[88640] in North American Network Operators' Group


NANOG36-NOTES 2006.02.14 talk 3 Flamingo Netflow Visualization Tool

daemon@ATHENA.MIT.EDU (Matthew Petach)
Tue Feb 14 15:05:39 2006

Date: Tue, 14 Feb 2006 12:04:51 -0800
From: Matthew Petach <mpetach@netflight.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu



2006.02.14 talk 3 Flamingo netflow visualization

Manish (from BGP Inspect project from Merit)
bgpinspect.merit.edu:8080

He'll be talking later at the Tools BOF as well
apparently.

Introduction: What is Flamingo?
Visualization
The Flamingo Tool
 combining visualizations with controls
Case Studies
 traffic anomaly
 network scans
 worm traffic
 P2P traffic
 the slashdot effect.


The tool has been under development for a year;
John, in audience, and Mike (now employed) have
been working on it as undergrads.

It's just a view into netflow, no filters or
adjustment of data
it's just a visualization system.
client/server architecture

a single server can support multiple clients

Visualization methods
5 different views
extended quad tree implementation
 volume by src/dst IP prefix
 volume by src/dst AS

Basic quad tree
represent a 32-bit IP address in a fixed space.
4 areas are representable by 2 bits.  Keep splitting
16 times and you represent a 32-bit address in a 2D
mapping.

convert it into 3 dimensions, and you have an axis of
freedom to represent additional info.

So one side is the quad tree, the Z axis is volume
of traffic, so you can see relative volumes.
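The quad-tree mapping just described, as an added example in Python (this is not Flamingo's code; the flow records are a constructed sample, not real NetFlow data). Each 2-bit pair of the address, starting from the most significant bits, selects one of four quadrants; after 16 splits the full 32-bit address has a unique (x, y) cell, and stopping earlier gives a cell per prefix (depth 8 corresponds to a /16). The per-cell byte sum is the quantity the talk puts on the Z axis:

```python
import ipaddress
from collections import defaultdict

def quadtree_xy(ip: str, depth: int = 16):
    """Map an IPv4 address to (x, y) in a 2^depth x 2^depth quad-tree grid.

    Each 2-bit pair of the address picks a quadrant: the high bit of the pair
    goes to y, the low bit to x.  With depth=16 all 32 bits are consumed and
    the mapping is lossless; a smaller depth aggregates by prefix.
    """
    if not 1 <= depth <= 16:
        raise ValueError("depth must be between 1 and 16")
    n = int(ipaddress.IPv4Address(ip))
    x = y = 0
    for level in range(depth):
        shift = 32 - 2 * (level + 1)          # position of this level's 2-bit pair
        pair = (n >> shift) & 0b11
        x = (x << 1) | (pair & 1)
        y = (y << 1) | (pair >> 1)
    return x, y

def quadtree_ip(x: int, y: int, depth: int = 16) -> str:
    """Inverse of quadtree_xy: rebuild the address (or prefix base) from a cell."""
    n = 0
    for level in range(depth):
        bit = depth - 1 - level
        pair = (((y >> bit) & 1) << 1) | ((x >> bit) & 1)
        n = (n << 2) | pair
    n <<= 32 - 2 * depth                      # unused low bits become zero
    return str(ipaddress.IPv4Address(n))

def volume_by_cell(flows, depth: int = 8):
    """Sum bytes per quad-tree cell of the source address at the given depth.

    This is the Z-axis value of the talk's first view: one bar per cell.
    """
    cells = defaultdict(int)
    for f in flows:
        cells[quadtree_xy(f["src"], depth)] += f["bytes"]
    return dict(cells)

# Constructed sample flows (hypothetical addresses from documentation ranges).
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "192.0.2.10", "dport": 53, "proto": "udp", "bytes": 500},
    {"src": "10.1.9.9", "dst": "192.0.2.10", "dport": 53, "proto": "udp", "bytes": 1500},
    {"src": "10.2.0.1", "dst": "192.0.2.25", "dport": 25, "proto": "tcp", "bytes": 700},
]

if __name__ == "__main__":
    for ip in ("0.0.0.0", "128.0.0.0", "203.0.113.7"):
        x, y = quadtree_xy(ip)
        print(f"{ip:>15} -> cell ({x}, {y}) -> {quadtree_ip(x, y)}")
    # At depth 8 the two 10.1.x.x sources share one cell; 10.2.x.x gets another.
    print(volume_by_cell(SAMPLE_FLOWS, depth=8))
```

At depth 8 the two 10.1.0.0/16 sources land in the same cell and their bytes add up, which is exactly why a single noisy /16 shows as one tall block in the main view before you zoom in.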

nice slide showing visualization of the traffic
flow patterns.

Can show traffic flows aggregated by src/dst IP;
now there's 2 surfaces needed on the cube, so they
use line thickness between the surfaces to show
flow sizes between ASes.

last visualization incorporates port info as well;
but since there's only one axis left,
port-level info now goes on the z axis.
so src IP/port is X1Y1Z1; same for dest IP and port.
Once there are coordinates, the line can be drawn,
scale the width based on the volume, and now you
have the full info in one view.

Same colour used to represent traffic from the
same source ntuple.

combine 2D and 3D representation of data to help
keep yourself oriented.

They have text representations of the information,
same as the visual data, but in text form.
Slider bars allow thresholding of what gets
displayed, to prevent clutter; only over a certain
size, or only certain ports, etc.

Can also apply labels to help pull information out
for fast reference.

You can also restrict the address space you care about
to only look at certain subnets.

Case study: Traffic anomaly, Sunday Oct 16, 2005

large burst of traffic from one host at umich,
lasted 6 hours, four targets, not widely
distributed, it was UDP traffic.
Was visible in normal view.
from 12pm to 6pm.
visible on main view, zoomed in, and the 4 million
flows show as a huge block.
going to src/dest view lets you see where the traffic
is going.
adding the port info, and you see the entire port
space is being sprayed.

Another case study--worm traffic doing port 42 scans
a fan view on the graph, highly visible.

An artificial case study, a host scanning a /24
subnet

SSH scans also show up as many many ports probing
a single port; a reverse fan.

Slashdot effect on campus Oct 31 2004; have before
and during pictures showing the huge traffic swing.

Zotob worm infection;
random destination IPs, but same port, coming from
same host, cone effect.

P2P traffic; single host with multiple connections
to different destinations, significant volume to each.

Darkspace traffic visualizations show nothing but
scans, show up really dramatically.
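The shapes the case studies describe (a fan from one host to many destinations on one port, a reverse fan from many sources onto one port, and the port-space spray of the Oct 16 anomaly) are just distinct-count patterns over flow records, and can be flagged in text before anyone looks at a 3D view. The following is an added example in Python, not Flamingo's code; the flow sample and the thresholds are constructed for illustration:

```python
from collections import defaultdict

def distinct_counts(flows, key_fields, count_field):
    """Group flows by key_fields and count distinct values of count_field per group."""
    seen = defaultdict(set)
    for f in flows:
        seen[tuple(f[k] for k in key_fields)].add(f[count_field])
    return {k: len(v) for k, v in seen.items()}

def fan_patterns(flows, threshold=5):
    """One source hitting many distinct destination IPs on one port (scan / worm 'cone')."""
    counts = distinct_counts(flows, ("src", "dport"), "dst")
    return sorted(k for k, n in counts.items() if n >= threshold)

def reverse_fan_patterns(flows, threshold=5):
    """Many distinct sources converging on one destination IP and port (e.g. SSH probing)."""
    counts = distinct_counts(flows, ("dst", "dport"), "src")
    return sorted(k for k, n in counts.items() if n >= threshold)

def port_spray_patterns(flows, threshold=10):
    """One source to one destination across many distinct ports (the port-space spray)."""
    counts = distinct_counts(flows, ("src", "dst"), "dport")
    return sorted(k for k, n in counts.items() if n >= threshold)

def _flow(src, dst, dport, proto="tcp", pkts=1):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "pkts": pkts}

# Constructed sample (documentation address ranges, not observed traffic).
CASE_FLOWS = (
    # fan: one host touching 8 destinations on port 42
    [_flow("10.0.0.5", f"198.51.100.{i}", 42) for i in range(1, 9)]
    # reverse fan: 6 sources probing one host on port 22
    + [_flow(f"203.0.113.{i}", "10.0.0.20", 22) for i in range(1, 7)]
    # port spray: one host, one target, 20 distinct UDP ports
    + [_flow("10.0.0.7", "192.0.2.9", p, proto="udp") for p in range(1, 21)]
    # ordinary traffic: a few DNS lookups to one resolver
    + [_flow("10.0.0.9", "192.0.2.53", 53, proto="udp") for _ in range(3)]
)

if __name__ == "__main__":
    print("fans         :", fan_patterns(CASE_FLOWS))
    print("reverse fans :", reverse_fan_patterns(CASE_FLOWS))
    print("port sprays  :", port_spray_patterns(CASE_FLOWS))
```

The same text view that the tool offers next to its graphics is what these three functions produce: each returns the keys worth zooming in on, and the slider thresholds in the talk correspond to the `threshold` arguments here.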

Conclusion
The Flamingo Visualization Tool provides users with
the ability to easily explore and extract meaningful
information regarding traffic flows in their network.

More will be discussed at the Tools BOF this afternoon.

http://flamingo.merit.edu/

Break now, come back at 10:50.  Someone left a jacket
at the Yahoo party with a digital camera; describe it
to the registration desk to get it back.
