NeTraMet Streams, DNS Response
Nevil Brownlee, U Auckland / CAIDA
# Demo ruleset (named flow_stats_demo by the set statement below): classify
# IPv4 TCP and UDP packets and attach a FlowTime distribution to each flow.
# No address or port attribute is saved here, so as written the flows are
# distinguished only by peer type and transport type.

# Keep IPv4 and record the peer type; any other network protocol is dropped.
if SourcePeerType == IPv4 save;
else ignore;
# Keep TCP and UDP and record which one it was; other transports are dropped.
if SourceTransType == TCP save;
else if SourceTransType == UDP save;
else ignore;
# Attach a FlowTime distribution; the two dotted values carry its parameters.
save FlowTime = 50.0.0!0 & 2.4.1!12000;
# 50 buckets, PP_NO_TEST, log-scale bins, 10 ms..120 s
# NOTE(review): reading the values against the note above, 50 is the bucket
# count, 0 is PP_NO_TEST, 2 selects log scale, 4 looks like a power-of-ten
# unit scale and 1!12000 the lower/upper limits. Confirm against the NeTraMet
# manual before changing any field.
# The packet is accepted and counted in its flow.
count;
# Names this ruleset flow_stats_demo.
set flow_stats_demo;
# Layout of each flow record written out: the attributes listed below, with
# the quoted strings emitted literally as separators; FlowTime is printed
# inside parentheses.
format
FlowRuleSet FlowIndex FirstTime SourceTransType
" " ToPDUs FromPDUs " " ToOctets FromOctets
" (" FlowTime ")";
Medians of 5-minute distributions
The destination port plus the destination address can be used to specify direction.
# Named address prefixes for the monitored site, written as prefix/width.
# Of these, only SCRIPPSNET_BIG, SDSCNET_CBLK, SDSC2 and SDSC_APOLLO are
# referenced by the rulesets on this page (through GOOD_NETS); the others
# are defined but not used in the visible rules.
# NOTE(review): the list is a point-in-time snapshot of address assignments.
# A stale or mistyped prefix silently changes which sources are measured, so
# re-verify the allocations before reusing these defines.
define UCSD_SUB = 132.239/16;
define UCSD_EXTRN = 137.110/16;
define UCSD_CERF = 199.105.0/18;
define CAIDA = 192.172.226/24;
define SDSC_APOLLO = 192.31.21/24;
define SDSCNET_CBLK = 198.202.64/18; # Salk Institute
define UCSD = 128.54/16;
define MPL106 = 192.135.237/24;
define MPL4 = 192.135.238/24;
define SDSC2 = 132.249/16;
define SCRIPPSNET_BIG = 137.131/16; # Scripps Research Inst
define HYPERNET = 153.105/16; # Dimension Systems, Poway
define NET_NSI = 198.133.185/24; # Neurosciences institute
define SDSCFDDIDMZ = 198.17.46/24;
# First attempt at SDSC DNS response distributions
# Purpose: build a turnaround-time distribution for UDP DNS requests sent to
# root or gTLD nameservers, from any source address.
# Scope caveat: everything that is not IPv4 over UDP is dropped below, so DNS
# exchanges carried over TCP never contribute to these distributions.
if SourcePeerType == IPv4 save;
else ignore; # Not IP
if SourceTransType == UDP save;
else ignore; # Not UDP
# TestDestAddress is not defined on this page; per the author's note it
# classifies the destination address and sets FlowClass and FlowKind.
TestDestAddress; # Sets FlowClass and FlowKind
# NOTE(review): nomatch (rather than ignore) presumably lets the meter retry
# the packet with source and destination swapped, so that responses coming
# back from the nameserver still match the flow. Confirm against the meter
# documentation.
if FlowKind == 0 nomatch; # Not a root or gtld nameserver
else {
# DNS is presumably the meter's built-in name for the DNS port. TODO confirm
if DestTransAddress == DNS save; # Avoid meter warning msg
else ignore; # Not going to DNS port (shouldn't happen)
# Attach the request/response turnaround distribution to the flow.
save ToTurnaroundTime1 = 50.11.0!0 & 2.3.14!700;
# 50 buckets, PP_UDP_DNS, log scale, 10**3 => 14..700 ms
# NOTE(review): how turnaround times outside 14..700 ms are binned is not
# shown here; check before drawing conclusions from the first or last bucket.
count;
}
# ’Well-behaved’ attempt at SDSC DNS response distributions
# Same measurement as the first attempt, restricted to requests whose source
# address lies in one of the four networks listed in GOOD_NETS.
# NOTE(review): this fragment starts at the FlowKind test. The IPv4/UDP
# checks and the TestDestAddress call of the first attempt are not repeated
# here and are presumably carried over from it. Confirm in the full ruleset.
define GOOD_NETS =
SCRIPPSNET_BIG, SDSCNET_CBLK, SDSC2, SDSC_APOLLO;
if FlowKind == 0 nomatch; # Not a root or gtld nameserver
else {
if DestTransAddress == DNS save; # Avoid meter warning msg
else ignore; # Not going to DNS port (shouldn't happen)
# Only sources inside GOOD_NETS get a distribution and are counted; for any
# other source the visible rules reach the end of the block without a count.
if SourcePeerAddress == (GOOD_NETS) {
save ToTurnaroundTime1 = 50.11.0!0 & 2.3.14!700;
# 50 buckets, PP_UDP_DNS, log scale, 10**3 => 14..700 ms
count;
}
}
Medians of 5-minute distributions
Medians of 5-minute distributions
Medians of 5-minute distributions
Medians of 5-minute distributions.
Filtered: at least 10 requests per 5-min interval
Medians of 5-minute distributions.
Medians of 5-minute distributions.
Filtered: at least 10 requests per 5-min interval
Medians of 5-minute distributions.
Filtered: at least 10 requests per 5-min interval