Jigsaw: Solving the Puzzle of Enterprise Analysis
Written by Yu-Chung Cheng, John Bellardo, Peter Benko, Alex C. Snoeren, Geoffrey M. Voelker and Stefan Savage
Analysis by Carlos Troncoso
CS388 Wireless Security

February 28, 2008

Common problems in production Wireless Networks
- Conflicts with nearby wireless devices
- Bad AP channel assignments
- Microwave ovens interference
- Bad interaction between TCP and
- Rogue access points interference
- Poor choice of APs (weak signal)
- Incompatible user software/hardware

Sounds Familiar?
Helpdesk receives a phone call…
User: “…my Internet connection is flaky…”
Support: “What happened?…”
User: “Well Internet got disconnected and now it is very slow…”
Support: “OK, let me check here…”
User: “Wait!..wait…it’s working now….”

Goal of Jigsaw
To develop a deeper understanding of the dynamics and interactions in production wireless networks by reconstructing their behavior in its entirety.

Jigsaw
Provides a single, unified view of all physical, link, network, and transport-layer activity on a production network.

Wireless traffic measurement challenges:
- Ambient environmental interference
- Sender’s transmit power
- Distance to the receiver
- Strength of any simultaneous transmissions on nearby channels heard by the same receiver
- MAC (Media Access Control) protocol
- Traffic is based on the TCP protocol, which carries a set of complex dynamics

Methodology
- Large-scale monitoring infrastructure deploying hundreds of radio monitors to gather traffic activity over the wireless network (covering around 1 million cubic feet)
- These monitors feed the centralized system, Jigsaw, to produce a precise global picture of the network activity

Methodology (continued)
- Large-scale Synchronization: achieved through a passive algorithm that synchronizes the hundreds of simultaneous traces
- Frame Unification: achieved by combining and merging duplicate traces to construct a single trace
- Multi-Layer Reconstruction: achieved by reconstructing raw frame data into a complete trace with all link and transport-layer conversations

Media Access Control
- Protocol uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) to schedule and retry transmissions
- CSMA/CA has the hidden node problem

Hidden Node problem
- Creates co-channel interference from other transmitters
- Finding: CSMA/CA uses special RTS/CTS (Request to Send/Clear to Send) frames to handle this problem
- Hidden nodes are handled by Jigsaw (with exceptions)
[Figure: nodes A, Laptop and B. Normal case: A sends data and Laptop sends an ACK. Hidden node: A sends data, Laptop’s reception is interfered with by B.]

Previous Related Work
- Researchers measured traffic using fewer monitoring nodes
- Previous efforts focused on separate channels, or on a small number of traces
- The Jigsaw approach focuses on large-scale online monitoring and complete multi-layer reconstruction

Data Collection
- Environment
- Hardware
- Software
Department of Computer Science and Engineering, University of California, San Diego

Environment
- Study was done at the University’s CS building
- 4-story building
- 500 users with 10 to 100 active client connections

Hardware
- 2.8 GHz Pentium Server with 2 TB of Storage
- 40 sensor pods used for wireless infrastructure
- 4 radios in each sensor pod to capture all channels, timestamp, errors, etc.

Software
- Pebble Linux and MadWifi driver for each monitor
- Driver modified to capture even corrupted frames and physical errors
- Jigdump application to manage data capture

Trace Merging
Trace merging is necessary to produce a coherent description of combined traces.

Trace Merging Requirements
- Synchronization: monitors timestamps by properly synchronizing all frames to a common reference time
- Unification: minimizes duplicate traces
- Efficiency: trace merging executes faster than real time radios

Bootstrap synchronization
- Method finds a set of reference points to synchronize the radios
- All clocks run at the same rate, and the Jigsaw system places each frame into a universal time by adjusting its timestamp
- Methodology allows frames on one channel to be related to timestamps on another

Unification
After bootstrap synchronization, Jigsaw processes traces by time and unifies duplicate frames (instances) into single data structures called jframes.

Jigsaw trace: jframe
[Figure: synchronized traces, monitors plotted against time, showing received frames, frames received with error, and corrupted data.]

Unification (continued)
- Basic unification: a linear scan is performed to group instances with the same timestamp
- Clock adjustment: because radio clocks skew over time, Jigsaw takes advantage of the unification method and resynchronizes each trace
- Managing skew and drift: if sensors do not detect frames in common, then Jigsaw relies on the local clock of the radio sensor to assign a timestamp

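The unification and clock-adjustment steps above, as an added example (not code from the Jigsaw authors or from the slides). The sample traces, the frame digests, the 10 µs matching window and the bootstrap offsets are all constructed assumptions.

```python
from statistics import median

# Constructed sample: per-monitor captures as (local_timestamp_us, frame_digest).
TRACES = {
    "m1": [(1000, "beacon-a"), (1500, "data-1"), (2600, "data-2")],
    "m2": [(5003, "beacon-a"), (5502, "data-1"), (6100, "ack-1")],
    "m3": [(9498, "data-1"), (10102, "ack-1"), (10597, "data-2")],
}
# Per-monitor offsets to universal time, assumed to come from bootstrap sync.
BOOTSTRAP = {"m1": 0, "m2": -4000, "m3": -8000}

def unify(traces, offsets, window_us=10):
    """Group duplicate instances into jframes; return (jframes, new_offsets)."""
    # Place every instance on the universal timeline, then scan linearly.
    instances = sorted((ts + offsets[m], m, digest)
                       for m, trace in traces.items() for ts, digest in trace)
    jframes, latest = [], {}           # latest: digest -> most recent jframe
    for t, m, digest in instances:
        jf = latest.get(digest)
        # Same content, close in time, not yet seen by this monitor: duplicate.
        if jf and t - jf["first"] <= window_us and m not in jf["seen"]:
            jf["seen"][m] = t
        else:                          # otherwise treat it as a new transmission
            jf = {"digest": digest, "first": t, "seen": {m: t}}
            jframes.append(jf)
            latest[digest] = jf
    new_offsets = dict(offsets)
    for jf in jframes:
        jf["time"] = median(jf["seen"].values())
        if len(jf["seen"]) > 1:        # frame heard in common: usable sync point
            for m, t in jf["seen"].items():
                # Resynchronize: nudge the monitor's clock toward the jframe time.
                new_offsets[m] = offsets[m] + (jf["time"] - t)
    return jframes, new_offsets

if __name__ == "__main__":
    frames, offs = unify(TRACES, BOOTSTRAP)
    for jf in frames:
        print(jf["time"], jf["digest"], sorted(jf["seen"]))
    print(offs)
```

A frame heard by only one monitor keeps that monitor's local timestamp, which mirrors the "managing skew and drift" fallback on the slide.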
Link and transport reconstruction
After constructing a global view of the physical events, the next step is to reconstruct the link and transport layer traffic.

Link-Layer inference (L2)
- Jigsaw identifies each transmission attempt from the sender and records subsequent responses
- MAC addresses are used to group frames to check whether transmission requests are being delivered successfully or not
- Jigsaw uses the frame sequence number to reference groups of frames, but also deduces the presence of missing frames based on subsequent behavior of sender and receiver

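A sketch of this link-layer inference over a unified trace, as an added example (not the Jigsaw implementation). The trace, the MAC labels, the 100 µs ACK window and the verdict names are constructed assumptions; the rule that a sender moving on to a new sequence number implies an ACK the monitors missed is one assumed reading of "subsequent behavior".

```python
ACK_WINDOW_US = 100  # assumed bound on the data-to-ACK gap, not from the slides

# Constructed unified trace: (time_us, kind, src, dst, seq, retry_bit).
# 802.11 ACK frames carry only a receiver address, so src and seq are None.
TRACE = [
    (1000, "DATA", "aa", "ap", 10, False),
    (1060, "ACK", None, "aa", None, False),
    (2000, "DATA", "aa", "ap", 11, False),   # no ACK captured
    (2500, "DATA", "aa", "ap", 11, True),    # retry: the first attempt failed
    (2560, "ACK", None, "aa", None, False),
    (3000, "DATA", "aa", "ap", 12, False),   # no ACK captured...
    (3400, "DATA", "aa", "ap", 13, False),   # ...but the sender moved on
]

def infer_attempts(trace):
    """Return (seq, retry, verdict) for every data transmission attempt."""
    data = [f for f in trace if f[1] == "DATA"]
    acks = [f for f in trace if f[1] == "ACK"]
    results = []
    for i, (t, _, src, dst, seq, retry) in enumerate(data):
        # An ACK addressed to the sender shortly after the frame: delivered.
        if any(a[3] == src and 0 < a[0] - t <= ACK_WINDOW_US for a in acks):
            verdict = "acked"
        else:
            # No ACK observed: look at what this sender did next to this receiver.
            nxt = next((d for d in data[i + 1:]
                        if d[2] == src and d[3] == dst), None)
            if nxt is None:
                verdict = "unknown"          # trace ends, nothing to infer from
            elif nxt[4] == seq and nxt[5]:
                verdict = "lost"             # retransmission of the same frame
            else:
                verdict = "ack-inferred"     # new sequence number: ACK was missed
        results.append((seq, retry, verdict))
    return results

if __name__ == "__main__":
    for row in infer_attempts(TRACE):
        print(row)
```

A sender can also advance its sequence number after exhausting its retry limit, so an "ack-inferred" verdict is a best guess rather than proof of delivery.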
Transport inference (L4)
- The transport analysis takes frame exchanges as input and reconstructs TCP flows based on the packet headers
- By capturing TCP ACKs, Jigsaw can record even the omitted frames shown in the packet

Coverage
- Obtaining effective coverage for all transmissions is an evident challenge
- Monitors need to be precisely placed and properly configured to capture ALL data
- 97% of traffic was covered in this Jigsaw implementation

Analysis
Global perspective provided by the distributed monitors
- Trace summary
- Interference
- 802.11g protection mode
- TCP loss rate inference

Trace Summary
- High-level characteristics of the trace by collecting traffic from active APs
- Average of three observations made for every frame in the network
- Finding: management traffic (beacon, ARP) consumes 10% of the channel at a given time

Interference
- Simultaneous transmission that causes frame loss
- Red color shows an example of physical interference caused by a microwave oven
- Instantly detects and tags interference

802.11g Protection mode
- Protection policy is extremely conservative
- Reduces performance
- Should only be used when 802.11b is present

TCP loss rate inference
- The TCP reconstruction algorithm is used to assemble all flows that complete a handshake
- TCP loss is dominant over physical traffic

Present
- Jigsaw is an attempt to attain a high level of detailed analysis
- Jigsaw unifies traces from multiple passive wireless monitors to reconstruct a global view of network activity
- Jigsaw is only the building block to answer the questions:
  - Why is the network malfunctioning?
  - How do I fix it?

Future
- Real-time system for automated detection and evaluation of poor network performance
- Identifies problem flows and isolates potential causes of poor performance

Questions?