Monitoring and Traffic Classification Tool for Analysing the Use of Network Services
Jordi Domingo, jordi.domingo@ac.upc.es
http://www.ac.upc.es/homes/jordid/
A large number of IP traffic analysis tools are currently used on the Internet. Most of them perform only simple IP header processing in order to maintain high performance. Others can perform exhaustive IP and application header processing, but are only suitable for small environments. The MIRA tool is based on passive traffic monitoring: it does not probe the network actively (polling) or intrusively. Data is first captured and then analyzed out of band in near real time. This architecture makes more complex IP header parsing affordable for traffic verification. The architecture is modular: application modules may be defined and added according to requirements or new functions. The Application Modules rely on the Application Header Preprocessing Module (AHP). The AHP reduces the volume of the captured data by performing a first traffic characterization based on application header pattern matching. It searches not only in the transport header, as most systems do, but inside the application header too. The AHP aggregates data based on the detection of all flows with the same origin or destination. It then verifies the application protocol associated with known TCP/UDP ports by searching for application keywords. Packets that cannot be verified, because the source port, the destination port or the transport protocol is unknown, are reported as non-regular flows. Application Modules filter and classify reports of servers and flows in order to give accurate server activity data. The Server Detection Application Module (SDM) classifies servers in order to produce reports about the most significant servers, local or remote, and application servers. The Unknown Traffic Heuristic Application Module (UTM) aggregates information based on flows. UTM flow analysis detects significant servers and clients among the traffic that could not be analyzed in the AHP.
The SDM and UTM characterize the traffic in great detail following a server-oriented approach. The results obtained from this analysis can be useful for network dimensioning and server proxy deployment. New arguments for charging, based on detailed server detection, are being investigated. Finally, unknown traffic classification has also been proposed in order to detect new applications and servers. These functions provide network administrators with as many arguments as they need for managing the network.
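The two-stage behaviour described above (AHP verification of known ports by application-header keywords, with everything unverifiable reported as non-regular flows, followed by a UTM-style heuristic over those flows) can be illustrated with a small classifier. The code below is an added example written for this page, not MIRA's own code: the keyword table, the `Packet` record, the function names and the sample capture are all constructed here. Its key point is the one the abstract makes: a flow on port 80 whose header carries no HTTP keyword is not accepted as HTTP, and the endpoints that accumulate the most peers among the non-regular flows are surfaced as candidate unknown servers.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical keyword table, constructed for this example: (transport, port)
# -> (application name, keywords expected near the start of the application
# header). A flow on a known port is only verified when one of these keywords
# is actually seen, so the port number alone is never trusted.
APP_KEYWORDS = {
    ("tcp", 80): ("HTTP", (b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")),
    ("tcp", 25): ("SMTP", (b"HELO ", b"EHLO ", b"220 ")),
    ("tcp", 21): ("FTP", (b"USER ", b"PASS ", b"220 ")),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # leading bytes of the application header (b"" for a SYN)


def flow_key(pkt):
    """Bidirectional flow identity: both directions of a connection share one key."""
    endpoints = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, endpoints[0], endpoints[1])


def verify_flow(proto, ep_a, ep_b, pkts):
    """Try each endpoint as the server. Return (app, server_ip, client_ip) when
    that endpoint's port is known AND a keyword appears in some packet's
    application header; otherwise None (the flow is non-regular)."""
    for server, client in ((ep_a, ep_b), (ep_b, ep_a)):
        entry = APP_KEYWORDS.get((proto, server[1]))
        if entry is None:
            continue
        app, keywords = entry
        if any(kw in p.payload[:64] for p in pkts for kw in keywords):
            return app, server[0], client[0]
    return None


def classify(packets):
    """AHP-style pass: aggregate packets into flows, verify known applications
    by header keyword, and report the rest as non-regular flows.
    Returns (servers, non_regular): servers maps (server_ip, app) -> set of
    client IPs; non_regular is the list of unverified flow keys."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    servers = defaultdict(set)
    non_regular = []
    for key, pkts in flows.items():
        proto, ep_a, ep_b = key
        verified = verify_flow(proto, ep_a, ep_b, pkts)
        if verified is None:
            non_regular.append(key)
        else:
            app, server_ip, client_ip = verified
            servers[(server_ip, app)].add(client_ip)
    return dict(servers), non_regular


def unknown_hotspots(non_regular):
    """UTM-style heuristic over non-regular flows: an endpoint that many distinct
    peers talk to is a candidate unknown server. Returns {(ip, port): peer_count}."""
    peers = defaultdict(set)
    for _proto, ep_a, ep_b in non_regular:
        peers[ep_a].add(ep_b[0])
        peers[ep_b].add(ep_a[0])
    return {ep: len(p) for ep, p in peers.items()}


# Constructed sample capture (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", b""),  # SYN, no payload
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, "tcp", b"HTTP/1.1 200 OK\r\n"),
    Packet("10.0.0.7", 40002, "192.0.2.10", 80, "tcp", b"GET / HTTP/1.0\r\n"),
    Packet("10.0.0.5", 40003, "198.51.100.3", 25, "tcp", b"EHLO client.example\r\n"),
    # Known port 80 but no HTTP keyword in the header: must NOT be verified as HTTP.
    Packet("10.0.0.9", 40005, "192.0.2.10", 80, "tcp", b"\x16\x03\x01\x00\xc4"),
    # Unknown port: reported as non-regular, then aggregated by the heuristic.
    Packet("10.0.0.9", 40004, "203.0.113.4", 6881, "tcp", b"\x00\x01\x02binary"),
    Packet("10.0.0.11", 40006, "203.0.113.4", 6881, "tcp", b"\x00\x01\x02binary"),
]


def run_sample():
    """Run both stages over the constructed capture."""
    servers, non_regular = classify(SAMPLE_PACKETS)
    return servers, non_regular, unknown_hotspots(non_regular)


if __name__ == "__main__":
    servers, non_regular, hotspots = run_sample()
    for (ip, app), clients in servers.items():
        print(f"{app} server {ip}: {len(clients)} client(s)")
    for key in non_regular:
        print("non-regular flow:", key)
    print("unknown-traffic hotspots:", hotspots)
```

On the sample capture the classifier reports one HTTP server with two clients and one SMTP server with one client, while the port-80 flow with a non-HTTP header and the two port-6881 flows end up as non-regular; the heuristic then ranks 203.0.113.4:6881 highest because two distinct peers talk to it. Real deployments would keep a much larger keyword table and inspect more than the first 64 bytes, but the verification order (port first, then mandatory keyword) is the part that matters.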