For data analysis, the OC3MON can be used in two different modes:
1. Two raw capture modes, in which all packet headers are captured
   to memory and then dumped to disk.
   (a) The first of these modes captures the complete first ATM cell in
       each packet, which includes TCP/IP headers.
   (b) The second one captures only the ATM headers, not just for the
       first cell of each packet but for all cells. This mode might be
       useful to simulate QoS algorithms of ATM switches.
Raw capturing is useful for getting a detailed view of traffic over a
relatively brief interval. This allows an extensive further analysis
of the captured data. However, because currently the DOS-supplied
disk I/O routines -- which are blocking -- are used, it is not
possible to write to disk simultaneously with data capturing. In
fact, the I/O is not even fast enough to sustain disk transfer of a
packet trace without the flow analysis process running. Therefore one
can only collect a trace as big as the size of host memory, which in
our case would be 114MB (119.5 million bytes), and then must stop
OC3MON header collection to let OC3MON transfer the memory buffer to
disk. In the future we hope to develop separate I/O routines that
directly use the hardware, bypassing the slower DOS routines, and
allowing us to keep up with OC3 line rate.
2. An IP flow capture mode in which the OC3MON maintains
   flow statistics that do not require the storage of each header.
Because the amount of data captured in a packet-level trace and the
time needed for our disk I/O inhibit continuous operational header
capture, this mode of operation is the default mode. Once again this
shows the advantages that the concept of flows offers for traffic
analysis. Concurrently with the interrupt-driven header capture,
software runs on the host CPU to analyze the packet headers and to
establish flows. The flows are analyzed and stored at regular intervals
for remote querying. For querying, a Perl script on a web server is
executed at regular intervals and the data is captured to a file. The
queries themselves are done with simple telnet-type connections
to port 22 of the OC3MON PC. Using port 22 has the advantage that this
port very often is not blocked by firewalls.
The way queries in the flow capture mode are implemented is
the main disadvantage of the OC3MON software. Using telnet is, on the
one hand, very simple to implement; on the other hand, the data is
transferred in a non-standardized ASCII format. Every change to the OC3MON
software requires a change in the applications that use OC3MON as
well. This makes it very difficult for application developers to
integrate OC3MON into their own environment.
Additionally, because telnet is used, there is no security at all in the
OC3MON querying architecture. Everyone with IP access to the
machine can query it with a simple telnet command. What's even
worse, those queries reset the counters on OC3MON, so
the automated measurements will display wrong data afterwards. These
security problems can currently only be solved by putting the OC3MON
Ethernet interface inside a secure network. For those reasons, the
querying protocol is a severe limitation for practical use of the
software. However, we will later see (in section 3.4)
that there is already a promising solution for this.
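The counter-reset problem described above can be reproduced with a small simulation. This is an added example, not OC3MON code: the class names, the tick-based traffic and the cumulative-counter alternative are assumptions for illustration, and the alternative is not the solution referred to in section 3.4.

```python
# Added illustration, not OC3MON code; names and numbers are constructed.
class ResetOnReadCounter:
    """Every query returns the packets seen since the last query, then zeroes."""
    def __init__(self):
        self.count = 0
    def record(self, packets):
        self.count += packets
    def query(self):
        value, self.count = self.count, 0
        return value

class CumulativeCounter:
    """Counter only grows; each client keeps its last reading and takes deltas."""
    def __init__(self):
        self.count = 0
    def record(self, packets):
        self.count += packets
    def query(self):
        return self.count

def run(counter_cls, traffic, stray_ticks, poll_every=5):
    """Feed `traffic` (packets per tick) into a counter. The scheduled poller
    queries every `poll_every` ticks; a second client queries at the ticks in
    `stray_ticks`. Returns the per-interval counts the scheduled poller sees."""
    counter = counter_cls()
    cumulative = counter_cls is CumulativeCounter
    last_seen, intervals = 0, []
    for tick, packets in enumerate(traffic, start=1):
        counter.record(packets)
        if tick in stray_ticks:
            counter.query()  # unauthenticated query from some other client
        if tick % poll_every == 0:
            reading = counter.query()
            intervals.append(reading - last_seen if cumulative else reading)
            last_seen = reading
    return intervals

TRAFFIC = [100] * 10  # constructed sample: 100 packets per tick, 10 ticks

def demo():
    return {
        "reset_clean": run(ResetOnReadCounter, TRAFFIC, set()),
        "reset_stray": run(ResetOnReadCounter, TRAFFIC, {3, 8}),
        "cumulative_stray": run(CumulativeCounter, TRAFFIC, {3, 8}),
    }

if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name:17s} {seen}  (true per-interval count: 500)")
```

With reset-on-read, a single extra query per interval silently removes packets from the scheduled measurement; with a cumulative counter the same extra queries change nothing, although the data is still readable by anyone with IP access.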
Figure 3.15: How data is retrieved from OC3MON
root
8/4/1997