specific user• Protocol statisticProtocol statistic• Port statisticPort statistic• As statisticAs statistic• Nexthop statisticNexthop statistic• Packet , flow distributionPacket , flow distribution

Data AggregationData Aggregation

Front table

netflow

……...

Protocol Table

Top User

Table

Port

Table

AS

Table

Rawflows

Bypass Aggregation

Data AggregationData Aggregation (cont’d)(cont’d)

• First, all incoming NetFlow data are inserted to First, all incoming NetFlow data are inserted to front tablefront table

• Aggregation module is automatically called every Aggregation module is automatically called every 15 minute15 minute

• After finishing all aggregation, all data in front After finishing all aggregation, all data in front table are moved to raw flows tabletable are moved to raw flows table

• In some aggregation, preserve 90% information In some aggregation, preserve 90% information but only save 20% aggregated databut only save 20% aggregated data

• Query time is reduced (very much)Query time is reduced (very much)• Eventually, old data of raw flows in table Eventually, old data of raw flows in table

‘rawflows’ will be deleted due to storage ‘rawflows’ will be deleted due to storage shortage. But aggregated data will be stored shortage. But aggregated data will be stored foreverforever

ProblemsProblems

• Amount of data (under no sampling on Amount of data (under no sampling on KOREN/KREONet2 – STAR TAP router)KOREN/KREONet2 – STAR TAP router)– 45Mbps 45Mbps 링크에서 링크에서 50% 50% 정도 정도 usage usage 있을 때있을 때– 약 약 115414 flows/5 min, 6MB/5min, 115414 flows/5 min, 6MB/5min,

1.7GB/day1.7GB/day– DDoS DDoS 공격시공격시 , 30~50MB/5min, 10GB/day, 30~50MB/5min, 10GB/day

• Reporting time : more than 1 minute, Reporting time : more than 1 minute, sometimes over 10 minutessometimes over 10 minutes

• KISTI and KAIST mending nowKISTI and KAIST mending now

FlowScan+ ArchetectureFlowScan+ Archetecture

FlowScan FlowScan+

FlowScan vs FlowScan +FlowScan vs FlowScan +

• FlowScan providesFlowScan provides– Traffic analysis by amount Traffic analysis by amount

of bytes, packets, and of bytes, packets, and flows.flows.

– Traffic by IP Protocol, Traffic by IP Protocol, applicationapplication

– Top inbound/outbound ASTop inbound/outbound AS– Top inbound/outbound path Top inbound/outbound path

ASAS– Specific vs TotalSpecific vs Total

• FlowScan+ provides– All that FlowScan provides. – Analysis by desired time

period.– Detailed Information on

traffic between AS’s– Nexthop

• One can use FlowScan to see the trend of network traffic, and then use FlowScan+ module to analyze certain aspect in detail.

Deployment of FlowScan+Deployment of FlowScan+

• KOREN/KREONet2-STARTAP KOREN/KREONet2-STARTAP International LinkInternational Link– 45 Mbps International Link45 Mbps International Link– http://flowscan.kreonet2.net http://flowscan.kreonet2.net

• Campus Network-KAISTCampus Network-KAIST– On weather map of KAISTOn weather map of KAIST– http://moran.kaist.ac.krhttp://moran.kaist.ac.kr

Traffic From KREONET-STARTAP Traffic From KREONET-STARTAP by Services (application)by Services (application)

Traffic From KREONET-STARTAP Traffic From KREONET-STARTAP Links (by Flows)Links (by Flows)

2002.1.23 KREONET-STARTAP

Using FlowScan+ to analyze Using FlowScan+ to analyze abnormality in the Networkabnormality in the Network

• Possible detection of DoS attackPossible detection of DoS attack

Other AnomaliesOther Anomalies

• Network Worm Virus• When there is large portion of sudden smtp

traffic is shown, one can suspect the possible existence of worm virus over the network.

• Code Red, Nimda?

• Port Scanning• Hacking/Cracking Trials• Etc..

