internet traffic measurements
play

Internet traffic measurements Renata Teixeira (Inria) Why measure - PowerPoint PPT Presentation

Nov 16, 2023 •124 likes •539 views

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance analysis Anomaly and intrusion detec=on Network engineering Traffic at different granulari=es IP-level packets Capture per-packet

  1. Internet traffic measurements Renata Teixeira (Inria)

  2. Why measure traffic? • Performance analysis • Anomaly and intrusion detec=on • Network engineering

  3. Traffic at different granulari=es • IP-level packets – Capture per-packet informa=on • Flows – Sta=s=cs of packets grouped into flows • Network interface – Sta=s=cs of packets that traverse a network interface

  4. Outline • Mo=va=on and defini=ons • Tools for measuring traffic – Packet capture – Interface counts – Flow capture • Traffic matrix • Trace anonymiza=on • Summary

  5. Packet capture on end systems • Basic method – Capture and record packets passing through an interface Packet Trace t 1

  6. Tools • tcpdump – Command-line packet capture • libpcap – C/C++ library for packet capture • Wireshark – Packet capture and analysis

  7. Possible measurement ar=facts • Dropped packets are common under high u=liza=on – Inspect report of dropped packets • Other less frequent ar=facts – Fail to report drops – Falsely report drops – Duplicate packets – Re-ordered packets – Misfilter

  8. How to capture packets on point-to- point links? ?

  9. Port mirroring • Basic method – Copies packets from one or more ports to a mirroring port – Run packet capturing tool on host connected to mirroring port t 1 mirroring port

  10. Network Tap • Basic method – Electrical or op=cal spliWer on monitored link – Monitoring host with specialized network interface and interface driver t 1

  11. Comparison Port mirroring Tap • Pros • Pros – Easy to setup – Monitor all packets – Low cost – Eliminates risk of dropped packets • Cons • Cons – Hardware and media errors are dropped – Expensive – Packets may be dropped at high u=liza=on

  12. High-speed capture with commodity hardware • Key idea – Direct access to NIC (i.e., bypass kernel) – Parallelism • Tools – TStat – ntop – WAND

  13. Outline • Mo=va=on and defini=ons • Tools for measuring traffic – Packet capture – Interface counts – Flow capture • Traffic matrix • Trace anonymiza=on • Summary

  14. Interface counts • Basic method – Routers log simple sta=s=cs (bytes/packets) • Total values since interface ini=alized – Request sta=s=cs using SNMP (MIB-II MIB) #packets In 0 #packets In 0 #packets Out 2 2 1 #packets Out 0

  15. Example proper=es • Number of In/Out bytes (total, unicast, non-unicast) • Number of In/Out packets (total, unicast, non-unicast) • Number of In/Out discarded/corrupted packets

  16. Interface counts: Pros and Cons • Pros – Supported on all networking equipment – LiWle performance impact on routers – LiWle storage needs • Cons – Missing data (SNMP uses UDP) – Polling makes it hard to synchronize data from mul=ple interfaces – Coarse-grained measurements

  17. Outline • Mo=va=on and defini=ons • Tools for measuring traffic – Packet capture – Interface counts – Flow capture • Traffic matrix • Trace anonymiza=on • Summary

  18. IP Flows • Set of packets with common proper=es – Defini=on can vary • Tradi=onal 5-tuple: src IP, dst IP, src port, dst port, protocol • Packets from one ingress to an egress point • Packets that are “ close ” together in =me – Maximum spacing between packets (e.g., 15 sec, 30 sec) flow 1 flow 2 flow 3

  19. Flow ≠ applica=on session • Applica=on session may be composed of mul=ple flows • Packets in applica=on session may not follow same links • Hard to measure applica=on session inside the network

  20. Capturing flow sta=s=cs in routers • Basic method – Specify set of proper=es that define a flow – Router log sta=s=cs per flow (flow records) – Push flow records to collec=ng process (IPFIX) flow id #packets 1 1 2

  21. Flow records: Flow iden=fier • Packet header informa=on – Source and des=na=on IP addresses – Source and des=na=on TCP/UDP port numbers – Other IP & TCP/UDP header fields (e.g., protocol, ToS bits) • Rou=ng informa=on – Input and output interfaces – Source and des=na=on IP prefix (mask length) – Source and des=na=on autonomous system numbers

