Section 1
MRTG Prefix RMON NetFlow
NetFlow NetFlow Data Collector DB Subnet B B Router = Exporter Subnet A AS IP Prefix 1 Subnet B Router = Exporter AS AS Prefix 2
NetFlow Version 5 AS AS Peer AS Origin AS Next Hop / In Out ifindex IP ICMP, TCP, UDP,... TOS TCP
Exporter CPU Cisco NetFlow Performance Analysis http://www.cisco.com/en/us/products/ps6601/products_white_paper0900aecd802a0eb9.shtml CPU
Exporter Cisco
Exporter Juniper M M (1)

    firewall {
        filter sample-all {
            term one {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
Exporter Juniper M M (2)

    interfaces {
        ge-0/0/0 {
            description "Sampling Interface";
            link-mode full-duplex;
            unit 0 {
                family inet {
                    filter {
                        input sample-all;     # Input
                        output sample-all;    # Output
                    }
                    address ***.***.***.***/30;
                }
            }
        }
    }
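Exporter Juniper M M (3)

    forwarding-options {
        sampling {
            traceoptions {
                file sampled-debug size 5m;           # Debug
            }
            input {
                family inet {
                    max-packets-per-second 1000;      # PPS: cap on sampled packets per second
                    rate 5000;                        # sample 1 packet in every 5000
                    run-length 0;                     # no extra packets sampled after each trigger
                }
            }
            output {
                cflowd ***.***.***.*** {              # collector address
                    port ****;                        # UDP port on the collector
                    version 5;                        # NetFlow version 5 export format
                    autonomous-system-type origin;    # Src/Dst AS = Origin AS
                }
            }
        }
    }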
Exporter

    router: 10.1.1.162
    ifindex: 20
    period: 02/21/2006 15:14:46 - 02/21/2006 15:32:49 JST
    Src AS Dst AS Pkts          Pkts/sec      Bytes         Bits/sec
    ------ ------ ------------- ------------- ------------- -------------
    0      0      810           0.747922      666379        4922.47

    router: 10.1.1.162
    ifindex: 22
    period: 02/21/2006 15:14:46 - 02/21/2006 15:32:49 JST
    Src AS Dst AS Pkts          Pkts/sec      Bytes         Bits/sec
    ------ ------ ------------- ------------- ------------- -------------
    0      0      1             0.000923361   79            0.583564

    router: 10.1.1.162
    ifindex: 23
    period: 02/21/2006 15:14:46 - 02/21/2006 15:32:49 JST
    Src AS Dst AS Pkts          Pkts/sec      Bytes         Bits/sec
    ------ ------ ------------- ------------- ------------- -------------
    0      0      8307          7.67036       7432711       54904.6

    router: 10.1.1.162
    ifindex: 20
    period: 01/01/1970 09:00:00 - 02/21/2006 13:59:33 JST
    Src Network        Dst Network        Pkts          Bytes
    ------------------ ------------------ ------------- -------------
    10.1.122.56/32     192.168.75.236/32  1826          2655004
    10.1.123.202/32    192.168.143.165/32 759           1100015
    10.1.116.84/32     10.124.148.112/32  714           1034511
    10.1.124.61/32     10.126.73.208/32   507           689825
    10.1.122.85/32     192.168.121.187/32 405           567893
    10.1.123.193/32    10.84.7.172/32     362           508693
    10.1.98.80/32      10.124.148.248/32  293           426022
    10.1.124.134/32    192.168.99.89/32   273           395603
    10.1.124.164/32    10.85.41.155/32    179           256694
    10.1.122.24/32     10.204.139.210/32  155           208942
    10.1.116.84/32     10.86.93.108/32    145           208151
    10.1.116.68/32     10.189.248.228/32  257           118917
    10.1.103.37/32     10.95.44.209/32    170           106664

32!?
Collector/Analyzer Cisco ARBOR peakflow, GenieATM cflowd by CAIDA flow-tools nfdump/nfsen cflowd flow-tools
cflowd ARTS Origin AS Dest Prefix TCP Exporter FreeBSD
nfdump http://nfdump.sourceforge.net/
NfSen NFDUMP Web http://sourceforge.net/projects/nfsen/
flow-tools http://www.splintered.net/sw/flow-tools/ NetFlow PostgreSQL, MySQL DB Ad-Hoc DWH flow-report
Excel S-PLUS R
Excel Src or Dst AS Excel Import 65,536 x 256 MS Office Excel 2003 Src AS, Dst AS, Prefix Byte Src or Dst AS
R The R Project for Statistical Computing http://www.r-project.org/ S R S
Section 2-24
Section 3
IP? Inbound : Outbound :
1. Outbound 24h?
12 20 7 8% 7 8% 24
2. In Out Out In Out ADSL FTTH!? Outbound Traffic FTTH ADSL! Inbound Traffic
In Out Out In Out In ADSL Out 1 10G FTTH ADSL, FTTH ISP Kenjiro Cho, Kensuke Fukuda, Hiroshi Esaki and Akira Kato. The Impact and Implications of the Growth in Residential User-to-User Traffic. SIGCOMM2006 2 8
ISP ISP ISP : IP : IP ISP : 1 1 : 6 ISP =1/2048, =1/5000
ISP ISP IP?
Special Thanks to THX!! IIJ JANOG18
by VzB