Some Observations of Internet Stream Lifetimes
CAIDA/WIDE, Los Angeles, 12 Mar 05
Nevil Brownlee
CAIDA and The University of Auckland
Internet Stream Lifetimes, CAIDA/WUDE 05 – p.1/20

Overview
  Introduction, traffic flows
  Streams, stream density plots (packets and bytes)
  NeTraMet: implementation, performance
  Streams and packets at Auckland
  Usage metering, strategies to reduce meter overhead
  Effect of ignoring small streams
  Conclusion

Introduction
A traffic flow is an abstraction representing the set of packets involved in some network activity
There are two main classes of flows
  CPB (unidirectional, 5-tuple, fixed timeout). Also known as microflows
  RTFM (bidirectional, general, fixed timeout). User writes a ruleset to specify flows using values for a large set of attributes, and specifying direction
Streams are subsets of RTFM flows (bidirectional, 5-tuple, dynamic timeout)
  more details later . . .

Traffic rate plots
Count bytes in five flows for different kinds of traffic
Match packets on protocol and port number:
  SSL = TCP 443, web = TCP 80, nw TCP = other TCP ports, UDP = all UDP, other = all other protocols
[Figure: BB2 'to' bytes by kind, stacked bar plots, 5-6 Dec 03 (PST). Ca Backbone, 6 Dec 03 (PST). Mb/s vs local time; series: SSL, web, nw TCP, UDP, other]
[Figure: Auckland inbound bytes by kind, stacked bar plots, 1-2 Oct 04 (NZST). U Auckland, 1-2 Oct 04 (NZST). Mb/s vs local time; series: SSL, web, nw TCP, UDP, other]

Streams – why are they useful?
Streams allow NeTraMet to compute metrics for components of flows, e.g. RTTs and IATs
NeTraMet can return distributions of those metrics as attributes for such flows
For the stream-distribution attributes ..
  lifetimes ≤ 15m are counted directly
  longer streams are treated as flows; we sum their data each interval to produce distributions with lifetimes up to 30,000s (≈ 8h)
The five different kinds are summed to produce 'total traffic' distributions at 10m intervals

Stream & byte density vs lifetime plots
[Figure: Cumulative distributions, totals vs stream lifetime at PAIX, Fri 12 Dec 03 (PST). Ca Backbone, 6 Dec 03 (PST). % vs stream lifetime (s); series: inbound streams total, inbound bytes total, outbound streams total, outbound bytes total]
[Figure: Cumulative distributions, totals vs stream lifetime at Auckland, 1-2 Oct 04 (NZST). U Auckland, 1-2 Oct 04 (NZST). % vs stream lifetime (s); same series]
At both sites, 95% of streams last ≤ 10s
At U Auckland, up to 65% of the bytes are in streams ≤ 10s
On the Ca backbone, only 20% of the bytes are in streams ≤ 10s, and about 60% of the bytes are in streams ≤ 1000s!

NeTraMet implementation details
NeTraMet is an RTFM meter – user must write ruleset(s) that specify:
  which flows to count
  which end-point is the source
  how much detail is to be reported
Uses stream caching:
  does flow matching for first packet of stream, saves flow number(s)
  uses cached flow number(s) for later packets
  can't cache for rulesets that use non-5-tuple attributes
  usually gets ≈ 90% cache hit rate

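The stream-caching steps above, as an added Python sketch (not NeTraMet code): the ruleset match runs only on the first packet of each bidirectional 5-tuple, and the hit rate is compared on two constructed traces. `match_ruleset`, `CachingMeter` and both traces are hypothetical and exist only for this illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto size")

def stream_key(p):
    """Bidirectional 5-tuple: both directions of a conversation share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def match_ruleset(p):
    """Stand-in for the full ruleset match (hypothetical rules, 5-tuple only)."""
    ports = (p.sport, p.dport)
    if p.proto == "tcp":
        return "SSL" if 443 in ports else "web" if 80 in ports else "nw TCP"
    return "UDP" if p.proto == "udp" else "other"

class CachingMeter:
    def __init__(self):
        self.cache = {}        # stream key -> flow chosen for its first packet
        self.flow_bytes = {}   # flow -> byte count
        self.hits = self.misses = 0

    def observe(self, p):
        key = stream_key(p)
        if key in self.cache:
            self.hits += 1                      # later packet: reuse cached flow
        else:
            self.misses += 1                    # first packet: run the ruleset
            self.cache[key] = match_ruleset(p)
        flow = self.cache[key]
        self.flow_bytes[flow] = self.flow_bytes.get(flow, 0) + p.size
        return flow

def hit_rate(packets):
    """Feed a non-empty trace through a fresh meter; return (hit rate, meter)."""
    meter = CachingMeter()
    for p in packets:
        meter.observe(p)
    return meter.hits / (meter.hits + meter.misses), meter

def conversation(client, cport, n, size=500):
    """Constructed sample: n packets alternating direction with one web server."""
    fwd = Packet(client, "192.0.2.80", cport, 80, "tcp", size)
    rev = Packet("192.0.2.80", client, 80, cport, "tcp", size)
    return [fwd if i % 2 == 0 else rev for i in range(n)]

# Constructed traces: ten 10-packet web streams, then the same plus 400
# one-packet UDP streams (each with its own source port).
NORMAL = [p for i in range(10) for p in conversation("10.0.0.%d" % i, 40000 + i, 10)]
SPIKE = NORMAL + [Packet("198.51.100.7", "10.0.0.1", 1024 + i, 9999, "udp", 60)
                  for i in range(400)]
```

On the constructed NORMAL trace the cache hits on 90% of packets; adding the one-packet streams drops that to 18%, because every new stream costs one full ruleset match.
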
NeTraMet performance
1 Gb/s testbed, 1-processor meter, 1 DAG card
  1500B frames, 1000 Mb/s traffic
    NeTraMet sees 164 kp/s, reports 996.6 Mb/s
  128B frames, 130 Mb/s of traffic
    NeTraMet sees 219 kp/s, reports 123.2 Mb/s
  Higher frame rates cause the meter to ignore packets if they're sustained for more than a second or two
OC48 backbone, 2-processor meter, 2 DAG cards
  600 Mb/s traffic
    NeTraMet sees 215 kp/s, no lost packets
Tests performed in 2003 and 2004. Working on further speed improvements

Streams vs time at Auckland
[Figure: Packets and Active Streams each second at Auckland, Fri 1 - Sat 2 Oct 04 (NZST). count (packet/s, active streams) vs local time]
⋆ Stream numbers follow the packet rate
⋆ High spikes about every 3 hours
⋆ Peak around midnight, 2 Oct, was not part of the diurnal pattern – it didn't recur

Details of Auckland stream spikes
[Figure: Packets and Active Streams each second at Auckland, on Fri 1 Oct 04 (NZST). Two panels, 16:26-16:44 and 21:16-21:34 local time; count (packet/s, active streams) vs local time]
⋆ Note that increase in streams ≫ increase in packet rate!

Usage metering at Auckland
High peaks in stream numbers load the meter, especially if many of them map to new flows
Such peaks load the meter reader (data collection system) too
We want to understand the peaks so that we can summarise them as special kinds of flow
To start with, what is the effect of ignoring streams ≤ K packets in size?
  What % of bytes are ignored for various K values?

Auckland byte density vs stream packets
[Figure: Cumulative % bytes vs Stream Size (packets), Auckland, Fri 1 Oct 04 (NZST). % vs packets; series: outbound bytes v pkts, inbound bytes v pkts]
⋆ Three hours of data, 10-minute intervals
⋆ But one interval looks different !?
⋆ Seems safe to ignore streams ≤ 6 packets

Intervals with high small-stream %

Inbound rate   UDP    non-web  web    SSL    other
2110           0.15   2.91     8.85   0.51   0.03
2120           1.66   2.23     10.15  0.52   0.04
2130           0.21   1.37     9.86   0.50   1.09

Outbound rate  UDP    non-web  web    SSL    other
2110           0.10   1.47     3.31   0.73   0.03
2120           0.10   0.92     3.34   0.850  0.03
2130           0.10   3.71     3.54   0.859  0.07

Tables show Mb/s rate for each traffic kind
Seldom saw low outbound non-web TCP, often saw high inbound UDP
High inbound UDP rate
  most small streams don't generate a response
  those that do dominate outbound traffic

Auckland in+out byte density
[Figure: Cumulative % bytes vs Stream Size (packets), Auckland, 1-2 Oct 04 (NZST). % vs packets; series: in+out bytes v pkts]
⋆ Two days of data, 10-minute intervals
⋆ 'Outlier' traces similar to previous plot
⋆ Need to understand the small streams
⋆ Can't just focus on the elephants

What happens if we ignore small streams?
[Figure: Packets and Active Streams each second at Auckland, Thu 7 - Fri 8 Oct 04 (NZDT). count (packet/s, active flows, active streams) vs local time]
⋆ Similar to earlier plot
⋆ Here we show number of flows too
⋆ Flows track streams, no spikes
⋆ Confirms that spikes come from short streams

Ignoring small streams – detail plot
[Figure: Packets and Active Streams each second at Auckland, Thu 7 - Fri 8 Oct 04 (NZDT). count (packet/s, active flows, active streams) vs local time]
⋆ Flows build up during interval, then drop when meter is read
⋆ Average number of flows remains stable even during stream spikes

Counting the ignored packets
We modified the NeTraMet meter to count bytes from ignored streams
Counts are in LtMinStreamPDUs and LtMinStreamOctets distributions, held in a special LtMin flow
We plotted the sum of these distributions for two days of 10-minute intervals . . .

Packets & bytes ignored in small streams
[Figure: % packets and bytes ignored at Auckland, Mon 14 - Tue 15 Dec 04 (NZDT). % ignored (ignored byte %, ignored packet %) vs local time]
⋆ Ignored bytes below 2% except during spikes
⋆ Ignored packets stays below 10% similarly
⋆ Less than 7% of intervals (about 1 in 15) are spikes

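The "ignore streams ≤ K packets" question and the LtMin accounting, as an added Python sketch (not NeTraMet code): small streams are credited to one LtMin flow, and the ignored packet and byte percentages are computed per interval and for several K values. The per-interval accounting, the function names and the two sample intervals are assumptions made for this illustration.

```python
from collections import defaultdict

LTMIN = "LtMin"  # flow name from the slide; the accounting below is an assumption

def meter_interval(packets, k):
    """packets: iterable of (stream_id, flow, nbytes) seen in one interval.
    Streams that end the interval with <= k packets are credited to LtMin
    instead of their own flow. Returns {flow: [pdus, octets]}."""
    streams = {}
    for sid, flow, nbytes in packets:
        s = streams.setdefault(sid, [flow, 0, 0])
        s[1] += 1
        s[2] += nbytes
    flows = defaultdict(lambda: [0, 0])
    for flow, pdus, octets in streams.values():
        target = LTMIN if pdus <= k else flow
        flows[target][0] += pdus
        flows[target][1] += octets
    return dict(flows)

def ignored_pct(flows):
    """(% packets, % bytes) that landed in the LtMin flow."""
    pdus = sum(f[0] for f in flows.values())
    octets = sum(f[1] for f in flows.values())
    lt_pdus, lt_octets = flows.get(LTMIN, (0, 0))
    return 100.0 * lt_pdus / pdus, 100.0 * lt_octets / octets

def sweep(packets, ks):
    """% of bytes ignored for each threshold K."""
    packets = list(packets)
    return {k: ignored_pct(meter_interval(packets, k))[1] for k in ks}

def stream(sid, flow, npkts, size):
    """Constructed sample: one stream of npkts equal-sized packets."""
    return [(sid, flow, size)] * npkts

# Constructed intervals: a quiet one, and the same traffic plus a burst of
# 300 one-packet UDP streams.
QUIET = ([p for i in range(5) for p in stream("w%d" % i, "web", 40, 1000)] +
         [p for i in range(10) for p in stream("d%d" % i, "UDP", 2, 100)])
SPIKE = QUIET + [p for i in range(300) for p in stream("u%d" % i, "UDP", 1, 60)]
```

With K = 6 the constructed spike interval adds 300 streams but no new flows: every one of them is folded into the single LtMin flow, while the ignored byte share rises from about 1% to about 9%.
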