Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SF-TAP: L7レベルネットワークトラフィック解析器

ytakano
March 16, 2015
Programming
0
170

SF-TAP: L7レベルネットワークトラフィック解析器

スケーラブルで柔軟性の高いL7レベルのネットワークトラフィック解析器の説明

ytakano

March 16, 2015
Tweet

More Decks by ytakano

See All by ytakano
論理構造入門
ytakano
0
180
アクターモデル
ytakano
0
400
π計算
ytakano
0
55
FARIS: Fast and Memory-efficient URL Filter by Domain Specific Machine
ytakano
0
140
リアクティブプログラミング
ytakano
0
530
MindYourPrivacy: Design and Implementation of a Visualization System for Third-Party Web Tracking - IEEE PST 2014
ytakano
0
380
SF-TAP: Scalable and Flexible Traffic Analysis Platform running on Commodity Hardware
ytakano
0
600
SF-TAP Tutorial Flow Abstractor ver.
ytakano
0
610
Survey of Transactional Memory
ytakano
0
600

Other Decks in Programming

See All in Programming
ドメイン・ファーストで考える問題解決に役立つモデル設計 / Domain First Model Design
suzushin54
2
2k
Folding Cheat Sheet #1
philipschwarz
PRO
0
200
9年開発を牽引して見えてきた、共通化すべきものと個別でつくるもの ~プログラム言語~
shinout
1
630
Java 22 Overview
kishida
1
100
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
14k
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
260
15分間でふんわり理解するDocker @ Matsuriba MAX
ukwhatn
PRO
1
410
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
330
코틀린으로 멀티플랫폼 만들기
pangmoo
0
110
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
110
エンターテイメント業界で利用されるAWS
demuyan
0
190
せっかくモデル図描くのなら、 嬉しいことが多い方がいいよね!
kuboaki
1
3k

Featured

See All Featured
Teambox: Starting and Learning
jrom
127
8.4k
Ruby is Unlike a Banana
tanoku
95
10k
The Mythical Team-Month
searls
214
42k
Designing for Performance
lara
601
67k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
28
46k
The Cost Of JavaScript in 2023
addyosmani
13
3.8k
We Have a Design System, Now What?
morganepeng
42
6.7k
How GitHub (no longer) Works
holman
302
140k
Into the Great Unknown - MozCon
thekraken
10
980
4 Signs Your Business is Dying
shpigford
175
21k
Done Done
chrislema
178
15k

Transcript

  1. 4'5"14DBMBCMFBOE'MFYJCMF5SB⒏D "OBMZTJT1MBUGPSN -ϨϕϧωοτϫʔΫτϥϑΟοΫղੳث ৘ใ௨৴ݚڀػߏɹߴ໺༞ًɼ҆ాਅޛɼࡾӜྑհ ๺཮ઌ୺Պֶٕज़େֶӃେֶɹҪ্๎࠸ɼ໌ੴ๜෉ 

  2. ͓͠ͳ͕͖ w ຊݚڀͷ໨త w طଘݚڀͱຊݚڀͷҐஔ͚ͮ w 4'5"1ͷಈ࡞ਤٴͼߏ੒ཁૉ w Ԡ༻ྫ w

    ઃܭɾ࣮૷ w σϞ w ύϑΥʔϚϯεܭଌ 

  3. ໨తʢ̍ʣ ߴ଎ͳ-τϥϑΟοΫͷղੳ IJHIQQT IJHICQT 

  4. ໨తʢ̎ʣ εέʔϥϒϧͳτϥϑΟοΫղੳث ໨తʢ̎ʣ εέʔϥϒϧͳτϥϑΟοΫղੳث ߴෛՙͳ-τϥϑΟοΫղੳ ୆਺ޮՌͰղফ 

  5. ໨తʢ̏ʣ ղੳثͷϓϩάϥϚϒϧͳ࡞੒ ໨తʹԠͨ͡ݴޠͰղੳثͷ࣮૷ΛՄೳʹ ͪΐͬͱͨ͠ݕূͳΒ1ZUIPO 3VCZ ػցֶशͳΒ+BWBɼ$ ߴ଎ੑΛٻΊΔͳΒ$ 

  6. ໨తʢ̐ʣ ίϞσΟςΟϕʔε ϕϯμʔϩοΫΠϯ͔Βͷ։์ ΞϓϥΠΞϯε͸ػೳ௥Ճ͕ࠔ೉ ݚڀɾ։ൃϑΣʔζʹ͸ෆ޲͖ 

  7. طଘݚڀͱຊݚڀͷҐஔ͚ͮ ("411<64&/*9"5$> 4$"1<*.$> MJCOJET TOPSU OFUNBQ 1'@3*/( %1%, CQG QDBQ

