Next: Using the commandline interface
Up: Advanced interface
Previous: Specifying the traffic
Next, we consider other advanced options, related mainly to data aggregation.
- By default, the advanced interface will simply spew out the list of flows one at a time. This is desirable only if the expected number of flows is small, or if the flows need to be examined closely. A better way to make an assessment of the flows returned is to aggregate them with respect to various fields, as explained in the following bullets.
- At the bottom of the search form, you will find a set of predefined aggregation options.
- Display hourly variation. Using this option, you can get an hour-wise breakdown of the traffic in question. It will let you examine the nature of the traffic: whether it is uniform, bursty, or periodic. It will also let you learn whether data is available for the period you are interested in. If the data is not available, then it may mean that the Planetflow system is down, or that the node in question is down.
- Aggregate flows per xid. This is the most common option used to resolve complaints. It gives a slice-wise breakdown of the traffic, indicating which slices are responsible for the traffic in question. If the traffic spec is narrow enough, then it should pinpoint a single slice, which can then be contacted and asked to slow down or to clarify its experiment.
- Aggregate flows per destination IP. This option lets you aggregate the traffic per destination IP, indicating how much and what type of traffic was sent to every unique IP address contacted in this context. This option is useful for evaluating the scope of the experiment and determining the number of hosts contacted, their geographical distribution, etc. It is useful to couple this option with the choice of limiting the results to intra-PlanetLab or out-of-PlanetLab traffic.
- Scan detector. This option uses SiLK's built-in scan detector, which uses various machine learning techniques to evaluate whether a flow or a set of flows constitutes a network scan.
- Aggregation need not be limited to the set of pre-defined options available. It can be done based on arbitrary keys or sets of keys. In order to use this feature, select "Sort wrt specified key" and then select the aggregation keys from the check boxes under "Key". Here are some useful combinations:
- Source address/slice id. If you are investigating IP spoofing, then this combination should give some insights on who is spoofing, and how many addresses are being spoofed. It will give you a list of the unique source IP addresses used by each slice. If you negate the IP address of the Node as explained earlier in this section, then the list will exclude all known interfaces.
- Destination address/destination port. This combination is useful to uncover port scanning attempts.
- Source port or destination port. Using one of these can give a sense of the services being served on the node, and the services that are being contacted.
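To make the aggregation idea concrete, here is an added example (not part of the PlanetFlow documentation or its code) that applies the predefined and key-based aggregations above to a handful of constructed flow records. The record fields (start, xid, sip, dip, dport, bytes) and the node interface list are assumptions, not the real PlanetFlow schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (field names are assumptions, not PlanetFlow's schema).
# Slice 501 is a well-behaved web client; slice 777 uses three different source
# addresses and probes one destination on several ports.
FLOWS = [
    {"start": "2008-09-23 10:05:00", "xid": 501, "sip": "128.112.1.10", "dip": "10.0.0.5", "dport": 80, "bytes": 4000},
    {"start": "2008-09-23 10:20:00", "xid": 501, "sip": "128.112.1.10", "dip": "10.0.0.6", "dport": 80, "bytes": 3500},
    {"start": "2008-09-23 11:02:00", "xid": 777, "sip": "1.2.3.4", "dip": "10.0.0.9", "dport": 22, "bytes": 60},
    {"start": "2008-09-23 11:03:00", "xid": 777, "sip": "5.6.7.8", "dip": "10.0.0.9", "dport": 23, "bytes": 60},
    {"start": "2008-09-23 11:04:00", "xid": 777, "sip": "9.9.9.9", "dip": "10.0.0.9", "dport": 25, "bytes": 60},
    {"start": "2008-09-23 12:30:00", "xid": 501, "sip": "128.112.1.10", "dip": "10.0.0.5", "dport": 443, "bytes": 9000},
]

def aggregate(flows, keys):
    """'Sort wrt specified key': group flows by the tuple of the given keys, counting flows and summing bytes."""
    out = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        k = tuple(f[x] for x in keys)
        out[k]["flows"] += 1
        out[k]["bytes"] += f["bytes"]
    return dict(out)

def hourly_variation(flows):
    """'Display hourly variation': bytes per hour bucket; a missing bucket means no data for that hour."""
    out = defaultdict(int)
    for f in flows:
        hour = datetime.strptime(f["start"], "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
        out[hour] += f["bytes"]
    return dict(out)

def spoof_candidates(flows, node_addrs):
    """Source address / slice id: unique source IPs per slice, with the node's own interfaces negated."""
    srcs = defaultdict(set)
    for f in flows:
        if f["sip"] not in node_addrs:
            srcs[f["xid"]].add(f["sip"])
    return {xid: sorted(s) for xid, s in srcs.items()}

def scan_candidates(flows, min_ports=3):
    """Destination address / destination port: (slice, destination) pairs touched on many distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["xid"], f["dip"])].add(f["dport"])
    return {k: sorted(p) for k, p in ports.items() if len(p) >= min_ports}
```

With these records, the per-xid aggregation attributes almost all bytes to slice 501, while the key combinations single out slice 777 as the one using multiple source addresses and sweeping ports on a single host.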
2008-09-23