FlowScan FlowScan 설치 설치 GuideGuide

•라우터 환경 설정라우터 환경 설정•FlowScan FlowScan 시스템 설정시스템 설정

라우터 환경 설정라우터 환경 설정

• CISCO 7507 CISCO 7507 라우터 라우터 IOS 12.0(15)S3IOS 12.0(15)S3• #config terminal#config terminal• (config)#ip flow-cache timeout inactive 300(config)#ip flow-cache timeout inactive 300• (config)#ip flow-cache timeout active 1 (config)#ip flow-cache timeout active 1 또는 또는 ip flow-cache ip flow-cache

active-timeout 1active-timeout 1• (config)#ip flow-export version 5 (config)#ip flow-export version 5 • (config)#ip flow-export destination 150.183.235.100 2055(config)#ip flow-export destination 150.183.235.100 2055• (config)#ip cef <distributed> //VIP(config)#ip cef <distributed> //VIP 가 있는 라우터에서 각 가 있는 라우터에서 각

인터페이스에서 각각 수행하도록 함인터페이스에서 각각 수행하도록 함• Ingress interfaceIngress interface 에 대해서 아래 명령 수행에 대해서 아래 명령 수행• (config)#interface Ethernet1(config)#interface Ethernet1• (config-if)#ip route-cache flow(config-if)#ip route-cache flow

FlowScan FlowScan 환경 설정 준비환경 설정 준비

• FreeBSD 4.3 FreeBSD 4.3 기본 기본 package package 설치설치 ((이상 버전도 가능이상 버전도 가능 , linux, linux 도 설치 도 설치 가능하지만 가능하지만 package package 설치가 간단하여 설치가 간단하여 FreeBSDFreeBSD 를 많이 선호함를 많이 선호함 ))

• Package Package 설치법설치법 : /stand/sysinstall -> : /stand/sysinstall -> Configure-> packages->CD-ROM or Configure-> packages->CD-ROM or ftp ftp 선택 선택 -> all or -> all or 해당 그룹 선정해당 그룹 선정 -->install>install

Package Install Screen Package Install Screen

FlowScan FlowScan 환경 설정 환경 설정 11

• perl5(perl5( 기본으로 설치되어 있음기본으로 설치되어 있음 ))

• arts++-1-1-a8_1arts++-1-1-a8_1

• autoconf-2.13autoconf-2.13

• GNU bison-1.28GNU bison-1.28

• gmake-3.79.1gmake-3.79.1

• pdksh-5.2.14pdksh-5.2.14

FlowScan FlowScan 환경 설정 환경 설정 22• Cflowd, cflowd patchCflowd, cflowd patch

– http://net.doit.wisc.edu/~plonka/cflowd/?M=Dhttp://net.doit.wisc.edu/~plonka/cflowd/?M=D– cflowd-2-1-b1.tar.gz cflowd-2-1-b1-djp.patch cflowd-2-1-b1.tar.gz cflowd-2-1-b1-djp.patch 를 다운 받음를 다운 받음

• 각 파일을 같은 디렉터리 상에 복사한 뒤각 파일을 같은 디렉터리 상에 복사한 뒤 , , 다음의 절차를 거쳐 다음의 절차를 거쳐 patchpatch와 설치 와 설치 – patch patch 방법 방법

# gunzip -c cflowd-2-1-b1.tar.gz |tar xf –# gunzip -c cflowd-2-1-b1.tar.gz |tar xf –# cd cflowd-2-1-b1# cd cflowd-2-1-b1# patch -p0 < ../cflowd-2-1-b1-djp.patch# patch -p0 < ../cflowd-2-1-b1-djp.patch# autoconf # optional# autoconf # optional

– cflowd cflowd 설치 방법설치 방법# ./configure --with-artspp=/usr/local# ./configure --with-artspp=/usr/local# make# make# make install# make install

• 쉘 설정 파일 내에 다음 쉘 설정 파일 내에 다음 pathpath 를 추가를 추가set path = (… /usr/local/arts/bin /usr/local/arts/sbin) set path = (… /usr/local/arts/bin /usr/local/arts/sbin) #rehash#rehash


