

For data analysis, the OC3MON can be used in two different modes:

- Two raw capture modes, in which all packet headers are captured to memory and then dumped to disk.
  - The first of these modes captures the complete first ATM cell in each packet, which includes the TCP/IP headers.
  - The second captures only the ATM headers, but for all cells of each packet rather than just the first. This mode might be useful for simulating QoS algorithms of ATM switches.

  Raw capturing is useful for getting a detailed view of traffic over a relatively brief interval, which allows extensive further analysis of the captured data. However, because the blocking disk I/O routines supplied by DOS are currently used, it is not possible to write to disk while data is being captured. In fact, the I/O is not even fast enough to sustain disk transfer of a packet trace without the flow analysis process running. Therefore one can only collect a trace as big as the host memory, which in our case would be 114MB (119.5 million bytes), and must then stop OC3MON header collection to let OC3MON transfer the memory buffer to disk. In the future we hope to develop separate I/O routines that use the hardware directly, bypassing the slower DOS routines and allowing us to keep up with OC3 line rate.

- An IP flow capture mode, in which the OC3MON maintains flow statistics that do not require the storage of each header.

  Because the amount of data captured in a packet-level trace and the time needed for our disk I/O inhibit continuous operational header capture, this mode of operation is the default mode. Once again this shows the advantages that the concept of flows offers for traffic analysis. Concurrently with the interrupt-driven header capture, software runs on the host CPU to analyze the packet headers and to establish flows. The flows are analyzed and stored at regular intervals for remote querying. For querying, a Perl script on a web server is executed at regular intervals and the data is captured to a file. The queries themselves are done with simple telnet-type connections to port 22 of the OC3MON PC. Using port 22 has the advantage that this port is very often not blocked by firewalls.

The way queries are implemented in the flow capture mode is the main disadvantage of the OC3MON software. Using telnet is very simple to implement, but the data is transferred in a non-standardized ASCII format. Every change to the OC3MON software therefore requires a change in the applications that use OC3MON as well. This makes it very difficult for application developers to integrate OC3MON into their own environment.

Additionally, because telnet is used, the OC3MON querying architecture has no security at all. Everyone with IP access to the machine can query it with a simple telnet command. What is even worse, those queries reset the counters on OC3MON, so the automated measurements will display wrong data afterwards. These security problems can currently only be solved by putting the OC3MON Ethernet interface inside a secure network. For those reasons, the querying protocol is a severe limitation for practical use of the software. However, we will see later (in section 3.4) that there is already a promising solution for this.
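
The counter-reset problem described above, as an added toy simulation that is not OC3MON code and not part of the original text. `ResetOnReadMonitor`, `CumulativeMonitor` and `poller_view` are hypothetical names, the traffic is constructed, and the cumulative-counter variant is one possible design, not the solution the text refers to in section 3.4.

```python
"""Toy model of the counter-reset problem; not OC3MON code.
All class and function names are hypothetical."""


class ResetOnReadMonitor:
    """Each query returns the count since the previous query, then zeroes it."""
    cumulative = False

    def __init__(self):
        self.packets = 0

    def observe(self, n):
        self.packets += n

    def query(self):
        value, self.packets = self.packets, 0
        return value


class CumulativeMonitor(ResetOnReadMonitor):
    """Counter only grows; a query has no side effect on the monitor."""
    cumulative = True

    def query(self):
        return self.packets


def poller_view(monitor_cls, traffic, stray_query_tick=None, period=5):
    """Return the per-interval packet counts the scheduled poller records.

    traffic: packets seen per tick. The poller queries every `period` ticks;
    an unrelated client issues one query after `stray_query_tick`.
    """
    mon, baseline, recorded = monitor_cls(), 0, []
    for tick, n in enumerate(traffic, start=1):
        mon.observe(n)
        if tick == stray_query_tick:
            mon.query()  # result discarded; only the side effect matters
        if tick % period == 0:
            reading = mon.query()
            if mon.cumulative:
                # Client-side delta against the poller's own last reading
                reading, baseline = reading - baseline, reading
            recorded.append(reading)
    return recorded


TRAFFIC = [100] * 10  # constructed sample: 100 packets per tick, 10 ticks
```

The cumulative variant removes only the reset side effect of a stray query; it does nothing about the missing access control.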

Figure 3.15: How Data is retrieved from OC3MON
