Network Measurement
Jennifer Rexford
COS 461: Computer Networks
Lectures: MW 10-10:50am in Architecture N101



Why Measure the Network?
Scientific discovery
– Characterizing traffic, topology, performance
– Understanding protocol performance and dynamics
Network operations
– Billing customers
– Detecting, diagnosing, and fixing problems
– Planning outlay of new equipment

Types of Measurement
[Diagram labels: active measurements; packet and flow measurements, link statistics; topology, configuration, routing; end-to-end performance; state; traffic; average download time of a web page; link bit error rate; link utilization; end-to-end delay and loss; active topology; traffic matrix; demand matrix; active routes; TCP bulk throughput]

Traffic Measurement

Packet Monitoring
Definition
– Passively collecting IP packets on one or more links
– Recording IP, TCP/UDP, or application-layer traces
Scope
– Fine-grain information about user behavior
– Passively monitoring the network infrastructure
– Characterizing traffic and diagnosing problems

Monitoring a LAN Link
[Three diagrams of hosts and a monitor]
– Shared media (Ethernet, wireless)
– Multicast switch
– Monitor integrated with a bridge

Monitoring a WAN Link
[Two diagrams]
– Splitting a point-to-point link (Router A, Router B, Monitor)
– Line card that does packet sampling (Router A)

Selecting the Traffic
Filter to focus on a subset of the packets
– IP addresses/prefixes (e.g., to/from specific sites)
– Protocol (e.g., TCP, UDP, or ICMP)
– Port numbers (e.g., HTTP, DNS, BGP, Napster)
Collect first n bytes of packet (snap length)
– Medium access control header (if present)
– IP header (typically 20 bytes)
– IP+UDP header (typically 28 bytes)
– IP+TCP header (typically 40 bytes)
– Application-layer message (entire packet)

Analysis of IP Header Traces
Source/destination addresses
– Identity of popular Web servers & heavy customers
Distribution of packet delay through the router
– Identification of typical delays and anomalies
Distribution of packet sizes
– Workload models for routers
Burstiness of the traffic on the link over time
– Provisioning rules for allocating link capacity
Throughput between pairs of src/dest addresses
– Detection and diagnosis of performance problems

TCP Header Analysis
Source and destination port numbers
– Popular applications; parallel connections
Sequence/ACK numbers and packet timestamps
– Out-of-order/lost packets; throughput and delay
Number of packets/bytes per connection
– Web transfer sizes; frequency of bulk transfers
SYN flags from client machines
– Unsuccessful requests; denial-of-service attacks
FIN/RST flags from client machines
– Frequency of Web transfers aborted by clients
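The following Python example is added here and is not part of the lecture. It parses IPv4+TCP headers from captures truncated to the 40-byte snap length listed on the "Selecting the Traffic" slide, then counts client SYNs that are never followed by a client ACK, the signal the slide above associates with unsuccessful requests and denial-of-service attacks. Function names, addresses (documentation ranges) and all packets are constructed for illustration.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10

def parse_ip_tcp(snap):
    """Parse a capture prefix that starts at the IPv4 header.

    Returns None for non-IPv4, non-TCP, non-first fragments, or a prefix cut
    off before the TCP flags (possible at snap length 40 when IP options exist).
    """
    if len(snap) < 20 or snap[0] >> 4 != 4:
        return None
    ihl = (snap[0] & 0x0F) * 4               # 20 bytes only when there are no options
    frag_offset = struct.unpack_from("!H", snap, 6)[0] & 0x1FFF
    if ihl < 20 or snap[9] != 6 or frag_offset or len(snap) < ihl + 14:
        return None
    src, dst = struct.unpack_from("!4s4s", snap, 12)
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", snap, ihl)
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": off_flags & 0x3F}

def unanswered_syns(snaps):
    """Per destination, count client SYNs never followed by a client ACK."""
    pending = {}
    for snap in snaps:
        h = parse_ip_tcp(snap)
        if h is None:
            continue
        conn = (h["src"], h["sport"], h["dst"], h["dport"])
        if h["flags"] & SYN and not h["flags"] & ACK:
            pending[conn] = h["dst"]
        elif h["flags"] & ACK:
            pending.pop(conn, None)          # handshake completed or data flowing
    return Counter(pending.values())

def build(src, dst, sport, dport, flags, ip_options=b""):
    """Constructed input: IPv4+TCP header bytes with checksums left at zero."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    return ip + ip_options + tcp

def sample_trace(snaplen=40):
    """Three SYNs that are never completed plus one full handshake, all constructed."""
    server = "192.0.2.10"
    pkts = [build(f"198.51.100.{i}", server, 40000 + i, 80, SYN) for i in (1, 2, 3)]
    pkts += [build("203.0.113.5", server, 51000, 80, SYN),
             build(server, "203.0.113.5", 80, 51000, SYN | ACK),
             build("203.0.113.5", server, 51000, 80, ACK)]
    return [p[:snaplen] for p in pkts]
```

When IP options are present the IP header is longer than 20 bytes, so a 40-byte snap length can cut off the TCP flags; parse_ip_tcp returns None in that case instead of misreading option bytes as TCP fields.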

Packet Contents
Application-layer header
– HTTP and RTSP request and response headers
– FTP, NNTP, and SMTP commands and replies
– DNS queries and responses; OSPF/BGP messages
Application-layer body
– HTTP resources (or checksums of the contents)
– User keystrokes in Telnet/Rlogin sessions

Application-Layer Analysis
URLs from HTTP request messages
– Popular resources/sites; benefits of caching
Meta-data in HTTP request/response messages
– Content type, cacheability, change frequency, etc.
– Browsers, protocol versions, protocol features, etc.
Contents of DNS messages
– Common queries, error frequency, query latency
Contents of Telnet/Rlogin sessions
– Intrusion detection (break-ins, stepping stones)

Flow Measurement (e.g., NetFlow)

IP Flows
[Timeline figure: flow 1, flow 2, flow 3, flow 4]
Set of packets that “belong together”
– Source/destination IP addresses and port numbers
– Same protocol, ToS bits, …
– Same input/output interfaces at a router (if known)
Packets that are “close” together in time
– Maximum spacing between packets (e.g., 30 sec)
– E.g.: flows 2 and 4 are different flows due to time

Flow Abstraction
Not exactly the same as a “session”
– Sequence of related packets may be multiple flows
– Related packets may not follow the same links
– “Session” is hard to measure from inside network
Motivation for this abstraction
– As close to a “session” as possible from inside
– Router optimization for forwarding/access-control
– … might as well throw in a few counters

Traffic Statistics (e.g., Netflow)
Packet header info
– Source and destination addresses and port #s
– Other IP & TCP/UDP header fields (protocol, ToS)
Aggregate traffic information
– Start and finish time (time of first & last packet)
– Total # of bytes and number of packets in the flow
– TCP flags (e.g., logical OR over sequence of packets)
[Figure: one flow from start to finish, with packets flagged SYN, ACK, FIN; 4 packets, 1436 bytes, flags SYN, ACK, & FIN]

Recording Routing Information
Input and output interfaces
– Input interface is where packets entered the router
– Output interface is “next hop” in forwarding table
Source and destination IP prefix (mask length)
– Longest prefix match on src and dest IP addresses
[Figure labels: Switching Fabric, Processor, Line card, BGP table, forwarding table]

Measuring Traffic as it Flows By
[Figure labels: input, output, source AS, source prefix, source, dest AS, dest prefix, dest, intermediate AS]
Source and destination: IP header
Source and dest prefix: forwarding table or BGP table
Source and destination AS: BGP table

Packet vs. Flow Measurement
Basic statistics (available from both techniques)
– Traffic mix by IP addresses, port numbers, protocol
– Average packet size
Traffic over time
– Both: traffic volumes on medium-to-large time scale
– Packet: burstiness of the traffic on a small time scale
Statistics per TCP connection
– Both: volume of traffic transferred over the link
– Packet: frequency of lost or out-of-order packets

Collecting Flow Measurements
[Three diagrams]
– Route CPU that generates flow records (Router A) … may degrade forwarding performance
– Line card that generates flow records (Router A) … more efficient to support measurement in each line card
– Packet monitor that generates flow records (Router A, Router B, Monitor) … third party CPU

Mechanics: Flow Cache
Maintain a cache of active flows
– Storage of byte/packet counts, timestamps, etc.
Compute a key per incoming packet
– Concatenation of source, destination, port #s, etc.
Index into the flow cache based on the key
– Creation or updating of an entry in the flow cache
[Figure labels: packet, header, key; cache entry: key, #bytes, #packets, start, finish]

Mechanics: Evicting Cache Entries
Flow timeout
– Remove flows not receiving a packet recently
– Periodic sequencing to time out flows
– New packet triggers the creation of a new flow
Cache replacement
– Remove flow(s) when the flow cache is full
– Evict existing flow(s) upon creating a cache entry
– Apply eviction policy (LRU, random flow, etc.)
Long-lived flows
– Remove flow(s) persisting a long time (e.g., 30 min)
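Added example, not part of the lecture: a flow cache in Python that follows the two Mechanics slides above (per-packet key, counters, 30-second timeout, 30-minute limit for long-lived flows, LRU replacement when the cache is full). Class and function names and the sample packets are constructed; the sample reproduces the 4-packet, 1436-byte flow from the Traffic Statistics slide.

```python
from dataclasses import dataclass

FLOW_TIMEOUT = 30.0       # max spacing between packets of one flow (slide example)
MAX_AGE = 30 * 60.0       # cut long-lived flows after this long (slide example)
SYN, ACK, FIN = 0x02, 0x10, 0x01
@dataclass
class FlowRecord:
    key: tuple
    start: float
    finish: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0    # logical OR over every packet in the flow

class FlowCache:
    def __init__(self, max_entries=4096):
        self.max_entries = max_entries
        self.active = {}      # key -> record, ordered least recently updated first
        self.exported = []    # evicted records, i.e. the measurement output

    def _evict(self, key):
        self.exported.append(self.active.pop(key))

    def expire(self, now):
        """Timeout sweep; run per packet here, a router would run it periodically."""
        for key, rec in list(self.active.items()):
            if now - rec.finish > FLOW_TIMEOUT or now - rec.start > MAX_AGE:
                self._evict(key)

    def add_packet(self, ts, src, dst, sport, dport, proto, length, flags=0):
        self.expire(ts)
        key = (src, dst, sport, dport, proto)
        rec = self.active.pop(key, None)
        if rec is None:                       # new flow: make room, then create
            if len(self.active) >= self.max_entries:
                self._evict(next(iter(self.active)))   # LRU policy
            rec = FlowRecord(key, start=ts, finish=ts)
        rec.finish, rec.packets = ts, rec.packets + 1
        rec.bytes += length
        rec.tcp_flags |= flags
        self.active[key] = rec                # re-insert at the most recent end

    def flush(self):
        self.expire(float("inf"))             # every remaining flow times out
        return self.exported

def demo_records():
    """Constructed trace: a 4-packet transfer, then the same key again 44 s later."""
    cache = FlowCache()
    conn = ("198.51.100.7", "192.0.2.10", 40000, 80, 6)
    for ts, size, flags in [(0.0, 60, SYN), (0.1, 52, ACK), (0.5, 1272, ACK),
                            (1.0, 52, FIN | ACK), (45.0, 60, SYN)]:
        cache.add_packet(ts, *conn, size, flags)
    return cache.flush()
```

The same five-tuple yields two flow records here because the last packet arrives more than 30 seconds after the previous one, which is why a flow is not the same thing as a session.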

Measurement Overhead
Per-packet overhead
– Computing the key and indexing flow cache
– More work when the average packet size is small
– May not be able to keep up with the link speed
Per-flow overhead
– Creation and eviction of entry in the flow cache
– Volume of measurement data (# of flow records)
– Larger # of flows when #packets per flow is small
– May overwhelm system collecting/analyzing data

Sampling: Packet Sampling
Packet sampling before flow creation
– 1-out-of-m sampling of individual packets
– Creation of flow records over the sampled packets
Reducing overhead
– Avoid per-packet overhead on (m-1)/m packets
– Avoid creating records for many small flows
[Timeline figure labels: time, not sampled, two flows, timeout]

BGP Monitoring

Motivation for BGP Monitoring
Visibility into external destinations
– What neighboring ASes are telling you
– How you are reaching external destinations
Detecting anomalies
– Increases in number of destination prefixes
– Lost reachability or instability of some destinations
Input to traffic-engineering tools
– Knowing the current routes in the network
Workload for testing routers
– Realistic message traces to play back to routers

BGP Monitoring: A Wish List
Ideally: knowing what the router knows
– All externally-learned routes
– Before applying policy and selecting best route
How to achieve this
– Special monitoring session on routers that tells everything they have learned
– Packet monitoring on all links with BGP sessions
If you can’t do that, you could always do…
– Periodic dumps of routing tables
– BGP session to learn best route from router

Using Routers to Monitor BGP
Talk to operational routers using SNMP or telnet at command line
(-) BGP table dumps are expensive
(+) Table dumps show all alternate routes
(-) Update dynamics lost
(-) restricted to interfaces provided by vendors
Establish a “passive” BGP session from a workstation running BGP software
(+) BGP table dumps do not burden operational routers
(-) Receives only best routes from BGP neighbor
(+) Update dynamics captured
(+) not restricted to interfaces provided by vendors
[Figure label: eBGP or iBGP]

Collect BGP Data From Many Routers
[Map figure: routers in Atlanta, St. Louis, San Francisco, Denver, Cambridge, Washington, D.C., Orlando, Chicago, Seattle, Los Angeles, Detroit, Houston, New York, Phoenix, San Diego, Austin, Philadelphia, Dallas, Kansas City; Route Monitor]
BGP is not a flooding protocol

BGP Table (“show ip bgp” at RouteViews)
Columns: Network, Next Hop, Metric, LocPrf, Weight, Path
[Table rows not preserved in this transcript]
AS 80 is General Electric, AS 701 is UUNET, AS 7018 is AT&T
AS 3786 is DACOM (Korea), AS 1221 is Telstra

BGP Events
[Timeline figure: Event 1, Event 2, Event 3, Event 4]
Group of BGP updates that “belong together”
– Same IP prefix, originating AS, or AS_PATH
Updates that are “close” together in time
– Maximum spacing between packets (e.g., 30 sec)
– E.g.: events 2 and 4 are separated in time

Assignment #4 Due Dean’s Date

Measurement Analysis
Two data sets
– Netflow traffic measurements
– BGP update messages and routing tables
Traffic analysis
– Packet and flow sizes
– Application break-down
– Popularity of traffic sources
Routing analysis
– Frequency of update messages by IP prefixes
– Dynamics of BGP convergence

Measurement Analysis
Parsing the data
Extracting relevant fields
Combining data across measurement records
Generating tables of results
Plotting results (e.g., Gnuplot, Excel, Matlab)
Understanding the Internet better
Use any languages and tools
– And work with a partner

Conclusions
Measurement is crucial to network operations
– Measure, model, control
– Detect, diagnose, fix
Network measurement is challenging
– Large volume of measurement data
– Multi-dimensional data
Great way to understand the Internet
– Popular applications, traffic characteristics
– Internet topology, routing dynamics