SlideShare une entreprise Scribd logo

Rorschach Plots and Network Performance Analysis

Télécharger en tant que PPTX, PDF
Jim Gilsinn
Jim Gilsinn

Presented @ BSidesDC 2013 Washington, DC, October 20, 2013 Measuring the performance of network protocols that require determinism can be difficult with the existing set of tools. Tools like Wireshark can give you the details of the protocols themselves and some general statistics about the packet streams, but they don’t easily show the full set of traffic for those streams. Visual tools like Etherape can show you the full set of traffic streams, but don’t give you any idea of the nuances of the performance represented in those traffic streams. While at the National Institute of Standards and Technology (NIST), I built a tool capable of analyzing and displaying the performance of network protocols. The first generation of the tool was called the Industrial Ethernet Network Performance (IENetP) test tool and the second generation of the tool is called the Factory Equipment Network Testing (FENT) framework. Both these tools are available on SourceForge and are public domain. I have since left NIST and the tools haven’t been picked up by anyone. The FENT framework is useful for analyzing the performance of any deterministic protocol and reporting certain performance characteristics. It was originally designed for EtherNet/IP (Ethernet / Industrial Protocol), Modbus, Profinet, and other industrial Ethernet-based protocols, but has proven to be useful for many other protocols as well. The most beneficial part of the software has actually been the graphical analysis, which in many cases resemble Rorschach plots due to the subtle performance problems that show up as strange patterns in the data. My presentation will describe the FENT framework, present the tool in its current state, and display some of the more interesting results. It will also be a plea for someone to take up the open-source development of this project and move it forward. My new position does not leave me with enough time to dedicate to the project, so the project has been dormant for the last few months. I’ve received complements on the project from many industrial partners in the past and they would like to see further development, but that means that someone else has to take on the task.

