"cflowd 2.0: Cisco flow-export collection"
Archived MagicPoint presentation slides, compiled into a single PDF document.
1999_isma9901_cflowd.pdf (37 slides, 492 KB)
Slide text transcript
Slide 1: cflowd 2.0
cflowd 2.0
Cisco flow-export collection
Daniel McRobb
dwm@caida.org
Slide 2: Background
Background
- host software for collecting Cisco version 5 (and version 1) flow-export data
- aggregates data into tables for continuous collection of summary data (in time-series)
- stores raw flow data in rotating log files
- provides client/server collection of tabular data in time series
Slide 3: Changes from 1.3b2 to 2.0
Changes from 1.3b2 to 2.0
- all tables are per input interface (not per router)
- support for version 1 flow-export
- central collector included
- uses arts++ package for data storage and aggregation
- real-time flow-matching API (example `flowwatch' program included)
- interface matrix
- IP nexthop table
Slide 4: cflowd architecture
cflowd architecture
Slide 5: benefits of new architecture
benefits of new architecture
- increased performance (shared memory packet queue vs. UNIX domain sockets for cflowdmux to cflowd IPC)
- hooks for real-time flow matching
- source code easier to maintain due to heavy use of STL and more modularization
Slide 6: cflowd
cflowd
Slide 7: flow export version 5
flow export version 5
- sends UDP packets to a specified host address and port number
- each UDP packet contains a number of flow entries
Slide 8: flow-export packets
flow-export packets
Slide 9: flow header
flow header
Slide 10: flow entry
flow entry
Slide 11: cflowd aggregation
cflowd aggregation
- cflowd primarily designed to aggregate flow data into tabular data to be used for capacity planning
- AS matrix, net matrix, port matrix, protocol table, interface matrix and nexthop table
- aggregation across all flows
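An added example (not cflowd code and not taken from the slides): a collector-side parser for one version 5 flow-export datagram that checks the sender-supplied flow count against the datagram length before aggregating into a per-input-interface sparse AS matrix. The 24-byte header and 48-byte entry layout follow Cisco's published version 5 export format, since the header and entry slides survive here only as titles; the function names and the sample datagram are constructed for illustration.

```python
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow entry
MAX_FLOWS = 30                                      # v5 limit per datagram

def parse_v5(datagram):
    """Validate one flow-export datagram and return its flow entries as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported flow-export version {version}")
    if not 1 <= count <= MAX_FLOWS:
        raise ValueError(f"implausible flow count {count}")
    # The count field is sender-controlled: trust it only if it matches the length.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("flow count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"input": f[3], "output": f[4], "pkts": f[5], "bytes": f[6],
                      "proto": f[13], "src_as": f[15], "dst_as": f[16]})
    return flows

def as_matrix(flows):
    """Sparse AS matrix keyed per input interface: only seen cells exist."""
    cells = defaultdict(lambda: [0, 0])
    for f in flows:
        cell = cells[(f["input"], f["src_as"], f["dst_as"])]
        cell[0] += f["pkts"]
        cell[1] += f["bytes"]
    return dict(cells)

def sample_datagram():
    """Constructed datagram: three flows, documentation addresses and ASNs."""
    rows = [(1, 64496, 64497, 10, 1500), (1, 64496, 64497, 5, 500), (2, 64498, 64496, 1, 40)]
    body = b"".join(
        RECORD.pack(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]), bytes(4), ifin, 9,
                    pkts, octets, 0, 0, 1024, 80, 0, 0, 6, 0, src_as, dst_as, 24, 24, 0)
        for ifin, src_as, dst_as, pkts, octets in rows)
    return HEADER.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    print(as_matrix(parse_v5(sample_datagram())))
```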
Slide 12: Why so much aggregation?
Why so much aggregation?
- data reduction
- scale of intended use (backbone-wide)
- disk and bandwidth requirements for raw flow data in a backbone network. We only transfer tabular data back to the central collector.
Slide 13: cfdcollect
cfdcollect
- collects cflowd data at regular intervals
- produces time-series data for each of the tabular data types (AS matrix, net matrix, port matrix, protocol table, interface matrix, nexthop table)
- stores data in ARTS files (1 file per router per day)
Slide 14: centralized collection
centralized collection
Slide 15: arts++
arts++
- C++ class library for subset of ARTS data
- supports reading/writing of ARTS data via iostreams and UNIX file descriptors
- supports simple time-domain aggregation for several data types
- simple command-line utilities included for viewing ARTS data files and time domain aggregation
Slide 16: ARTS data files
ARTS data files
- efficient data archival (binary, simple size-reducing techniques)
- data files are portable; arts++ class library is the interface
- extensible for additional data types
- versioning of data objects for different storage formats (typically used for space/CPU tradeoff)
Slide 17: ARTS data handled by arts++
ARTS data handled by arts++
- AS matrix (version 0)
- net matrix (version 2)
- port matrix (version 0)
- selected port table (version 0)
- port matrix (version 2)
- selected port table (version 0)
- interface matrix (version 0)
- IP nexthop table (version 0)
- protocol table (version 2)
- forward IP path (version 0)
Slide 18: AS matrix (version 0)
AS matrix (version 0)
- counters for traffic (packets and bytes) from source ASes to destination ASes
- sparse matrix, having only entries for which traffic information is stored
Slide 19: AS matrix data
AS matrix data
Slide 20: ARTS net matrix (version 2)
ARTS net matrix (version 2)
- counters for traffic (packets and bytes) from source networks to destination networks
- networks are identified by network number and netmask length
- sparse matrix, having only entries for which traffic information is stored
Slide 21: net matrix data
net matrix data
Slide 22: ARTS port matrix (version 2)
ARTS port matrix (version 2)
- counters for (packets and bytes) from source transport layer port number to destination port number
- matrix is sparse; there are no entries for ports on which no traffic was seen
Slide 23: port matrix data
port matrix data
Slide 24: selected port table data
selected port table data
Slide 25: protocol table (version 2)
protocol table (version 2)
- counters (packets and bytes) versus IP protocol (TCP, UDP, ICMP, IGMP, et al.)
- sparse table; there are no entries for protocols that were not seen in the measured traffic
Slide 26: protocol table data
protocol table data
Slide 27: interface matrix
interface matrix counters (packets and bytes) for traffic from input interfaces to output interfaces
Slide 28: interface matrix data
interface matrix data
Slide 29: nexthop table
nexthop table counter (packets and bytes) for traffic from input interfaces to each IP nexthop
Slide 30: IP nexthop table data
IP nexthop table data
Slide 31: IP forward path (version 0)
IP forward path (version 0)
- contains IP addresses of hops in forward path from a source to a destination
- contains an RTT value for the source to destination
- may be extended in the future to hold more information
Slide 32: forward IP path data
forward IP path data
Slide 33: Time Domain Aggregation
Time Domain Aggregation
Time domain aggregation reduces time granularity in time-series data.
Examples:
- convert 5-minute data to 1-hour data for a summary bar chart
- convert 1-hour data to one large aggregate for a pie chart
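An added sketch of the time-domain aggregation described on this slide, applied to sparse AS-matrix samples (it is not the arts++ implementation and does not read ARTS files). The in-memory sample format, the `covered` field that records how many seconds of data each bucket actually holds, and the constructed sample series are assumptions made for the example.

```python
from collections import defaultdict

def aggregate(series, period=3600):
    """Merge sparse samples into coarser buckets.

    series: iterable of (start_epoch, interval_secs, {key: (pkts, bytes)}).
    Returns {bucket_start: {"covered": secs, "cells": {key: [pkts, bytes]}}}.
    """
    out = {}
    for start, secs, cells in series:
        if secs <= 0 or secs > period:
            raise ValueError("sample interval must be positive and fit the period")
        bucket = start - start % period
        if start + secs > bucket + period:
            raise ValueError("sample straddles a bucket boundary")
        agg = out.setdefault(bucket, {"covered": 0, "cells": defaultdict(lambda: [0, 0])})
        # Track coverage so a gap in collection is visible instead of
        # being read as an hour with little traffic.
        agg["covered"] += secs
        for key, (pkts, octets) in cells.items():
            agg["cells"][key][0] += pkts
            agg["cells"][key][1] += octets
    return out

# Constructed 5-minute samples keyed by (src_as, dst_as); documentation ASNs.
BASE = 915148800  # 1999-01-01 00:00:00 UTC, aligned to the hour
SAMPLES = [
    (BASE,        300, {(64496, 64497): (10, 1000)}),
    (BASE + 300,  300, {(64496, 64497): (20, 2000), (64498, 64496): (1, 40)}),
    (BASE + 3600, 300, {(64498, 64496): (2, 80)}),
]

if __name__ == "__main__":
    for bucket, agg in sorted(aggregate(SAMPLES).items()):
        print(bucket, agg["covered"], dict(agg["cells"]))
```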
Slide 34: Aggregation Utilities
Aggregation Utilities
- artsasagg - for AS matrix
- artsnetagg - for net matrix
- artsportmagg - for port matrix
- artsprotoagg - for protocol table
- artsintfmagg - for interface matrix
- artsnexthopagg - for nexthop table
Slide 35: Simple display utilities
Simple display utilities
- artsdump
- artsases
- artsnets
- artsportms
- artsports
- artsprotos
- artsintfms
- artsnexthops
Slide 36: Supported platforms
Supported platforms
- FreeBSD 2.2.x Intel
- FreeBSD 3.0 Intel
- Linux 2.0.35 Intel
- Sparc/Solaris 2.5.1
- Sparc/Solaris 2.6
Other platforms (field reports)
- BSDI BSD/OS 3.1
- BSDI BSD/OS 4.0
- Digital UNIX 4.0B
Slide 37: Future
Future
- support for version 8 flow-export
- plotting utilities using XRT/PDS
- Web reporting tools (java-based)