• RRD RRD 설치설치– http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub/http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub/– PackagePackage 에도 있지만 에도 있지만 source compilesource compile 을 권장을 권장

• 설치 방법설치 방법# gunzip –c rrdtool-1.0.33.tar.gz | tar xf –# gunzip –c rrdtool-1.0.33.tar.gz | tar xf –# cd rrdtool-1.0.33# cd rrdtool-1.0.33# ./configure --enable-shared # ./configure --enable-shared # make install site-perl-install# make install site-perl-install

• 쉘 설정 파일 내에 다음 쉘 설정 파일 내에 다음 pathpath 를 추가를 추가set path = (… /usr/local/rrdtool-1.0.33/bin)set path = (… /usr/local/rrdtool-1.0.33/bin)# rehash# rehash


• Perl Perl 모듈 설치모듈 설치– /stand/sysinstall/stand/sysinstall 에서 에서 package package 형태로 형태로

설치설치– p5-Boulder-1.20p5-Boulder-1.20– p5-Cflow-1.03p5-Cflow-1.03– p5-ConfigReader-0.5_1p5-ConfigReader-0.5_1– p5-HTML-Table-1.07bp5-HTML-Table-1.07b– p5-Net-Patricia-1.010p5-Net-Patricia-1.010


• FlowScan-1.006FlowScan-1.006 설치설치– http://net.doit.wisc.edu/~plonka/FlowScan/http://net.doit.wisc.edu/~plonka/FlowScan/

• 설치 방법설치 방법 ::# ./configure --prefix=/usr/flows# ./configure --prefix=/usr/flows– (configure(configure 에서 에서 rrdtoolrrdtool 이 없다는 이 없다는 error error 나면 나면 configure configure 화일 화일

편집하여편집하여 ac_cv_path_RRDTOOL_PATH='/usr/local/rrdtool-ac_cv_path_RRDTOOL_PATH='/usr/local/rrdtool-1.0.33' 1.0.33' 를 추가를 추가 ))

# make# make# make -n install# make -n install# make install# make install# mkdir –p /usr/flows/graphs # mkdir –p /usr/flows/graphs

• 쉘 설정 파일 내에 다음 쉘 설정 파일 내에 다음 pathpath 를 추가한다를 추가한다 ..set path = (… /usr/flows/bin)set path = (… /usr/flows/bin)# rehash# rehash


• clfowd clfowd 환경 셋업환경 셋업– cpcp /usr/local/arts/etc/cflowd.conf.example /usr/local/arts/etc/cflowd.conf.example

/usr/local/arts/etc/cflowd.conf/usr/local/arts/etc/cflowd.conf– vi /usr/local/arts/etc/cflowd.confvi /usr/local/arts/etc/cflowd.conf

• OPTIONS {OPTIONS { LOGFACILITY:LOGFACILITY: local6local6 TCPCOLLECTPORT: TCPCOLLECTPORT: 20562056 PKTBUFSIZE:PKTBUFSIZE: 40000004000000 TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socketTABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket FLOWDIR:FLOWDIR: /usr/flows/usr/flows FLOWFILELEN:FLOWFILELEN: 10000001000000 NUMFLOWFILES:NUMFLOWFILES: 1010 MINLOGMISSED:MINLOGMISSED: 300300

}}


• cflowd cflowd 환경 셋업 계속환경 셋업 계속COLLECTOR {COLLECTOR {

HOST: 150.183.235.100 # IP address of central collectorHOST: 150.183.235.100 # IP address of central collector ADDRESSES: { 150.183.235.100 }ADDRESSES: { 150.183.235.100 } AUTH: noneAUTH: none

