1 Network Measurements Les Cottrell – SLAC Lecture # 4 presented at the 26 th International Nathiagali Summer College on Physics and Contemporary Needs, 25 th June – 14 th July, Nathiagali, Pakistan Partially funded by DOE/MICS Field Work Proposal on Internet End-to-end Performance Monitoring (IEPM), also supported by IUPAP
2 Overview Why is measurement difficult yet important? LAN vs WAN SNMP Effects of measurement interval Passive Active –Tools Trouble shooting –Tools, how to find things & who to tell
3 Why is measurement difficult? Internet's evolution as a composition of independently developed and deployed protocols, technologies, and core applications Diversity, highly unpredictable, hard to find “invariants” Rapid evolution & change, no equilibrium so far –Findings may be out of date Measurement not high on vendors list of priorities –Resources/skill focus on more interesting an profitable issues –Tools lacking or inadequate –Implementations are flaky & not fully tested with new releases ISPs worried about providing access to core, making results public, & privacy issues The phone connection oriented model (Poisson distributions of session length etc.) does not work for Internet traffic (heavy tails, self similar behavior, multi-fractals etc.)
4 Why is measurement important? End users & network managers need to be able to identify & track problems Choosing an ISP, setting a realistic service level agreement, and verifying it is being met Choosing routes when more than one is available Setting expectations: –Deciding which links need upgrading –Deciding where to place collaboration components such as a regional computing center, software development –How well will an application work (e.g. VoIP)
5 LAN vs WAN Measuring the LAN –Network admin has control so: Can read MIBs from devices Can within limits passively sniff traffic Know the routes between devices –Manually for small networks –Automated for large networks Measuring the WAN –No admin control, unless you are an ISP Cant read information out of routers May not be able to sniff/trace traffic due to privacy/security concerns Don’t know route details between points, may change, not under your control, may be able to deduce some of it –So typically have to make do with what can be measured from end to end with very limited information from intermediates equipment hops.
6 SNMP ( Simple Network Management Protocol) Example of an Application, usually built on UDP Defacto standard for network management Created by IETF to address short term needs of TCP/IP Consists of: –Management Information Bases (MIBs) Store information about managed object (host, router, switch etc.) – system &status info, performance & configuration data –Remote Network Monitoring (RMON) is a management tool for passively watching line traffic –SNMP communication protocol to read out data and set parameters Polling protocol, manager asks questions & agent responds
7 SNMP Model NMS contains manager software to send & receive SNMP messages to Agents Agent is a software component residing on a managed node, responds to SNMP queries, performs updates & reports problems MIB resides on nodes and at NMS and is a logical description of all network management data. TCP/IP net Agent MIB Agent MIB Agent MIB Agent MIB Agent MIB Agent MIB Network Management Station(NMS)
8 SNMP version 1 limitations Authentication is inadequate: –Password (community string) placed in clear in SNMP messages MIB variables must be polled separately, i.e. entire MIB cannot be fetched with single command SNMPv2 and v3 attempt to address these and other limitations Despite limitations, SNMP has been a big success –Provides device and link utilization (byte, packets) and errors –Lot of facilities/tools built around SNMP to provide reports for sites –Security concerns limit access typically to very limited set of owner/admins E.g. ISPs won’t let you poll their devices
9 SNMP Examples Using MRTG to display Router bits/s MIB variable CERN trans- Atlantic traffic
10 Averaging intervals Typical measurements of utilization are made for 5 minute intervals or longer in order not to create much impact. Interactive human interactions require second or sub-second response So it is interesting to see the difference between measurement made with different time frames.
