Research Academic Computer Technology Institute University of Patras Analyzing Traffic across the Greek School Network Costas Kattirtzis , Emmanuel Varvarigos, Kyriakos Vlachos, University of Patras & Research Academic Computer Technology Institute George Stathakopoulos and Michael Paraskevas Research Academic Computer Technology Institute LANMAN 2005, 14th IEEE Workshop on Local and Metropolitan Area Networks, 18-21 September 2005, Chania, Crete, Greece Communication Networks Laboratory
Introduction • Internet is growing dramatically. • Very complex patterns to model the Network Traffic. • Studies in LAN and WAN have been made since the early 80s. • Today's findings lead us to the conclusion that – Ethernet traffic is statistically self-similar – Poisson assumption is valid in special cases • Recent studies on Peer-to-Peer traffic mainly by Karagiannis et. al have been made. Communication Networks Laboratory
Introduction • In this paper we present a study of traffic patterns on the Greek School Network • We studied in the monitored network – the behavior of flows – the behavior of the packets – the use of each protocol – the use of each well known application – The use of Peer-to-Peer services – The traffic locality phenomenon • Benefits – Understand the impact of network changes and services – Improve network usage and application performance – Reduce IP service and application costs – Optimize network costs – Understand the Impact of P2P applications – Background to the administrators for • dimensioning the network • congestion control • network management Communication Networks Laboratory
Overview • Network Architecture • Measurement Methodology • Traffic Statistics – Service Analysis – Protocol Analysis – Flow Analysis – Packet Size Analysis • Traffic locality • Peer-to-Peer Services • Conclusions Communication Networks Laboratory
Greek School Network Architecture • Nationwide network that spans across Greece. Connects all schools of primary and secondary education including administrator offices. • Hierarchically structured into three layers. – The Backbone network – The Distribution Network – The Access Network Communication Networks Laboratory
Overview • Network Architecture • Measurement Methodology • Traffic Statistics – Service Analysis – Protocol Analysis – Flow Analysis – Packet Size Analysis • Traffic locality • Peer-to-Peer Services • Conclusions Communication Networks Laboratory
Measurement Methodology • All the measurements took place in the PATRAS prefecture from October 24 00:00:00 GMT+02:00 2004 to March 18 23:30:00 GMT+02:00 2005. • Monitoring System – Cisco NetFlow • In terms of NetFlow, flow is defined by Seven Unique Keys: – source IP address – destination IP address – source port number – destination port number – layer 3 protocol type – TOS (Type Of Service) byte and – Input logical interface – FlowScan – cflowd – RRDtool Communication Networks Laboratory
Overview • Network Architecture • Measurement Methodology • Traffic Statistics – Service Analysis – Protocol Analysis – Flow Analysis – Packet Size Analysis • Traffic locality • Peer-to-Peer Services • Conclusions Communication Networks Laboratory
Traffic Statistics - Services Communication Networks Laboratory
Traffic Statistics - Services Outgoing traffic Incoming traffic 50 40 35 Percentile of total Percentile of total 40 30 25 30 traffic traffic 20 20 15 10 10 5 0 0 P P n 2 n p w P 2 p P w t P t P P t o M H o t M P T S n H S 3 n T N M N k P N N 3 P k P n S M D r P S T n S D O e T r u S O F e h u F P P h t o t Flows Flows o Packets Packets Services Services bits bits • Outgoing traffic in term of bytes • DNS and SNMP use UDP – 50% is P2P – Large fraction of the flows, small fraction of the packets and an even – 19% is HTTP smaller fraction of the bytes transferred – 25.6% is unknown • HTTP (web) application • Incoming traffic in term of bytes – The profile of its daily load distribution – 37% is P2P fits closely the corresponding profile of – 30% is HTTP the TCP protocol . – 25.6% is unknown Communication Networks Laboratory
Traffic Statistics - Protocols Communication Networks Laboratory