}}CISCOEXPORTER {CISCOEXPORTER {

HOST: 134.75.20.** # IP address of Cisco sending data.HOST: 134.75.20.** # IP address of Cisco sending data. ADDRESSES: { 134.75.20.***, # Addresses of interfaces on CiscoADDRESSES: { 134.75.20.***, # Addresses of interfaces on Cisco 210.218.215.***,210.218.215.***, 134.75.108.***,134.75.108.***, 150.183.2.***} # sending data.150.183.2.***} # sending data. CFDATAPORT: 2055 # Port on which to listen for data.CFDATAPORT: 2055 # Port on which to listen for data. SNMPCOMM: ‘******' # SNMP community name.SNMPCOMM: ‘******' # SNMP community name. LOCALAS: 17579 # Local AS of Cisco sending data.LOCALAS: 17579 # Local AS of Cisco sending data. COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix, asmatrix, tos, COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix, asmatrix, tos,

flows }flows }}}


• # cflowdmux# cflowdmux• # cflowd –s 300 –O 0 –m# cflowd –s 300 –O 0 –m• 결과로 결과로 /usr/flows/usr/flows 에 에 ip.flows.0~9 ip.flows.0~9 파일과 파일과

flows.currentflows.current 라는 파일이 생기고 라는 파일이 생기고 flows.currentflows.current 의 의 크기가 점점 늘어난다면 성공크기가 점점 늘어난다면 성공

• 55 분 뒤에 분 뒤에 flows.20010928_09:15:04+0900 flows.20010928_09:15:04+0900 와 와 같은 형태의 파일이 같은 형태의 파일이 dumpdump 될 것임될 것임

• # ps –ax |grep flow# ps –ax |grep flow 279 ?? S 0:00.18 cflowdmux279 ?? S 0:00.18 cflowdmux 281 ?? S 0:05.60 cflowd -s 300 -O 0 –m281 ?? S 0:05.60 cflowd -s 300 -O 0 –m


• flowscan flowscan 설치 디렉토리에서 설치 디렉토리에서 /usr/flows/bin /usr/flows/bin 에 아래 화일들 복사에 아래 화일들 복사

• CampusIO.cf, flowscan.cf, CampusIO.cf, flowscan.cf, local_nets.boulder, local_nets.boulder, Napster_subnets.boulderNapster_subnets.boulder

• flowscan.cfflowscan.cf FlowFileGlob /usr/flows/flows.*:*[0-9]FlowFileGlob /usr/flows/flows.*:*[0-9] ReportClasses CampusIOReportClasses CampusIO WaitSeconds 300WaitSeconds 300 Verbose 1Verbose 1


• CampusIO.cfCampusIO.cfOutputIfIndexes 2, 9OutputIfIndexes 2, 9LocalSubnetFiles /usr/flows/bin/local_nets.boulderLocalSubnetFiles /usr/flows/bin/local_nets.boulderOutputDir /usr/flows/graphsOutputDir /usr/flows/graphsProtocols icmp, tcp, udpProtocols icmp, tcp, udpTCPServices ftp-data, ftp, smtp, nntp, http, 7070, 554, 1863, 5004TCPServices ftp-data, ftp, smtp, nntp, http, 7070, 554, 1863, 5004NapsterSubnetFiles /usr/flows/bin/Napster_subnets.boulderNapsterSubnetFiles /usr/flows/bin/Napster_subnets.boulderNapsterSeconds 1800NapsterSeconds 1800NapsterPorts 8875, 4444, 5555, 6666, 6697, 6688, 6699, 7777, 8888NapsterPorts 8875, 4444, 5555, 6666, 6697, 6688, 6699, 7777, 8888ASPairs 0:0ASPairs 0:0TopN 10TopN 10

• local_nets.boulderlocal_nets.boulderSUBNET=137.68.200.0/24SUBNET=137.68.200.0/24DESCRIPTION=our network1DESCRIPTION=our network1==SUBNET=137.68.201.0/24SUBNET=137.68.201.0/24DESCRIPTION=our network2DESCRIPTION=our network2


• # flowscan# flowscan

• 아래와 같은 화면이 나오면 설치 성공아래와 같은 화면이 나오면 설치 성공

FlowScan FlowScan 환경 설정 환경 설정 1212• Save old flowsSave old flows

– # mkdir /usr/flows/saved# mkdir /usr/flows/saved– # mkdir /usr/flows/other# mkdir /usr/flows/other– # touch /usr/flows/saved/.gzip_lock# touch /usr/flows/saved/.gzip_lock

