• No results found

Network Analysis with isilk

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Network Analysis with isilk"

Copied!
65
0
0

Loading.... (view fulltext now)

Download now ( 65 Page )

Full text

(1)

Network Analysis

with iSiLK

Ron Bandes

CERT

®

Network Situational

Awareness (NetSA) Group

(2)

© 2011 Carnegie Mellon University NO WARRANTY

THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS

OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR

COPYRIGHT INFRINGEMENT.

This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at

This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.

(3)

Overview

Network Monitoring

Packets and Flows

Collection, Packing, Repository, and Analysis

SiLK vs. iSiLK

Live CD (OK, it’s a DVD)

Starting iSiLK and running a query

Demo: Query, summarize, refine query, summarize,

report

(4)

What is iSiLK?

It is a graphical front-end for SiLK,

the System for Internet Level Knowledge

flow analysis tool

(5)

Network Monitoring

Internet

Monitored

Network

Other

internetwork

(6)

Network Monitoring

Internet

internetwork

Other

sensor

sensor

sensor

(7)

Network Monitoring

Internet

internetwork

Other

sensor

sensor

sensor

sensor

SiLK

repository

(8)

Network Monitoring

Internet

internetwork

Other

sensor

sensor

sensor

sensor

SiLK

repository

(9)

Packet Encapsulation

Application

layer message

(HTTP, SMTP,

DNS)

TCP/UDP/ICMP segment

IP datagram

Ethernet frame

Dest MAC address

Source MAC addr

Type of packet

Src IP address

Dst IP address

Type of

segment

Src port Dest port

(10)

Flows

1 3 8

(11)

Some Terms

SiLK

: A traffic analysis tool which processes flow

data.

Flow

: the collection of packets travelling in the

same direction in a TCP or UDP connection.

Flow Record

: a single record containing summary

information for a flow.

Flow Repository

: a tree structure of flat files

(12)

Collection, Packing, and Analysis

Collection

of flow data

Examines packets and summarizes into standard flow

records

Timeout and payload-size values are established during

collection

Packing

stores flow records in a scheme optimized

for space and ease of analysis

Analysis

of flow data

(13)

Collection

PCAP

YAF

(14)

Packing

SiLK

repository

IPFIX

rwflowpack

SiLK

repository

SiLK

repository

(15)

out

RootDir

Sensor2

silk

.

conf

Sensor1

in

inweb

innull

outweb

outnull

year

day

month

(16)

Analysis

SiLK

tool

chain

Raw (binary)

flow records

in a file

Text

output

SiLK

repository

Raw (binary)

flow records

in a file

SiLK

repository

SiLK

repository

(17)

Reporting

UNIX text

tools

(sort, cut, …)

Text

output

Text

output

Visualization

tools (gnuplot,

Rayon, Excel)

(18)

Why use iSiLK?

It helps me to choose SiLK tools

Toolbar buttons allow quick perusal of tools

It lets me avoid SiLK tool syntax

Menus & other GUI elements show my choices

It lets me avoid Linux command syntax and file

names

iSiLK organizes my data sets and results

(19)

What won’t iSiLK do?

iSiLK won’t replace my need to understand what’s in

flow data

I still need to understand what patterns in flow data

represent the traffic situations that I’m looking for

(20)

SiLK environment

SiLK on

Linux system

Flow

Repository

Terminal

window

(21)

iSiLK environment

SiLK on

Linux system

Flow

Repository

iSiLK on

Windows system

(or Mac or Linux)

(22)

Setting up iSiLK on the Live CD

Open Applications

→System

Tools

→Terminal

echo "export SILK_DATA_ROOTDIR=/data/SiLK-LBNL-05" >>

.

bashrc

On the desktop, open Applications

→Programming →iSiLK

iSiLK Configuration:

Remote_Host:

localhost (default)

Remote_Port:

22 (default)

Remote_User:

liveuser

RSH_Key:

/home/liveuser/.ssh/id_rsa

Rmt_Output:

isilk-output

(23)
(24)
(25)
(26)
(27)
(28)
(29)
(30)
(31)
(32)
(33)
(34)
(35)
(36)
(37)
(38)
(39)
(40)
(41)
(42)
(43)
(44)
(45)
(46)
(47)
(48)
(49)
(50)
(51)
(52)
(53)
(54)
(55)
(56)
(57)
(58)
(59)
(60)
(61)
(62)
(63)
(64)
(65)

Contact Information

Ron Bandes,

[email protected]

Software Engineering Institute

Carnegie Mellon University

References

Download now ( PDF - 65 Page - 1.70 MB )

Related documents

Loma Linda University Dentistry - Volume 24, Number 1

During their second quarter at the School, students in den- tistry, dental hygiene, and the International Dentist Program meet for a dedicatory service where their family members join

Export processing zones : a review in need of update

It first provides a brief overview of trends in EPZs and then discusses a series of issues such as investment and types of industry in EPZs (incentive scheme, foreign ownership,

31minutes' AMA for r_leangains.pdf

• I eat at maintenance on 3 workout days and want my weekly caloric intake to be ~4000 calories under maintenance.. But that only matters because that is what I need to get to my

Frugal Innovation in the Indian Health Care Sector

 With the help of a comparative case study on nine frugal innovation examples in the Indian Health care sector, seven success factors with significant relevance were identified:

The practice of liquor licensing law in Colorado is somewhat

Ø An application would not be acted on if, within the previous two years, the same site or one within 500 feet of it has been pro- posed for the same type of license and the

Practice Managing Internet Connection Campus Area Network (Can) with Firewall and Address Listmikrotik Router Os

civitas akademik untuk menunjang proses pembelajaran.Koneksi internet yang baik dan memadai mutlak diperlukan supaya para pengguna atau user dapat menikmati teknologi secara

On the study of wavefront aberrations combining a point-diffraction interferometer and a Shack-Hartmann sensor

radii, and e is the thickness of the lens. The nomenclature is the same presented in Fig. 3: Scheme of the meniscus lens under test. The optical density was 2.5 and the

Private Equity and Debt in Real Estate

A core investment company (“ CIC ”) is a company which satisfies the following conditions as on the date of the last audited balance sheet (i) it holds not less than 90% of its