Network Diagnostics Using Passive Network Monitoring
and Packet Analysis
Martin Holkovič, CESNET, Czech Republic
Ondřej Ryšavý, Brno University of Technology, Czech Republic
Motivation
[Figure: a user tries to send an e-mail through an SMTP server; the network administrator works from a diagnostics report. Traffic recorder: https://www.flowmon.com/en/products/flowmon/traffic-recorder]
Why it is not an easy problem
Network Diagnostics Using Passive Network Monitoring and Packet Analysis 3/18
• Each protocol is different
• Each network is different
• Dependencies between services
• Requires deep knowledge and a lot of time
Bahl, P.; Chandra, R.; Greenberg, A.; et al.: Towards highly reliable enterprise network services via inference of multi-level dependencies. In ACM SIGCOMM Computer Communication Review, vol. 37, ACM, 2007, pp. 13–24
Possible methods
• Wireshark - manual
• How are the data accessed?
  • Active
  • Passive
• How is the model created?
  • Learned
  • Predefined
Our goals
• Passive analysis from PCAP file
• Predefined rule-based tree model
• Automate administrator’s actions
• Readable diagnostic output
• Easily extensible by an administrator
Proposed architecture
Protocols Analyzer
• Uses Tshark (Wireshark)
• Supports over 3,000 protocols and over 227,000 fields
• Integrated lower-layer analysis
• JSON output
Events Finder
• Simulates the questions a real administrator asks
  • E.g., SMTP authentication
• Two-step process:
  1. Find specific packets
  2. Create tuples from packets fulfilling conditions
Tree Engine
• Binary tree
  • Two next states
• Each node refers to the Events Finder
• State represents the knowledge gathered so far
• Integrates Python code
Output creator
• Predefined output records
• Creates links between records
• JSON format
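The pipeline on the preceding slides, from the Protocols Analyzer's JSON through the Events Finder's two steps, the Tree Engine's binary tree and the Output creator's linked records, as an added example that is not the authors' tool. It assumes the packet layout of `tshark -r capture.pcap -T json` (a list of objects with `_source.layers`, string-valued fields) and works on a constructed three-packet SMTP AUTH exchange embedded inline; the rule name `smtp_auth`, the tree and the record ids are hypothetical.

```python
import json
from dataclasses import dataclass
from typing import Callable

# --- Protocols Analyzer ------------------------------------------------------
# Constructed sample in the shape of `tshark -r capture.pcap -T json` output, trimmed
# to the fields this example reads. Frames 4, 5 and 9 are one SMTP session
# (10.0.0.5:51000 -> 10.0.0.25:25) in which the server rejects AUTH LOGIN.
def _pkt(frame, src, sport, dst, dport, smtp):
    return {"_source": {"layers": {
        "frame": {"frame.number": str(frame)},
        "ip": {"ip.src": src, "ip.dst": dst},
        "tcp": {"tcp.srcport": str(sport), "tcp.dstport": str(dport)},
        "smtp": smtp}}}

TSHARK_JSON = json.dumps([
    _pkt(4, "10.0.0.5", 51000, "10.0.0.25", 25,
         {"smtp.req": "1", "smtp.req.command": "AUTH", "smtp.req.parameter": "LOGIN"}),
    _pkt(5, "10.0.0.25", 25, "10.0.0.5", 51000, {"smtp.response.code": "334"}),
    _pkt(9, "10.0.0.25", 25, "10.0.0.5", 51000,
         {"smtp.response.code": "535", "smtp.rsp.parameter": "Authentication failed"}),
])

def load_packets(tshark_json):
    """Flatten every packet's layers into one {field: value} dict (tshark emits strings)."""
    return [{k: v for layer in p["_source"]["layers"].values() for k, v in layer.items()}
            for p in json.loads(tshark_json)]

# --- Events Finder -----------------------------------------------------------
def find_packets(pkts, match):
    """Step 1: packets whose fields equal every value in `match`."""
    return [p for p in pkts if all(p.get(k) == v for k, v in match.items())]

def is_reply_to(req, rsp):
    """Same TCP flow in the reverse direction, captured after the request."""
    return ((req["ip.src"], req["tcp.srcport"]) == (rsp["ip.dst"], rsp["tcp.dstport"])
            and (req["ip.dst"], req["tcp.dstport"]) == (rsp["ip.src"], rsp["tcp.srcport"])
            and int(rsp["frame.number"]) > int(req["frame.number"]))

def smtp_auth_events(pkts):
    """Step 2: (AUTH request, server verdict) tuples, one per authentication attempt.
    The verdict is the first 235 (accepted) or 535 (rejected) reply in the flow, or None."""
    verdicts = [p for p in pkts if p.get("smtp.response.code") in ("235", "535")]
    return [(req, next((r for r in verdicts if is_reply_to(req, r)), None))
            for req in find_packets(pkts, {"smtp.req.command": "AUTH"})]

FINDERS = {"smtp_auth": smtp_auth_events}   # hypothetical rule name -> finder function

# --- Tree Engine -------------------------------------------------------------
@dataclass
class Node:
    """One question in the binary tree: run an Events Finder rule, evaluate Python code
    on its events, and take one of two next states (output record id, next Node or None)."""
    finder: str
    condition: Callable[[list], bool]
    on_true: tuple
    on_false: tuple

def _accepted(events):
    return any(r is not None and r["smtp.response.code"] == "235" for _, r in events)

SMTP_TREE = Node("smtp_auth", lambda ev: len(ev) > 0,
    on_true=("smtp.auth_seen",
             Node("smtp_auth", _accepted, ("smtp.auth_ok", None), ("smtp.auth_failed", None))),
    on_false=("smtp.no_auth", None))

def run_tree(root, pkts):
    """Walk the tree; each step yields (record id, frames of the events it rested on)."""
    node, steps = root, []
    while node is not None:
        events = FINDERS[node.finder](pkts)
        record_id, node = node.on_true if node.condition(events) else node.on_false
        frames = sorted({int(p["frame.number"]) for ev in events for p in ev if p is not None})
        steps.append((record_id, frames))
    return steps

# --- Output creator ----------------------------------------------------------
RECORDS = {   # predefined output records (hypothetical ids and wording)
    "smtp.no_auth": {"severity": "info", "text": "No SMTP AUTH command seen in the capture."},
    "smtp.auth_seen": {"severity": "info", "text": "Client attempted SMTP authentication."},
    "smtp.auth_ok": {"severity": "info", "text": "Server accepted the credentials (235)."},
    "smtp.auth_failed": {"severity": "error",
                         "text": "Server rejected authentication (535): check the account "
                                 "credentials and the AUTH mechanism the server offers."},
}

def build_report(steps):
    """One record per step, each linked to its evidence packets and to the next record."""
    report = []
    for i, (rid, frames) in enumerate(steps):
        rec = {"id": rid, **RECORDS[rid],
               "links": [{"type": "packet", "frame": f} for f in frames]}
        if i + 1 < len(steps):
            rec["links"].append({"type": "record", "id": steps[i + 1][0]})
        report.append(rec)
    return report

def diagnose(tshark_json):
    """Whole pipeline: tshark JSON in, linked diagnostic records out (as JSON text)."""
    return json.dumps(build_report(run_tree(SMTP_TREE, load_packets(tshark_json))), indent=2)

if __name__ == "__main__":
    print(diagnose(TSHARK_JSON))
```

Each node names the finder it asks about rather than the packets themselves, so a new question (for example a rule that checks whether the server advertised AUTH in its EHLO reply) is one more finder plus one more node; the records carry `packet` links to the frames the answer rested on and a `record` link to the next record on the path, which is what lets a reader follow the diagnosis from the verdict back to the evidence.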
Rules – Events Finder
Rules – Tree Engine
Rules - Output
Supported protocols
Future work
• Use other passive data sources
  • Syslog
  • SNMP traps
• Optimize performance
  • Filtering input data
  • Indexing key data for faster processing
Conclusion
• Network administrators need to diagnose problems
• Diagnostics is an activity that requires time and knowledge
• We use PCAP files as the data source
• We have implemented tree-based analysis
• The diagnostic output is easy to understand