Traffic Statistics - Protocols Outgoing traffic Incoming traffic 100 100 90 Percentile of total 90 80 ercentage 80 70 70 60 traffic 60 50 50 40 40 30 P 30 20 20 10 10 0 0 P TCP P UDP IPINIP TC ulticast P D P IP ulticast M ICM U IN IC flows IP flow s M packets M packets Protocols Protocols bits bits Outgoing traffic Incoming traffic • The size of the incoming packets is much larger than Bytes Flows Packets Bytes Flows Packets Protocols the size of the outgoing 95% 61.6% 84,2% 93.1% 54.4% 83% TCP packets. 4,4 34,5 14,5 5,2 41,2 14,5 UDP • TCP uses more and larger • The other IP protocols individually make up packets per flow than UDP a negligible percentage of the overall traffic Communication Networks Laboratory
Traffic Statistics – Flow Analysis 109858082 143809451 143848754 145058776 145061162 145071742 145071956 145099781 145100818 145160507 1.00E+09 • 87% of the flows carry Cumulative number of flows 50504812 5-12 packets 17757186 17580176 1.00E+08 • The majority of the flows last 6 - 6.5 sec. 1.00E+07 • Data transfers* 829363 • interactive : TCP-telnet, 1.00E+06 ICMP, UDP-NTP • transaction oriented : TCP-FTP, TCP-SMTP 1.00E+05 124 197 228 530 1 2 4 5 10 12 17 18 30 68 • bulk data transfer : TCP-FTPD, TCP-WWW packets per flow • A cross-check of the findings of k. Claffy et al. at “Traffic Characteristics of the T1 NSFNET Backbone”. Communication Networks Laboratory
Traffic Statistics – Packet Size Analysis 100 50 1st Sample 2nd Sample 45 90 40 80 Cumulative Percentage % P a c k e ts 35 70 30 60 25 50 20 15 40 10 30 5 20 0 10 Packets of November 0 -3 2 3 3 -6 4 6 5 -9 6 5 7 7 -1 0 2 4 1 0 2 5 -1 5 3 6 9 7 -1 2 8 1 2 9 -1 6 0 1 6 1 -1 9 2 1 9 3 -2 2 4 2 2 5 -2 5 6 2 5 7 -2 8 8 2 8 9 -3 2 0 3 2 1 -3 5 2 3 5 3 -3 8 4 3 8 5 -4 1 6 4 1 7 -4 4 8 4 4 9 -4 8 0 4 8 1 -5 1 2 5 1 3 -5 4 4 5 4 5 -5 7 6 Packets of March 0 2 6 0 4 8 2 6 0 4 4 7 3 9 6 2 8 5 1 8 4 2 3 - - 1 2 2 3 4 4 5 0 5 0 5 - - - - - - - 1 1 6 9 3 7 1 5 9 3 - 2 9 5 2 8 4 1 7 > 1 1 2 3 3 4 5 7 5 IP packet size (bytes) Packet Size (bytes) • Dual-modal pattern • Large size packets caused • Predominance of small-sized • By Ethernet full size packets caused packets • by TCP control segments and and • By p2p applications • by HTTP application Communication Networks Laboratory
Overview • Network Architecture • Measurement Methodology • Traffic Statistics – Service Analysis – Protocol Analysis – Flow Analysis – Packet Size Analysis • Traffic locality • Peer-to-Peer Services • Conclusions Communication Networks Laboratory
Traffic Statistics – Traffic Locality • Outgoing traffic: The 50 100 Percent of traffic send by source most busy sources (of the 6188) in a 5-minute sample, 80 are responsible for 60 – 94.5% of the bytes – 93.1% of the flows 40 – 90.9% of the packets. 20 • Incoming traffic: The same users: 0 – 76.6% of the bytes 1 5 9 3 7 1 5 9 3 7 1 5 9 1 1 2 2 2 3 3 4 4 4 – 77.5% of the flows Number of Hosts incoming bytes incoming packets incoming flows – 52.5% of the packets. outgoing bytes outgoing packets outgoing flows • The same results were observed in the 250 minutes samples. Communication Networks Laboratory
Overview • Network Architecture • Measurement Methodology • Traffic Statistics • Service Analysis • Protocol Analysis • Flow Analysis • Packet Size Analysis • Traffic locality • Peer-to-Peer Services • Conclusions Communication Networks Laboratory
Peer-to-Peer Services outgoing traffic incoming traffic Protocol bits % packets % flows % bits % packets % flows % BitTorrent 25,6 17,9 5,9 23,3 18,7 7 eMule 19,5 16,1 12,8 10,6 14,3 14,6 Napster 3 2,5 0,3 2,2 2,3 0,4 Gnutella 0,3 0,3 0,2 0,2 0,3 0,2 Kazaa 0,2 0,2 0,1 0,4 0,2 0,1 Direct Connect 0,1 0 0 0,1 0 0 Total 48,7 37 19,3 36,8 35,8 22,3 • Very Difficult to identify P2P traffic The 3 rd generation P2P systems use arbitrary ports for the P2P connections • • Still 25% of the traffic is unknown • 32,3% - 48,7% of the outgoing and 14% - 39% of the incoming bytes are caused by P2P services Communication Networks Laboratory
Peer-to-Peer Services • P2P services are active 24 hours per day + they do not follow the traffic pattern of the overall traffic • Emule and BitTorrent were the two most prevalent protocols. • After 19/12/2004 the use of BitTorrent was reduced significantly because of the shut down of Suprnova.org Communication Networks Laboratory
Recommend
More recommend