  22. Flow records: Flow proper=es • Aggregate traffic informa=on – Start and finish =me of the flow (=me of first & last packet) – Total number of bytes and number of packets in the flow – TCP flags (e.g., logical OR over the sequence of packets)

  23. Packet Sampling • Packet sampling before flow crea=on – 1-out-of-m sampling of individual packets (e.g., m=100) – Crea=on of flow records over the sampled packets • Reducing overhead – Avoid per-packet overhead on (m-1)/m packets – Avoid crea=ng records for a large number of small flows • Increasing overhead (in some cases) – May split some long transfers into mul=ple flow records – … due to larger =me gaps between successive packets

  24. Tools • In-router capture – Cisco NetFlow – Juniper JFlow • Collec=on and post-processing – Flow-tools – ntop

  25. Flow monitoring: Pros and Cons Pros Cons • More details about traffic • Less details than packet compared to counters capture – No individual packet arrival • Lower measurement volume =mes than full packet traces – No informa=on on packet • Available on high-end line content cards (Neilow, Jflow) • Not uniformly supported • Control over overhead via (gejng beWer with IPFIX) aggrega=on and sampling • Computa=on/memory requirements for the flow cache

  26. Using the traffic data in network opera=ons • Interface counts: everywhere – Tracking link u=liza=ons and detec=ng anomalies – Genera=ng bills for traffic on customer links – Inference of the offered load (i.e., traffic matrix) • Packet monitoring: selected loca=ons – Analyzing the small =me-scale behavior of traffic – Troubleshoo=ng specific problems on demand • Flow monitoring: selec=ve, e.g,. network edge – Tracking the applica=on mix – Direct computa=on of the traffic matrix – Input to denial-of-service aWack detec=on

  27. Outline • Mo=va=on and defini=ons • Tools for measuring traffic – Packet capture – Interface counts – Flow capture • Traffic matrix • Trace anonymiza=on • Summary

  28. Traffic matrix: Defini=on – Representa=on of traffic volume flowing from sources to des=na=ons • Bytes • Links • Packets • Routers • Flows, etc. • Points of Presence (PoPs) • Networks

  29. Usage • Capacity planning • Traffic engineering (IGP and BGP) • Billing • Peering analysis • Anomaly detec=on • Design of new protocols

  30. Ingress router to egress router matrix d CR 1 … CR 8 AS2 CR 1 AS3 AS1 … PoP 4 PoP 3 CR 8 CR 7 CR 8 CR 5 CR 6 AR 1 CR 1 CR 3 AR 2 AR 1 CR 2 CR 4 AR 3 AR 2 PoP 1 AR 3

  31. Measuring the traffic matrix • Packet capture – Gives the most detailed view of traffic – But, expensive and high collec=on overhead • Flow capture – Enough to build traffic matrix – Lower collec=on overhead (in par=cular with sampling) • Interface counts – Cannot directly measure traffic matrix, must es=mate – Lowest overhead, widely available

  32. Outline • Mo=va=on and defini=ons • Tools for measuring traffic – Packet capture – Interface counts – Flow capture • Traffic matrix • Trace anonymiza=on • Summary

  33. Benefits of sharing data • Good scien=fic prac=ce • Get others to work on relevant problems • Learn from analysis of others • Get broader view

  34. But, packet traces contain lots of sensi=ve informa=on • Headers – Connec=on endpoints: who is talking to who; sites visited – Protocol, ports: applica=ons used • Payload – Visited content – Passwords, etc.