11 Utilization with different averaging times Same data, measured Mbits/s every 5 secs Average over different time intervals Does not get a lot smoother May indicate multi-fractal behavior 5 secs 5 mins 1 hour
12 Averages vs maxima Maximum of all 5 sec samples can be factor of 2 or more greater than the average over 5 minutes
13 Lot of heavy FTP activity The difference depends on traffic Only 20% difference in max & average
14 Passive vs. Active Monitoring Active injects traffic on demand Passive watches things as they happen –Network device records information Packets, bytes, errors … kept in MIBs retrieved by SNMP –Devices (e.g. probe) capture/watch packets as they pass Router, switch, sniffer, host in promiscuous (tcpdump) Complementary to one another: –Passive: does not inject extra traffic, measures real traffic Polling to gather data generates traffic, also gathers large amounts of data –Active: provides explicit control on the generation of packets for measurement scenarios testing what you want, when you need it. Injects extra artificial traffic Can do both, e.g. start active measurement and look at passively
15 Passive tools SNMP Hardware probes e.g. Sniffer, NetScout, can be stand-alone or remotely access from a central management station Software probes: snoop, tcpdump, require promiscous access to NIC card, i.e. root/sudo access Flow measurement: netramet, OCxMon/CoralReef, Cisco/Netflow
16 Example : Passive site border monitoring Use Cisco Netflow in Catalyst 6509 with MSFC, on SLAC border Gather about 200MBytes/day of flow data The raw data records include source and destination addresses and ports, the protocol, packet, octet and flow counts, and start and end times of the flows –Much less detailed than saving headers of all packets, but good compromise –Top talkers history and daily (from & to), tlds, vlans, protocol and application utilization Use for network & security
17 Simplified SLAC DMZ Network, 2001 swh-root Swh-dmz rtr-msfc-dmz slac-rt1.es.net ESnet Stanford Internet2 OC12 link 622Mbps 155Mbps OC3 link(*) SLAC Internal Network (*) Upgrade to OC12 has been requested (#) This link will be replaced with a OC48 POS card for the 6500 when available Etherchannel 4 gbps 10Mbps Ethernet 1Gbps Ethernet NTON 2.4Gbps OC48 link (#) 100Mbps Ethernet Dial up &ISDN
18 SLAC Traffic profile SLAC offsite links: OC3 to ESnet, 1Gbps to Stanford U & thence OC12 to I2 OC48 to NTON Profile bulk-data xfer dominates SSH FTP HTTP Mbps in Mbps out Last 6 months 2 Days bbftp iperf
19 Top talkers by protocol Hostname MBytes/day (log scale) Volume dominated by single Application - bbftp
20 Time series UDP TCP Outgoing Incoming Cat q vs. ISL
21 Flow sizes Heavy tailed, in ~ out, UDP flows shorter than TCP, packet~bytes 75% TCP-in < 5kBytes, 75% TCP-out < 1.5kBytes (<10pkts) UDP 80% < 600Bytes (75% < 3 pkts), ~10 * more TCP than UDP Top UDP = AFS (>55%), Real(~25%), SNMP(~1.4%) SNMP Real A/V AFS file server
22 Power law fit parameters by time Just 2 parameters provide a reasonable description of the flow size distributions
23 Flow lengths Distribution of netflow lengths for SLAC border –Log-log plots, linear trendline = power law –Netflow ties off flows after 30 minutes –TCP, UDP & ICMP “flows” are ~log-log linear for longer (hundreds to 1500 seconds) flows (heavy-tails) –There are some peaks in TCP distributions, timeouts? Web server CGI script timeouts (300s), TCP connection establishment (default 75s), TIME_WAIT (default 240s), tcp_fin_wait (default 675s) TCPUDP ICMP
24 Flow lengths 60% of TCP flows less than 1 second Would expect TCP streams longer lived –But 60% of UDP flows over 10 seconds, maybe due to heavy use of AFS
25 Some Active Measurement Tools Ping connectivity, RTT & loss –flavors of ping, fping, NIKHEF ping –but blocking & rate limiting Alternative synack, but can look like DoS attack Sting: measures one way loss Traceroute –How it works, what it provides –Reverse traceroute servers –Traceroute archives Combining ping & traceroute, –traceping, pingroute Pathchar, pchar, pipechar, bprobe etc. Iperf, netperf, ttcp, FTP …
