SMB Traffic Analyzer @ SDC 2010

SMB Traffic Analyzer

Holger Hetterich
Level 3 Support Engineer
SUSE Linux Products GmbH

2010 Storage Developer Conference. Insert Your Company Name. All Rights Reserved.

SMB Traffic Analyzer – use case

 The goal of SMB Traffic Analyzer is to find an
answer to questions like:
 Which services are my most used ones?
 How is my Samba network used in the night?
 Which services are almost never used?
 Which users are the most pressing ones on the
Samba network?
 How much is a specific file being used?
 When was that specific file renamed and by
whom?
2010 Storage Developer Conference. Insert Your Company Name. All Rights Reserved.

What is SMB Traffic Analyzer?

 We call it SMBTA in the following
 Module for the Virtual File System layer of Samba
 Capture meta data of prominent functions in the
VFS layer.
 Send the data to a receiver
 SMBTAD receives the data and builds a SQL
storage from it.
 SMBTATOOLS, utilities to assist in querying the
database and support real time monitoring.

2010 Storage Developer Conference. SUSE Linux products GmbH, a Novell business All Rights
Reserved. 3

World of SMBTA - Overview

Reserved. 4

Looking at the VFS module

Reserved. 5

The VFS Module

 Version 1, and 2, we are talking about the latter
 SMBTA v2 going to be released with Samba 3.6.0
 Supported VFS operations: Mkdir, chdir, write, read,
pread, pwrite, rename, open, close
 Fully transparent to the user
 AES encryption support
 Extendable protocol
 Configurable with standard Samba methods
( smb.conf )

Reserved.

A typical transfer
VFS function write SMBTAD

VFS Module

Common data Block
Protocol Header
VFS
Specifies encryption Involved USER Involved Time
Operation Domain
and length of the data username SID Share Stamp
ID
block

Number
File w/
Of bytes
full path
written

Individual VFS function data

Reserved.

A typical transfer
VFS function extendable,datasize is
The common
is
write it's
block SMBTAD

specified in the header.

VFS Module

Common data Block
Protocol Header
VFS
Operation Domain
ID
block

Number
File w/
Of bytes
full path
written


Reserved.

A typical transfer
And also, the header
Includes a subversion VFS function extendable,datasize is
The common
is
write it's
block SMBTAD
Number, and a few extra
Bytes to be used in future specified in the header.

VFS Module

Common data Block
Protocol Header
VFS
Operation Domain
ID
block

Number
File w/
Of bytes
full path
written


Reserved.

Transparent and stackable
The VFS „write“ function as implemented by the SMBTA module
static ssize_t smb_traffic_analyzer_write(vfs_handle_struct *handle,
files_struct *fsp, const void *data, size_t n)
{
struct rw_data s_data;

s_data.len = SMB_VFS_NEXT_WRITE(handle, fsp, data, n);
s_data.filename = fsp->fsp_name->base_name;
DEBUG(10, ("smb_traffic_analyzer_write: WRITE: %sn",
fsp_str_dbg(fsp)));

smb_traffic_analyzer_send_data(handle,
&s_data,
vfs_id_write);
return s_data.len;
}

Reserved.

Stackable ! Call the NEXT function
files_struct *fsp, constlayer. *data, size_t n)
in the VFS void
{

fsp_str_dbg(fsp)));

&s_data,
vfs_id_write);
return s_data.len;
}

Reserved.

Stackable ! Call the NEXT function
files_struct *fsp, constlayer. *data, size_t n)
in the VFS void
{

fsp_str_dbg(fsp)));

&s_data,
vfs_id_write); Transparent ! Send the data
return s_data.len; and return the number
} of bytes just as any
VFS write function

Reserved.

Encryption of data

128 Bit AES

VFS Module SMBTAD
Using the same key

Samba 3.6.0 introduces the program „smbta-util“ which will
make the SMBTA setup for encryption easy. It is able to
generate keys, and to enable encryption or disable it on the fly.
The generated keys are easily useable by SMBTAD as a
keyfile.

Reserved.

Configuration – via smb.conf

Example of a share definition that is SMBTA enabled.

[Distribution Space]
vfs object = smb_traffic_analyzer
smb_traffic_analyzer:host = localhost
smb_traffic_analyzer:port = 3490
smb_traffic_analyzer:protocol_version = V2
comment = Blah
inherit acls = Yes
path = /distspace
read only = No

Reserved.

This is the ultimate evil !

 Exposing user related data is illegal in many
countries !
 Two methods of anonymization built in:
 Prefix + hashnumber
 Prefix only (full anonymization)

Reserved.

World of SMBTA - SMBTAD

Reserved. 16

SMBTAD – concept overview

SMBTAUTILS

Cache
Store incoming VFS data fast

Network
handler Database
feeder

c
aff i Handle client
Tr Requests

VFS
SQLITE

Reserved.

