
Chapter III: Materials and methods

5. Data collection technique and instruments

Network Traffic Analysis identifies which users or applications are generating traffic on your network and how much network bandwidth they are consuming. For example, you may want to know what specific traffic is clogging your sites' networks. Is it your Exchange server? Is a user streaming YouTube videos or music from iTunes that may be causing bandwidth utilization issues? You can drill-down into applications, conversations, domains, endpoints, and protocols to see how this bandwidth usage is impacting your network and to identify the exact sources of spikes and bursts. Also, you can set up an alert to notify you when these spikes occur.

PacketTrap MSP monitors network traffic by capturing flow information from devices, such as routers, switches, servers, and desktops. By enabling NetFlow on your flow capable devices, you can export traffic flow information from these devices to your PacketTrap MSP server.

NOTE: The Network Traffic Analysis feature supports Cisco NetFlow versions 1, 3, 5, 7, and 9, as well as Juniper J-Flow and sFlow.

To learn more about how PacketTrap MSP analyzes network traffic information from devices that are not flow-capable (in other words, devices that do not support the more common network analysis protocols such as NetFlow, J-Flow, and sFlow), see Enabling ptFlow.

Topics in this section

• How PacketTrap MSP Collects Network Traffic Flow Data

• Viewing Traffic Flow Information

• How to Scope Your NetFlow Traffic Data

• Understanding the Various Groups of Traffic Flow Information

• Seeing How Traffic Flow Information is Trending

• Enabling NetFlow

• Enabling ptFlow

How PacketTrap MSP Collects Network Traffic Flow Data

Capturing flow information from flow-capable devices provides an abundance of information that can help you better manage bandwidth usage on your sites' networks. By enabling your flow-capable devices to export NetFlow information to the server, flow data packets are captured for all of these devices. PacketTrap MSP takes this information and presents it in an easy-to-read format, which you can use to determine how traffic impacts your networks. Additionally, you can generate a report using this information to help your sites plan for future network capacity.

The following diagram shows how PacketTrap MSP collects NetFlow data and sends it to the server. Keep in mind that NetFlow data is sent to the server on port 2055, so you must make sure that it is open and not in use by another device. If it is, you can use an alternative port, such as port 9555 or port 995.

See Also

• Enabling NetFlow

Enabling NetFlow

By enabling NetFlow on your devices, you are configuring your devices to export NetFlow data to the PacketTrap MSP server. The following instructions show you how to enable NetFlow on a Cisco router.

Enable Cisco Express Forwarding:

router(config)# ip cef

It is necessary to enable NetFlow on all interfaces through which the traffic you are interested in will flow. Now, verify that the router is generating flow stats: try 'show ip cache flow'. Note that for routers with distributed switching (GSRs, 75XXs) the Rendezvous Point CLI will only show flows that made it up to the RP. To see flows on the individual linecards, use the 'attach' or 'if-con' command and issue 'show ip cache flow' on each LC.

Enable export of these flows with the global commands. 'ip flow-export source' can be set to any interface, but one which is the least likely to enter a 'down' state is preferable. NetFlow will not be exported if the specified source is down. For this reason, we suggest the Loopback interface, or a stable Ethernet interface:

router(config)# ip flow-export version 5

router(config)# ip flow-export destination <ip-address> <port>

router(config)# ip flow-export source FastEthernet0

Use the IP address of your NetFlow Collector and configured listening port.

If your router runs BGP, you can include AS numbers in the exports with the command:

router(config)# ip flow-export version 5 [peer-as | origin-as]

The following commands break up flows into shorter segments.

router(config)# ip flow-cache timeout active 1

router(config)# ip flow-cache timeout inactive 15

Use the commands below to enable NetFlow on each physical interface (i.e. not VLANs and Tunnels, as they are auto included) you are interested in collecting a flow from. This will normally be an Ethernet or WAN interface. You may also need to set the speed of the interface in kilobits per second. It is especially important to set the speed for frame relay or ATM virtual circuits.

router(config)# interface <interface>

router(config-if)# ip route-cache flow

router(config-if)# bandwidth <kilobits>

Now write your configuration with the 'write' or 'copy run start' commands. When in enabled mode, you can see current NetFlow configuration and state with the following commands:

router# show ip cache flow

router# show ip cache verbose flow
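The configuration above makes the router export version 5 flow records to the collector's IP address and listening port (2055 by default, as the collection section states). The following decoder is an added example of the receiving side; it is not PacketTrap MSP's code and the layout it assumes is the fixed NetFlow v5 header and 48-byte record format. It validates the version, record count and datagram length before trusting any counter, and uses the header's flow sequence to notice lost exports. The sample datagram, addresses and ports are constructed for the example.

```python
"""Collector-side NetFlow v5 decoder (added example, not PacketTrap MSP code)."""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Fixed v5 layout: a 24-byte header followed by up to 30 fixed 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30
DEFAULT_PORT = 2055  # the port the page says the server listens on


@dataclass
class Flow:
    src: str
    dst: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    duration_ms: int  # last - first, in router uptime milliseconds
    src_port: int
    dst_port: int
    proto: int


def decode_v5(datagram: bytes) -> tuple[int, list[Flow]]:
    """Return (flow_sequence, flows). Anything that is not a well-formed v5
    datagram is rejected so a malformed or spoofed packet cannot corrupt
    the collector's counters."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = (
        HEADER.unpack_from(datagram, 0))
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(str(IPv4Address(srcaddr)), str(IPv4Address(dstaddr)),
                          in_if, out_if, pkts, octets, last - first,
                          sport, dport, proto))
    return seq, flows


def encode_v5(seq: int, records: list[tuple]) -> bytes:
    """Pack (src, dst, in_if, out_if, pkts, octets, first, last, sport, dport,
    proto) tuples into a datagram. Used here only to construct sample input."""
    head = HEADER.pack(5, len(records), 600000, 1700000000, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                    i, o, p, b, f, t, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, i, o, p, b, f, t, sp, dp, pr in records)
    return head + body


# Constructed sample: one HTTPS flow and one DNS flow, flow sequence 100.
SAMPLE = encode_v5(100, [
    ("10.0.0.5", "203.0.113.10", 1, 2, 1200, 900000, 500000, 560000, 51000, 443, 6),
    ("10.0.0.7", "198.51.100.20", 2, 1, 5, 600, 590000, 590100, 40000, 53, 17),
])


def serve(port: int = DEFAULT_PORT) -> None:
    """Receive exports from the router; nothing else may be bound to the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    expected = None
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        try:
            seq, flows = decode_v5(data)
        except ValueError as err:
            print(f"dropped datagram from {exporter}: {err}")
            continue
        # flow_sequence counts flows, so a jump means exports were lost in transit.
        if expected is not None and seq != expected:
            print(f"sequence gap from {exporter}: expected {expected}, got {seq}")
        expected = seq + len(flows)
        for fl in flows:
            print(exporter, fl)


if __name__ == "__main__":
    print(decode_v5(SAMPLE))
```

Running the module decodes the constructed sample; calling serve() binds the collector port and prints each exported flow, dropping anything that fails validation rather than counting it.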

Enabling ptFlow

PacketTrap MSP Traffic Analyzer supports ptFlow technology, as well as the industry standards NetFlow, sFlow, and J-Flow. ptFlow is a packet capture and filtering engine that allows users to gather traffic information from devices that do not support flow export, such as computers, routers and switches. The results appear just as they would with any traditional flow technology.

You can use the following information to configure and deploy ptFlow.

Configuration

NOTE: It is recommended that you use 2 NICs. You can use one NIC to collect the mirrored traffic and the other NIC to maintain network and Internet connectivity.

1. Establish port mirroring on the router or switch. Port mirroring is used on a network device to send a copy of all network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches. Please consult your device's manual to see if it supports port mirroring and for instructions on how to enable it.

2. In the Details View, select an agent device and right-click it.

3. Click Tools -> Enable Traffic Analysis.

4. In the Traffic Analysis Enablement window, check that the Enable ptFlow option is selected. The Enable NetFlow or sFlow option is not available if the device you selected is a Cisco device or if it is not an agent device.

5. Click Next.

6. The PacketTrap MSP host server IP will appear automatically. Select the Ingress (traffic in) and Egress (traffic out) check boxes on all your desired interfaces.

7. Click Save.

9. Click on Devices, select the machine running PacketTrap MSP and click View Details. ptFlow will appear under Network Traffic Flow.

Deployment Scenarios

Case #1: After enabling port mirroring on the switch or router, connect the mirrored port to the computer running the PacketTrap MSP agent (this may be the host server or your deployed agent).

Case #2: Insert a hub at your desired location and then connect it to the computer running the PacketTrap MSP agent (this may be the host server or your deployed agent).

Viewing Traffic Flow Information

By drilling into the Device details, you can view the various groups of traffic flow information that have been collected from a flow-capable device. In the Network Traffic Flow window, you will see data for applications, conversations, domains, endpoints, protocols, and interfaces.

To view network traffic information

1. In the Devices View, double-click a flow-capable device.

2. On the Device Details page, click the Network Traffic Flow tab on the left side.

3. To set the scope of the information that you want to view in the chart, do the following:

• In the Period drop-down list, select the scope for the reporting time period. For example, if you select This Month, then you will see the traffic flow information captured for the current month. For more information, see How to Scope Your NetFlow Traffic Data.

• In the Show Top drop-down list, select the number of records that you want to display. Keep in mind, the more records that you select to display, the more time it will take to load these records.

• In the Top Sort Order, select whether to view the information in Bytes or Packets.

4. Click any of the following groups to start to drill down into the details of your traffic flow information: Applications, Conversations, Domains, Endpoints, Protocols, and Interfaces.

For example, in the Applications group, you can see which port the application is using, and how much traffic it has generated. If you select a record, you will see specific information about the endpoint, destination domain name, out packets and in packets, and more.

NOTE: The scope that you selected in the previous step will remain in place as you view each group.

See Also

• How to Scope Your NetFlow Traffic Data

• Understanding the Various Groups of Traffic Flow Information

• Seeing How Traffic Flow Information is Trending

How to Scope Your NetFlow Traffic Data

How you scope your NetFlow traffic data allows you to look at network traffic patterns that occurred over hours, days, weeks, months, or a year. When you get to the hour level, you can drill down to see more granular data. This data can help you see when something happened in your network and help you uncover the source of the problem.

Once you have configured and enabled a NetFlow source, you can scope the NetFlow traffic data in the following ways:

• This Hour shows data that starts at the top of the hour up until when you select this scope option. For example, if you want to view data for "This Hour" at 10:27 AM today, PacketTrap MSP shows data from 10:00 AM to 10:27 AM.

• Past Hour shows data for the previous hour. For example, if you want to view data for the "Past Hour" at 10:27 AM today, then PacketTrap MSP shows data from 9:00 AM to 10:00 AM.

• This Day shows all of today's data, which starts at 12:00 AM and stops at the top of the current hour. For example, if you want to view today's data at 10:27 AM, PacketTrap MSP shows data from today at 12:00 AM through today at 10:00 AM.

• Past Day shows all of yesterday's data, which starts at 12:00 AM and stops at 11:59 PM.

• This Week shows data for the current week starting on Monday and continuing through to today. For example, if you want to view data for "This Week" at 10:27 AM today, PacketTrap MSP shows data from Monday at 12:00 AM through today at 10:00 AM.

• Past Week shows data for the previous week starting at 12:00 AM on Monday of that week and ending on Sunday at 11:59 PM of the same week.

• This Month shows data starting on the first day of the current month and continuing through to today. For example, if you want to view data for "This Month" at 10:27 AM, PacketTrap MSP shows data starting on the first day of the month at 12:00 AM through today at 10:00 AM.

• Last Month shows data from the previous month starting on the first day of that month at 12:00 AM and continuing through to the last day of that month at 11:59 PM.

• This Year shows data starting on the first day of the current year and continuing through to today. For example, if at 10:27 AM today you want to view data for "This Year", PacketTrap MSP shows all available data starting on January 1st at 12:00 AM through today at 10:00 AM.

• Past Year shows data for the previous year starting at 12:00 AM on January 1st of that year through December 31st of that same year at 11:59 PM.
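The ten scopes above are each a window computed from the moment the scope is selected. The function below is an added example (not PacketTrap MSP's code) that implements the list exactly as written, using the page's own 10:27 AM walk-throughs as its check. It returns half-open [start, end) datetimes, so the list's "11:59 PM" is represented as the following midnight, exclusive. The flow timestamps and byte counts it filters are constructed for the example.

```python
"""Period scope windows (added example, not PacketTrap MSP code)."""
from __future__ import annotations
from datetime import datetime, timedelta


def scope_window(scope: str, now: datetime) -> tuple[datetime, datetime]:
    """Return the [start, end) window the named scope covers at time `now`."""
    top_of_hour = now.replace(minute=0, second=0, microsecond=0)
    midnight = top_of_hour.replace(hour=0)
    monday = midnight - timedelta(days=midnight.weekday())  # weeks start Monday
    first_of_month = midnight.replace(day=1)
    first_of_year = first_of_month.replace(month=1)
    if scope == "This Hour":
        return top_of_hour, now
    if scope == "Past Hour":
        return top_of_hour - timedelta(hours=1), top_of_hour
    if scope == "This Day":            # stops at the top of the current hour
        return midnight, top_of_hour
    if scope == "Past Day":
        return midnight - timedelta(days=1), midnight
    if scope == "This Week":
        return monday, top_of_hour
    if scope == "Past Week":
        return monday - timedelta(days=7), monday
    if scope == "This Month":
        return first_of_month, top_of_hour
    if scope == "Last Month":          # step back one day, then to that month's 1st
        return (first_of_month - timedelta(days=1)).replace(day=1), first_of_month
    if scope == "This Year":
        return first_of_year, top_of_hour
    if scope == "Past Year":
        return first_of_year.replace(year=first_of_year.year - 1), first_of_year
    raise ValueError(f"unknown scope {scope!r}")


def in_scope(ts: datetime, scope: str, now: datetime) -> bool:
    start, end = scope_window(scope, now)
    return start <= ts < end


def bytes_in_scope(flows, scope: str, now: datetime) -> int:
    """flows: iterable of (timestamp, octets) pairs; sum the octets in scope."""
    return sum(octets for ts, octets in flows if in_scope(ts, scope, now))


# Constructed sample: Wednesday 15 May 2024 at 10:27 AM, with four flows.
SAMPLE_NOW = datetime(2024, 5, 15, 10, 27)
SAMPLE_FLOWS = [
    (datetime(2024, 5, 15, 10, 5), 3000),   # this hour
    (datetime(2024, 5, 15, 9, 30), 2000),   # past hour
    (datetime(2024, 5, 14, 23, 59), 500),   # yesterday
    (datetime(2024, 5, 6, 8, 0), 700),      # previous week
]

if __name__ == "__main__":
    for scope in ("This Hour", "Past Hour", "This Day", "Past Day", "This Week",
                  "Past Week", "This Month", "Last Month", "This Year", "Past Year"):
        print(scope, scope_window(scope, SAMPLE_NOW), bytes_in_scope(SAMPLE_FLOWS, scope, SAMPLE_NOW))
```

Note that a flow stamped 10:05 is counted by This Hour but not by This Day, because the day-level scopes stop at the top of the current hour, as the list states.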

Understanding the Various Groups of Traffic Flow Information

PacketTrap MSP captures the various groups of traffic flow information and displays the information on the Device Details page.

Applications

For each application shown in the list, you can see which port the application is using, and how much traffic it has generated. Select an application in the list and you will see more specific information about the endpoint, destination domain name, out packets and in packets, and more.

Conversations

The Conversation group shows you which nodes are going to which domain names or devices in a network. By selecting a conversation in the list, you can see which device has the highest number of conversations.

If there is a spike in the data, you will see which user or device is causing this spike. Using the color-coding, you can look at the spike and then find the user or device in the Top Conversations list that is causing this spike in traffic.

You can discover which user caused the spike, where they went, what port they were using, and the amount of traffic that was generated. You can also see how long the traffic was generated for. This color-coded chart provides you with a quick look at who's doing what on the network, at what time, over which port.

Domains

The Domains group displays all the different web sites that your users are visiting, the amount of traffic generated, and the amount of time they spent surfing the web. If you double-click on a source IP, you can see the specific conversation for a domain on that IP address.

Endpoints

The Endpoints group displays traffic flow information between two devices. If you select an endpoint, you can see which person is going to which system using which application. Clicking the Trend Chart button shows you the spikes in the data when this activity occurred. Again, if you double-click, it shows you the specific conversations that took place between this user and this endpoint.

Protocols

The Protocol group displays the type of traffic that is being generated on your network and which protocols are consuming the most network bandwidth.

Network engineers may find this information particularly helpful. For example, if you notice on the chart that there is more UDP traffic on your network than expected, you can see where it is coming from and who is generating it.

Interfaces

If you are collecting traffic from multiple interfaces on a switch, the Interface group allows you to easily identify which port the problem application is using.
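Each of the six groups described above is a different roll-up key over the same flow records, and the Show Top count and Bytes/Packets sort order from the viewing procedure are applied to the rolled-up totals. The code below is an added example (not PacketTrap MSP's code) that does this grouping over a constructed set of flow records; it assumes applications are identified by destination port plus protocol, that both addresses of a flow count as endpoints, and that the domain name has already been resolved by the collector. The addresses come from documentation ranges.

```python
"""Top-N grouping of flow records (added example, not PacketTrap MSP code)."""
from __future__ import annotations
from collections import defaultdict

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed flow records. `domain` is assumed to be a reverse lookup of `dst`.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "domain": "www.example.com",
     "src_port": 51000, "dst_port": 443, "proto": 6, "in_if": 1, "packets": 1200, "octets": 900000},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "domain": "www.example.com",
     "src_port": 51001, "dst_port": 443, "proto": 6, "in_if": 1, "packets": 800, "octets": 600000},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "domain": "ns.example.net",
     "src_port": 40000, "dst_port": 53, "proto": 17, "in_if": 2, "packets": 5000, "octets": 400000},
    {"src": "10.0.0.9", "dst": "203.0.113.10", "domain": "www.example.com",
     "src_port": 52000, "dst_port": 80, "proto": 6, "in_if": 1, "packets": 300, "octets": 250000},
]

GROUPS = ("Applications", "Conversations", "Domains", "Endpoints", "Protocols", "Interfaces")


def group_keys(flow: dict, group: str) -> list[str]:
    """Return the key(s) a single flow contributes to within a group."""
    proto = PROTO_NAMES.get(flow["proto"], str(flow["proto"]))
    if group == "Applications":   # assumption: server port + protocol names the application
        return [f'{flow["dst_port"]}/{proto}']
    if group == "Conversations":  # who is talking to whom
        return [f'{flow["src"]} -> {flow["dst"]}']
    if group == "Domains":
        return [flow["domain"]]
    if group == "Endpoints":      # assumption: both ends of the flow are endpoints
        return [flow["src"], flow["dst"]]
    if group == "Protocols":
        return [proto]
    if group == "Interfaces":     # the port the traffic entered on
        return [f'ifIndex {flow["in_if"]}']
    raise ValueError(f"unknown group {group!r}")


def top(flows: list[dict], group: str, show_top: int = 10,
        sort_by: str = "Bytes") -> list[tuple[str, int, int]]:
    """Aggregate flows by group and return the top-N as (key, bytes, packets),
    ordered by the chosen Top Sort Order (Bytes or Packets)."""
    field = {"Bytes": "octets", "Packets": "packets"}[sort_by]
    totals: dict[str, dict[str, int]] = defaultdict(lambda: {"octets": 0, "packets": 0})
    for flow in flows:
        for key in group_keys(flow, group):
            totals[key]["octets"] += flow["octets"]
            totals[key]["packets"] += flow["packets"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1][field], reverse=True)
    return [(key, v["octets"], v["packets"]) for key, v in ranked[:show_top]]


if __name__ == "__main__":
    for name in GROUPS:
        print(name, "by bytes:", top(FLOWS, name, show_top=3))
        print(name, "by packets:", top(FLOWS, name, show_top=3, sort_by="Packets"))
```

The constructed data shows why the sort order matters: by bytes the HTTPS application leads, but by packets the DNS flow does, which is the kind of difference the Protocols group is meant to surface when UDP traffic looks higher than expected.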

See Also

• Viewing Traffic Flow Information

Seeing How Traffic Flow Information is Trending

By default, a pie chart displays how the different conversations in a group compare to each other. However, PacketTrap MSP also provides a way for you to see how the data is trending.

Pie Charts

By default, PacketTrap MSP presents traffic flow information in a pie chart. As you can see in the following image, the pie chart is broken down into color-coded sections, where each color represents a specific conversation that occurred for a given group.

Trend Charts

If you want to see how a particular conversation is trending, select it in the list of conversations, and then click the Trend Chart link. As you can see in the following image, this chart will show you if any spikes occur during the defined time period, and how much traffic is generated for this particular application or IP address.

NOTE: You can use the Pie Chart link on this page to return to the Pie Chart after viewing the Trend Chart.

See Also

Managing Policies
