The Cooperative Association for Internet Data Analysis
Traffic Analysis Research
CAIDA's traffic analysis research includes both the ongoing projects listed below and earlier, historical workload studies. Workload measurement collects traffic information at a point within a network: data gathered by a router or switch, or by an independent device that passively monitors traffic as it traverses a network link.

Ongoing Research

Realtime Traffic Monitoring

CoralReef monitoring of optical networks uses an optical splitter that diverts a small fraction of the light from the fiber to the monitor device, so the monitor sees every packet on the link without being in the forwarding path. The CoralReef report generator produces graphs and tables for the traffic it observes, broken down by protocol, application, and host, and measured in packets, bytes, and flow tuples.

A list of CAIDA's realtime traffic monitors is available, along with the graphs and charts generated from their measurements.

Internet traffic classification continues to attract attention as new applications, many of them using obfuscation techniques, emerge on the Internet. Published papers tend to classify whatever traffic samples a researcher can find, with no systematic integration of results. To fill this gap, we have created a structured taxonomy of traffic classification papers and their data sets; we also hope to bring out the open issues and challenges in traffic classification.

Many people assume routing symmetry on Internet links, that is, that both directions of a conversation traverse the same physical link. In fact, except near network edges, Internet routing is commonly asymmetric, and that asymmetry impairs or invalidates the results of tools and models that assume otherwise (anything that reassembles TCP streams, for example, sees only one side of many connections on a backbone link).

Although it is still an accepted assumption that most Internet traffic is carried over TCP, we expect new streaming applications and new P2P protocols to increase the use of UDP as a transport protocol. Analyzing UDP usage in Internet traffic, we found that most UDP flows use random high ports and carry few packets with little payload, consistent with UDP's use as a signaling protocol by increasingly popular P2P applications.
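The three passages above (the CoralReef per-protocol/per-host report, the routing-asymmetry caveat, and the UDP port/packet-count profile) all start from the same step: aggregating a passively captured packet stream into unidirectional 5-tuple flows. The following added example is not CoralReef code or any other CAIDA code; it runs that aggregation over a hand-constructed packet list and then answers each passage's question from the resulting flow table. The port threshold (1024) and the "few packets" cutoff (3) are assumptions chosen for the illustration, not values from the page.

```python
"""Flow-level summary of a passively captured packet stream.

Added illustration, not CoralReef or CAIDA code. The packet records are
constructed by hand and are not real trace data.
"""
from collections import defaultdict

EPHEMERAL_MIN = 1024   # assumption: ports >= 1024 count as "random high" ports
FEW_PACKETS = 3        # assumption: flows with <= 3 packets count as "few packets"

# Constructed packets: (time_s, src_ip, dst_ip, proto, src_port, dst_port, length_bytes)
PACKETS = [
    # 1. ordinary TCP web session: both directions traverse the monitored link
    (0.00, "10.0.0.1", "192.0.2.10", "tcp", 51234, 80, 60),
    (0.01, "192.0.2.10", "10.0.0.1", "tcp", 80, 51234, 60),
    (0.02, "10.0.0.1", "192.0.2.10", "tcp", 51234, 80, 500),
    (0.03, "10.0.0.1", "192.0.2.10", "tcp", 51234, 80, 60),
    (0.05, "192.0.2.10", "10.0.0.1", "tcp", 80, 51234, 1400),
    (0.06, "192.0.2.10", "10.0.0.1", "tcp", 80, 51234, 1400),
    # 2. TCP session whose return path does not cross this link (routing asymmetry)
    (1.00, "10.0.0.2", "198.51.100.7", "tcp", 40001, 443, 60),
    (1.10, "10.0.0.2", "198.51.100.7", "tcp", 40001, 443, 800),
    (1.20, "10.0.0.2", "198.51.100.7", "tcp", 40001, 443, 800),
    # 3. DNS lookup: UDP on a well-known port
    (2.00, "10.0.0.1", "192.0.2.53", "udp", 53211, 53, 70),
    (2.01, "192.0.2.53", "10.0.0.1", "udp", 53, 53211, 150),
    # 4. P2P-style signalling: random high ports at both ends, one or two tiny packets
    (3.00, "10.0.0.3", "203.0.113.9", "udp", 41202, 52017, 48),
    (3.02, "203.0.113.9", "10.0.0.3", "udp", 52017, 41202, 48),
    (3.10, "10.0.0.3", "203.0.113.10", "udp", 41202, 38410, 48),
    (3.30, "10.0.0.3", "203.0.113.10", "udp", 41202, 38410, 64),
    # 5. media stream: high ports too, but many full-size packets
    (4.00, "192.0.2.77", "10.0.0.4", "udp", 8000, 5004, 1200),
    (4.02, "192.0.2.77", "10.0.0.4", "udp", 8000, 5004, 1200),
    (4.04, "192.0.2.77", "10.0.0.4", "udp", 8000, 5004, 1200),
    (4.06, "192.0.2.77", "10.0.0.4", "udp", 8000, 5004, 1200),
]


def build_flows(packets):
    """Aggregate packets into unidirectional 5-tuple flows with packet and byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _ts, src, dst, proto, sport, dport, length in packets:
        f = flows[(src, dst, proto, sport, dport)]
        f["packets"] += 1
        f["bytes"] += length
    return dict(flows)


def summarize_by_protocol(flows):
    """Report-style breakdown: flows, packets and bytes per transport protocol."""
    out = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for (_src, _dst, proto, _sp, _dp), f in flows.items():
        out[proto]["flows"] += 1
        out[proto]["packets"] += f["packets"]
        out[proto]["bytes"] += f["bytes"]
    return dict(out)


def bytes_by_host(flows):
    """Bytes sent per source host."""
    out = defaultdict(int)
    for (src, _dst, _proto, _sp, _dp), f in flows.items():
        out[src] += f["bytes"]
    return dict(out)


def unidirectional_tcp_flows(flows):
    """TCP flows whose reverse 5-tuple never appears on this link.

    On a backbone link this is the signature of routing asymmetry (on an edge
    link it is more likely a scan); either way, a tool that reassembles both
    directions of a connection gets nothing useful from these flows."""
    missing = []
    for (src, dst, proto, sport, dport) in flows:
        if proto == "tcp" and (dst, src, proto, dport, sport) not in flows:
            missing.append((src, dst, proto, sport, dport))
    return sorted(missing)


def udp_profile(flows):
    """Count UDP flows and the subset on high ports at both ends carrying few packets."""
    total = signalling = 0
    for (_src, _dst, proto, sport, dport), f in flows.items():
        if proto != "udp":
            continue
        total += 1
        if sport >= EPHEMERAL_MIN and dport >= EPHEMERAL_MIN and f["packets"] <= FEW_PACKETS:
            signalling += 1
    return {"udp_flows": total, "high_port_few_packet_flows": signalling}


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(summarize_by_protocol(flows))
    print(bytes_by_host(flows))
    print("one-directional TCP:", unidirectional_tcp_flows(flows))
    print(udp_profile(flows))
```

The media stream in sample 5 is the reason the packet-count test matters: it also uses high ports at both ends, so a port-only heuristic would lump a streaming flow in with signaling traffic.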

To visualize and measure use of the IPv4 address space as observed in traffic samples from a few core (OC192) U.S. backbone links, we create heatmaps in which color intensity (heat) shows how heavily the addresses belonging to the same network are used.
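As an added example of the heatmap construction (this is not CAIDA's code, and the page does not specify its layout or scaling), the block below buckets observed source addresses per /16, lays the 65,536 buckets out on a 256x256 canvas along a Hilbert curve so that numerically adjacent prefixes stay spatially adjacent, and log-scales each cell's heat relative to the busiest cell. The /16 granularity, the Hilbert layout and the log scaling are all assumptions made for the illustration; the address sample is constructed.

```python
"""Address-space heatmap of a traffic sample: added illustration, not CAIDA's code.

Assumptions not taken from the page: addresses are bucketed per /16 (65,536
cells on a 256x256 canvas), cells are laid out along a Hilbert curve so that
numerically adjacent prefixes stay spatially adjacent, and heat is log-scaled
relative to the busiest cell.
"""
import math
from ipaddress import IPv4Address, IPv4Network

SIDE = 256  # 256 x 256 cells, one per /16

# Constructed (source address, packet count) sample, not a real backbone trace.
SAMPLE = [
    ("192.0.2.10", 5000), ("192.0.2.200", 3000), ("192.0.3.1", 100),
    ("198.51.100.7", 40), ("203.0.113.9", 1), ("203.0.113.77", 1),
    ("10.0.0.1", 12),
]


def prefix_index(addr):
    """Index of the /16 containing addr: its first two octets as a 16-bit number."""
    return int(IPv4Address(addr)) >> 16


def prefix_of(index):
    """The /16 network for a prefix index."""
    return IPv4Network((index << 16, 16))


def hilbert_xy(n, d):
    """Position of the d-th point on an n x n Hilbert curve (n a power of two).

    Standard iterative construction: at each scale s the low two bits of the
    remaining index pick a quadrant, and the quadrant is rotated/flipped so
    the curve stays continuous. Adjacent d values land on adjacent cells."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def heat_by_prefix(sample):
    """Total packets seen per /16."""
    heat = {}
    for addr, count in sample:
        idx = prefix_index(addr)
        heat[idx] = heat.get(idx, 0) + count
    return heat


def render(heat, side=SIDE):
    """Map each hot /16 to its canvas cell with a log-scaled intensity in (0, 1]."""
    peak = max(heat.values())
    return {hilbert_xy(side, idx): math.log1p(v) / math.log1p(peak)
            for idx, v in heat.items()}


def hottest(heat, n=3):
    """The n busiest prefixes, the way a report would list them."""
    ranked = sorted(heat.items(), key=lambda kv: -kv[1])[:n]
    return [(str(prefix_of(idx)), v) for idx, v in ranked]


if __name__ == "__main__":
    h = heat_by_prefix(SAMPLE)
    img = render(h)
    for prefix, count in hottest(h):
        idx = prefix_index(prefix.split("/")[0])
        print(prefix, count, "cell", hilbert_xy(SIDE, idx), "heat", round(img[hilbert_xy(SIDE, idx)], 3))
```

The log scaling is what keeps a single busy /16 from washing out everything else; without it the two single-packet addresses in 203.0.113.0/24 would render as indistinguishable from unused space.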


Publications

Publications regarding traffic analysis can be found under the Measurement Methodology category, but not all listed papers pertain specifically to traffic analysis.


Resources


Remote physical device fingerprinting

In the paper Remote physical device fingerprinting, we introduce the area of fingerprinting a physical device, as opposed to an operating system or class of devices, remotely and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. They report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device connects to the Internet from different locations and via different access technologies. Further, our passive and semi-passive techniques apply when the fingerprinted device is behind a NAT or firewall, and when the device's system time is maintained via NTP or SNTP. One can use them to decide whether two devices observed on the Internet, possibly at different times or with different IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine whether the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and de-anonymizing anonymized network traces.
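The passive technique the abstract describes works from the TCP timestamp option: each observed timestamp gives the device's own clock reading, and plotting device time minus measurer time against measurer time yields a cloud of points whose upper envelope is a line with slope equal to the clock skew. The paper fits that line with a linear program (the line must lie on or above every point, because queueing can only delay a packet, and it minimises the total distance to the points). The added example below is not the paper's code: it solves the same linear program exactly by enumerating edges of the upper convex hull, which is where such an optimum always lies. The observations are constructed with a known 50 ppm skew and deterministic jitter, and the timestamp clock rate (HZ = 100) is assumed rather than inferred, which the real technique has to do.

```python
"""Estimate a remote host's clock skew from TCP timestamp options.

Added example; not code from Kohno, Broido and Claffy. The observations are
constructed with a fixed skew and deterministic delay jitter, and the
timestamp clock rate (HZ) is assumed to be 100 Hz, a value the real
technique has to infer from the data rather than assume.
"""

HZ = 100.0  # assumed TCP timestamp clock rate of the fingerprinted device


def constructed_observations(n=120, skew=50e-6, interval_s=60.0):
    """Constructed (receive_time_s, tcp_timestamp) pairs, not a real capture.

    The device clock runs `skew` fast; each packet reaches the measurer after
    a fixed 20 ms path delay plus 0-5 ms of deterministic queueing jitter."""
    obs = []
    for i in range(n):
        t = i * interval_s                            # true elapsed time on the device
        ts = 1_000_000 + int(HZ * t * (1.0 + skew))   # TCP timestamp option value
        jitter = ((i * 37) % 11) * 0.0005             # queueing delay variation, seconds
        recv = 1_700_000_000.0 + t + 0.020 + jitter   # measurer's arrival timestamp
        obs.append((recv, ts))
    return obs


def offset_points(obs, hz=HZ):
    """(x, y) per packet: x = measurer time since the first packet,
    y = device time since the first packet minus x, i.e. accumulated offset."""
    r0, ts0 = obs[0]
    pts = []
    for recv, ts in obs:
        x = recv - r0
        y = (ts - ts0) / hz - x
        pts.append((x, y))
    return pts


def _cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def upper_hull(points):
    """Upper convex hull by monotone chain; collinear points are dropped."""
    hull = []
    for p in sorted(points):
        while len(hull) >= 2 and _cross(hull[-2], hull[-1], p) >= 0:
            hull.pop()
        hull.append(p)
    return hull


def fit_upper_line(points):
    """Line on or above every point minimising total vertical distance.

    This is the paper's linear program. Its feasible region is bounded by the
    upper hull and the objective is linear, so the optimum is an edge of that
    hull: evaluate each edge's line and keep the cheapest."""
    hull = upper_hull(points)
    best = None
    for (x1, y1), (x2, y2) in zip(hull, hull[1:]):
        slope = (y2 - y1) / (x2 - x1)
        intercept = y1 - slope * x1
        cost = sum(slope * x + intercept - y for x, y in points)
        if best is None or cost < best[0]:
            best = (cost, slope, intercept)
    return best[1], best[2]


def estimate_skew_ppm(obs, hz=HZ):
    """Clock skew of the observed device in parts per million."""
    slope, _ = fit_upper_line(offset_points(obs, hz))
    return slope * 1e6


if __name__ == "__main__":
    for skew in (50e-6, 0.0, -20e-6):
        est = estimate_skew_ppm(constructed_observations(skew=skew))
        print(f"true {skew * 1e6:+.1f} ppm  estimated {est:+.2f} ppm")
```

Two captures of the "same" host taken hours apart or from different addresses that yield skews agreeing to within the method's resolution are the evidence the abstract refers to; captures from a NAT that yield several distinct skews are the device count behind it. Least squares would be pulled downward by the queueing jitter, which is why the fit is one-sided.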

Spectroscopy of traceroute delays

In the paper Spectroscopy of Traceroute Delays, we analyze the delays of traceroute probes, i.e. packets that elicit ICMP Time Exceeded messages, for the full range of probe sizes up to 9000 bytes, as observed on unloaded high-end routers. Our ultimate motivation is to use traceroute RTTs for Internet mapping at the router and PoP (ISP point-of-presence) level, potentially including information on equipment models, link technologies, capacities, latencies, and spatial positions. To our knowledge this is the first study to examine the detailed statistics of ICMP response generation in a reliable testbed setting.

We find that two fundamental assumptions about ICMP may not hold in some modern routers: that ICMP delay is a linear function of packet size, and that the ICMP generation rate equals the capacity of the interface on which the probes arrive. The primary causes of these violations appear to be internal segmentation of packets into fixed-size cells and limits on ICMP packet and bit rates inside the router. Our results suggest that the linear model of packet delay as a function of packet size merits revisiting for certain router models and time resolutions. Our findings also suggest new techniques for bandwidth estimation and router fingerprinting.
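As an added example of the first finding (not code from the paper), the block below takes (probe size, delay) samples, fits the conventional linear model, and reports how badly it fits; it then refits delay against the number of internal cells each size would occupy for several candidate cell sizes and picks the one that makes the relationship linear again. The samples are constructed from an assumed router that charges a fixed time per 64-byte cell on top of a base delay, with small deterministic jitter; the candidate cell sizes and the per-cell cost are assumptions for the illustration.

```python
"""Test the linear size/delay model for ICMP Time Exceeded generation.

Added example, not code from the paper. The probe measurements are
constructed: an assumed router segments each packet into 64-byte cells and
charges a fixed time per cell on top of a base delay, plus small
deterministic measurement jitter.
"""

CELL_BYTES_TRUE = 64   # assumed internal cell size of the constructed router
BASE_US = 25.0         # assumed fixed cost of generating the ICMP reply
PER_CELL_US = 0.8      # assumed cost per internal cell


def constructed_probe_delays():
    """(probe_size_bytes, delay_us) pairs; constructed, not real traceroute data."""
    out = []
    for size in range(64, 1501, 16):
        cells = -(-size // CELL_BYTES_TRUE)           # ceiling division
        jitter = ((size // 16) % 5 - 2) * 0.02        # -0.04 .. +0.04 us, deterministic
        out.append((size, BASE_US + PER_CELL_US * cells + jitter))
    return out


def linear_fit(xs, ys):
    """Ordinary least squares; returns (slope, intercept)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0.0:                                   # all x equal: no slope to fit
        return 0.0, my
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx


def residual_sse(xs, ys):
    slope, b = linear_fit(xs, ys)
    return sum((y - (slope * x + b)) ** 2 for x, y in zip(xs, ys))


def max_linear_residual_us(samples):
    """Worst-case error of the delay = a + b*size model over the samples."""
    xs = [s for s, _ in samples]
    ys = [d for _, d in samples]
    slope, b = linear_fit(xs, ys)
    return max(abs(d - (slope * s + b)) for s, d in samples)


def best_cell_size(samples, candidates=(32, 48, 53, 64, 128)):
    """Refit delay against ceil(size / cell) for each candidate cell size.

    Under the true cell size the staircase in the data becomes a straight
    line, so the candidate with the smallest residual wins."""
    ys = [d for _, d in samples]
    scores = {}
    for c in candidates:
        xs = [-(-s // c) for s, _ in samples]
        scores[c] = residual_sse(xs, ys)
    return min(scores, key=scores.get), scores


def cell_model(samples, cell):
    """(per-cell cost, base delay) under a given cell size."""
    xs = [-(-s // cell) for s, _ in samples]
    ys = [d for _, d in samples]
    return linear_fit(xs, ys)


if __name__ == "__main__":
    data = constructed_probe_delays()
    print("max residual of linear-in-size model: %.3f us" % max_linear_residual_us(data))
    cell, scores = best_cell_size(data)
    print("best cell size:", cell, {c: round(v, 3) for c, v in scores.items()})
    print("per-cell cost %.3f us, base %.2f us" % cell_model(data, cell))
```

On real measurements the residual of the linear model is the signal: a sawtooth whose period is the cell size points at segmentation, while a plateau at a fixed reply rate independent of size points at the ICMP rate limiting the paper also describes.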

  Last Modified: Fri Jan-22-2010 1:25:9 PDT
  Page URL: http://www.caida.org/research/traffic-analysis/index.xml