Network Analysis with Realtime iQ

The Opteq Realtime iQ module is a comprehensive network monitoring, analysis, and short-term reporting tool. It was designed primarily to give clients knowledge about their network so that they can make informed decisions about how best to manage it. More specifically, it was designed to work in conjunction with the Opteq Bandwidth iQ module to assist in designing rules and policies, since it is difficult to design rule sets without knowing what actually occurs on the network. Nonetheless, Realtime iQ complements all the Opteq iQ modules: it not only helps in designing and establishing what proactive action to take, but also continuously evaluates the impact of those actions, thereby closing the management cycle loop.

Realtime iQ is quite capable of being used as a stand-alone tool for monitoring, analysis and troubleshooting because of its relative power, simplicity, and cost. The module basically consists of two primary routines or tools: a monitor routine, which runs in real time and summarises traffic/flow data into easy-to-read, graphically based tables and charts, and a packet-capture routine, which stores a packet stream on disk for later viewing, analysis, or download.

Realtime Mapping

Note that, due to its primary design and high system load, the Realtime monitor only records data in memory while it is running: unless the monitored data has been copied or printed before the monitor is stopped, it will be lost. One may, however, run the packet capture at the same time as the monitor and replay the stream through the monitor at any time to recreate the summaries.

Bandwidth iQ (the bandwidth manager) is suitable for long-term reporting on traffic flows. The philosophy is this: one uses Realtime iQ to help establish rules/policies within the bandwidth manager, where all data is written to an SQL database for long-term reporting. Once the bandwidth policies have been created and the network is flowing optimally, Realtime iQ may be switched off until it is needed once more.

Please refer to the product matrix for the throughput capacities for running Realtime iQ on each Opteq iQ platform.

The Opteq Bandwidth manager is just that: it allows you to manage your bandwidth in the true sense of the word. Just as you would set up a policies and procedures manual for managing your business, Bandwidth iQ allows you to set up the rules that govern the use of your bandwidth, including reporting periods, what data to report, exception handling to review and add or change policies, and all the other necessities for effective management. The bandwidth manager stores statistics in an SQL database and provides ODBC access for special reports and graphs. Stats-only rules and special report groups are used for an all-round better solution for long-term traffic reporting. Stats-only rules are rules that allow full classification as per a normal rule, but they have no action or bandwidth parameters and are simply there to record statistics. These rules do not get “hits” as a normal rule would, and the packet continues through the rule set even after a match on a stats-only rule.

It is important to note and understand the difference in viewpoint between the bandwidth manager and Realtime iQ. The bandwidth manager is concerned with managing and recording data that passes through it, i.e. it records data as incoming or outgoing from itself via a LAN or WAN interface. Realtime iQ is a traffic sniffer and therefore views data from the point of view of an external host or network: all data is recorded as being sent or received by a host that is external to the Opteq unit, i.e. it records traffic as incoming or outgoing from the host itself. For this reason, if one wishes to see correct throughput statistics, it is extremely important that Realtime iQ knows which hosts are local, or inside the network (see “edit local list” in the manual).

Please note that although Realtime iQ is simple and easy to use, it does require that users have at least a basic knowledge of networking protocols and terminology. It has been noticed in the field that using Realtime iQ often enhances that basic knowledge because of its simplicity, ease of use, and power.

Realtime iQ will help you answer the following types of questions and many more…

  • Why is network performance so poor?
  • What host or hosts are using most of the available network bandwidth?
  • What is the bandwidth percentage actually used by the individual hosts on the network?
  • What are the contacted peers per host and what is the amount of network traffic produced by each of the processes running on each of them?
  • When are the peak usage times?
  • Where is this extra traffic suddenly coming from?
  • Do we have a virus?
  • What hosts are infected?
  • What protocols are running on my network?
  • What can I do to improve performance?

Realtime Protocols

A few common applications of Realtime iQ:

Traffic Measurement.

Realtime iQ differs from many traffic monitoring tools because it transparently processes traffic and provides live traffic information in an easy-to-understand format (graphs and tables), and it is 100% non-obtrusive: it reads packets off the network as it sees them and does not probe the network in any way.

Captured packets are associated with source/destination hosts: each new captured packet is used both for updating traffic statistics and for learning about the network topology.

For each host that is seen by the monitor, the following information is recorded:

  • The total traffic (volume and packets sent/received) generated/received by the host, classified according to network protocol (IP, IPX, AppleTalk, etc.) and, when applicable, IP protocol (TCP, UDP, ICMP, FTP, HTTP, NFS, etc.).
  • IP multicast traffic statistics.
  • TCP session history: source/destination, duration, TCP sliding window size and TTL statistics, retransmitted data, fragmented packets percentage; TCP/UDP services used by the host, operating system type and address tracking.
  • Traffic distribution (local vs. remote traffic), network usage (contacted peers, traffic generated by each running application), overall used bandwidth (actual, peak, and average), local subnet traffic matrix.
  • Packet distribution: total number of packets sorted by packet size, unicast vs. multicast vs. broadcast, and IP vs. non-IP traffic.
  • Protocol utilisation and distribution, according to both protocol and source/destination (local vs. remote).
  • Network flows: traffic statistics for each user-defined flow. A network flow is a stream of packets that matches a user-specified rule; Realtime iQ network flows can be used to specify traffic of particular interest. Flows are edited manually, on a network-by-network basis, by editing the local protocols lists; exactly how to do this is covered in the Realtime iQ manual, and a downloadable Flash instruction is available from the partner site. As most common network applications use TCP/UDP ports for transmission, you can filter certain ports and give them friendly names, in other words classify the “applications” you would like to filter on.

Realtime iQ is designed to efficiently and effectively identify the traffic flows, types or problems on a network so that one may make informed choices about which network management actions will benefit the network. For example, if there is a lot of HTTP traffic, then the network would most certainly benefit from a caching solution.

Should one not be able to identify a traffic flow type, one should use the packet capture facility to capture and decode that traffic. This facility is capable of decoding almost every known Ethernet protocol: over 21 000 protocols and sub-protocols.

The bulk of one’s traffic will be identified by the common protocol decoders within Realtime iQ itself (unless there is some highly unusual traffic running). However, one may need to inform the Realtime monitor of certain traffic flows or specific TCP/UDP port usages that are in use and important to one’s infrastructure. To do this one simply adds a “friendly name” and TCP/UDP port to the classification “protocols list”, and Realtime iQ will then monitor that flow.

Realtime iQ provides detailed statistics about the usage of the NFS, ARP, ICMP, TCP, UDP, ICMPv6, DLC, IPX, DECnet, (R)ARP, AppleTalk, NetBIOS, OSI, IPv6, STP, IPsec, OSPF and IGMP protocols.
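As an added illustration of the sniffer viewpoint and the friendly-name classification described above (example code, not Opteq’s own): per-host byte counts are credited to the external host that sent or received each packet, not to the monitoring unit, driven by an assumed local-host list and an assumed protocols list keyed by transport protocol and port.

```python
"""Per-host traffic summary from the sniffer's point of view (added example,
not Opteq code). Each packet is credited to the local host that sent or
received it, so direction is relative to that host, not to the monitoring
unit; the local-host list and friendly-name protocols list are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    size: int    # bytes on the wire

# Hypothetical "local list" and "protocols list"; both are edited per network.
LOCAL_NETS = [ip_network("10.0.0.0/24")]
PROTOCOL_NAMES = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
                  ("udp", 53): "DNS", ("udp", 123): "NTP"}

def is_local(ip: str) -> bool:
    return any(ip_address(ip) in net for net in LOCAL_NETS)

def classify(pkt: Packet) -> str:
    """Friendly name for the flow; the well-known port may sit at either end."""
    for port in (pkt.dport, pkt.sport):
        name = PROTOCOL_NAMES.get((pkt.proto, port))
        if name:
            return name
    return pkt.proto.upper()   # unclassified: fall back to the IP protocol name

def summarise(packets):
    """Return {local host: {app: {"sent", "recv", "remote"}}} byte counts;
    "remote" is the part of that host's traffic exchanged with non-local peers."""
    stats = defaultdict(lambda: defaultdict(lambda: {"sent": 0, "recv": 0, "remote": 0}))
    for p in packets:
        app, src_local, dst_local = classify(p), is_local(p.src), is_local(p.dst)
        if src_local:
            stats[p.src][app]["sent"] += p.size
            if not dst_local:
                stats[p.src][app]["remote"] += p.size
        if dst_local:
            stats[p.dst][app]["recv"] += p.size
            if not src_local:
                stats[p.dst][app]["remote"] += p.size
    return stats

# Constructed sample capture: a web fetch, a local DNS lookup and a ping.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 80, 600),
    Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 51000, 15000),
    Packet("10.0.0.5", "10.0.0.2", "udp", 40000, 53, 70),
    Packet("10.0.0.2", "10.0.0.5", "udp", 53, 40000, 150),
    Packet("10.0.0.9", "203.0.113.99", "icmp", 0, 0, 84),
]
```

The remote web server never appears as a host of its own, which is exactly why the local list must be right before throughput figures are trusted.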

Traffic monitoring

Traffic monitoring is the ability to identify situations where network traffic does not comply with specified policies or exceeds defined thresholds. In general, network administrators specify policies that all hosts must obey, sometimes known as an SLA (Service Level Agreement). Into the traffic monitoring category also fall all those situations, caused by misconfigured or faulty applications, that generate traffic which should not normally flow across a healthy network.

Realtime iQ natively provides support for detecting some network configuration problems including:

  • Duplicate IP Addresses Identification.
  • Subnet gateway misconfiguration. Realtime iQ identifies the subnet routers by checking the destination IP/MAC address association in each captured packet (not just the ones directed to non-local IP addresses). Subnet routers are identified by the destination MAC address, whereas hosts with misconfigured netmasks are identified because they send a router packets that are directed to hosts belonging to the local subnet.
  • Misconfiguration of software applications. The analysis of protocol traffic data allows administrators to ascertain whether there is something wrong on a certain host. For instance, the use of Realtime iQ has allowed clients to detect the installation of misconfigured NTP clients that were asking for the time of day once every five seconds, and an unauthorised caching DNS server that was filling up its cache very frequently. Administrators have often come across situations where databases are configured to replicate at low-bandwidth-usage times but instead, due to some fault, replicate during peak hours and thereby bring the network to a standstill. Often this state of affairs had been going on for months, as the network administrators did not have the tools at hand to diagnose the problem correctly, and very often sought to upgrade bandwidth unnecessarily as a resolution. With Realtime iQ, administrators have been able to quickly identify this and many other unwarranted traffic flows.
  • Service misuse detection. For example, by identifying hosts/users that do not make use of the specified caching proxies or that route packets through suboptimal gateways, one is able to take proactive action against those users.
  • Protocol misuse, by identifying those computers that run unnecessary protocols; for instance, the Windows operating system installs by default protocols such as NetBEUI and IPX, while most people need just TCP/IP.
  • Excessive host bandwidth utilisation, which may point to underlying problems or misconfigurations on those hosts and warrant further investigation.
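The duplicate-IP, subnet-router and netmask heuristics above, as an added example that is not Opteq code. The local subnet, MAC addresses and frames are constructed; the MAC-to-IP direction of the same association check is the spoofing detection described later under Network Intrusion, so the block covers both.

```python
"""IP/MAC consistency checks (added example, not Opteq code): duplicate IPs,
subnet router discovery and hosts with a misconfigured netmask, as described
above; the MAC-to-IP direction is the spoofing check. Assumes one local subnet."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

LOCAL_NET = ip_network("192.168.1.0/24")   # assumed local subnet
Frame = NamedTuple("Frame", [("src_mac", str), ("src_ip", str), ("dst_mac", str), ("dst_ip", str)])

def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET

def address_conflicts(frames):
    """Return (local IPs claimed by several MACs, MACs claiming several local IPs).
    Only local source addresses count, because a router legitimately sources frames
    for every remote address it forwards; the second dict is also legitimately
    non-empty behind proxy ARP routers or on hosts using IP aliasing."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for f in frames:
        if is_local(f.src_ip):
            macs_by_ip[f.src_ip].add(f.src_mac)
            ips_by_mac[f.src_mac].add(f.src_ip)
    return ({ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1},
            {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) > 1})

def subnet_routers(frames):
    """MACs that local hosts use as next hop for non-local destinations."""
    return {f.dst_mac for f in frames if is_local(f.src_ip) and not is_local(f.dst_ip)}

def bad_netmask_hosts(frames):
    """Local hosts that hand a router frames whose IP destination is on the local
    subnet. Frames for the router's own IP (learnt from frames it sources) are skipped."""
    routers = subnet_routers(frames)
    router_ips = {f.src_ip for f in frames if f.src_mac in routers}
    return {f.src_ip for f in frames
            if is_local(f.src_ip) and is_local(f.dst_ip)
            and f.dst_mac in routers and f.dst_ip not in router_ips}

# Constructed capture: R is the router, H9 has a wrong netmask and an unknown
# adapter X uses both H5's and H7's addresses.
R, H5, H7, H9, X = ("00:11:22:33:44:%s" % s for s in ("01", "05", "07", "09", "aa"))
SAMPLE = [
    Frame(H5, "192.168.1.5", R, "203.0.113.10"),   # local host -> Internet via R
    Frame(R, "192.168.1.1", H5, "192.168.1.5"),    # R replies with its own IP
    Frame(H5, "192.168.1.5", R, "192.168.1.1"),    # H5 pings the router itself
    Frame(H7, "192.168.1.7", H5, "192.168.1.5"),   # normal local delivery
    Frame(H9, "192.168.1.9", R, "192.168.1.7"),    # H9 sends local traffic via R
    Frame(X, "192.168.1.5", H7, "192.168.1.7"),    # X claiming .5
    Frame(X, "192.168.1.7", H5, "192.168.1.5"),    # X claiming .7
]
```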

Network Optimization and Planning.

Whenever it is necessary to upgrade an existing network in order to provide adequate speed to its users, it is often not easy to know where the true bottlenecks are. Sometimes the way individual hosts are configured causes trouble for the whole network, whereas in other situations network administrators might need assistance in determining how the network is used over a 24-hour period in order to better plan extensions. For instance, if network performance is adequate during most of the day, it might be cheaper to postpone some tasks in order to avoid traffic peaks instead of buying new, expensive network equipment. Therefore, in order to make decisions about network extensions, network administrators must be able to know:

  • How the overall network traffic changes over time in order to decide whether the network is slow most of the time or just in some specified time frames.
  • The number and type of network assets and their categorisation according to collected usage.
  • What hosts, if any, are misconfigured, in order to see whether those few hosts have a great negative impact on the overall network performance.

In particular Realtime iQ allows administrators to:

  • Discover and categorise assets according to collected usage. Realtime iQ is able to report on network assets, including the running operating system and a list of known capabilities (e.g. DNS server, gateway). In addition, Realtime iQ contains decoders for protocols such as IPX/NetBIOS/AppleTalk that provide much more host information than the IP protocol does. For instance AppleTalk NBP (Name Binding Protocol), which is similar to Internet DNS (Domain Name Server), contains not only the host name but also the running applications and the asset type.
  • Identify unnecessary protocols. Sometimes traffic is generated by hosts/routers that have not been configured properly and that attempt to communicate with peers using protocols that nobody else besides them is using. In addition, Realtime iQ can easily identify cases where, in pure IP networks, some misconfigured hosts use protocols such as IPX/NetBIOS/AppleTalk that generate periodic broadcast traffic propagated to the whole subnet.
  • Identify suboptimal routing. It is possible to identify machines that use non-optimal routing just by keeping track of ICMP redirect messages or by periodically analysing the list of subnet routers.
  • Traffic characterization and distribution. Realtime iQ allows administrators to understand how traffic is distributed with respect to the protocol and origin (local vs. remote traffic). The study of traffic patterns helps administrators to understand how the network is used both locally and from remote regions and hence to improve, if possible, the global network topology and configuration.
  • Reduction of the number of protocols used by replacing some old/legacy protocols with new ones (e.g. replace NetBIOS with NetBIOS over IP when possible) in order to reduce the number of protocols (hence to simplify network administration) without losing any existing functionality.
  • Wiser bandwidth usage, by studying how certain protocols are used and hence adding applications such as proxies that allow traffic to be significantly reduced by caching information. In other words, if there is a lot of HTTP traffic you would benefit immensely from adding a cache to keep repeatedly used web traffic local. The easiest method would be to enable caching on the Opteq unit itself.

Network Intrusion.

It is evident that the majority of common network attacks originate from within an organisation. The reasons for this are a lack of internal security and the fact that users, if allowed, will often unwittingly install software applications that make intruders’ lives much easier. Realtime iQ offers some simple facilities for recognising issues at the TCP/IP level, e.g. port scans, SYN floods, and the land attack (sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes, including unpatched Windows XP SP2 machines).

Using Realtime iQ one is able to recognise the following security concerns:

  • Port scan detection. Both the classic port scan (sending a packet to every port) and the slow, or stealth, scan (a port scan carried out very slowly in order to make its detection more difficult) can be easily detected. Many viruses also propagate by first broadcasting to find vulnerable hosts, which makes it easy to identify infected machines.
  • Spoofing detection, which warns the user when two distinct IP addresses map to the same hardware address. Note that spoofing detection should be used thoughtfully on networks where proxy ARP routers are installed or where a host has IP aliasing enabled; in other words, there are times when such a configuration is valid.
  • Vulnerability scanner detection. Attacks usually happen in two phases: in the first, the attacker learns about the network topology and tries to find vulnerabilities, whereas in the second the real attack begins. In the first phase attackers quite often use vulnerability detection tools (e.g. SAINT and Nessus) in order to rapidly identify the easiest way to break into the target network. Realtime iQ can detect such scanners as it logs suspicious packets (e.g. FIN packets), identifies connections not properly terminated, and records port usage, making it easy to identify suspicious situations (e.g. ports with incoming and no outgoing traffic) that need further investigation by network administrators.
  • Trojan horse detection, by monitoring usage of ports that are used by well-known Trojan applications such as BO2K.
  • Denial of service, SYN flood, smurf and network melt-down can be detected by analysing the traffic sent/received statistics and glancing through the throughput graphs. The port usage and the hosts broadcasting this traffic can easily be identified, and policies then enforced using the bandwidth manager to firewall these ports off.
  • Network discovery identification, by monitoring ARP (local network discovery) and ICMP (local/remote network discovery) traffic. Peaks of unanswered requests in a given amount of time are usually proof that such “discovery” applications are running on the network.
  • Suspicious packets. Using libraries freely available on the Internet, attackers can easily forge packets for the purpose of exploiting security flaws in the TCP/IP protocol suite and weaknesses of some TCP/IP stack implementations. For this reason Realtime iQ is able to recognise peaks of packets having the RST (reset) flag set, overlapping offsets of fragmented packets, and packets with SYN-ACK or SYN/FIN flags that do not belong to an established connection.
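An added example (not Opteq code) of three of the heuristics listed above, run over a constructed capture: port-scan detection by counting ports probed per host, SYN/FIN combinations and SYN-ACKs that answer no observed SYN, and ports with incoming but no outgoing traffic. The scan threshold and the local-host set are assumptions.

```python
"""TCP-level intrusion heuristics (added example, not Opteq code): port scans,
flag combinations that belong to no established connection, and ports with
incoming but no outgoing traffic. Threshold and local-host set are assumed."""
from collections import defaultdict
from typing import NamedTuple

class Seg(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset       # e.g. frozenset({"SYN", "ACK"})

SCAN_THRESHOLD = 5         # distinct ports probed on one host before we call it a scan

def port_scanners(segs):
    """Sources whose bare SYNs reach at least SCAN_THRESHOLD ports on one host."""
    probed = defaultdict(set)
    for s in segs:
        if s.flags == {"SYN"}:
            probed[(s.src, s.dst)].add(s.dport)
    return {src for (src, _), ports in probed.items() if len(ports) >= SCAN_THRESHOLD}

def suspicious_segments(segs):
    """Flag SYN/FIN combinations and SYN-ACKs answering a SYN never seen.
    Walks the capture in order, so a SYN-ACK counts as legitimate only if
    the matching SYN appeared earlier in the same capture."""
    opened, bad = set(), []
    for s in segs:
        if {"SYN", "FIN"} <= s.flags:
            bad.append(("SYN/FIN", s))
        elif s.flags == {"SYN"}:
            opened.add((s.src, s.dst, s.sport, s.dport))
        elif {"SYN", "ACK"} <= s.flags and (s.dst, s.src, s.dport, s.sport) not in opened:
            bad.append(("orphan SYN-ACK", s))
    return bad

def inbound_only_ports(segs, local):
    """(host, port) pairs on local hosts that receive traffic but never send from it."""
    seen_in = {(s.dst, s.dport) for s in segs if s.dst in local}
    seen_out = {(s.src, s.sport) for s in segs if s.src in local}
    return seen_in - seen_out

def seg(src, dst, sport, dport, *flags):
    return Seg(src, dst, sport, dport, frozenset(flags))

LOCAL = {"10.0.0.2", "10.0.0.5"}       # assumed local hosts
# Constructed capture: one legitimate handshake, a scan of five ports, a
# SYN/FIN probe and a SYN-ACK for a connection nobody opened (backscatter).
SAMPLE = [
    seg("10.0.0.2", "10.0.0.5", 40001, 80, "SYN"),
    seg("10.0.0.5", "10.0.0.2", 80, 40001, "SYN", "ACK"),
    *[seg("198.51.100.7", "10.0.0.5", 55000 + p, p, "SYN") for p in (21, 22, 23, 25, 443)],
    seg("198.51.100.7", "10.0.0.5", 55100, 22, "SYN", "FIN"),
    seg("198.51.100.9", "10.0.0.5", 80, 33000, "SYN", "ACK"),
]
```

The inbound-only set is a lead for investigation rather than a verdict: a closed port that answers with RST drops out of it, while one that silently absorbs probes stays in.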
