POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 1.Introduction

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (2) 1. Introduction - Evolving IP Network Environment  WAN: SONET/SDH (OC3, OC12, OC48, OC192), ATM, WDM/DWDM  LAN: 10/100 Mbps to 1 Gbps to 10 Gbps Ethernet  Broadband Internet Access: Cable Modem, ADSL, VDSL  Wireless Access: WLAN (IEEE ), Wireless Internet  Wired/Wireless Convergence: Softswitch, Media Gateway, NGCN

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (3) 1. Introduction – Growth of Internet Use The number of Internet users is growing Source : Nua Inc. Internet traffic has increased dramatically Source: America’s Network  Internet usage is growing rapidly!

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (4) 1. Introduction – Reliance on Internet The Internet generated revenue has been increasing rapidly! Source : Active Media.  Internet’s importance and reliance are increasing!

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (5)  Stand-alone applications can now utilize networking  Cooperative editing: MS Word  Use of FTP: EditPlus, UltraEdit,…  Web page or HTML format  New network applications  Online games, shopping, banking, stock trading, network storage  VOD, EOD, VOIP 1. Introduction – Internet Applications Online gameVoIPVOD

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (6)  Peer-to-Peer (P2P)  New concept between file sharing and transferring  Generates high volume of traffic 1. Introduction – Structure of Applications  Structures of applications are changing!  Client-Server  Traditional structure client server peerdiscovery, content, transfer query peer

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (7)  Bursty data transfer vs. Streaming data transfer 1. Introduction – Types of Traffic  Static sessions vs. Dynamic sessions packet networkpacket  Types of traffic are various and increasing! Negotiate & allocate connect disconnect use dynamic protocol, port data connect disconnect control use static protocol, port network

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (8) 1.Introduction – Internet Protocol Distribution  Transport Protocol Distribution  The amount of UDP flows is increasing by P2P application  The amount of ICMP flows is increasing by Internet worm protocolFlowsPacketsBytes TCP 32, %1,797, %1,339,396, % UDP 54, %141,7696.8%27,812,5862.0% ICMP 138, %141,2476.7%15,720,4101.1% Others %4740.0%32,1600.0% – 19:36 POSTECH Internet Junction Traffic – 19:36 POSTECH Internet Junction Traffic

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (9) 1.Introduction – Port number usage in TCP/UDP  Port Number Distribution in bytes TCP Server Listening Port Number Distribution UDP Port Number Distribution  Proportion of Internet Applications – 19:36 POSTECH Internet Junction Traffic – 19:36 POSTECH Internet Junction Traffic ? ? ?  Which applications generate this large amount of traffic?

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (10) 1. Introduction – Motivation  Needs of Service Providers  Understand the behavior of their networks  Provide fast, high-quality, reliable service to satisfy customers and thus reduce churn rate  Plan for network deployment and expansion  SLA monitoring, Network security  Increase Revenue!  Usage-based billing for network users (like telephone calls)  Marketing using CRM data  Needs of Customers  Want to get their money’s worth  Fast, reliable, high-quality, secure, virus-free Internet access To Satisfy Service Providers’ Needs to Satisfy Their Customers!

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (11) 1. Introduction – Application Areas  Network Problem Determination and Analysis  Traffic Report Generation  Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection  Service Level Monitoring (SLM)  Network Planning  Usage-based Billing  Customer Relationship Management (CRM)  Marketing

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (12) 1. Introduction – Issues in Traffic Monitoring  Choices  Single-point vs. Multi-point monitoring  Number of probing or test packet generation point  In-service vs. Out-of-service monitoring  Whether monitoring should be executed during service or not  Continuous vs. On-demand monitoring  Monitoring executes continuously or by on-demand.  Packet vs. Flow-based monitoring  Collect packets or flows from network devices.  One-way vs. Bi-directional monitoring  Monitor forward path only / forward and return path  Trade-offs  Network bandwidth  Processing overhead  Accuracy  Cost

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (13) 1. Introduction – Problems  Capturing Packets  High-speed networks (Mbps  Gbps  Tbps)  High-volume traffic  Streaming media (Windows Media, Real Media, Quicktime)  P2P traffic  Network Security Attacks  Flow Generation & Storage  What packet information to save to perform various analysis?  How to minimize storage requirements?  Analysis  How to analyze and generate data needed quickly?  What kinds of info needs to be generated?  Depends on applications

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (14) 1. Introduction – R&D Goals  Develop methods to  Capture all packets  Generate flows  Store flows efficiently  Analyze data efficiently  Generate various reports or information that are suitable for various application areas  Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich media IP networks