08-13-2012, 11:58 AM #1
Analyzing traffic to router from network scenario
A few weeks back I was in a scenario in which I had to analyze the whole traffic of a network. Yes! The whole traffic of the network. All VLANs.
Hmm. So the natural option was to analyze upstream traffic from all switches going to the router. The added danger was that if I messed up anything in their data center, I would feel the wrath of a lot of people.
So I am just enumerating some ways which I thought could be done in such a scenario. (Note that I am not very good at networking.)
1. The use of network taps (Network tap - Wikipedia, the free encyclopedia) comes in very handy in such scenarios. The hardware is specially made to duplicate traffic from a wire, and the monitoring node sees this traffic. So no hindrance to actual bandwidth and packets. Pretty cool, eh? But pricing is not very cool...
2. Port mirroring is the natural option that most would opt for. The economical and most viable option. What is port mirroring? >> Port mirroring - Wikipedia, the free encyclopedia. Note, it can only be done on switch ports. (Correct me if I am wrong.)
There was a main switch which was handling all the rest of the switches. There was one LAN wire which was going from this main switch port to the router port. Port mirroring can be enabled on this port to capture all the packets going upstream to the router.
Note that port mirroring is enabled by issuing extra commands on the switch or by configuring it through the web interface of the switch.
3. Many routers now come with NetFlow technology. (NetFlow - Wikipedia, the free encyclopedia)
Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records, toward at least one NetFlow collector - typically a server that does the actual traffic analysis.
4. An idea also came to put a machine with two NIC cards running Linux between the connection. Put one interface for the incoming connection and another interface for the outgoing connection. Enable IP forwarding. Capture traffic on any interface. Could it be done?
Didn't try this method as it was automatically evident that a single x86 machine could not handle all the traffic of the network and could collapse.
Anyways, please do share some more points if you can come up with something w.r.t. this scenario.
In the world of 0s and 1s, are you a zero or The One!
08-18-2012, 05:03 PM #2
08-18-2012, 07:35 PM #3
If your objective is to just monitor the network traffic, i.e. the bandwidth statistics & protocol statistics, then NetFlow is the one to go for.... Config is simple, i.e. a set of commands to redirect traffic to a particular IP which has the NetFlow client to analyze the NetFlow statistics.
If your objective is to collect all traffic data, go with port mirroring.... But you might experience latency and overheads in the network.... It depends on the core switch HW config.
The option of going with 2 NIC cards would be the least preferred in my opinion; you will have packet loss.
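As an added example (not code from this thread or any of its posters), here is a minimal Python decoder for the NetFlow v5 datagrams that an exporter sends to a collector, producing the per-service and per-source byte totals that the posts call bandwidth and protocol statistics. The header and record layout follow the NetFlow v5 export format; the function names and the sample datagram are my own constructions, and the truncation check is there because a collector receives these over UDP and must drop clipped or foreign datagrams rather than misparse them.

```python
import struct
import ipaddress
from collections import defaultdict
# NetFlow v5 wire layout (network byte order): 24-byte header, then up to 30 fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"               # version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in/out if, pkts, octets, first, last, ports, ...
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)  # 24, 48

def parse_netflow_v5(datagram):
    """Decode one exported datagram into flow dicts, rejecting malformed or truncated input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5 or count > 30:
        raise ValueError("not a sane NetFlow v5 header")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated: header announces more records than are present")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def is_well_formed(datagram):
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False

def summarize(flows):
    """Bytes per (protocol, destination port) and per source host: the bandwidth/protocol view."""
    by_service, by_source = defaultdict(int), defaultdict(int)
    for f in flows:
        by_service[(f["proto"], f["dport"])] += f["bytes"]
        by_source[f["src"]] += f["bytes"]
    return dict(by_service), dict(by_source)

def build_datagram(records):  # constructed exporter output for testing; unused fields are zeroed
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 1344857880, 0, 0, 0, 0, 0)
    body = b"".join(struct.pack(RECORD_FMT, ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                                b"\0" * 4, 0, 0, pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
                    for s, d, pk, oc, sp, dp, pr in records)
    return header + body

# Constructed sample: two HTTPS flows from one host and one DNS lookup from another.
SAMPLE = build_datagram([("10.1.20.15", "203.0.113.7", 40, 56000, 51234, 443, 6),
                         ("10.1.20.15", "203.0.113.7", 12, 1800, 51235, 443, 6),
                         ("10.1.30.8", "10.1.0.53", 3, 240, 40001, 53, 17)])
```

A real collector would bind a UDP socket and feed each received datagram through the same two functions, dropping anything `parse_netflow_v5` rejects.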
01-29-2013, 03:57 AM #4
I agree with AnarKI.
If you're analyzing multiple systems and this is a datacenter you're talking about, and you're wanting to place a NIC card on 2 systems, one for forwarding and one for outgoing, + you have over 1000+ systems forwarding all information at once, you could look at load balancing being slowed down, and not only that, the systems might not be able to handle such information.
I don't think putting it on 2 systems will do the job. By reading about NetFlow it seems like it would do the trick, but then again you're analyzing over 1000+ systems.
The best thing to do is make a network script that runs a tcpdump on all systems and forwards the data to a particular machine, and run it through network analyzer software.
Tcpdump is very low and would not increase any system performance.
By putting a tcpdump script on 50 systems with a 25 MB file each day, let's say it fills up 25 MB each day forwarded to all other systems, you're looking at maybe a
3 GB+ file to analyze, and spread across a multiple-tier system with higher power performance it would reduce the performance greatly, especially if it has parallel distribution.