Technologie
1  sur  27
Rorschach Plots and Network Performance Analysis Jim Gilsinn Kenexis Consulting Corporation October 19-20, 2013 BSidesDC 2013 1
Rorschach? October 19-20, 2013 BSidesDC 2013 2
“Rorschach” Plots October 19-20, 2013 BSidesDC 2013 3
“Rorschach” Plots October 19-20, 2013 BSidesDC 2013 4
“Rorschach” Plots October 19-20, 2013 BSidesDC 2013 5
ICS Environment October 19-20, 2013 BSidesDC 2013 6
ICS Environment October 19-20, 2013 BSidesDC 2013 7
ICS Systems October 19-20, 2013 BSidesDC 2013 8
What’s This All About? • I used to work at NIST • I left about a year ago • I worked on ICS network performance metrics, tests, and tools • The test tools I developed have been dormant since leaving • The vendors I worked with while at NIST want to tool • My new employer won’t support open-source development • I’m here to beg for help! October 19-20, 2013 BSidesDC 2013 9
Performance Testing Methodology: Performance Metrics • Publish/subscribe or peer-to-peer communications • Main performance metric: Cyclic frequency variability/jitter • Real-time EtherNet/IP uses publish/subscribe • Requested/Accepted Packet Interval (RPI/API) • Measured Packet Interval (MPI) October 19-20, 2013 BSidesDC 2013 10
Performance Testing Methodology: Performance Metrics • Command/response or master/slave communications • Main performance metric: Latency • Large numbers of protocols use this • Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc. • Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc. October 19-20, 2013 BSidesDC 2013 11
IENetP Test Tool • Industrial Ethernet Network Performance (IENetP) • http://sourceforge.net/projects/ienetp/ • Current Version = 1.1.2, Released 2011-02-11 • Software Features • • • • • • • Analyze existing Wireshark captures Allows user to override default EtherNet/IP filter Isolates individual traffic streams Determine cyclic jitter of those streams Generates HTML report Generates time-space & histogram graphs Graphs allow zooming October 19-20, 2013 BSidesDC 2013 12
NIST Performance Test Tool • Industrial Ethernet Network Performance (IENetP) Test Tool • Factory Equipment Network Testing (FENT) Framework
FENT Framework Universal Client Application Testing Testing Module Testing Module Testing Module Module Analysis Analysis Engine Engine Reporting Engine Universal Client Application API Personality Module Personality Module Personality Module Ethernet Sensor Gateway Internet Fieldbus October 19-20, 2013 BSidesDC 2013 14
FENT Features • All Analysis Features From IENetP • Analyze Wireshark capture files • Build graphs and reports of results • Added Features • True multi-protocol support • Real-time testing capability • Extensible framework October 19-20, 2013 BSidesDC 2013 15
FENT Personality Modules • Wrapper for Driver Application • Implement a TCP-socket interface for UCA-API messaging • Build a simple XML-based PM Descriptor file UCA – API Protocol PM PM Descriptor • Features • Describes Wireshark parameters • Allows any protocol to be used • Can be built/loaded at run-time October 19-20, 2013 BSidesDC 2013 Driver App 16
FENT Framework Run-Time UCA Testing Module Analysis Engine 1. Reporting Engine 2. PSML File 3. 4. UCA – API Wireshark Protocol PM PM Descriptor 5. Driver App 6. Testing Module  Protocol PM – Grab protocol-specific Wireshark parameters via UCA-API Testing Module  Wireshark – Start capturing traffic Testing Module  Protocol PM – Command driver app to communicate with DUT Testing Module  Wireshark – Stop Capturing traffic, process capture file using desired protocol and user parameters, generate PSML file Analysis Engine – Read PSML file, analyze packets for desired metrics Reporting Engine – Report data to user DUT October 19-20, 2013 BSidesDC 2013 17
FENT UCA-API Schema October 19-20, 2013 BSidesDC 2013 18
FENT Framework • Project Home: • http://sourceforge.net/projects/fent/ • What’s Available: • SVN repository & schema • FENT software • Conduct real-time testing • Analyze results • Build graphs on-screen • NIST SensorSim PM, IEEE 1451 PM • EtherNet/IP PlugFest “Gold Standard” Background Traffic October 19-20, 2013 BSidesDC 2013 19
FENT Framework • Known Problems & Issues • Doesn’t work with Wireshark 1.9+ • Tshark argument for getting fields changed • • • • Logic problems with using multi-protocol Wireshark headers Software doesn’t use true database Testing automation not integrated No installer October 19-20, 2013 BSidesDC 2013 20
FENT Demo October 19-20, 2013 BSidesDC 2013 21
“Gold Standard” Background Traffic October 19-20, 2013 BSidesDC 2013 22
“Gold Standard” Background Traffic • What Is It? • A set of Wireshark captures, Linux scripts, and analysis results • Based on EtherNet/IP PlugFest performance testing requirements • High precision and accuracy Wireshark captures of PlugFest performance background traffic • Linux scripts designed for use in BackTrack Linux (http://www.backtrack-linux.org/) • Analysis results show validation for use in PlugFest performance testing • Where Can You Get It? • http://ienetp.sourceforge.net/EtherNet-IP_Testing.zip or • FENT SVN in Background_Traffic folder October 19-20, 2013 BSidesDC 2013 23
ARP Request Broadcasts 180 Gratuitous ARP Broadcasts 180 DHCP Request Broadcasts 100 ICMP (ping) Request Broadcasts 100 NTP Multicasts 10 EtherNet/IP ListIdentity Request 10 EtherNet/IP Class 1 1800 ARP Burst Requests 240 pkts @ 4k Hz Burst Unmanaged Burst Managed Steady-State Unmanaged Rate (pps) Steady-State Managed Traffic Type Baseline PlugFest Performance Traffic
“Gold Standard” Captures • Built From Individual Traffic Streams • Each traffic stream generated and captured using NIST Ixia system (a few microseconds jitter) • Assembled using editcap and mergecap scripts • Final captures are 60-seconds long • Can’t just loop continuously • Longer test captures require rebuilding (not hard) • Analyzed Using IENetP • Analysis results are included in package • Well within spec for PlugFest performance testing needs (<25% of desired packet intervals) October 19-20, 2013 BSidesDC 2013 25
Licensing? • The project is Public Domain!!! • There are NO LICENSING ISSUES!!! October 19-20, 2013 BSidesDC 2013 26
What’s Next? • Contact Me • • • • • Jim Gilsinn 301-706-9985 jim.gilsinn@kenexis.com Twitter – @JimGilsinn LinkedIn – http://www.linkedin.com/in/jimgilsinn/ • Review the FENT SourceForge Project • http://sourceforge.net/projects/fent/ • Fork the Project October 19-20, 2013 BSidesDC 2013 27

