Choosing a Method of Traffic Monitoring¶
This chapter describes the traffic monitoring technologies supported by Wansight Sensor. There are four Wansight Sensor “flavors”, each having a different way of obtaining traffic information:
► Packet Sensor analyzes packets. It can be used on appliances that are either deployed in-line (servers, firewalls, routers, bridges, IDSes, load-balancers) or connected to a mirrored port or TAP.
In switched networks, only the packets for a specific device reach the device’s network card. If the server running a Packet Sensor is not deployed in-line, in the main data path, then a network TAP or a switch or router that offers a “monitoring port” or “mirroring port” must be used. In this case, the network device sends copies of data packets traveling through selected ports or VLANs to the monitoring port. Packet Sensor inspects every packet it receives and conducts packet-based traffic analysis.
► Flow Sensor analyzes flows. It is used for monitoring NetFlow® (jFlow, NetStream, cflowd), sFlow® and IPFIX flow packets.
Many routers and switches can collect IP traffic statistics and periodically send them as flow records to a Flow Sensor. Because the flow protocol already performs pre-aggregation of traffic data, the flow data sent to Flow Sensor is much smaller than the monitored traffic, and this makes Flow Sensor a good option for monitoring remote or high-traffic networks. The main downside of flow-based traffic analysis is that pre-aggregating traffic data adds a delay of at least 30 seconds to collecting real-time traffic statistics
► SNMP Sensor monitors the bandwidth usage of routers and switches on a port-by-port basis.
When this technology is used, an SNMP Sensor queries the device (e.g. router, switch, server) for the traffic counters of each port with small data packets. These are triggering reply packets from the device. Compared to other bandwidth monitoring technologies, the SNMP option is very basic and offers no IP-specific information. SNMP creates the least CPU and network load
► Sensor Cluster aggregates pre-existing Sensor traffic data into a single, unified, IP graphing domain.
Sensor Cluster sums up the traffic data collected by Packet Sensors, Flow Sensor and SNMP Sensor interfaces and performs the same tasks as the other Sensors (IP graphing, IP accounting etc.)
For redundancy, high availability and to be able to view packet dumps and flow data, you can deploy Flow Sensor(s) and Packet Sensor(s) simultaneously.
Comparison between Packet Sniffing, Flow Monitoring, and SNMP Polling¶
Packet Sensor is recommended when the speed of detecting attacks is critical, or when there is a need for capturing raw packets for forensics and troubleshooting. Because every packet entering the network is inspected, Packet Sensor needs to run on servers with powerful CPUs.
Flow Sensor analyzes pre-aggregated traffic information sent by routers and switches, so it can monitor traffic passing through multiple 10/40/100 GbE interfaces even when it runs on a low-end server. By comparison, Flow Sensor has some disadvantages:
✘ It exhibits reduced speed in processing real-time traffic information. Flow exporters aggregate traffic data over time, making the traffic visible only after a delay (flow aging) that usually exceeds 30 seconds✘ It provides slightly less accurate traffic readings because in most cases the packets or flows are sampled✘ Enabling the flow exporter functionality may result in an increased CPU load on the network device when the flow collection is not performed in hardware✘ Flows can be dropped if a powerful spoofed DDoS attack fills the TCAM of the network device
SNMP Sensor is useful to monitor devices that cannot export flows or mirror packets, or to compare flow and SNMP-derived statistics in order to ensure the flow data’s accuracy.
Packet Sensor |
Flow Sensor |
SNMP Sensor |
|
---|---|---|---|
Traffic Monitoring Technology |
|
|
|
Maximum Traffic Capacity per Sensor * |
100 GigE |
multiples of 100 Gbps |
multiples of 100 Gbps |
DDoS Detection Time ** |
≤ 1 seconds |
≥ flow aging time (≥ 30 seconds usually) + 5 seconds |
≥5 seconds |
IP Graph Granularity |
≥ 5 seconds |
≥ 20 seconds |
N/A (SNMP offers no details about IPs) |
Traffic Validation Options |
IP classes, MAC addresses, VLANs, BPF |
IP classes, Interfaces, AS Numbers, Ingress/Egress |
Interfaces |
Packet Dumps |
Yes |
No |
No |
Flow Collector |
No |
Yes |
No |