Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CSCD 443/533 Advanced Networks Lecture 10 Usage and Network Measurement Fall 2013 Reading: See References at end.

Published byEthelbert Domenic Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "1 CSCD 443/533 Advanced Networks Lecture 10 Usage and Network Measurement Fall 2013 Reading: See References at end."— Presentation transcript:

1 1 CSCD 443/533 Advanced Networks Lecture 10 Usage and Network Measurement Fall 2013 Reading: See References at end

2 Historical Internet Usage Patterns Measurement overview Why measure? What to measure? Where to measure? Challenges of Measurement Measurement tools Active: ping, traceroute Passive: packet, and flow monitoring Useful Data Sets Topics

3 Internet Use Over Time Mentioned before... Internet has changed over time Began with email and has evolved towards our use of it for entertainment and education Internet architects and network engineers try to quantify this change in usage

4 Why study network use patterns? Why do we need to know this?

5 Internet Use is Important How people use Internet Important for predicting potential performance issues with Internet traffic ISP's and other providers must plan to satisfy demand Trends indicate that more and more traffic appears to have real-time characteristics Gaming, video, Skype and other VOIP technologies

6 Application Preferences Change Over Time

7 Another Graph of Applications

8 Itunes up to August 2008

9 Video Explodes

10 Online Gaming Explodes

11 On-line Social Network Games Games played on Social Network sites Like Facebook Facebook most popular destination for online games, with 83% of respondents saying they have played games there 28% have purchased in-game currency with real-world money One hundred million people are playing these games and about $1 billion in revenue is expected this year

12 Some Interesting Statistics YouTube Statistics

13 YouTube Statistics Since its inception http://www.website- monitoring.com/blog/2010/05/17/youtube-facts-and- figures-history-statistics/

14 Change in Internet Use 2008 to 2009

15 Internet Measurement

16 Why Measure the Internet The Internet is a man-made system, so why do we need to measure it?

17 Why Measure the Internet The Internet is a man-made system, so why do we need to measure it? Because we still don’t really understand it Because sometimes things go wrong Measurement for network operations Detecting and diagnosing problems What-if analysis of future changes Measurement for scientific discovery Characterizing a complex system as organism Creating accurate models that represent reality Identifying new features and phenomena

18 Why Measure the Internet - Continued Measurement of Internet Will Help us to better understand why it works Help us to diagnose known problems Help us to design new features that the Internet should provide to enable next-generation application requirements “Internet Measurements is key to the design of the next-generation Internet”

19 What to Measure What types of things would you measure?

20 What Can be Measured Traffic Load statistics Packet or flow traces Performance of paths Application performance, e.g,. Web download time Transport performance, e.g., TCP bulk throughput Network performance, e.g., packet delay and loss Network structure Topology, and paths on the topology Dynamics of the routing protocol

21 Where to Measure Short answer Anywhere you can! End hosts Application logs, e.g., Web server logs Sending active probes to measure performance Individual links/routers Load statistics, packet traces, flow traces Configuration state Routing-protocol messages or table dumps Alarms

22 Challenges of Internet Measurement Given list of AS's, is there a built-in tool/function, which outputs the topology of the Internet ? Given a path from source to destination, is there built-in a tool/function, which can determine how long a packet will take to travel to the destination ? Given a set of routers along the path of a packet, is there a built-in tool/function, which can determine the delays introduced by each of the routers ? The answer to all of these questions is NO!!!

23 Why don’t we have such functions The answer is two-worded: “Poor Observability” Reasons for this: Core Simplicity Layered architecture Hidden Pieces Administrative Barriers

24 Core Simplicity Keep It Simple Stupid (KISS) design principle Stateless nature w.r.t connections/flows End-to-End argument As network elements do not track packets individually, interaction of traffic with the network is hard to observe

25 Layered Architecture IP hourglass model hides details of lower level layers While this provides abstraction improving interoperability, it impedes detailed visibility of lower layers Hence, even detailed measurements such as packet capture cannot detect differences between two types of links

26 Hidden Pieces - “Middleboxes” Firewalls – provide security Traffic Shapers – assist in traffic management Proxies – improve performance NAT boxes – utilize IP address space efficiently Each of these impedes visibility of network components. E.g.: Firewalls may block active probing requests NATs hide away the no. of hosts and the structure of the network on the other side

27 Administrative Barriers Owing to the competition-sensitive nature of the data required (topology, traffic etc.), ISPs actively seek to hide these details from outside discovery Information that they do provide are often simplified. E.g.: Instead of publishing router-level topologies, ISPs often publish PoP-level topologies

28 Measurement Tools

29 Measurement Tools Classification Active Measurement Passive Measurement Fused/Combined Measurement Bandwidth Measurement Latency Measurement Geolocation Others

