FlowScan: a network traffic flow reporting and visualization tool

These provide a continuous, near real-time view of the network traffic through a network's border. Although there are now a number of tools available that collect and process flow data, there is a dearth of visualization tools.

Because it is built from freely available software tools, FlowScan can be readily deployed in most modern educational, corporate, and ISP networks. The information presented by FlowScan assists in understanding the nature of the traffic that your network is carrying. It can be useful in the identification and investigation of anomalies such as poor performance and attacks on hosts.

It can provide a foundation on which to develop usage-based billing or to verify the effectiveness of Quality-of-Service policies. Without this assumption, no totals can accumulate, and FlowScan can't plot values against time. Secondly, while NetFlow flows contain start and end time information for the packets in a given flow, they do not indicate the distribution of packet delivery within that time range. Therefore, even if FlowScan attempts to record the real time at which traffic was observed, accuracy cannot be improved.

Experience shows that the effect of this time-granularity inaccuracy is negligible as data is aggregated into coarser-grained time samples. For long-term analysis, one specifies the number of hours over which to plot results. Increasing the hours significantly beyond the default 48 hours becomes an exercise in customization of date and description annotations.

Note also that the often-used daily averages may hide spurious abuse activity: a short-lived attack can be severely minimized by daily averaging. Therefore, graphing over extended periods of time using daily averages tends to be more useful as an aid to capacity planning or even traffic shaping efforts.
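The effect described in the last three paragraphs can be reproduced with a small added example (not FlowScan or RRDtool code). It bins constructed flow records into 5-minute samples, then consolidates them into daily values by mean and by maximum. The 5-minute step, the crediting of a flow to the bin of its end time, the sample flows and the 10 Mbit/s threshold are all assumptions made for the illustration.

```python
# Added illustration, not FlowScan code. Flow records and thresholds are constructed.
STEP = 300                 # assumed 5-minute sample interval, in seconds
PER_DAY = 86400 // STEP    # 288 samples per day

def bin_flows(flows, start, n_bins, step=STEP):
    """Sum flow octets into fixed bins and return bits/second per bin.

    Each flow is (end_timestamp, octets). A flow is credited entirely to the
    bin holding its end time, since a flow record does not say how its packets
    were spread between start and end (a simplification assumed here).
    """
    totals = [0] * n_bins
    for end_ts, octets in flows:
        idx = (end_ts - start) // step
        if 0 <= idx < n_bins:
            totals[idx] += octets
    return [t * 8 / step for t in totals]

def consolidate(rates, factor, how="average"):
    """Collapse each run of `factor` samples into one value (mean or max)."""
    groups = [rates[i:i + factor] for i in range(0, len(rates) - factor + 1, factor)]
    if how == "max":
        return [max(g) for g in groups]
    return [sum(g) / len(g) for g in groups]

def over_threshold(rates, threshold_bps):
    """Indexes of samples whose rate exceeds the threshold."""
    return [i for i, r in enumerate(rates) if r > threshold_bps]

def sample_flows(start=0, days=2, burst_bins=(400, 401, 402)):
    """Constructed data: 1 Mbit/s baseline plus a 15-minute, 100 Mbit/s burst."""
    flows = []
    for i in range(days * PER_DAY):
        ts = start + i * STEP + 150
        flows.append((ts, 37_500_000))             # 1 Mbit/s over 300 s
        if i in burst_bins:
            flows.append((ts, 3_750_000_000))      # extra 100 Mbit/s over 300 s
    return flows

if __name__ == "__main__":
    fine = bin_flows(sample_flows(), 0, 2 * PER_DAY)
    daily_avg = consolidate(fine, PER_DAY)
    daily_max = consolidate(fine, PER_DAY, "max")
    limit = 10_000_000  # constructed 10 Mbit/s alert threshold
    print("5-minute samples over limit:", over_threshold(fine, limit))
    print("daily averages (bit/s):", [round(v) for v in daily_avg])
    print("daily averages over limit:", over_threshold(daily_avg, limit))
    print("daily maxima over limit:", over_threshold(daily_max, limit))
```

The 15-minute burst raises the second day's average only from 1 Mbit/s to about 2 Mbit/s, so it never crosses the threshold, while the daily maximum still shows the 101 Mbit/s peak.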

FlowScan's CampusIO report uses a number of heuristics to help identify and analyze "elusive" traffic e. These heuristics employ a method of stateful inspection similar to that used by many modern firewalls. Such firewalls track the state of an application session by observing information within a packet or series of packets, enabling the firewall to filter packets according to whether or not a session has been established and is still active. Passive inspection of either the packet header or the application payload gleans state information, enabling traffic identification and analysis.

This feature alone is insufficient for reliable continuous use: additional software tools are needed to define, parse, and analyze these flows.

FlowScan examines flow data and maintains counters reflecting what was found. Counter values are stored using RRDtool, a database system for time-series data.

Finally, FlowScan uses visualization capabilities of both RRDtool and other front-ends to report on the processed flow data.