26 Ping ICMP client/server application built on IP –Client send ICMP echo request, server sends reply –Server usually in kernel, so reliable & fast User can specify number of data bytes. Client puts timestamp in data bytes. Compares timestamp with time when echo comes back to get RTT Many flavors (e.g. fping) and options –packet length, number of tries, timeout, separation … Ping localhost ( ) first, then gateway IP address etc. Type=8CodeChecksum IdentifierSequence number Optional data 24
27 Ping example syrup:/home$ ping -c 6 -s 64 thumper.bellcore.com PING thumper.bellcore.com ( ): 64 data bytes 72 bytes from : icmp_seq=0 ttl=240 time=641.8 ms 72 bytes from : icmp_seq=2 ttl=240 time= ms 72 bytes from : icmp_seq=3 ttl=240 time= ms 72 bytes from : icmp_seq=4 ttl=240 time=758.5 ms 72 bytes from : icmp_seq=5 ttl=240 time=482.1 ms --- thumper.bellcore.com ping statistics packets transmitted, 5 packets received, 16% packet loss round-trip min/avg/max = 482.1/880.5/ ms Repeat count Packet sizeRemote host RTT Missing seq # Summary
28 Traceroute UDP/ICMP tool to show route packets take from local to remote host -q 1 -m 20 lhr.comsats.net.pk traceroute to lhr.comsats.net.pk ( ), 20 hops max, 40 byte packets 1 RTR-CORE1.SLAC.Stanford.EDU ( ) ms 2 RTR-MSFC-DMZ.SLAC.Stanford.EDU ( ) ms 3 ESNET-A-GATEWAY.SLAC.Stanford.EDU ( ) ms 4 snv-slac.es.net ( ) ms 5 nyc-snv.es.net ( ) ms 6 nynap-nyc.es.net ( ) ms 7 gin-nyy-bbl.teleglobe.net ( ) ms 8 if bb5.NewYork.Teleglobe.net ( ) ms 9 if bb6.NewYork.Teleglobe.net ( ) ms ( ) ms ( ) ms 12 islamabad-gw2.comsats.net.pk ( ) ms 13 * 14 lhr.comsats.net.pk ( ) ms Probes/hop Max hops Remote host No response: Lost packet or router ignores
29 Traceroute technical details Rough traceroute algorithm ttl=1; #To 1 st router port=33434; #Starting UDP port while we haven’t got UDP port unreachable { send UDP packet to host:port with ttl get response if time exceeded note roundtrip time else if UDP port unreachable quit print output ttl++; port++ } Can appear as a port scan –SLAC gets about one complaint every 2 weeks.
30 Reverse traceroute servers Reverse traceroute server runs as CGI script in web server Allow measurement of route from other end. Important for asymmetric routes. See e.g. – CAIDA map of reverse traceroute servers –
31 Pingroute Run traceroute, then ping each router n times –helps identify where in route the problems start to occur Routers may not respond to pings, or may treat pings directed at them, differently to other packets
32 Path characterization Pathchar –sends multiple packets of varying sizes to each router along route –measures minimum response time –plot min RTT vs packet size to get bandwidth –calculate differences to get individual hop characteristics –measures for each hop: BW, queuing, delay/hop –can take a long time Pipechar –Also sends back-to-back packets and measures separation on return –Much faster –Finds bottleneck Bottleneck Min spacing At bottleneck Spacing preserved On higher speed links
33 Network throughput Iperf –Client generates & sends UDP or TCP packets –Server receives receives packets –Can select port, maximum window size, port, duration, Mbytes to send etc. –Client/server communicate packets seen etc. –Reports on throughput Requires sever to be installed at remote site, i.e. friendly administrators or logon account and password
34 Iperf example -p w 512K -P 3 -c sunstats.cern.ch Client connecting to sunstats.cern.ch, TCP port 5008 TCP window size: 512 KByte [ 6] local port connected with port 5008 [ 5] local port connected with port 5008 [ 4] local port connected with port 5008 [ ID] Interval Transfer Bandwidth [ 4] sec 19.6 MBytes 15.3 Mbits/sec [ 5] sec 19.6 MBytes 15.3 Mbits/sec [ 6] sec 19.7 MBytes 15.3 Mbits/sec Total throughput =3*15.3Mbits/s = 45.9Mbits/s TCP port 5006Max window size 3 parallel streams Remote host