  35. Solu=on: Anonymiza=on • Process to sani=ze data to ensure anonymity – Absence of iden=ty – Prevent others from linking iden=ty to ac=ons of an individual • Packet trace anonymiza=on tools – tcpdpriv, ipsumdump, ip2anonip, Crypto-PAn, PktAnon

  36. Anonymizing payload • Payload contains most sensi=ve informa=on – BeWer if removed completely – If not possible, get minimum necessary • E.g., HTTP host beWer than full URL

  37. Anonymizing packet headers • Packet headers can be shared with care – MAC addresses • Poten=al to link records with the same MAC across datasets – IP addresses oren need to be anonymized – IP addresses appear in other parts of the packet • IP op=ons (e.g., record route) • ICMP/DNS packets

  38. Outline • Mo=va=on and defini=ons • Tools for measuring traffic – Packet capture – Interface counts – Flow capture • Traffic matrix • Trace anonymiza=on • Summary

  39. Summary • Packet capture – Detailed per-packet measurements; high overhead • Interface counts – Coarse measurements per link; low overhead • Flow capture – More details than link counts, less than packet captures – Medium collec=on overhead controlled with sampling • Traffic matrix – Measured from flow capture • Trace aonymiza=on is key for data sharing

  40. Ques=ons?

Recommend

Macro- and Microscopic Analysis of the Internet Economy from Network Measurements Jakub Mikians

Macro- and Microscopic Analysis of the Internet Economy from Network Measurements Jakub Mikians

Introduction Macroscopic view: Interdomain Traffic Matrix Microscopic view: Price Discrimination Conclusions and Further Work Contributions Backup Macro- and Microscopic Analysis of the Internet Economy from Network Measurements Jakub Mikians

1.04k views • 78 slides
DipZoom: A Marketplace for Internet Measurements Michael Rabinovich, Sipat Tiukose, Zhihua Wen

DipZoom: A Marketplace for Internet Measurements Michael Rabinovich, Sipat Tiukose, Zhihua Wen

DipZoom: A Marketplace for Internet Measurements Michael Rabinovich, Sipat Tiukose, Zhihua Wen Limin Wang EECS Department Case Western Reserve University Internet Measurements A-priori measurement platforms (e.g. IDMaps) - Great for

263 views • 15 slides
for Application Traffic Experimentation Utkarsh Goel, Ajay Miyyapuram, Mike P. Wittie, Qing Yang

for Application Traffic Experimentation Utkarsh Goel, Ajay Miyyapuram, Mike P. Wittie, Qing Yang

MITATE: Mobile Internet Testbed for Application Traffic Experimentation Utkarsh Goel, Ajay Miyyapuram, Mike P. Wittie, Qing Yang Montana State University - Bozeman March 26, 2014 Workshop on Active Internet Measurements (AIMS14) 1

612 views • 30 slides
Measurements and Observations of IP Introduction Multicast Traffic Environment and methodology

Measurements and Observations of IP Introduction Multicast Traffic Environment and methodology

Outline Measurements and Observations of IP Introduction Multicast Traffic Environment and methodology Bruce A. Mah Measurements bmah@CS.Berkeley.EDU Aggregate The Tenet Group Audio conversations University of California at Berkeley

197 views • 4 slides
Speed Measurements for Residential Internet Access Oana Goga, Renata Teixeira CNRS and UPMC

Speed Measurements for Residential Internet Access Oana Goga, Renata Teixeira CNRS and UPMC

Speed Measurements for Residential Internet Access Oana Goga, Renata Teixeira CNRS and UPMC Sorbonne Universites Workshop on Active Internet Measurements CAIDA, February 10th, 2011 Do residential Internet customers get what they pay for? July

708 views • 33 slides
DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet,

DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet,

QUEUING THEORY: EXPONENTIAL DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet, etc. Also: how can we describe how traffic is processed? What are some metrics? Rate at which people

945 views • 13 slides
WAN Measurement Carey Williamson Department of Computer Science University of Calgary WAN

WAN Measurement Carey Williamson Department of Computer Science University of Calgary WAN

CPSC 641: WAN Measurement Carey Williamson Department of Computer Science University of Calgary WAN Traffic Measurements There have been several studies of wide area network traffic (i.e., Internet traffic) We will look briefly at two

655 views • 13 slides
Informational Slides Internet Measurements Seminar

Informational Slides Internet Measurements Seminar

Technische Universitt Mnchen Informational Slides Internet Measurements Seminar http://www.cm.in.tum.de/teaching/2019-seminar-internet-measurements/ Vaibhav Bajpai, Trinh Viet Doan January, 2019 1 Technische Universitt Mnchen Outline

