SMB Traffic Analyzer @ SDC 2010
1. SMB Traffic Analyzer
Holger Hetterich
Level 3 Support Engineer
SUSE Linux Products GmbH
2010 Storage Developer Conference. Insert Your Company Name. All Rights Reserved.
2. SMB Traffic Analyzer – use case
The goal of SMB Traffic Analyzer is to find answers to questions like:
- Which services are my most used ones?
- How is my Samba network used in the night?
- Which services are almost never used?
- Which users are the most pressing ones on the Samba network?
- How much is a specific file being used?
- When was that specific file renamed and by whom?
3. What is SMB Traffic Analyzer?
We call it SMBTA in the following.
- Module for the Virtual File System (VFS) layer of Samba
- Captures metadata of prominent functions in the VFS layer
- Sends the data to a receiver
- SMBTAD receives the data and builds a SQL storage from it
- SMBTATOOLS: utilities to assist in querying the database and to support real-time monitoring
2010 Storage Developer Conference. SUSE Linux products GmbH, a Novell business All Rights
Reserved. 3
4. World of SMBTA - Overview
5. Looking at the VFS module
6. The VFS Module
- Versions 1 and 2 exist; we are talking about the latter
- SMBTA v2 is going to be released with Samba 3.6.0
- Supported VFS operations: mkdir, chdir, write, read, pread, pwrite, rename, open, close
- Fully transparent to the user
- AES encryption support
- Extendable protocol
- Configurable with standard Samba methods (smb.conf)
7. A typical transfer
Flow: VFS function write → VFS Module → SMBTAD
Data sent by the VFS module:
- Protocol Header: specifies encryption and length of the data block
- Common data block: VFS Operation ID, involved username, user SID, involved share, domain, time stamp
- Individual VFS function data (for write): number of bytes written, file with full path
8. A typical transfer
Flow: VFS function write → VFS Module → SMBTAD
Data sent by the VFS module:
- Protocol Header: specifies encryption and length of the data block
- Common data block: VFS Operation ID, involved username, user SID, involved share, domain, time stamp
- Individual VFS function data (for write): number of bytes written, file with full path
Note: the common data block is extendable; its size is specified in the header.
9. A typical transfer
Flow: VFS function write → VFS Module → SMBTAD
Data sent by the VFS module:
- Protocol Header: specifies encryption and length of the data block
- Common data block: VFS Operation ID, involved username, user SID, involved share, domain, time stamp
- Individual VFS function data (for write): number of bytes written, file with full path
Note: the common data block is extendable; its size is specified in the header.
Note: the header also includes a subversion number, and a few extra bytes to be used in future.
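One way a receiver in the position of SMBTAD could validate such a header before trusting its length field, as an added example (not code from SMBTA or Samba). The 16-byte layout, the names parse_header, hdr_info, HDR_LEN and MAX_BLOCK, the 64 KiB cap and the 16-byte block-mode check are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define HDR_LEN   16      /* assumed fixed header size, not SMBTA's real one */
#define MAX_BLOCK 65536   /* assumed receiver-side cap on the data block */

struct hdr_info {
    int subversion;       /* protocol subversion number */
    int encrypted;        /* 1 if the data block is AES encrypted */
    size_t block_len;     /* length of the data block that follows */
};

/* Hypothetical layout: "V2." | subversion digit | 'E' or '0' |
 * 4 reserved bytes | 7 decimal digits of data block length.
 * Returns 0 on success, a distinct negative code per rejected case. */
int parse_header(const unsigned char *buf, size_t n, struct hdr_info *out)
{
    size_t len = 0, i;

    if (buf == NULL || out == NULL || n < HDR_LEN)
        return -1;                    /* short or missing header */
    if (memcmp(buf, "V2.", 3) != 0)
        return -2;                    /* not protocol version 2 */
    if (buf[3] < '0' || buf[3] > '9')
        return -3;                    /* bad subversion number */
    if (buf[4] != 'E' && buf[4] != '0')
        return -4;                    /* unknown encryption flag */
    /* bytes 5..8 are reserved for future use and deliberately ignored */
    for (i = 9; i < HDR_LEN; i++) {
        if (buf[i] < '0' || buf[i] > '9')
            return -5;                /* length must be all digits */
        len = len * 10 + (size_t)(buf[i] - '0');
    }
    if (len == 0 || len > MAX_BLOCK)
        return -6;                    /* never allocate on an unchecked length */
    /* Assumption: AES runs in a 16-byte block mode, so ciphertext is padded. */
    if (buf[4] == 'E' && len % 16 != 0)
        return -7;
    out->subversion = buf[3] - '0';
    out->encrypted = (buf[4] == 'E');
    out->block_len = len;
    return 0;
}

int main(void)
{
    struct hdr_info h;   /* constructed sample: encrypted, 48-byte data block */
    return parse_header((const unsigned char *)"V2.0E    0000048", HDR_LEN, &h);
}
```

Ignoring the reserved bytes keeps the parser compatible with senders that start using them, while the length cap bounds what the receiver will buffer per message.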
10. Transparent and stackable
The VFS "write" function as implemented by the SMBTA module:

    static ssize_t smb_traffic_analyzer_write(vfs_handle_struct *handle,
                    files_struct *fsp, const void *data, size_t n)
    {
            struct rw_data s_data;

            /* Pass the write down the VFS stack and keep the byte count. */
            s_data.len = SMB_VFS_NEXT_WRITE(handle, fsp, data, n);
            s_data.filename = fsp->fsp_name->base_name;
            DEBUG(10, ("smb_traffic_analyzer_write: WRITE: %s\n",
                       fsp_str_dbg(fsp)));
            /* Report the operation to the receiver. */
            smb_traffic_analyzer_send_data(handle,
                            &s_data,
                            vfs_id_write);
            return s_data.len;
    }
11. Transparent and stackable
The VFS "write" function as implemented by the SMBTA module:

    static ssize_t smb_traffic_analyzer_write(vfs_handle_struct *handle,
                    files_struct *fsp, const void *data, size_t n)
    {
            struct rw_data s_data;

            /* Stackable! Call the NEXT function in the VFS layer. */
            s_data.len = SMB_VFS_NEXT_WRITE(handle, fsp, data, n);
            s_data.filename = fsp->fsp_name->base_name;
            DEBUG(10, ("smb_traffic_analyzer_write: WRITE: %s\n",
                       fsp_str_dbg(fsp)));
            smb_traffic_analyzer_send_data(handle,
                            &s_data,
                            vfs_id_write);
            return s_data.len;
    }
12. Transparent and stackable
The VFS "write" function as implemented by the SMBTA module:

    static ssize_t smb_traffic_analyzer_write(vfs_handle_struct *handle,
                    files_struct *fsp, const void *data, size_t n)
    {
            struct rw_data s_data;

            /* Stackable! Call the NEXT function in the VFS layer. */
            s_data.len = SMB_VFS_NEXT_WRITE(handle, fsp, data, n);
            s_data.filename = fsp->fsp_name->base_name;
            DEBUG(10, ("smb_traffic_analyzer_write: WRITE: %s\n",
                       fsp_str_dbg(fsp)));
            /* Transparent! Send the data and return the number of bytes
             * just as any VFS write function. */
            smb_traffic_analyzer_send_data(handle,
                            &s_data,
                            vfs_id_write);
            return s_data.len;
    }
13. Encryption of data
VFS Module ↔ SMBTAD: 128-bit AES, using the same key
Samba 3.6.0 introduces the program "smbta-util", which makes the SMBTA setup for encryption easy. It is able to generate keys, and to enable or disable encryption on the fly. The generated keys are easily usable by SMBTAD as a keyfile.
14. Configuration – via smb.conf
Example of a share definition that is SMBTA enabled.
[Distribution Space]
vfs object = smb_traffic_analyzer
smb_traffic_analyzer:host = localhost
smb_traffic_analyzer:port = 3490
smb_traffic_analyzer:protocol_version = V2
comment = Blah
inherit acls = Yes
path = /distspace
read only = No
15. This is the ultimate evil !
Exposing user-related data is illegal in many countries!
Two methods of anonymization are built in:
- Prefix + hash number
- Prefix only (full anonymization)
16. World of SMBTA - SMBTAD
17. SMBTAD – concept overview
[Diagram: SMBTAD components. Labels: VFS traffic; network handler; cache ("Store incoming VFS data fast"); database feeder; SQLITE; "Handle client requests"; SMBTAUTILS]
18. SMBTAD – caching
Temporarily store VFS data in the system's RAM
Be quick: the coolness of talloc_pool!
The database feeder runs as a thread:
- Sleep!
- Check the cache, open a new cache, and feed the old contents into the database.
- Sleep!
- …
19. SMBTAD – Battle for Performance
Battleground: ThinkPad X61 standalone
SMBTAD performance test done by the smbtatorture utility
[Chart: run time in seconds (axis from 0,00 s to 180,00 s) for Run 1 to Run 10; series: Pure Samba Server, SMBTA enabled, SMBTA enabled (talloc_pool patch 1), SMBTA enabled (talloc_pool patch 2), SMBTA enabled (talloc_pool patch 3); plotted values lie between 114,50 s and 133,46 s]
On average, we are 8,9 seconds behind, that is a performance decrease of about 7,4 %. The decrease is much less if SMBTA is run on a dedicated system. Similar tests at SUSE labs with several systems resulted in about 2-3 %.
20. SMBTAD – maintain the DB
The database needs to be maintained; otherwise it would grow and grow.
A configurable maintenance timer and process is included in SMBTAD:
- Clean up any data that is older than a given timespan
- Run this maintenance process at regular intervals
21. World of SMBTA – SMBTATOOLS
22. SMBTATOOLS
smbtaquery
- Produces reports/statistics from the data
- Runs complex queries, may take time
- Works with a simple interpreter to make querying easy for users
smbtamonitor
- Real-time monitoring
23. SMBTATOOLS - smbtaquery
smbtaquery: built-in interpreter
OBJECT + ACTION → RESULT
OBJECT: Username, Share, File, Domain, Global
ACTION: Total, List, Top, Usage, last_activity
- hides the complexity of the database from the end user
- easy-to-learn syntax
- identification of given objects; adds requirements for unique identification automatically
24. Screenshots of smbtaquery
29. SMBTAQUERY
Any smbtaquery object understands:
- From … to
- Since
Examples:
'global since yesterday, usage r;'
'user holger from 10-23-2010 00:01:00 to today, total rw;'
30. SMBTATOOLS - smbtamonitor
Idea: enable real-time operation by omitting database queries and working directly with the incoming data in SMBTAD instead.
SMBTAD includes a subsystem for monitors:
- Filter incoming information in real time for objects
- Make internal database queries to initialize a monitor object
- Run a specific monitor function (such as throughput per second)
Displays real-time information on a given object:
- Throughput R / W / RW by second
- Total numbers
- Live logging
Runs as many monitor instances as wanted
31. SMBTA – project outlook
Release 0.1, when it's done :)
What's missing:
- Documentation!
- Open bugs (bugzilla.novell.com, [SMBTA] in the subject)
Release 0.2 with:
- XML support for smbtaquery
- Export to openoffice, HTML and others
- Web interface for smbtaquery and smbtamonitor
- Using smbtaquery as engine
- Run a client side round robin database w/ smbtamonitor
- AES Encryption SMBTAD ↔ SMBTATOOLS
- Additional features in the VFS module
- Optional compression
- Support for clustered Samba
32. SMBTA – Information and Q&A
SMB Traffic Analyzer (GPL v3)
http://holger123.wordpress.com/smb-traffic-analyzer/
Core team:
- Holger Hetterich <hhetter@novell.com>: Overall
- Michael Haefner: smbtamonitor
- Benjamin Brunner: smbtaquery
- Björn Geuken: Graphical interfaces
- Ralf Schwiete: Port to SOLARIS
Thank you Samba Team!
Q&A
Thanks to Novell/SUSE!