there's plenty of room at the bottom
DESCRIPTION
An overview of network flow collection and an invitation to look at the fast_ip network flow platform. http://fastip.com
TRANSCRIPT
There’s Plenty of Room at the Bottom:
An Invitation to Explore with Network Flows
Benjamin [email protected]
What are Flows & Why Should You Care?
You Should Care Because Visibility Makes Your Life Easier.
Network Flow Data Means Great Visibility.
DDoS Detection
Capacity Planning
Traffic Management
Troubleshooting
Correlation...
The Nature of Flows
[traffic]
[streams]
[packets]
Payload
Header
[headers]
Source IP Address
Destination IP Address
Source Port
Destination Port
Protocol
[latency]
[jitter]
[packet loss]
The Structure of Flows
[flow keys]
Source IP Address
Destination IP Address
Source Port
Destination Port
Protocol
=
Source IP Address
Destination IP Address
Source Port
Destination Port
Protocol
[templates]
src IPv4 address
dest IPv4 address
src port
dst port
protocol
total packets
start time
end time
total octets
template_id 253
[flow records]
172.16.101.3
192.169.7.200
9801
80
TCP
24 packets
start 28349829023
end 28356729023
27342 octets
template_id 253
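An added example, not part of the original slides: a minimal metering process that folds packets sharing a flow key into one record carrying the fields of the slide's template 253, then measures how large the exported records are relative to the traffic they describe. The packet list, the protocol numbers and the 45-byte field layout are assumptions of this example.

```python
import socket
import struct

# Assumed fixed layout for the slide's template 253 (field widths are this example's choice):
# src IPv4, dst IPv4, src port, dst port, protocol, packets, start, end, octets
RECORD = struct.Struct("!4s4sHHBQQQQ")

def meter(packets):
    """Fold (ts, src, dst, sport, dport, proto, length) packets into flow records."""
    flows = {}
    for ts, src, dst, sport, dport, proto, length in packets:
        key = (src, dst, sport, dport, proto)  # the flow key; direction matters
        rec = flows.setdefault(key, {"packets": 0, "start": ts, "end": ts, "octets": 0})
        rec["packets"] += 1
        rec["octets"] += length
        rec["start"] = min(rec["start"], ts)
        rec["end"] = max(rec["end"], ts)
    return flows

def encode(key, rec):
    """Serialize one record in the fixed layout above (45 bytes)."""
    src, dst, sport, dport, proto = key
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), sport, dport,
                       proto, rec["packets"], rec["start"], rec["end"], rec["octets"])

def overhead(flows):
    """Exported record bytes divided by the traffic bytes they describe."""
    return len(flows) * RECORD.size / sum(r["octets"] for r in flows.values())

# Constructed packet headers: 24 packets reproducing the slide's record,
# two replies in the reverse direction, and one single-packet UDP lookup.
T0 = 28349829023
WEB = ("172.16.101.3", "192.169.7.200", 9801, 80, 6)
SAMPLE = [(T0 + i * 300000, *WEB, 1145 if i == 23 else 1139) for i in range(24)]
SAMPLE += [(T0 + 5, "192.169.7.200", "172.16.101.3", 80, 9801, 6, 60),
           (T0 + 9, "192.169.7.200", "172.16.101.3", 80, 9801, 6, 60),
           (T0 + 7, "172.16.101.3", "172.16.101.1", 53124, 53, 17, 74)]

if __name__ == "__main__":
    flows = meter(SAMPLE)
    for key, rec in flows.items():
        print(key, rec, len(encode(key, rec)), "bytes")
    print("overhead: %.2f%%" % (100 * overhead(flows)))
```

In the sample, the one-packet UDP flow costs 45 exported bytes for 74 bytes of traffic, while the 24-packet flow costs the same 45 bytes for 27342, so short flows dominate the export volume.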
The Ecosystem of Flows
[metering process]
172.16.101.3
192.169.7.200
9801
80
TCP
24 packets
start 28349829023
end 28356729023
27342 octets
template_id 253
[observation domain]
eth0
eth1
eth2
[collecting process]
172.16.101.3
192.169.7.200
9801
80
TCP
24 packets
start 28349829023
end 28356729023
27342 octets
template_id 253
Storage and Analysis are Left as an Exercise for the Reader
Where Do Meters Run?
On Network Switches/Routers [often sampled]
Dedicated Appliances [expensive/limited storage]
On Hosts [where does the data go?]
The Classical View
Where is this coming from?
Where is this going?
The Flow View
TANSTAAFL
Flow Data Takes Up LOTS of Space
[often >1% total traffic]
LOTS of Space Means Storage Expense or Loss of Resolution or Truncation
LOTS of (Multi-dimensional) Data is Hard to Analyze
Inflexible and Limited or Expensive and Complicated
[apologies]
[resources]
IPFIX WG: http://datatracker.ietf.org/wg/ipfix/charter/
nProbe: http://www.ntop.org/nProbe.html
Cisco NetFlow Collection Engine: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html
Arbor Networks: http://www.arbornetworks.com/
Dartware: http://www.intermapper.com/products/intermapper-flows
[finally...]
fast_ip is a platform for flow analytics
http://fastip.com
Sign up for our beta