164 views • 5 slides
Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

6/7/2011 Outline State of the Internet Internet Governance Forum the World Malta Internet Traffic Statistics Introduction Usage and trends Internet Governance Definition/s History and today Launch of Malta I

84 views • 6 slides
Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet? Active measurement vs. passive

771 views • 31 slides
Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet? q Active measurement vs. passive

654 views • 31 slides
SNMP Traffic Measurements J urgen Sch onw alder j.schoenwaelder@iu-bremen.de

SNMP Traffic Measurements J urgen Sch onw alder j.schoenwaelder@iu-bremen.de

SNMP Traffic Measurements J urgen Sch onw alder j.schoenwaelder@iu-bremen.de International University Bremen Campus Ring 1 28725 Bremen, Germany http://www.ibr.cs.tu-bs.de/projects/nmrg/ urgen Sch onw slides.tex SNMP Traffic

1.09k views • 45 slides
INTERNET MEASUREMENTS ESNOG 10/4/2018 Barcelona (Janusz Jezowicz, Speedchecker Ltd)

INTERNET MEASUREMENTS ESNOG 10/4/2018 Barcelona (Janusz Jezowicz, Speedchecker Ltd)

MULTIPLATFORM INTERNET MEASUREMENTS ESNOG 10/4/2018 Barcelona (Janusz Jezowicz, Speedchecker Ltd) www.speedchecker.xyz Outline Introduction Choices of measurement platforms Coverage How to run measurements Sample

326 views • 17 slides
CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic

CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic

NASDAQ CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic Exchange, Infrastructure and Major Players. by Teresa Wan Sales Director Singapore Office Francois Lemaigre Sales VP - EMEA 2 Europe

159 views • 11 slides
Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous

Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous

Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous 1 Two open questions about BitTorrent locality AS 2 AS 3 # connections Internet Internet AS 1 Reduces traffic AS 4 AS 5 How far can we

366 views • 14 slides
Workshop on Active Internet Measurements CAIDA February 8-9, 2010 Julio Ibarra Center for

Workshop on Active Internet Measurements CAIDA February 8-9, 2010 Julio Ibarra Center for

Measurement Activities at AMPATH and Latin America Workshop on Active Internet Measurements CAIDA February 8-9, 2010 Julio Ibarra Center for Internet Augmented Research and Assessment Florida International University Outline About CIARA

183 views • 15 slides
Residential Internet Performance Measurements: The Future is Passive Renata Teixeira Director of

Residential Internet Performance Measurements: The Future is Passive Renata Teixeira Director of

Residential Internet Performance Measurements: The Future is Passive Renata Teixeira Director of Research at Inria, Paris Visiting Scholar at Stanford Univers ity Measuring residential Internet performance is crucial Home users

570 views • 43 slides
Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

19 Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019 https://ieeexplore.ieee.org/document/8737483 Motivations Reliable traffic modelling is important for network planning, deployment and management;

447 views • 29 slides
CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996

CS 557 Routing Measurements End to End Routing Behavior in the Internet Vern Paxson, 1996 Internet Routing Instability Labovitz, Malan, Jahanian, 1997 Spring 2013 End to End Routing Behavior Objective: Understand the actual behavior of

595 views • 22 slides
Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Universitt Tbingen Computer Networks and Internet Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof. Dr. Georg Carle Chair for Computer Networks and Internet University of Tbingen Germany

291 views • 8 slides
Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

716 views • 60 slides
The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max Planck Institute for Informatics Virtual 27-30 Oct 2020 RIPE81 Meeting COVID-19 and the Internet COVID-19 and the Internet 1 COVID-19 and

1.17k views • 55 slides
Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Understanding Broadband Traffic - Metrics, Measurements, and Policy Steven Bauer, Bill Lehr,

Understanding Broadband Traffic - Metrics, Measurements, and Policy Steven Bauer, Bill Lehr,

Understanding Broadband Traffic - Metrics, Measurements, and Policy Steven Bauer, Bill Lehr, David Clark CSAIL/MIT Oct 21, 2010 Outline The story of a $100,000 bug Why it (and hundreds of other details) matter to the FCC study of

718 views • 47 slides

More recommend