Recommandé

You name it, we analyze it
You name it, we analyze itYou name it, we analyze it
You name it, we analyze itJim Gilsinn
 
A Child Like Approach to Grid Cybersecurity
A Child Like Approach to Grid CybersecurityA Child Like Approach to Grid Cybersecurity
A Child Like Approach to Grid CybersecurityRobert M. Lee
 
Wireshark Network Protocol Analyzer
Wireshark Network Protocol AnalyzerWireshark Network Protocol Analyzer
Wireshark Network Protocol AnalyzerJim Gilsinn
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016 SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016 Derek Harp
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Practical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionPractical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionJim Gilsinn
 
ICS Performance Lab
ICS Performance LabICS Performance Lab
ICS Performance LabJim Gilsinn
 

Recommandé

You name it, we analyze it
You name it, we analyze itYou name it, we analyze it
You name it, we analyze itJim Gilsinn
 
A Child Like Approach to Grid Cybersecurity
A Child Like Approach to Grid CybersecurityA Child Like Approach to Grid Cybersecurity
A Child Like Approach to Grid CybersecurityRobert M. Lee
 
Wireshark Network Protocol Analyzer
Wireshark Network Protocol AnalyzerWireshark Network Protocol Analyzer
Wireshark Network Protocol AnalyzerJim Gilsinn
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016 SANS ICS Security Survey Report 2016
SANS ICS Security Survey Report 2016 Derek Harp
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 
Practical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionPractical Approaches to Securely Integrating Business and Production
Practical Approaches to Securely Integrating Business and ProductionJim Gilsinn
 
ICS Performance Lab
ICS Performance LabICS Performance Lab
ICS Performance LabJim Gilsinn
 
Low-Cost ICS Network Performance Testing
Low-Cost ICS Network Performance TestingLow-Cost ICS Network Performance Testing
Low-Cost ICS Network Performance TestingJim Gilsinn
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsJim Gilsinn
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Cook Like a Hacker!
Cook Like a Hacker!Cook Like a Hacker!
Cook Like a Hacker!Jim Gilsinn
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...Ahmed Al Enizi
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Jim Gilsinn
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Test Tool for Industrial Ethernet Network Performance (June 2009)
Test Tool for Industrial Ethernet Network Performance (June 2009)Test Tool for Industrial Ethernet Network Performance (June 2009)
Test Tool for Industrial Ethernet Network Performance (June 2009)Jim Gilsinn
 
Network Packet Analysis with Wireshark
Network Packet Analysis with WiresharkNetwork Packet Analysis with Wireshark
Network Packet Analysis with WiresharkJim Gilsinn
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jNeo4j
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfUK Journal
 

Contenu connexe

En vedette

Low-Cost ICS Network Performance Testing
Low-Cost ICS Network Performance TestingLow-Cost ICS Network Performance Testing
Low-Cost ICS Network Performance TestingJim Gilsinn
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsJim Gilsinn
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...PECB
 
Cook Like a Hacker!
Cook Like a Hacker!Cook Like a Hacker!
Cook Like a Hacker!Jim Gilsinn
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...Ahmed Al Enizi
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Jim Gilsinn
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
Test Tool for Industrial Ethernet Network Performance (June 2009)
Test Tool for Industrial Ethernet Network Performance (June 2009)Test Tool for Industrial Ethernet Network Performance (June 2009)
Test Tool for Industrial Ethernet Network Performance (June 2009)Jim Gilsinn
 
Network Packet Analysis with Wireshark
Network Packet Analysis with WiresharkNetwork Packet Analysis with Wireshark
Network Packet Analysis with WiresharkJim Gilsinn
 

En vedette (10)

Low-Cost ICS Network Performance Testing
Low-Cost ICS Network Performance TestingLow-Cost ICS Network Performance Testing
Low-Cost ICS Network Performance Testing
 
Integrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of StandardsIntegrating the Alphabet Soup of Standards
Integrating the Alphabet Soup of Standards
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...
 