30 Active Measurement - Ping Adding traffic for purposes of measurement Trade-offs between accuracy and overhead Need careful methods to avoid introducing bias Ping Host sends an ICMP ECHO packet to a target … and captures the ICMP ECHO REPLY Useful for checking connectivity, and RTT Only requires control of one of the two end-points

31 31 Active Measurement - Ping Issues Many routers filter out ICMP packets RTT includes end system processing time Not accurate for network performance Was not designed for performance ICMP

32 32 Active Measurement - Traceroute Used to find forward path to a host Algorithm Send an IP datagram with TTL=1 First router sends back ICMP time exceeded Then send a datagram with TTL=2 Continue till destination is reached/TTL expired

33 Active Measurement - Traceroute Time-To-Live field in IP packet header Source sends a packet with a TTL of n Each router along the path decrements the TTL “TTL exceeded” sent when TTL reaches 0 Traceroute tool exploits this TTL behavior source destination TTL=1 Time exceeded TTL=2 Send packets with TTL=1, 2, 3, … and record source of “time exceeded” message

34 Active Measurement - Challenges of Traceroute Non-participating network elements Some routers and firewalls don’t reply Inaccurate delay information Includes processing delays on the router CPU Round-trip vs. one-way measurements Paths may have asymmetric properties

35 Active Measurement - Challenges of Traceroute Measuring multiple paths Successive probes may traverse different paths Inferred path: A -> B -> Y A XY D BC Dest = D TTL = 1 B: “time exceeded” Dest = D TTL = 2 Y: “time exceeded”

36 36 More Active Measurement Other Tools iperf netperf bing ttcp http://www.caida.org/tools/taxonomy/performance.xml

37 37 Passive Measurement Monitoring that uses equipment that taps into a network and does not interfere with the flow of network traffic Hardware Example: Network Tap Software Example: Traffic sniffer

38 38 Passive Measurement - Packets Traffic Sniffer Older program, tcpdump, for Unix-based hosts Wireshark now for many OS's Dedicated measurement systems DAGMON (up to 10GE)‏

39 Passive Measurement - Packets Filter for subset of packets IP addresses/prefixes (e.g., to/from specific Web sites, client machines, DNS servers, mail servers)‏ Protocol (e.g., TCP, UDP, or ICMP)‏ Port numbers (e.g., HTTP, DNS, BGP, Napster)‏ Collect first n bytes of packet (snap length)‏ Medium access control header (if present)‏ IP header (typically 20 bytes)‏ IP+UDP header (typically 28 bytes)‏ IP+TCP header (typically 40 bytes)‏ Application-layer message (entire packet)‏

40 40 Passive Measurement - IP Flows Aggregate Traffic into IP Flows For larger levels of network not enough to monitor individual packets, too many.... Defined traffic as “flows” Pretty much all industrial routers support flow data

41 Passive Measurement - IP Flow An IP flow is a unidirectional series of IP packets Given protocol (and port where applicable), Travelling between a source and destination, Within a certain period of time

42 flow 1flow 2flow 3 flow 4 Aggregating Packets into IP Flows Set of packets that “belong together” Source/destination IP addresses and port numbers Same protocol, ToS bits, … Same input/output interfaces at a router (if known)‏ Packets that are “close” together in time Maximum spacing between packets (e.g., 15 sec, 30 sec)‏ Example: flows 2 and 4 are different flows due to time

43 Passive Measurement - IP Flow Look at Cisco's Netflow NetFlow creates a NetFlow cache entry that contains information for all active flows NetFlow cache is built by processing first packet of a flow through the standard switching path A flow record is maintained within the NetFlow cache for each active flow

44 Passive Measurement - IP Flow - Each flow record is created by identifying packets with similar flow characteristics and counting or tracking the packets and bytes per flow - Flow details or cache information is exported to a flow collector server(s) periodically based upon flow timers - The collector contains a history of flow information that was switched within Cisco device

45 CISCO Netflow Collector

46 NetFlow Data Characteristics What can you measure? Source and Destination addresses Input and Output interface numbers Source and Destination port numbers Layer 4 protocol Number of packets in the flow Total Bytes in the flow Time stamp in the flow

47 What can you do with Flow Data Aggregates traffic for monitoring Historical Traffic Flow Graphs of network utilization Graphs by protocol Graphs by IP address Tools have been developed around Netflow concept

48 Free Tools for Netflow Number of tools created to analyze Netflow data Many are free http://www.networkuptime.com/tools/netflow/ Most allow you to visualize traffic over time or by traffic type

49 FlowScan from U. Wisconsin FlowScan  Developed by Dave Plonka University of Wisconsin http://net.doit.wisc.edu/~plonka/FlowScan/  Freely-available network traffic reporting and visualization tool  Its development began in December 1998, and it was first released in March 2000. There are hundreds of users today, many campuses and ISPs FlowScan analyzes data exported by IP based routers

50 FlowScan counts IP flows by protocol, application, user population, or Internet connection  Protocols include TCP and UDP  Applications include email (SMTP), file sharing (P2P)‏  User populations are subnets such as schools or departments.  Internet connections are transit and peering links between Autonomous Systems What does FlowScan do?