• 그래프 생성그래프 생성– # cp graphs.mf /usr/flows/graphs/Makefile# cp graphs.mf /usr/flows/graphs/Makefile– # cd /usr/flows/graphs# cd /usr/flows/graphs– # gmake# gmake

• 554_dst.rrd554_dst.rrd 를 찾을 수 없다는 메시지가 나오면 다음과 같은 를 찾을 수 없다는 메시지가 나오면 다음과 같은 명령으로 명령으로 rrdrrd 파일을 수동으로 만듬파일을 수동으로 만듬# rrdtool create 554_dst.rrd --step 300 \ DS:in_bytes:ABSOLUTE:400:U:U \ # rrdtool create 554_dst.rrd --step 300 \ DS:in_bytes:ABSOLUTE:400:U:U \ DS:out_bytes:ABSOLUTE:400:U:U \ DS:in_pkts:ABSOLUTE:400:U:U \ DS:out_bytes:ABSOLUTE:400:U:U \ DS:in_pkts:ABSOLUTE:400:U:U \ DS:out_pkts:ABSOLUTE:400:U:U \ DS:in_flows:ABSOLUTE:400:U:U \ DS:out_pkts:ABSOLUTE:400:U:U \ DS:in_flows:ABSOLUTE:400:U:U \ DS:out_flows:ABSOLUTE:400:U:U \ RRA:AVERAGE:0:1:600 \ DS:out_flows:ABSOLUTE:400:U:U \ RRA:AVERAGE:0:1:600 \ RRA:AVERAGE:0:6:600 \ RRA:AVERAGE:0:24:600 \ RRA:AVERAGE:0:6:600 \ RRA:AVERAGE:0:24:600 \ RRA:AVERAGE:0:288:732 \ RRA:MAX:0:24:600 \ RRA:MAX:0:288:732RRA:AVERAGE:0:288:732 \ RRA:MAX:0:24:600 \ RRA:MAX:0:288:732

FlowScan FlowScan 환경 설정 환경 설정 1313• crontab crontab 설정설정

# { FlowScan stuff:# { FlowScan stuff:### make the graphs:# make the graphs:0,5,10,15,20,25,30,35,40,45,50,55 * * * * test -f /usr/flows/graphs/Makefile && 0,5,10,15,20,25,30,35,40,45,50,55 * * * * test -f /usr/flows/graphs/Makefile &&

cd /usr/flows/graphs && /usr/local/bin/gmake -s >/dev/nullcd /usr/flows/graphs && /usr/local/bin/gmake -s >/dev/null###copy files in internet directory#copy files in internet directory3,8,13,18,23,28,33,38,43,48,53,58 * * * * cp /usr/flows/graphs/*.png 3,8,13,18,23,28,33,38,43,48,53,58 * * * * cp /usr/flows/graphs/*.png

/usr/local/webdocument/ && cp /usr/flows/graphs/*.html /usr/local/webdocument/ && cp /usr/flows/graphs/*.html /usr/local/webdocument//usr/local/webdocument/

### gzip the saved flow files:# gzip the saved flow files:2,7,12,17,22,27,32,37,42,47,52,57 * * * * test -d /usr/flows/saved && cd 2,7,12,17,22,27,32,37,42,47,52,57 * * * * test -d /usr/flows/saved && cd

/usr/flows/saved && /usr/flows/bin/locker -ne .gzip_lock "/usr/local/bin/ksh -c /usr/flows/saved && /usr/flows/bin/locker -ne .gzip_lock "/usr/local/bin/ksh -c '/bin/ls flows.[0-9]!(*.gz) 2>/dev/null | /usr/bin/xargs -n1 /usr/bin/gzip'"'/bin/ls flows.[0-9]!(*.gz) 2>/dev/null | /usr/bin/xargs -n1 /usr/bin/gzip'"