Cook Like a Hacker!
Cook Like a Hacker!Cook Like a Hacker!
Cook Like a Hacker!
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
 
Test Tool for Industrial Ethernet Network Performance (June 2009)
Test Tool for Industrial Ethernet Network Performance (June 2009)Test Tool for Industrial Ethernet Network Performance (June 2009)
Test Tool for Industrial Ethernet Network Performance (June 2009)
 
Network Packet Analysis with Wireshark
Network Packet Analysis with WiresharkNetwork Packet Analysis with Wireshark
Network Packet Analysis with Wireshark
 

Dernier

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jNeo4j
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfUK Journal
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimaginedpanagenda
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideStefan Dietze
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 

Dernier (20)

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 

Rorschach Plots and Network Performance Analysis

  • 1. Rorschach Plots and Network Performance Analysis Jim Gilsinn Kenexis Consulting Corporation October 19-20, 2013 BSidesDC 2013 1
  • 6. ICS Environment October 19-20, 2013 BSidesDC 2013 6
  • 7. ICS Environment October 19-20, 2013 BSidesDC 2013 7
  • 8. ICS Systems October 19-20, 2013 BSidesDC 2013 8
  • 9. What’s This All About? • I used to work at NIST • I left about a year ago • I worked on ICS network performance metrics, tests, and tools • The test tools I developed have been dormant since leaving • The vendors I worked with while at NIST want to tool • My new employer won’t support open-source development • I’m here to beg for help! October 19-20, 2013 BSidesDC 2013 9
  • 10. Performance Testing Methodology: Performance Metrics • Publish/subscribe or peer-to-peer communications • Main performance metric: Cyclic frequency variability/jitter • Real-time EtherNet/IP uses publish/subscribe • Requested/Accepted Packet Interval (RPI/API) • Measured Packet Interval (MPI) October 19-20, 2013 BSidesDC 2013 10
  • 11. Performance Testing Methodology: Performance Metrics • Command/response or master/slave communications • Main performance metric: Latency • Large numbers of protocols use this • Most (All?) PC-based server/client protocols – HTTP(S), (S)FTP, etc. • Most industrial protocols – Modbus/TCP, Profinet, Ethercat, etc. October 19-20, 2013 BSidesDC 2013 11
  • 12. IENetP Test Tool • Industrial Ethernet Network Performance (IENetP) • http://sourceforge.net/projects/ienetp/ • Current Version = 1.1.2, Released 2011-02-11 • Software Features • • • • • • • Analyze existing Wireshark captures Allows user to override default EtherNet/IP filter Isolates individual traffic streams Determine cyclic jitter of those streams Generates HTML report Generates time-space & histogram graphs Graphs allow zooming October 19-20, 2013 BSidesDC 2013 12
  • 13. NIST Performance Test Tool • Industrial Ethernet Network Performance (IENetP) Test Tool • Factory Equipment Network Testing (FENT) Framework
  • 14. FENT Framework Universal Client Application Testing Testing Module Testing Module Testing Module Module Analysis Analysis Engine Engine Reporting Engine Universal Client Application API Personality Module Personality Module Personality Module Ethernet Sensor Gateway Internet Fieldbus October 19-20, 2013 BSidesDC 2013 14
  • 15. FENT Features • All Analysis Features From IENetP • Analyze Wireshark capture files • Build graphs and reports of results • Added Features • True multi-protocol support • Real-time testing capability • Extensible framework October 19-20, 2013 BSidesDC 2013 15
