Analysis of Multiple Traffic Acquisition Technologies for Unified Traffic Management Platform

The SNMP, NetFlow/NetStream, and traffic probe analysis systems of a data network each analyze only the information they collect themselves. The data from the different traffic collection systems cannot be analyzed and correlated together to improve the depth and accuracy of traffic analysis. This paper proposes a unified traffic management platform that draws its data from multiple traffic collection technologies for comprehensive analysis and management, improving the accuracy of traffic analysis and the efficiency of operation and maintenance.

Traffic collection technology falls mainly into three types: SNMP-based collection, collection by the network equipment itself (NetFlow/NetStream), and collection by hardware probes. A comparative analysis of the three traffic collection techniques is as follows.

Application scenario analysis

The unified traffic management platform can support multiple traffic collection technologies. This helps to consolidate management and save costs across the entire network, with the collection technology chosen according to the importance of each link.

According to the analysis in Table 1, the hardware probe supports packet-by-packet capture and the finest level of analysis, but probe devices are expensive. Given the cost, it is not necessary to deploy probes on many links; they can be reserved for the core links. On access links, depending on the device level, NetFlow/NetStream can be enabled for collection provided the performance of the network device is not compromised, or SNMP can be used instead. In this way, across the entire network, the traffic collection technology is matched to each application, so that management is fine-grained and management costs are reduced.

Unified Traffic Management Platform System Design

The unified traffic management platform proposed in this paper accepts three traffic data sources: SNMP, NetFlow/NetStream, and hardware probes. The system functions cover the collection, statistics, and analysis of traffic data.

Functions that can be implemented with traffic statistics based on SNMP data: traffic rate, byte rate, packet rate, and bandwidth utilization of all physical ports of the network device.

Functions that can be implemented with traffic statistics based on NetFlow/NetStream data: application traffic rate, byte rate, bandwidth utilization, and application composition on a given physical port of the network device. The statistical dimensions are IP network segment, IP communication pair, and single IP.

Functions that can be implemented with traffic statistics based on probe data:

Traffic rate, byte rate, packet rate, packet type, packet size distribution, and bandwidth utilization of all physical ports of the network device.

Application traffic rate, byte rate, bandwidth utilization, and application composition on a given physical port of the network device. The statistical dimensions are IP network segment, IP communication pair, and single IP.

Application traffic rate, byte rate, bandwidth utilization, and application composition on a logical port of the network device (such as an MPLS-VPN logical interface). The statistical dimensions are IP network segment, IP communication pair, and single IP.

SNMP-based traffic collection process: First, the SNMP data parsing program periodically sends an SNMP GET request to the network device to read the interface traffic information in the device's SNMP MIB. Second, after receiving the SNMP GET request, the network device returns the corresponding information to the SNMP data parsing program according to the content of the request. Third, the parsing program parses the returned SNMP data packet and inserts the parsed content into the interface flow table in the database. Fourth, after the interface traffic data has been inserted, the program reports the updated content to the corresponding function interface of the traffic management module.
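Turning two successive polls into the SNMP statistics listed earlier (byte rate, packet rate, bandwidth utilization) means handling counter wrap and counter resets. The following is an added example, not code from the platform described here; it assumes the polled objects are the standard IF-MIB counters ifInOctets, ifInUcastPkts and ifSpeed, and `IfSample` is a hypothetical structure.

```python
from dataclasses import dataclass


@dataclass
class IfSample:
    """One poll of an interface (hypothetical structure for this example)."""
    ts: float        # poll time in seconds
    in_octets: int   # ifInOctets (32-bit) or ifHCInOctets (64-bit)
    in_pkts: int     # ifInUcastPkts or ifHCInUcastPkts
    speed_bps: int   # ifSpeed, in bits per second


def counter_delta(prev, cur, bits):
    """Difference of two readings of a counter that wraps at 2**bits."""
    if cur >= prev:
        return cur - prev
    return cur + (1 << bits) - prev   # assumes exactly one wrap between polls


def interface_rates(prev, cur, bits=32):
    """Return rates and utilization for one interval, or None if implausible."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples out of order")
    byte_rate = counter_delta(prev.in_octets, cur.in_octets, bits) / dt
    pkt_rate = counter_delta(prev.in_pkts, cur.in_pkts, bits) / dt
    bit_rate = byte_rate * 8
    if cur.speed_bps <= 0 or bit_rate > cur.speed_bps:
        # A rate above line speed means the counter was reset (device reboot)
        # or wrapped more than once; drop the sample instead of storing a spike.
        return None
    return {"byte_rate": byte_rate, "bit_rate": bit_rate,
            "packet_rate": pkt_rate,
            "utilization_pct": 100.0 * bit_rate / cur.speed_bps}
```

On fast links a 32-bit octet counter can wrap more than once per polling interval, which is why the 64-bit ifHC counters (`bits=64`) are preferable where the device supports them.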

NetFlow/NetStream-based traffic collection process: First, the NetFlow/NetStream function is enabled on the physical interface of the network device. Once enabled, the device collects, per interface, statistics on the specific application traffic and the IP addresses that the traffic belongs to, and stores them temporarily in the NetFlow/NetStream cache. The device periodically encapsulates the cached statistics into NetFlow/NetStream packets and sends them to the NetFlow/NetStream packet parser. Second, when the parser receives a NetFlow/NetStream data packet, it parses it according to the NetFlow/NetStream protocol format specification and inserts the parsed result into the interface application flow table in the NetFlow/NetStream database. Third, after the interface traffic data has been inserted, the program reports the updated content to the corresponding function interface of the traffic management module.
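The parsing step can be illustrated with the fixed-layout NetFlow version 5 export format (24-byte header, 48-byte records), followed by the three statistical dimensions named earlier: single IP, IP communication pair, and IP network segment. This is an added example, not the platform's parser; the choice of v5, the /24 segment size, and the constructed sample datagram are assumptions.

```python
import ipaddress
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 record

def parse_v5(datagram):
    """Return flow records as dicts; reject anything not well-formed v5."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5")
    # Exporters are untrusted UDP senders: the declared count must match the size.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": ipaddress.IPv4Address(f[0]), "dst": ipaddress.IPv4Address(f[1]),
            "in_if": f[3], "packets": f[5], "octets": f[6],
            "src_port": f[9], "dst_port": f[10], "proto": f[13],
        })
    return flows

def aggregate(flows, prefix_len=24):
    """Byte totals per source IP, per IP pair and per source segment."""
    per_ip, per_pair, per_segment = Counter(), Counter(), Counter()
    for fl in flows:
        src, dst = str(fl["src"]), str(fl["dst"])
        per_ip[src] += fl["octets"]
        per_pair[(src, dst)] += fl["octets"]
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        per_segment[str(net)] += fl["octets"]
    return per_ip, per_pair, per_segment

def build_sample():
    """Constructed datagram with two flows, used only to exercise the parser."""
    def rec(src, dst, pkts, octets, sport, dport, proto):
        return RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, bytes(4), 1, 2,
                           pkts, octets, 0, 0, sport, dport, 0, 0, proto,
                           0, 0, 0, 0, 0, 0)
    body = (rec("10.0.1.5", "192.0.2.10", 10, 1500, 40000, 443, 6)
            + rec("10.0.1.9", "192.0.2.10", 4, 600, 40001, 53, 17))
    return HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + body
```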

Probe-based traffic collection process: In the first step, a mirrored port is opened on the network device, all the original traffic on the physical interface to be monitored is copied to the mirrored port, and the mirrored port is connected to the data capture port of the hardware probe.

In the second step, the hardware probe receives the original data packets output by the mirrored port in real time. The hardware probe program handles the original data packets in two processes: a real-time data packet storage process and a real-time data packet analysis process. The hardware probe periodically sends the cached statistics to the probe management server, which presents them in a unified way.

In the third step, the probe management server sends all the statistics to the protocol converter through an API, and the protocol converter shapes the data it receives from the probe management server.

In the fourth step, after the protocol converter has normalized the data, the statistical results, in a fixed format, are inserted into the interface application flow table in the probe database according to the platform's requirements.

In the fifth step, after the interface traffic data is inserted, the program reports the updated content to the corresponding function interface of the traffic management module.
