Network Diagnostics Using Passive Network Monitoring

and Packet Analysis

Martin Holkovič, CESNET, Czech RepublicOndřej Ryšavý, Brno University of Technology, Czech Republic

Motivation

User tries to send an e-mail

Networkadministrator

diagnosticsreport

SMTP serverhttps://www.flowmon.com/en/products/flowmon/traffic-recorder

Why it is not an easy problem

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 3/18

• Each protocol is different

• Each network is different

• Dependencies between services

• Requiring deep knowledge and lot of time

Bahl, P.; Chandra, R.; Greenberg, A.; aj.: Towards highly reliable enterprise network services via inference of multi-level dependencies. In ACM SIGCOMM Computer CommunicationReview, ročník 37, ACM, 2007, s. 13–24

Possible methods

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 4/18

• Wireshark - manual

• How are the data accessed?

• How is the model created?

Active

Passive

Learned

Predefined

Our goals

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 5/18

• Passive analysis from PCAP file

• Predefined rule-based tree model

• Automate administrator’s actions

• Good-readable diagnostic output

• Easily extendible by an administrator

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 6/18

Proposed architecture

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 7/18

Protocols Analyzer

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 8/18

• Using Tshark (Wireshark)

• Support over 3000 protocols and over 227000 fields

• Integrated lower layers analysis

• JSON output

Events Finder

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 9/18

• Simulates questions of a real administrator• E.g., SMTP authentication

• Two step process:1. Find specific packets

2. Create tuples from packets fulfilling conditions

Tree Engine

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 10/18

• Binary tree• Two next states

• Each node refers to the Events Finder

• State represents the knowledge

• Integrates Python code

Output creator

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 11/18

• Predefined output records

• Creates links between records

• JSON format

Rules – Events Finder

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 12/18

Rules – Tree Engine

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 13/18

Rules - Output

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 14/18

Supported protocols

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 15/18

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 16/x

Future work

• Use another passive data sources• Syslog

• SNMP traps

• Optimize performance• Filtering input data

• Indexing key-data for faster processing

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 17/18

Conclusion

• Network administrators need to diagnose problems

• Diagnostics is time and knowledge requiring activity

• We use PCAP files as the data source

• We have implemented tree-based analysis

• The diagnostic output is good understandable

Network Diagnostics Using Passive Network Monitoring and Packet Analysis 18/18