nagios conference 2014 - gerald combs - a trillion truths
DESCRIPTION
Gerald Combs's presentation on A Trillion Truths. The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
TRANSCRIPT
A Trillion Truths
Gerald Combs
[email protected]
@geraldcombs
Why Am I Here?
Dunno. Ask Ethan.
Nagios @ wireshark.org
What's happening on your network?
Nagios Is Paging Me
Is this the cause?
Packet Analysis
Wireshark is a Dissection Engine
Wireshark is a Community
Who uses it?
Network engineer: Troubleshooting tool
Security engineer: Forensics tool
Developer: Debugging tool
Educator: Teaching tool
Protocol designer: Validation tool
Open Source Business Models
Small? Use GitHub
Large? Get Google or IBM to give you piles of money
Medium? Uhhhh…
Complementary Products
2006: CACE Technologies
2010:
Finding Network Truths
Your 5 Minute Average Is Full Of Lies
Did the interval look like this…
Copyright Riverbed Technology
…or this…
…or this?
Maybe this…
…or this
The Packets Never Lie
Different truths at different layers
What do you do with a trillion truths?
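As an added illustration of the point above (example code written for this page, not from the talk), three constructed one-second byte series each carry exactly 150 MB over one five-minute interval, so a 5-minute counter reports 4 Mbit/s for all of them, while the per-second view shows one of them idle for 297 seconds and saturating a link during the other three. The 100 Mbit/s link speed and the three traffic shapes are assumptions chosen for the illustration.

```python
"""Same five-minute average, very different intervals.

Added example for this page (not code from the talk). The three series are
constructed: each carries 150 MB over 300 one-second buckets, so any monitor
that only sees the 5-minute average reports 4 Mbit/s for all of them.
"""
from typing import Dict, List

INTERVAL_SECONDS = 300        # one five-minute polling interval
TOTAL_BYTES = 150_000_000     # constructed: 150 MB per interval -> 4 Mbit/s average
ASSUMED_LINK_MBPS = 100.0     # assumption: a 100 Mbit/s link


def steady() -> List[int]:
    """Traffic spread evenly over the whole interval."""
    return [TOTAL_BYTES // INTERVAL_SECONDS] * INTERVAL_SECONDS


def burst(burst_seconds: int = 3) -> List[int]:
    """All of the traffic in the first few seconds, then nothing."""
    series = [0] * INTERVAL_SECONDS
    for i in range(burst_seconds):
        series[i] = TOTAL_BYTES // burst_seconds
    return series


def periodic(period: int = 30) -> List[int]:
    """One burst every `period` seconds, like a polling or backup job."""
    bursts = INTERVAL_SECONDS // period
    series = [0] * INTERVAL_SECONDS
    for i in range(0, INTERVAL_SECONDS, period):
        series[i] = TOTAL_BYTES // bursts
    return series


def mbps(byte_count: int, seconds: float) -> float:
    """Convert a byte count over `seconds` to megabits per second."""
    return byte_count * 8 / seconds / 1_000_000


def summarize(series: List[int], link_mbps: float = ASSUMED_LINK_MBPS) -> Dict[str, float]:
    """What the 5-minute counter shows versus what per-second data shows."""
    total = sum(series)
    return {
        "avg_mbps": mbps(total, len(series)),       # the only number a 5-minute poll sees
        "peak_1s_mbps": mbps(max(series), 1),      # worst single second
        "idle_seconds": sum(1 for b in series if b == 0),
        "saturated_seconds": sum(1 for b in series if mbps(b, 1) > link_mbps),
    }


if __name__ == "__main__":
    for name, series in (("steady", steady()), ("burst", burst()), ("periodic", periodic())):
        print(name, summarize(series))
```

The averages agree to the last digit; only the peak, idle and saturated counts tell the three intervals apart, which is exactly the information a packet capture keeps and a 5-minute counter throws away.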
Capturing At Zero Scale
1. Start tcpdump.
2. Say "Try it now."
3. Stop tcpdump. scp the capture & analyze.
Visibility You Want
[chart: Flows and Bits over time, from Dawn of Time to Now]
You'll have to make your own surveillance jokes. I have to go through a TSA checkpoint tomorrow.
Visibility You Get
[chart: Flows and Bits over time, from Dawn of Time to Now]
Retrospective Analysis
Cheap: Laptop or server running dumpcap or tcpdump
Fancy: Dedicated boxes
Time equals money. And disks. Time equals disks.
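The two capture routines on this page, the zero-scale "start tcpdump, say try it now, stop" loop and the rolling retrospective capture whose cost is measured in disks, as an added example (code written for this page, not from the talk or the Wireshark project). The 1 Gbit/s link, 30% average utilisation and 24-hour retention are assumptions used to size the ring buffer; the dumpcap and tcpdump flags are the real ones.

```python
"""Retrospective capture: turning a retention target into a dumpcap ring buffer.

Added example for this page (not code from the talk or from the Wireshark
project). Sizes the disk a rolling capture needs ("time equals disks"), builds
the matching dumpcap command line, and wraps the start / "try it now" / stop
routine from the Capturing At Zero Scale slide. Link speed, utilisation and
retention figures are assumptions.
"""
import math
import shutil
import subprocess
from typing import Dict, List, Optional


def ring_buffer_plan(link_mbps: float, retention_hours: float,
                     utilisation: float = 0.3, file_mb: int = 1000) -> Dict[str, int]:
    """Disk needed to keep `retention_hours` of traffic at the assumed average
    utilisation, expressed as a ring of `file_mb`-sized capture files."""
    bytes_per_second = link_mbps * 1_000_000 / 8 * utilisation
    total_bytes = bytes_per_second * retention_hours * 3600
    total_mb = math.ceil(total_bytes / 1_000_000)
    files = max(2, math.ceil(total_mb / file_mb))   # a ring needs at least two files to rotate
    return {"total_mb": total_mb, "files": files, "file_mb": file_mb}


def dumpcap_argv(interface: str, outfile: str, plan: Dict[str, int],
                 capture_filter: Optional[str] = None) -> List[str]:
    """dumpcap ring-buffer invocation: -b filesize is in kB, -b files is the ring length."""
    argv = ["dumpcap", "-i", interface, "-w", outfile,
            "-b", f"filesize:{plan['file_mb'] * 1000}",
            "-b", f"files:{plan['files']}"]
    if capture_filter:
        argv += ["-f", capture_filter]
    return argv


def tcpdump_argv(interface: str, outfile: str, capture_filter: Optional[str] = None) -> List[str]:
    """Zero-scale capture: whole packets (-s 0) to a file, optional BPF filter expression."""
    argv = ["tcpdump", "-i", interface, "-s", "0", "-w", outfile]
    if capture_filter:
        argv.append(capture_filter)
    return argv


def zero_scale_capture(interface: str, outfile: str, capture_filter: Optional[str] = None) -> int:
    """Start tcpdump, wait for the operator to reproduce the problem, stop it.
    Needs tcpdump and capture privileges; returns tcpdump's exit status."""
    if shutil.which("tcpdump") is None:
        raise FileNotFoundError("tcpdump not found on PATH")
    proc = subprocess.Popen(tcpdump_argv(interface, outfile, capture_filter))
    input("Capturing. Try it now, then press Enter to stop...")
    proc.terminate()          # SIGTERM lets tcpdump flush and close the file
    return proc.wait()


if __name__ == "__main__":
    plan = ring_buffer_plan(link_mbps=1000, retention_hours=24)
    print(f"{plan['total_mb'] / 1000:.0f} GB of disk for 24h at 30% of 1 Gbit/s")
    print(" ".join(dumpcap_argv("eth0", "/var/captures/ring.pcapng", plan)))
```

The ring-buffer form is what the "cheap" laptop-with-dumpcap setup runs unattended: when the pager goes off, the last N hours are already on disk and can be copied off and opened in Wireshark, instead of waiting for the problem to happen again.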
Port Mirroring
Pros
Any¹ switch does this…
Just a config change…
Cons
…often poorly
…requiring change control
1. Any switch you'd want to use in production.
Taps
Pros
Passive
Time accuracy
Filtering
Duplication
Cons
Cost
Extra hardware
Sometimes a switch
VM Capture
Where do you want to kill performance today?
Jasper Bongertz:
http://blog.packet-foo.com/2013/04/capturing-packets-of-vmware-machines/
http://blog.packet-foo.com/2013/04/capturing-packets-of-vmware-machines-part-2/
Cloud Capture
Like VM but with less control.
Back to tcpdump. Seriously?
SDN, or Why Cloud Capture Annoys Me
Microsoft (Rich Groves): DEMon
Big Switch: Big Tap
Distributed tap built on SDN
Scales to thousands of ports
Using Wireshark For The First Time
http://en.wikipedia.org/wiki/File:Airbus_A380_cockpit.jpg
Educational Resources
Wireshark Q&A · https://ask.wireshark.org/
Laura Chappell · http://www.wiresharkbook.com/
Mailing lists · https://www.wireshark.org/lists/
Sharkfest · http://sharkfest.wireshark.org/
Bibliography · https://www.wireshark.org/bibliography.html
More Educational Resources
Hansang Bae · http://www.riverbed.com/blogs/authors/Hansang-Bae.html
More Hansang · https://blog.wireshark.org/
Tim O'Neill · http://www.lovemytool.com/
Jasper Bongertz · http://blog.packet-foo.com/
Latency – 2012
Latency – 1996
Latency – 1976
http://bitsavers.informatik.uni-stuttgart.de/pdf/xerox/ethernet/XeroxWireDraft_Dec1976.pdf
…and yet…
Wireshark Today
Large, vibrant ecosystem
Hundreds of authors
Statistics:
1500 protocols
117k filter fields
500k-1M downloads / month
2M lines of code
Rich web presence
Your network is not a black box
http://www.hanselman.com/blog/TheInternetIsNotABlackBoxLookInside.aspx
What's Next?
Challenges
To install on OS X you need a bucket and a screwdriver
Packet analysis + tablet = sadness
"The cloud" is not in the interface list
400GBASE-OUCH-THAT-HURTS
You want process information? Too bad
We made the news
Demo Time