Netflow Stats for 09/14/2005

Netflow Stats for 09/14/2005
Connie Logg
Thu Sep 15 00:37:00 PDT 2005

STATS: total records = 7975381; missed records = 2187; percent missed = 0.03;
Any link terminated with an '*', is only visible within SLAC.

PROTOCOLS

APPLICATION BUCKETS

SLAC PROGRAMS

Protocol	Total Recs	Total Flows	Total Pkts	Total Bytes
ALL	7.98 M	10.11 M	4.22 G	4.26 T
TCP	4.89 M 61.32 %	5.98 M 59.14 %	4.14 G 98.28 %	4.22 T 99.10 %
GRE	17.02 K 0.21 %	44.10 K 0.44 %	40.18 M 0.95 %	19.11 G 0.45 %
UDP	2.75 M 34.44 %	3.47 M 34.34 %	28.35 M 0.67 %	18.54 G 0.43 %
ICMP	321.30 K 4.03 %	0.61 M 6.08 %	3.80 M 0.09 %	820.86 M 0.02 %

Bucket	Records	Flows	Packets	Bytes
BULK*	392.64 K 4.92 %	541.72 K 5.36 %	2.16 G 51.23 %	2.26 T 53.08 %
DATABASE*	785.00 0.01 %	981.00 0.01 %	189.52 K 0.00 %	123.18 M 0.00 %
GRID*	974.00 0.01 %	1.01 K 0.01 %	29.36 K 0.00 %	17.55 M 0.00 %
INTERACTIVE*	1.28 K 0.02 %	2.10 K 0.02 %	19.43 K 0.00 %	2.60 M 0.00 %
MAIL*	579.33 K 7.26 %	956.97 K 9.46 %	20.20 M 0.48 %	8.09 G 0.19 %
OTHER*	1.24 M 15.51 %	2.09 M 20.69 %	1.17 G 27.81 %	1.16 T 27.16 %
SERVICES*	2.41 M 30.21 %	3.24 M 32.07 %	764.52 M 18.13 %	763.28 G 17.90 %
WWW*	3.67 M 46.06 %	3.89 M 38.43 %	102.86 M 2.44 %	71.83 G 1.69 %

Program	Records	Flows	Packets	Bytes
HEP	7.22 M 90.57 %	9.25 M 91.48 %	4.09 G 96.87 %	4.14 T 97.14 %
OTHER	82.60 K 1.04 %	109.36 K 1.08 %	1.03 M 0.02 %	781.75 M 0.02 %
SSRL	669.84 K 8.40 %	752.58 K 7.44 %	131.14 M 3.11 %	121.22 G 2.84 %

Note: The data links are to the data files used by Gnuplot to plot the data. This data can be copied and pasted into the Excel application, and by exercising Excel's'Data'=>'Text to columns', the blank separated data can be formatted for further manipulation by Excel.

Graphs show one point per day. TCP ~= ALL so TCP data overplots the ALL.

Protocol Raw Data Historical

.

The 'Buckets' have been defined by the 'Micsmon' Committee, and are detailed below.

Bucket Raw Data Historical

.

SLAC WAN traffic can be broken down into 2 identifiable areas. There is the High Energy Physics (HEP) program and the Stanford Synchrotron Radiation Laboratory (SSRL).

Program Raw Data Historical

Top Level Domains

This graph shows the history of traffic volume for some of our collaborators aroung the world. The collaborators plotted are listed in the file /afs/slac/package/netmon/netflow/src/topdom-hist.cfg. The blank separated data is available here

In the following two graphs, in and out traffic are lumped together to calculate the total traffic between SLAC and the internet.

Characterizing the Traffic and Flows

Flow sizes: Characterizing the size of the flows - Flow size and packet count distributions (analyzed data)
Time series of in/out TCP/UDP byte and packet flows for today

Bucket Specifications

Note: The netflow records are examined and classified by the following table. No attempt is made to disguish 'spoofed' or phony port accesses from the genuine ones.

Bucket Type Members

BULK TCP Applications:
ftp (20,21), ssh (22), bbftp (5020-5022), bbcp (5031), nfs (2049),
UDP Applications:
afs (0,7000,7001,7002,7003,7004,7005,7006,7007,7008,7009), nfs (2049),
Specified Nodes:
afs-nodes,datamove-nodes

DATABASE TCP Applications:
postgres (5432), sqlnet (1521), oracle (1525,1527,1529), ingres (1524), objectivity (6780,6779,1992,1993,1994,1995,1996,1997,1998,3333),
Specified Nodes:
objectivity-nodes

GRID TCP Applications:
grid-gatekeeper (2119), grid-gsiftp (2811), grid-ldaps (636), grid-mds-giis (2135), grid-gsiftpdata (6100-6299),

INTERACTIVE TCP Applications:
klogin (543), kshell (544), rlogin (513), shell (514), telnet (23),

MAIL TCP Applications:
imap4 (143), imaps (993), pop2 (109), pop3 (110), smtp (25),
Specified Nodes:
mail-nodes

OTHER TCP Applications:
other (),
UDP Applications:
other (),

SERVICES TCP Applications:
X11 (6000-6006), bgp (179), discard (9), dns (53), echo (7), exec (512), finger (79), ident (113), portmap (111), netbios (137,138,139), ntp (123), printer (515), tftp (69), time (37), ldap (389), wins (42), iperf (5000-5012),
UDP Applications:
dns (53), portmap (111),
Specified Nodes:
netmon-nodes,visitor

WWW TCP Applications:
irc (6666,6667), www (80,443,119,591,8080,8088),

SLACONLY Analysis

A note on how this is created:

'/afs/slac/package/netmon/netflow/src/run-analysis' on yesterday's data.
When 'run-analysis' finishes, run /afs/slac/package/netmon/netflow/src/plot-analysis.
When 'plot-analysis' is done, run /afs/slac/package/netmon/netflow/src/fix-up-html.

Please provide feedback to designing author: Connie Logg,

Bucket Type	Members
BULK	TCP Applications: ftp (20,21), ssh (22), bbftp (5020-5022), bbcp (5031), nfs (2049), UDP Applications: afs (0,7000,7001,7002,7003,7004,7005,7006,7007,7008,7009), nfs (2049), Specified Nodes: afs-nodes,datamove-nodes
DATABASE	TCP Applications: postgres (5432), sqlnet (1521), oracle (1525,1527,1529), ingres (1524), objectivity (6780,6779,1992,1993,1994,1995,1996,1997,1998,3333), Specified Nodes: objectivity-nodes
GRID	TCP Applications: grid-gatekeeper (2119), grid-gsiftp (2811), grid-ldaps (636), grid-mds-giis (2135), grid-gsiftpdata (6100-6299),
INTERACTIVE	TCP Applications: klogin (543), kshell (544), rlogin (513), shell (514), telnet (23),
MAIL	TCP Applications: imap4 (143), imaps (993), pop2 (109), pop3 (110), smtp (25), Specified Nodes: mail-nodes
OTHER	TCP Applications: other (), UDP Applications: other (),
SERVICES	TCP Applications: X11 (6000-6006), bgp (179), discard (9), dns (53), echo (7), exec (512), finger (79), ident (113), portmap (111), netbios (137,138,139), ntp (123), printer (515), tftp (69), time (37), ldap (389), wins (42), iperf (5000-5012), UDP Applications: dns (53), portmap (111), Specified Nodes: netmon-nodes,visitor
WWW	TCP Applications: irc (6666,6667), www (80,443,119,591,8080,8088),