SMBTAD – caching

 Temporarily store VFS data in the Systems RAM
 Be quick : the coolness of talloc_pool !
 The database feeder runs as a thread:
 Sleep !
 Check the cache, open a new cache, and
feed the old contents into the database.
 Sleep !
…

Reserved.

SMBTAD – Battle for Performance
On average, we
Battleground : ThinkPad X61 standalone Are 8,9 seconds
behind, that is a
SMBTAD Performance test performance
done by the smbtatorture utility decrease of
180,00 s about 7,4 %.
160,00 s
The decrease is
140,00 s
127,61 s 127,89 s 129,16 s
133,46 s
127,05 s
131,12 s
127,29 s
132,53 s
125,09 s 125,01 s
much less if
121,41 s
118,84 s 120,20 s 121,16 s
123,35 s 123,26 s 121,61 s
SMBTA is run
120,00 s 117,65 s
114,87 s 114,50 s
on a dedicated
100,00 s system. Similar
tests at SUSE
80,00 s
labs with several
60,00 s
systems
resulted in about
40,00 s 2-3 %.
SMBTA enabled
20,00 s SMBTA enabled (talloc_pool patch 1)
Pure Samba Server
SMBTA enabled (talloc_pool patch 2)
SMBTA enabled (talloc_pool patch 3) SMBTA enabled (talloc_pool patch 3)
0,00 s Pure Samba Server SMBTA enabled (talloc_pool patch 2)
Run 1 Run 2 Run 3 Run 4 Run 5 Run 6 Run 7 Run 8 Run 9 Run 10 SMBTA enabled (talloc_pool patch 1)
SMBTA enabled

Reserved.

SMBTAD – maintain the DB

 The database needs to be maintained, it would
otherwise grow and grow.
 A configureable maintenance timer and
process is included in SMBTAD.
 Clean up any data that is older than a given
timespan
 Run this maintenance process at regular intervalls

Reserved.

World of SMBTA – SMBTATOOLS

Reserved. 21

SMBTATOOLS

 Smbtaquery
 Produce reports/statistics from the data
 Runs complex queries, may take time
 Works with a simple interpreter to make
querying easy for users.
 Smbtamonitor
 Real time monitoring

Reserved.

SMBTATOOLS - smbtaquery

Smbtaquery - built-in interpreter

OBJECT ACTION
Username Total,
Share List, RESULT
File Top,
Domain Usage,
Global last_activity

- hides the complexity of the database to the end user
- easy to learn syntax
- identification of given objects, adds requirements for unique identification
automatically

Reserved.

Screenshots of smbtaquery

Reserved.

SMBTAQUERY

 Any smbtaquery object understands
 From … to
 Since

 'global since yesterday, usage r;'
 'user holger from 10-23-2010 00:01:00 to today,
total rw;'

Reserved.

SMBTATOOLS - smbtamonitor

 Idea: Enable Real-Time by omitting database queries, instead
work directly with the incoming data in SMBTAD.
 SMBTAD includes a subsystem for monitors:
 Filter
incoming information in realtime for objects
 Make internal Database queries to initizalize a monitor object
 Run a specific monitor function (such as Throughput per second)

 Displays real time information on a given Object
 Throughput R / W / RW by second
 Total numbers
 Live logging
 Runs as many monitor instances as wanted

Reserved.

SMBTA – project outlook

 Release 0.1, when it's done :)
 What's missing
 Documentation!
 Open bugs ( bugzilla.novell.com, [SMBTA] in the subject )
 Release 0.2 with:
 XML support for smbtaquery
 Export to openoffice, HTML and others
 Web interface for smbtaquery and smbtamonitor
 Using smbtaquery as engine
 Run a client side round robin database w/ smbtamonitor

 AES Encryption SMBTAD ↔ SMBTATOOLS
 Additional features in the VFS module
 Optional compression
 Support for clustered Samba

Reserved.

SMBTA – Information and Q&A
 SMB Traffic Analyzer ( GPL v3 )
 http://holger123.wordpress.com/smb-traffic-analyzer/
 Core team:
 Holger Hetterich <hhetter@novell.com>
 Overall
 Michael Haefner
 smbtamonitor
 Benjamin Brunner
 smbtaquery
 Björn Geuken
 Graphical interfaces
 Ralf Schwiete
 Port to SOLARIS

Thank you Samba Team!
Q&A
Thanks to Novell/SUSE!
Reserved.

SMB Traffic Analyzer @ SDC 2010

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (14)

Similar to SMB Traffic Analyzer @ SDC 2010

Similar to SMB Traffic Analyzer @ SDC 2010 (20)

SMB Traffic Analyzer @ SDC 2010