Telescope traces

Non-zero payload packets

Packet rates

Most of the packets collected at the telescope that contain at least one payload byte are generally UDP packets; in fact, the 99.99% of the TCP packets represent empty SYN packets that attempt to initiate three-way-handshake procedures.

In the February 2010 the traffic observed at the telescope manifested an increase in the non-zero payload UDP traffic mainly due to packets with 33 and 67 payload bytes (as shown in Figure 1).









Figure 1. Packet rates evaluating the packets corresponding to the most frequent numbers of payload bytes.

The observation interval includes February and the first days of March.







Analysing the content of UDP packets including the 33 and 67 payload bytes, we observed that they match the payload patterns of the Bittorrent protocol.





Port distribution

We then extracted and focused on the 33-bytes packets, evaluating the distribution of the UDP ports of the collected flows carring these packets. We separated the packets in flows, each one composed of the sequence of packets identified by the IP addresses and UDP ports that are collected before a timeout interval of 5 minutes. Figure 2 shows the cumulative distribution function of the source and destination port numbers for the flows composed of 33-bytes packets; they assume values distributed in the interval [0-65535].







Figure 2. Cumulative distribution functions (CDF) of the source and destination port numbers for

the 33-bytes packets, corresponding to the Bittorrent protocol.









IP sources and destinations

The increase of the Bittorrent UDP packets (carrying 33 payload bytes) and of the number of the corresponding IP sources is significant in the first days of February. Figure 3 shows the mapping of the IP sources that sent 33-bytes packets matching the Bittorrent protocol regular expression during three different days (February 6, 10 and March 10, 2010).

The destination IP addresses of these packets cover all the 44/8 network address space, but not uniformly distributed, as shown in Figure 4.





February 6, 2010

February 10, 2010

March 10, 2010



Figure 3. Mapping of the SRC IP addresses that sent Bittorrent 33-bytes packets to the telescope during the February 6, 10 and March 10, 2010.









February 6, 2010

February 10, 2010

March 10, 2010



Figure 4. Mapping of the DST IP addresses in the Bittorrent 33-bytes packets received at the telescope during the February 6, 10 and March 10, 2010.