35 Active Measurement Projects PingER Amp Surveyor, RIPE NIMI NWS Skitter All projects measure routes For a detailed comparison see: –
36 PingER and AMP Both use ping to get RTT, loss etc. PingER 30 monitor sites, ~600 remote sites, 72 countries, > 3000 monitor-remote site pairs –Mainly for HENP, ESnet & XIWT –AMP uses dedicated PCs as monitors, ~ 115 (June, 2001) –Oriented to Internet 2, ~ 10 countries –Does mainly full mesh pinging
37 PingER Measurements from –32 monitors in 14 countries –Over 600 remote hosts –Over 72 countries –Over 3300 monitor-remote site pairs –Measurements go back to Jan-95 –Reports on RTT, loss, reachability, jitter, reorders, duplicates … Uses ubiquitous “ping” facility of TCP/IP Countries monitored –Contain 78% of world population –99% of online users of Internet
38 PingER cont. Monitor timestamps and sends ping to remote site at regular intervals (typically about every 30 minutes) Remote site echoes the ping back Monitor notes current and send time and gets RTT Discussing installing monitor site in Pakistan –provide real experience of using techniques –get real measurements to set expectations, identify problem areas, make recommendations –provide access to data for developing new analysis techniques, for statisticians etc.
39 Surveyor & RIPE, NIMI Surveyor & RIPE use dedicated PCs with GPS clocks for synchronization –Measure 1 way delays and losses –Surveyor mainly for Internet 2 –RIPE mainly for European ISPs NIMI (National Internet Measurement Infrastructure) more of an infrastructure for measurements and some tools (I.e. currently does not have public available data,regularly updated) –Mainly full mesh measurements on demand
40 Skitter Makes ping & route measurements to tens of thousands of sites around the world. Site selection varies based on web site hits. –Provide loss & RTTs –Skitter & PingER are main 2 sites to monitor developing world.
41 Trouble shooting Ping to localhost, ping to gateway & to remote host –Use IP address to avoid nameserver problems –Look for connectivity, loss & RTT –May need to run for a long time to see some patyhologies (e.g. bursty loss dues to DSL loss of sync) –Use synack or sting if ICMP blocked Traceroute to remote host Reverse traceroute from remote host to you Ping routers along route Look at history plots (PingER, AMP, Surveyor), when did problem start, how big an effect is it?
42 Trouble shooting Try user application Iperf to test throughput
43 “Where is” a host? Where is host? –Name server lookup to find hostname given IP address Server: localhost Address: Name: lhr.comsats.net.pk Address: –Use a whois server, e.g. (Americas & Africa) (Europe) (Asia) May identify site name, address, contact, etc, not all domains are in databases (e.g. will not find comsats.net.pk)
44 “Where is” a host – cont. Find the Autonomous System (AS) administering –Use reverse traceroute server with AS identification, e.g.: … 14 lhr.comsats.net.pk ( ) [AS COMSATS] 711 ms (ttl=242) –Get contacts for ISPs (if know ISP or AS): Gives ISP name, web page, phone number, , hours etc. –Review list of AS's ordered by Upstream AS Adjacency Tells what AS is upstream of an ISP –Look at real-time information about the global routing system from the perspectives of several different locations around the Internet Use route views at
45 “Where is” a host - cont. May be able to get latitude & longitude: – E.g. slac.stanford.edu
46 Who do you tell Local network support people Internet Service Provider (ISP) usually done by local networker –Use puck.nether.net/netops/nocs.cgi to find ISPpuck.nether.net/netops/nocs.cgi –Use to find upstream ISPswww.telstra.net/ops/bgp/bgp-as-upsstm.txt Give them the ping and traceroute results
47 More Information Tutorial on monitoring – RFC 2151 on Internet tools – Network monitoring tools – Ping – IEPM/PingER home site –www-iepm.slac.stanford.edu/www-iepm.slac.stanford.edu/ IEEE Communications, May 2000, Vol 38, No 5, pp
48 Not your normal Internet site Ames IXP: approximately 60-65% was HTTP, about 13% was NNTP Uwisc: 34% HTTP, 24% FTP, 13% Napster