### Purge the flow files:# Purge the flow files:# find(1) -mtime +1 was insufficient - I want to delete them as soon as they're# find(1) -mtime +1 was insufficient - I want to delete them as soon as they're# `n' hours old:# `n' hours old:0 * * * * /usr/bin/find /usr/flows/saved -type f -name 'flows.*' -print |/usr/bin/perl -e 0 * * * * /usr/bin/find /usr/flows/saved -type f -name 'flows.*' -print |/usr/bin/perl -e

'$now = time; $seconds = 28*60*60; while (<>) { chomp; (@_ = stat $_) && '$now = time; $seconds = 28*60*60; while (<>) { chomp; (@_ = stat $_) && ($now - $_[9] > $seconds) && print $_, "\n" }' |/usr/bin/xargs /bin/rm -f($now - $_[9] > $seconds) && print $_, "\n" }' |/usr/bin/xargs /bin/rm -f

# } # }


• vi /usr/local/etc/apache/httpd.confvi /usr/local/etc/apache/httpd.confDocumentRoot /usr/local/webdocumentDocumentRoot /usr/local/webdocumentScriptAlias /cgi-bin/ "/usr/local/webdocument/cgi-ScriptAlias /cgi-bin/ "/usr/local/webdocument/cgi-

bin/"bin/"<Directory "/usr/local/webdocument/cgi-bin/"><Directory "/usr/local/webdocument/cgi-bin/">

• #apachectl start#apachectl start• 홈페이지를 통해서 홈페이지를 통해서 flowscanflowscan 의 각종 그래프가 의 각종 그래프가

보이면 설치 완료보이면 설치 완료 ..• FlowScan+FlowScan+ 를 설치 하지 않으려면 여기서 종를 설치 하지 않으려면 여기서 종

료료 ..

FlowScan+ FlowScan+ 환경 설정환경 설정

• 현재 개발 진행 중현재 개발 진행 중• optimization, visualization, optimization, visualization, 보안 문제 보안 문제

해결 등을 추진 중임해결 등을 추진 중임• 20022002 년 말까지 과제 종료 예정년 말까지 과제 종료 예정• testtest 로 설치해 보고 싶으신 분은 로 설치해 보고 싶으신 분은

flowscan.kreonet2.netflowscan.kreonet2.net 에 방문하셔서 에 방문하셔서 설치 안내를 받아 설치 가능설치 안내를 받아 설치 가능 ..

결론결론

• FlowScanFlowScan 은 아주 유용한 은 아주 유용한 passive passive measurement measurement 분석 도구분석 도구

• 개발 중인 개발 중인 FlowScan+FlowScan+ 를 통해 더 자세한 를 통해 더 자세한 트래픽 분석이 가능함트래픽 분석이 가능함

• KREONETKREONET 의 사용자인 경우의 사용자인 경우 , FlowScan, , FlowScan, FlowScan+ FlowScan+ 설치 관련 문의 및 지원 가능설치 관련 문의 및 지원 가능

• Contact: Contact: 이만희 이만희 [email protected]@kisti.re.kr

mailto:[email protected]

ReferencesReferences

• KREONET FlowScan+ KREONET FlowScan+ http://flowscan.kreonet2.nethttp://flowscan.kreonet2.net

• KAIST Project Homepage(developers) KAIST Project Homepage(developers) http://cosmos.kaist.ac.kr/~navihphttp://cosmos.kaist.ac.kr/~navihp

• KAIST FlowScan+ HomepageKAIST FlowScan+ Homepage

http://moran.kaist.ac.krhttp://moran.kaist.ac.kr • http://net.doit.wisc.edu/~plonka/lisa/FlowScan/http://net.doit.wisc.edu/~plonka/lisa/FlowScan/

• http://http://www.caida.org/tools/measurement/cflowdwww.caida.org/tools/measurement/cflowd//

http://flowscan.kreonet2.net/

http://cosmos.kaist.ac.kr/~navihp

http://moran.kaist.ac.kr/

http://net.doit.wisc.edu/~plonka/lisa/FlowScan/

http://www.caida.org/tools/measurement/cflowd/



network measurement for kreonet -flowscan- 2002.9.26이만희kisti/kreonet

Documents