  • 16. FENT Personality Modules • Wrapper for Driver Application • Implement a TCP-socket interface for UCA-API messaging • Build a simple XML-based PM Descriptor file UCA – API Protocol PM PM Descriptor • Features • Describes Wireshark parameters • Allows any protocol to be used • Can be built/loaded at run-time October 19-20, 2013 BSidesDC 2013 Driver App 16
  • 17. FENT Framework Run-Time UCA Testing Module Analysis Engine 1. Reporting Engine 2. PSML File 3. 4. UCA – API Wireshark Protocol PM PM Descriptor 5. Driver App 6. Testing Module  Protocol PM – Grab protocol-specific Wireshark parameters via UCA-API Testing Module  Wireshark – Start capturing traffic Testing Module  Protocol PM – Command driver app to communicate with DUT Testing Module  Wireshark – Stop Capturing traffic, process capture file using desired protocol and user parameters, generate PSML file Analysis Engine – Read PSML file, analyze packets for desired metrics Reporting Engine – Report data to user DUT October 19-20, 2013 BSidesDC 2013 17
  • 18. FENT UCA-API Schema October 19-20, 2013 BSidesDC 2013 18
  • 19. FENT Framework • Project Home: • http://sourceforge.net/projects/fent/ • What’s Available: • SVN repository & schema • FENT software • Conduct real-time testing • Analyze results • Build graphs on-screen • NIST SensorSim PM, IEEE 1451 PM • EtherNet/IP PlugFest “Gold Standard” Background Traffic October 19-20, 2013 BSidesDC 2013 19
  • 20. FENT Framework • Known Problems & Issues • Doesn’t work with Wireshark 1.9+ • Tshark argument for getting fields changed • • • • Logic problems with using multi-protocol Wireshark headers Software doesn’t use true database Testing automation not integrated No installer October 19-20, 2013 BSidesDC 2013 20
  • 21. FENT Demo October 19-20, 2013 BSidesDC 2013 21
  • 22. “Gold Standard” Background Traffic October 19-20, 2013 BSidesDC 2013 22
  • 23. “Gold Standard” Background Traffic • What Is It? • A set of Wireshark captures, Linux scripts, and analysis results • Based on EtherNet/IP PlugFest performance testing requirements • High precision and accuracy Wireshark captures of PlugFest performance background traffic • Linux scripts designed for use in BackTrack Linux (http://www.backtrack-linux.org/) • Analysis results show validation for use in PlugFest performance testing • Where Can You Get It? • http://ienetp.sourceforge.net/EtherNet-IP_Testing.zip or • FENT SVN in Background_Traffic folder October 19-20, 2013 BSidesDC 2013 23
  • 24. ARP Request Broadcasts 180 Gratuitous ARP Broadcasts 180 DHCP Request Broadcasts 100 ICMP (ping) Request Broadcasts 100 NTP Multicasts 10 EtherNet/IP ListIdentity Request 10 EtherNet/IP Class 1 1800 ARP Burst Requests 240 pkts @ 4k Hz Burst Unmanaged Burst Managed Steady-State Unmanaged Rate (pps) Steady-State Managed Traffic Type Baseline PlugFest Performance Traffic
  • 25. “Gold Standard” Captures • Built From Individual Traffic Streams • Each traffic stream generated and captured using NIST Ixia system (a few microseconds jitter) • Assembled using editcap and mergecap scripts • Final captures are 60-seconds long • Can’t just loop continuously • Longer test captures require rebuilding (not hard) • Analyzed Using IENetP • Analysis results are included in package • Well within spec for PlugFest performance testing needs (<25% of desired packet intervals) October 19-20, 2013 BSidesDC 2013 25
  • 26. Licensing? • The project is Public Domain!!! • There are NO LICENSING ISSUES!!! October 19-20, 2013 BSidesDC 2013 26
  • 27. What’s Next? • Contact Me • • • • • Jim Gilsinn 301-706-9985 jim.gilsinn@kenexis.com Twitter – @JimGilsinn LinkedIn – http://www.linkedin.com/in/jimgilsinn/ • Review the FENT SourceForge Project • http://sourceforge.net/projects/fent/ • Fork the Project October 19-20, 2013 BSidesDC 2013 27