51  Horizontal axis is time, current time to the right.  Vertical axis indicates magnitude of measurement, usually in bits, packets, or flows per second  Outbound traffic is upwards, Inbound traffic is downwards  Colored bars show traffic classification and are stacked (not overlayed) to show the total Interpreting Graphs

52 Interpreting FlowScan Graphs

53 Workstation AWorkstation B Campus Flow probe connected to switch port in “ traffic mirror” mode Diagram by Mark Fullmer (author of flow-tools), 2002 Ethernet Flow Probe

54 Flow Data Useful for Anomalies Flow data useful in spotting traffic events Used heavily for mapping security incidents in addition to normal network events DoS events Popular software release

55 Outbound Distributed DoS flood from 30+ Campus Hosts ICMP DoS Traffic

56 The Same ICMP DDoS flood was also observed by FlowScan at another campus...

57 The Knight IRC Robot Coordinated via Internet Relay Chat (IRC) using "robots". Independent observations reported aggregates over 500Mbs The Same DDoS flood was also observed by FlowScan at other campuses...

58

59 Linux Release Events

60 Measurement Resources There are groups of academics/government trying to measure the Internet Have made data sets available to the public One notable group is CAIDA

61 What is CAIDA? Cooperative Association for Internet Data Analysis http://www.caida.org/ Goals include measuring and understanding the global Internet. Develop measurement and analysis tools Collect and provide Internet data: topology, header traces, routing, network security, DNS Visualization of the network

62 62 Walrus

63 Resources FlowScan:http://net.doit.wisc.edu/~plonka/FlowScan/http://net.doit.wisc.edu/~plonka/FlowScan/  http://wwwstats.net.wisc.edu http://wwwstats.net.wisc.edu Argus: http://www.qosient.com/argus/http://www.qosient.com/argus/ flow-tools:http://www.splintered.net/sw/flow-tools/http://www.splintered.net/sw/flow-tools/ cflowd, CoralReef: http://www.caida.org/http://www.caida.org/  tools/measurement/cflowd/  tools/measurement/CoralReef/ CAIDA Tools  http://www.caida.org/tools/utilities/ http://www.caida.org/tools/utilities/ Internet Fact Book (Really nice resource)‏  http://internetinnovation.org/factbook/

64 Measurements are anything but straightforward… Internet Measurement is key to designing the next generation communication network Fundamental design principles of the current internet make it harder for measuring various aspects of it Preliminary research has resulted in a set of basic tools and methods to measure aspects like topology, traffic etc. Accuracy of such methods is still an open question There is still a lot of ground to cover in this direction and this is where researchers like you come into the equation!

65 65 Next time No reading in the text on this topic

Download ppt "1 CSCD 443/533 Advanced Networks Lecture 10 Usage and Network Measurement Fall 2013 Reading: See References at end."

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, 2001. This work is the intellectual property of the authors.

FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, This work is the intellectual property of the authors.
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
Internet Infrastructure Measurement: Challenges and Tools Prasad Narayana CS495: Internet Measurement and its Reverse Engineering Thursday Apr 13, 2006.

Internet Infrastructure Measurement: Challenges and Tools Prasad Narayana CS495: Internet Measurement and its Reverse Engineering Thursday Apr 13, 2006.
Internet Measurement Jennifer Rexford. Outline Measurement overview –Why measure? Why model measurements? –What to measure? Where to measure? Internet.

Internet Measurement Jennifer Rexford. Outline Measurement overview –Why measure? Why model measurements? –What to measure? Where to measure? Internet.
Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.

Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.
Inside the Internet. INTERNET ARCHITECTURE The Internet system consists of a number of interconnected packet networks supporting communication among host.

Inside the Internet. INTERNET ARCHITECTURE The Internet system consists of a number of interconnected packet networks supporting communication among host.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.

Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.
Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.

Wireshark and TCP/IP Basics ACM SIG-Security Lance Pendergrass.
Internet Traffic Management Prafull Suryawanshi Roll No - 04IT6008.

Internet Traffic Management Prafull Suryawanshi Roll No - 04IT6008.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Protocols and the TCP/IP Suite Chapter 4. Multilayer communication. A series of layers, each built upon the one below it. The purpose of each layer is.

Protocols and the TCP/IP Suite Chapter 4. Multilayer communication. A series of layers, each built upon the one below it. The purpose of each layer is.
Networking Components

Networking Components

Similar presentations

Ads by Google