How to test netmon sniffer performance

From Netmon


To evaluate Netmon sniffer performance the following will be required:

  1. a computer running Netmon. (The "netmon" device) It must allow remote SQL queries as described here. Only the Netmon configuration steps are required.
  2. a second (Linux) computer to perform the network traffic replay. (The "replay" device)
  3. an isolated network segment using a hub or managed switch (with port spanning on the port the Netmon device is attached to) for connectivity.
  4. tcpreplay, the utility used to replay the traffic sample.
  5. A traffic sample from the network to be tested, of known size. To simplify calculations, an even number of packets is recommended. Prior to starting the test process, analyze the sample using Wireshark or a similar tool and determine the amount of non-IP traffic in the capture. Record this value as you will need it later. (the "sample")
  6. A traffic sample consisting of easily identified traffic to use as padding. (the "padding")
  7. A set of dummy data to insert into the Netmon database.

Follow these steps to perform the testing:

1. Assign the IP address '192.168.0.1' to the Netmon device, and '192.168.0.2' to the replay device.

2. Install tcpreplay on the replay device.

3. Copy the following script and save it as "netmon_test.sh":

#!/bin/bash
# netmon_test.sh - replay the sample plus padding against Netmon five times
# and report the octets Netmon aggregated for each run.

iface=$1   # interface to replay on
speed=$2   # desired replay speed in Mbit/s
cap=$3     # sample capture file
pad=$4     # padding capture file
reps=$5    # repetitions of the padding capture
host=$6    # Netmon host (psql and ssh target)
ts=$7      # only count agg_netflow rows with timestamp > $ts

for ((i=1; i<6; i++)); do
    echo "Begin run $i"
    # clear the previous run's flows so every run starts from the same state
    echo "delete from agg_netflow where timestamp > $ts; delete from netflow;" | psql -h "$host" -U postgres netmon35

    tcpreplay --intf1="$iface" --mbps="$speed" "$cap"
    tcpreplay --intf1="$iface" --mbps="$speed" -l "$reps" "$pad"

    # run the aggregator on the Netmon device over SSH (key-based auth, see step 3)
    ssh root@"$host" /apache/cli/aggregator.py

    # drop the padding traffic (port 1 between the two test hosts) before counting
    echo "delete from agg_netflow where (src_ip in ('192.168.0.1','192.168.0.2') OR dst_ip in ('192.168.0.1','192.168.0.2')) AND lowest_port=1;" | psql -h "$host" -U postgres netmon35

    echo "select sum(octets) from agg_netflow where timestamp > $ts;" | psql -h "$host" -U postgres netmon35
done

3. Establish key-based SSH authentication between the replay device and the Netmon device: generate a key pair on the replay device, copy the public key to the root account on the Netmon device (the script runs the aggregator as root@host), and enable key-based authentication on the Netmon device.

4. Use netcat to create the 'padding' traffic capture.

On the replay device:

yes AAAAAAAAAAAAAAA | nc -v -v -l -p 1 > /dev/null

On the Netmon device (192.168.0.2 is the replay device's address from step 1):

yes BBBBBBBBBBBBBBB | nc 192.168.0.2 1 > /dev/null

5. Capture a decent amount of traffic (a minute or two will suffice) using tcpdump on the replay device:

tcpdump -w padding.cap -i eth0 tcp port 1

6. You can now begin running samples against an empty database. On the replay device, place all required files in the same folder (in our examples we will use /root/testing/). Set permissions on the shell script to be executable for your test user account (chmod u+x).

Execute the script as follows, replacing <reps> with the number of padding repetitions you chose (argument #5):

/root/testing/netmon_test.sh eth0 10 /root/testing/sample.cap /root/testing/padding.cap <reps> 192.168.0.1 0 > 10_mbit_results.txt

Script arguments defined:

Argument #1 is the interface to send the sample over

Argument #2 is network speed desired

Argument #3 is the location of the sample capture file

Argument #4 is the location of the padding capture file

Argument #5 is the number of repetitions of the padding capture file to perform. Consider how long the padding capture takes to replay and repeat it enough times that there is at least 20 minutes of padding after the sample capture has finished.

Argument #6 is the netmon host IP - this is needed for remote psql queries

Argument #7 is the starting timestamp to consider data from. This is useful when the database has been filled with data.

The redirection argument > follows the script arguments and points to the output file, which will be filled with the results of your run (one sum(octets) value per run). Record the results. The formula for determining packet loss is as follows:

(octets reported by Netmon) / ((total bytes in sample) - 14 × (packets in sample) - (non-IP bytes in sample)) = (fraction of traffic captured)

(% of traffic lost) = (1 - fraction of traffic captured) × 100

Recall that the amount of non-IP traffic in the sample is a value you must find through analysis with Wireshark. It is subtracted because Netmon's sniffer discards traffic that is not IP based. The 14 bytes per packet value is the Ethernet frame header, which Netmon also discards, so the denominator is the IP payload a lossless sniffer would have counted. For more detail on network overhead see this document.
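The loss calculation above needs three numbers from the sample: packet count, total bytes, and non-IP bytes. The following Python is added here as an example and is not part of the Netmon project; it reads those numbers straight from a libpcap file instead of via Wireshark and applies the formula. The pcap it analyses is constructed inline, and treating only EtherType 0x0800 as "IP" and assuming untagged Ethernet frames are assumptions, not something the page states.

```python
import struct

ETH_HEADER = 14           # Ethernet header bytes Netmon discards (per the page)
IP_ETHERTYPES = {0x0800}  # IPv4 only; an assumption, the page just says "IP based"

def pcap_stats(data, ip_ethertypes=IP_ETHERTYPES):
    """Return (packets, total_bytes, non_ip_bytes) for a libpcap file.
    non_ip_bytes excludes the 14-byte header, so total - 14*packets - non_ip
    is the page's denominator. Assumes untagged Ethernet (link type 1)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off, packets, total, non_ip = 24, 0, 0, 0
    while off + 16 <= len(data):
        incl_len, orig_len = struct.unpack(endian + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        packets += 1
        total += orig_len          # on-the-wire length, not the captured length
        if struct.unpack("!H", frame[12:14])[0] not in ip_ethertypes:
            non_ip += orig_len - ETH_HEADER
    return packets, total, non_ip

def expected_octets(packets, total_bytes, non_ip_bytes):
    """Octets Netmon should report if nothing is lost (the page's denominator)."""
    return total_bytes - ETH_HEADER * packets - non_ip_bytes

def percent_lost(reported_octets, expected):
    """Loss as a percentage of the expected octets."""
    return 100.0 * (expected - reported_octets) / expected

def build_pcap(frames):
    """Constructed little-endian pcap file (snaplen 65535, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + n, 0, len(f), len(f)) + f
    return out

def make_frame(ethertype, wire_len):
    """Constructed Ethernet frame: dummy MACs, given EtherType, zero payload."""
    return b"\x00" * 12 + struct.pack("!H", ethertype) + b"\x00" * (wire_len - ETH_HEADER)

# Constructed sample: three IPv4 frames (100, 200, 300 bytes) and one 60-byte ARP frame.
SAMPLE = build_pcap([make_frame(0x0800, 100), make_frame(0x0800, 200),
                     make_frame(0x0806, 60), make_frame(0x0800, 300)])
```

For the constructed sample, pcap_stats(SAMPLE) gives 4 packets, 660 bytes and 46 non-IP bytes, so a lossless run should report 558 octets; replace SAMPLE with open("sample.cap", "rb").read() for a real capture.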

7. To pad out the database with dummy data, copy and save the following script with the name "insert_random.py":

#!/usr/bin/python
# insert_random.py - fill agg_netflow with synthetic rows so sniffer runs can
# be tested against a populated database. Python 2, as shipped with Netmon.

import getopt, sys, random

try:
        from madnet_db import *
except Exception, e:
        print e
        sys.exit(1)

def main():

        # start, end IP sets
        src_ip = ['192.168.0.1','192.168.0.2']
        dst_ip = src_ip

        # ports
        ports = [80,22,21,53,8080]

        # bits per second
        #     1000000     = 1 Mbit
        bps = 10000000    # 10 Mbit
        bytes = bps / 8   # bytes per second to simulate

        # start, end timestamp
        s_ts = 1193875200
        e_ts = 1201824000

        # entries per second
        eps = 10

        # perform INSERTs? (0 = print COPY-format rows to stdout instead)
        insert = 0

        # make db connection
        if insert == 1:
                try:
                        db = madnet_db("dbname=netmon35 host=127.0.0.1")
                        db.set_autocommit(0)
                except Exception, e:
                        print "ERROR: %s" %e
                        sys.exit(1)

        # octets per entry: the per-second byte budget split across eps entries
        b = int(bytes / eps)

        # generate one second of rows at a time
        q=''
        for i in xrange (s_ts, e_ts+1):
                if insert == 0 and q != '':
                        print q
                        q=''
                for j in range (0, eps):
                        if j > 0 and insert == 0:
                                q+="\n"
                        s = random.sample(src_ip,1)[0]
                        d = random.sample(dst_ip,1)[0]
                        p = random.sample(ports,1)[0]
                        if insert == 1:
                                query = "INSERT INTO agg_netflow (src_ip,dst_ip,lowest_port,octets,timestamp) VALUES ('%s','%s','%s','%s','%s')" % (s,d,p,b,i)
                                try:
                                        db.insert(query)
                                except Exception, e:
                                        print e
                                        sys.exit(1)
                        else:
                                # tab-separated COPY text format; \N is NULL for the three unused columns
                                q+="%s\t%s\t%s\t%s\t%s\t\\N\t\\N\t\\N" % (s,d,p,b,i)
        # flush the final second's rows, which the loop above never prints
        if insert == 0 and q != '':
                print q

if __name__ == "__main__":
        main()

To configure the script, modify the variables immediately below the line "def main():". These lines are reproduced and annotated here:

A set of IP addresses to use for source and destination values

        # start, end IP sets
        src_ip = ['192.168.0.1','192.168.0.2']
        dst_ip = src_ip

A set of ports to use for lowest_port values

        # ports
        ports = [80,22,21,53,8080]

The network throughput you'd like to simulate with this data set

        # bits per second
        #     1000000     = 1 Mbit
        bps = 10000000    # 10 Mbit
        bytes = bps / 8

The starting and ending UNIX timestamp for this data set

        # start, end timestamp
        s_ts = 1193875200
        e_ts = 1201824000

How many entries per timestamp unit should be inserted into the database

        # entries per second
        eps = 10

If this is set to 1 the database inserts will be done by the script - VERY SLOW. If it is 0, the rows are printed to standard output as tab-separated lines (PostgreSQL COPY text format, with \N for NULL) instead.

        # perform INSERTs?
        insert = 0

The value recorded for e_ts is critical: it must be passed as argument #7 (the starting timestamp) to netmon_test.sh in later runs so that this dummy data is filtered out of the results.

8. Repeat steps 6 and 7 for the varying combinations of database size and replay speed that you desire.
