Network Measurement/ManagementMotivationActive measurementspingtracerouteExample: traceroutetraceroute examplePassive measurementsExample from tcpdumpPassive IP flow measurementNetflow: exampleChallengesNeed for packet samplingPacket samplingSlide 15Slide 16Original trafficSlide 18Packet sampling in latest Cisco routerSlide 20Flow samplingFlow statistics from packet samplingFlow statistics from packet sampling (2)Rate and #active flows: aggregate trafficRate, #active flows: applicationSlide 26Flow splitting under samplingRates, #active flows: trade-offsSlide 29Inferring original flow statistics from packet sampled flow statisticsCharacteristics of interestEasy estimatesEstimating number of TCP flowsEstimating number of original TCP flows (2)Estimation AccuracySlide 361Network Measurement/Management motivationmeasurement strategiespassivesamplingactivenetwork tomography2Motivationservice providers, service usersmonitoringanomaly detectiondebuggingtraffic engineeringpricing, peering, service level agreementsarchitecture designapplication design3Active measurementsactive probe tools send stimulus (packets) into network; measure responsenetwork, transport, application layer probescan measure many thingsdelay/losstopology/routing behaviorbandwidth/throughputearliest tools use Internet Control Message Protocol (ICMP)4pinguses ICMP Echo capabilityC:\WINDOWS\Desktop>ping www.soi.wide.ad.jpReply from 203.178.137.88: bytes=32 time=253ms TTL=240Reply from 203.178.137.88: bytes=32 time=231ms TTL=240Reply from 203.178.137.88: bytes=32 time=225ms TTL=240Reply from 203.178.137.88: bytes=32 time=214ms TTL=240Ping statistics for 203.178.137.88:packets: Sent = 4, Received = 4, Lost = 0 (0% loss),approximate round trip times in milliseconds:Minimum = 214ms, Maximum = 253ms, Average = 230ms5traceroute diagnostic tool in widespread use by users and providersfinds outward path to given host, round trip times along path6Example: traceroute for n=1,2,…,nmaxsend pkt with TTL = npkt dies at nth routerrouter returns ICMP pkt with router addresstraceroute to mafalda.inria.fr (128.93.52.46), 30 hops max, 38 byte packets 1 cs-gw (128.119.240.254) 0.924 ms 0.842 ms 0.847 ms 2 lgrc-rt-106-8.gw.umass.edu (128.119.3.154) 1.089 ms 0.633 ms 0.499 ms 3 border4-rt-gi-7-1.gw.umass.edu (128.119.2.194) 0.914 ms 0.589 ms 0.647 ms12 inria-g3-1.cssi.renater.fr (193.51.180.174) 85.851 ms 85.930 ms 85.677 m13 royal-inria.cssi.renater.fr (193.51.182.73) 86.818 ms 86.395 ms 86.326 m14 193.48.202.2 (193.48.202.2) 87.635 ms 86.293 ms 86.495 ms15 rocq-gw-bb.inria.fr (192.93.1.100) 89.157 ms 88.419 ms 87.811 ms7traceroute example8Passive measurementsCapture packet data as it passes bypacket capture applications on hosts use packet capture filters (tcpdump) •requires access to the wire•promiscuous mode network ports to see other trafficflow-level, packet-level data on routers•SNMP MIBs•Cisco NetFlowhardware-based solutions•Endace, Inc.’s DAG cards – OC12/48/1929Example from tcpdump04:47:00.410393 sunlight.cs.du.edu.4882 > newbury.bu.edu.http: S 1616942532:1616942532(0) win 512 (ttl 64,id 47959) 04:47:03.409692 sunlight.cs.du.edu.4882 > newbury.bu.edu.http: S 1616942532:1616942532(0) win32120 (ttl 64, id 47963) 04:47:03.489652 newbury.bu.edu.http > sunlight.cs.du.edu.4882: S3389387880:3389387880(0) ack 1616942533 win 31744 (ttl 52, id 27319)04:47:03.489652 sunlight.cs.du.edu.4882 > newbury.bu.edu.http: . ack 1 win 32120 (DF) (ttl 64, id 47964)04:47:03.489652 sunlight.cs.du.edu.4882 > newbury.bu.edu.http: P 1:67(66) ack 1 win 32120 (DF) (ttl 64, id47965) 04:47:03.579607 newbury.bu.edu.http > sunlight.cs.du.edu.4882: . ack 67 win 31744 (DF) (ttl 52, id27469)04:47:04.249539 newbury.bu.edu.http > sunlight.cs.du.edu.4882: . 1:1461(1460) ack 67 win 31744 (DF) (ttl 52, id28879) 04:47:04.249539 newbury.bu.edu.http > sunlight.cs.du.edu.4882: . 1461:2921(1460) ack 67 win 31744(DF) (ttl 52, id 28880)04:47:04.259534 sunlight.cs.du.edu.4882 > newbury.bu.edu.http: . ack 2921 win 32120 (DF) (ttl 64, id 47968)04:47:04.349489 newbury.bu.edu.http > sunlight.cs.du.edu.4882: P 2921:4097(1176) ack 67 win 31744 (DF) (ttl52, id 29032)04:47:04.349489 newbury.bu.edu.http > sunlight.cs.du.edu.4882: . 4097:5557(1460) ack 67 win 31744 (ttl 52, id29033)10Passive IP flow measurementIP Flow defined as “unidirectional series of packets between source/dest IP/port pair over period of time”Identified by (IP protcol, src address, src port, dst address, dst port) exported by applications such as Cisco’s NetFlow11Netflow: exampleaddincourtesy, D. Plonka12Challengesflow observations are memory/processor intensivehow to do flow observations at high speeds use sampling13Need for packet samplingkeep cache of active flowsfor keys seen, but corresponding flow not yet terminatedpacket classificationeach arriving packet: cache lookup to match key•if match: modify cache entry, e.g., increment counters, adjust timers•else: instantiate new cache entrycache resources for high end routersmemory: 1,000s of active flows speed: look up at line rate lots of fast memory14Packet samplingconstruct flows from sampled packet stream (e.g. 1 in N periodic)call these “packet sampled flows”reduce effective packet ratereduces cost: slower memory sufficient15Packet samplingSimple example: recover original packet ratesample packets with probability qmeasure rate of sampled traffic (q)infer rate of original traffic (q)/q16IP flow: set of packets with same 5-tuple17Original traffic18Packet samplingrecovering original flow sizes not easy19Packet sampling in latest Cisco router20Original traffic21Flow sampling22Flow statistics from packet samplingmeasured flowsset of packets with common property, observed in some time periodcommon property: “key”: built from header fields (e.g. src/dst address, TCP/UDP ports)flow termination criteriainterpacket timeoutprotocol signals (e.g. TCP FIN)ageing, flushing, …flow 1 flow 2 flow 3flow 4time23Flow statistics from packet sampling (2)flow summariesreports of measured flows exported from routersflow key, flow packets/bytes, first/last packet time, router stateinversion and inferencerecover properties of original flows from packet sampled flow statistics24Rate and #active flows: aggregate