    ϑϩʔϨϕϧղੳ -ϓϩτίϧ൑ผ τϥϑΟοΫΩϟϓνϟ O%1* MpMUFS MJCQSPUPJEFOU 4'5"1 εέʔϥϏϦςΟˍϞδϡϥϦςΟ 

  8. 4'5"1ͷಈ࡞ਤ $16 $16 $16 $16 'MPX"CTUSBDUPS $16 $16 $16 $16

    'MPX"CTUSBDUPS $16 $16 $16 $16 'MPX"CTUSBDUPS $16 $16 $16 $16 'MPX"CTUSBDUPS $FMM*ODVCBUPS 5IF*OUFSOFU 4'5"1$FMM 4'5"1$FMM 4'5"1$FMM 4'5"1$FMM *OUSB/FUXPSL $PSF4DBMJOH $PSF4DBMJOH $PSF4DBMJOH $PSF4DBMJOH )PSJ[POUBM4DBMJOH "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS (C& (C& 

  9. 4'5"1ͷߏ੒ཁૉ 'MPX"CTUSBDUPS $FMM*ODVCBUPS -ϓϩτίϧ൑ผ *1ϑϥάϝϯτˍ5$1ετϦʔϜ࠶ߏ੒ ϑϩʔந৅ԽʹΑΔඇݴޠґଘͷ*'ఏڙ ϑϩʔ୯ҐͰͷߴ଎ϩʔυόϥϯε *1ϑϥάϝϯτϋϯυϦϯά 

  10. Ԡ༻ྫʢ̍ʣ $FMM*ODVCBUPSͷར༻ $FMM*ODVCBUPS 4OPSU 4OPSU 4OPSU 4OPSU (CQT ෳ਺ϚγϯͰͷ*%4ӡ༻ 

  11. Ԡ༻ྫʢ̎ʣ 'MPX"CTUSBDUPSͷར༻ 'MPX"CTUSBDUPS )551"OBMZ[FS &MBTUJD4FBSDI ,JCBOB &MBTUJD4FBSDI ,JCBOB ʹΑΔ)551τϥϑΟοΫͷ ϦΞϧλΠϜՄࢹԽ

    

  12. 4'5"1ͷΞʔΩςΫνϟ /8*' )551*' 5-4*' 'MPX"CTUSBDUPS 'MPX $MBTTJpFS 5-4"OBMZ[FS )551"OBMZ[FS )5511SPYZ

    5$1BOE6%1 )BOEMFS pMUFSBOE DMBTTJpFS SVMF --PPQCBDL*' %# 'PSFOTJD *%4*14 FUD "QQMJDBUJPO 1SPUPDPM"OBMZ[FS FUD 5$1%FGBVMU*' 6%1%FGBVMU*' "OBMZ[FS1MBOF "CTUSBDUPS1MBOF $BQUVSFS 1MBOF 4'5"1$FMM *ODVCBUPS 'MPX *EFOUJpFS 'MPX 4FQBSBUPS 4FQBSBUPS 1MBOF TFQBSBUFEUSB⒏D 4'5"1$FMM --4OJ⒎FS 44- 1SPYZ FUD PUIFS4'5"1DFMMT *11BDLFU %FGSBHNFOUFS -#SJEHF NJSSPSJOH USB⒏D 1BDLFU'PSXBSEFS *1'SBHNFOU )BOEMFS ͭͷ1MBOFΛఆٛ "OBMZ[FS1MBOF -ղੳث 'PSFOTJD *%4*14 FUDʜ "CTUSBDUPS1MBOF ϑϩʔͷந৅Խ 4FQBSBUPS1MBOF ϑϩʔ෼ׂ $BQUVSFS1MBOF τϥϑΟοΫΩϟϓνϟ 

  13. $FMM*ODVCBUPSͷઃܭ 4'5"1$FMM *ODVCBUPS 'MPX 4FQBSBUPS TFQBSBUFEUSB⒏D PUIFS4'5"1DFMMT -#SJEHF 1BDLFU'PSXBSEFS *1'SBHNFOU

    )BOEMFS 1BDLFU'PSXBSEFS -ϒϦοδػೳ -ϑϨʔϜΩϟϓνϟػೳ *1'SBHNFOU)BOEMFS ϑϥάϝϯτԽύέοτͱ ϑϩʔͷରԠ 'MPX4FQBSBUPS ෳ਺*'΁ϑϩʔ෼ׂ 

  14. 'MPX"CTUSBDUPSͷ ઃܭʢ̍ʣ  /8*' )551*' 5-4*' 'MPX"CTUSBDUPS 'MPX $MBTTJpFS 5$1BOE6%1

    )BOEMFS pMUFSBOE DMBTTJpFS SVMF --PPQCBDL*' 5$1%FGBVMU*' 6%1%FGBVMU*' 'MPX *EFOUJpFS *11BDLFU %FGSBHNFOUFS 5$1BOE6%1)BOEMFS 'MPX*EFOUJpFS *11BDLFU%FGSBHNFOUFS 5$1ϑϩʔ࠶ߏ੒ ϑϩʔࣝผ 6%1͸ͦͷ·· *1ϑϥάϝϯτ࠶ߏ੒

  15. 'MPX"CTUSBDUPSͷ ઃܭʢ̎ʣ  /8*' )551*' 5-4*' 'MPX"CTUSBDUPS 'MPX $MBTTJpFS 5$1BOE6%1

    )BOEMFS pMUFSBOE DMBTTJpFS SVMF --PPQCBDL*' 5$1%FGBVMU*' 6%1%FGBVMU*' 'MPX *EFOUJpFS *11BDLFU %FGSBHNFOUFS 'MPX$MBTTJpFS -ϓϩτίϧࣝผ ϑϩʔந৅*'΁τϥϑΟοΫΛग़ྗ

  16. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̍ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200

  17. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̎ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200 ਖ਼نදݱʹΑΔϓϩτίϧ൑ผ

  18. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̏ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200 -ϓϩτίϧࢦఆ

  19. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̐ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200 ग़ྗΠϯλʔϑΣʔε໊ࢦఆ

  20. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̑ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200 ϙʔτ൪߸ࢦఆ

  21. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̒ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200 ϧʔϧͷ༏ઌॱҐࢦఆ

  22. 'MPX"CTUSBDUPSͷ ઃఆϑΝΠϧʢ̓ʣ  develop ana- by this plane. developed by

    s analyzers in rator and ab- f the capturer the analyzer the following ow abstractor le of an ana- stractor illus- 1 http: 2 up = ˆ[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a- zA-Z]+: .+\r?\n)+) 3 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 4 proto = TCP # TCP or UDP 5 if = http # path to UNIX domain socket 6 nice = 100 # priority 7 balance = 4 # balaced by 4 IFs 8 9 torrent_tracker: # BitTorrent Tracker 10 up = ˆGET .*(announce|scrape).*\?.*info_hash =.+&.+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+) 11 down = ˆHTTP/1\.[01] [1-9][0-9]{2} .+\r?\n 12 proto = TCP 13 if = torrent_tracker 14 nice = 90 # priority 15 16 dns_udp: 17 proto = UDP 18 if = dns 19 port = 53 20 nice = 200 ෼ࢄॲཧɾ$16ෛՙ෼ࢄ༻ઃఆ ͜ͷ৔߹ɼͭͷ*'΁ϑϩʔ୯ҐͰ ෼ׂ͞Εग़ྗ͞ΕΔ

  23. ந৅ϑϩʔ*'ͷ σΟϨΫτϦߏ଄ 20 nice = 200 Figure 3: Configuration Example

    of Flow Abstractor 1 $ ls -R /tmp/sf-tap 2 loopback7= tcp/ udp/ 3 4 /tmp/sf-tap/tcp: 5 default= http2= ssh= 6 dns= http3= ssl= 7 ftp= http_proxy= torrent_tracker= 8 http0= irc= websocket= 9 http1= smtp= 10 11 /tmp/sf-tap/udp: 12 default= dns= torrent_dht= 

  24. MPPQCBDL ΠϯλʔϑΣʔε ೖྗ༻ΠϯλʔϑΣʔε ϓϩΫγɾτϯωϧ༻ ແݶϧʔϓΛ๷͙ͨΊ IPQΧ΢ϯτΛར༻ 

  25. EFGBVMU ΠϯλʔϑΣʔε Ͳͷϧʔϧʹ΋Ϛον͠ͳ͔ͬͨ ϑϩʔ͕ग़ྗ͞ΕΔ 

  26. λϓϧϑϩʔ*% *1ΞυϨεY ϙʔτ൪߸Y ϗοϓΧ΢ϯτ 

  27. 5$1Πϕϯτͷந৅Խ $3&"5&% %"5" %&4530:&% 

  28. ࣮૷ 'MPX"CTUSBDUPS $ $POTVNFS1SPEVDFS1BUUFSO εϨουؒͷόϧΫσʔλసૹ $FMM*ODVCBUPS $ OFUNBQ $"4Λ࢖ͬͨܰྔϩοΫ 

  29. σϞ 

  30. ෳ਺ΠϯλʔϑΣεʹΑΔ $16ෛՙܭଌ (a) HTTP Analyzer x 1 (b) HTTP Analyzer

    x 2 (c) HTTP Analyzer x 4 generate 50 clients / sec, 1000 clients maximum, 2500 requests / sec on average Figure 7: CPU Load of HTTP Analyzer and Flow Abstractor 

  31. 'MPX"CTUSBDUPSͱ ඵؒίωΫγϣϯ਺  s maximum, 2500 requests / sec on

    average TP Analyzer and Flow Abstractor

  32. $FMM*ODVCBUPSͷ ύϑΥʔϚϯε  ࠷େ.QQT ʢϑϩʔʣ ৄࡉ͸ผࢿྉʹͯɾɾɾ

  33. ·ͱΊ w ൚༻-ղੳث4'5"1ΛఏҊ w εέʔϥϒϧ w ϞδϡϥϦςΟ w ίϞσΟςΟ w

    ඇݴޠґଘͷΠϯλʔϑΣʔε w ϓϩάϥϚϒϧͳωοτϫʔΫղੳ͕Մೳʹ w ߴ଎ͳωοτϫʔΫʹରͯ͠΋ద༻Մೳʹ