Capture suspended on Chicago monitor

At the end of March 2015 the Chicago to Seattle links were upgraded to 100Gig. Since our capture hardware is not capable of tapping these new links the San Jos e monitor is no longer capturing data. The last monthly trace was taken on March 19, 13:00-14:00 UTC; the report generator stopped at approximately 06:00 UTC on March 30. We are currently investigating our options for reviving this link.

Hardware

The infrastructure consists of 2 physical machines, numbered 1 and 2. Both machines have a single Endace 6.2 DAG network monitoring card. A single DAG card is connected to a single direction of the bi-directional backbone link. The directions have been labeled A (Seattle to Chicago) and B (Chicago to Seattle). Both machines have 2 Intel Dual-Core Xeon 3.00GHz CPUs, with 8 GB of memory and 1.3 TB of RAID5 data disk, running Linux 2.6.15 and DAG software version dag-2.5.7.1.

In a test environment both machines dropped less then 1% of packets with snaplen 48 at 100% OC192 line utilization, using a Spirent X/4000 packet generator sending packets with a quadmodal distribution, with peaks at 40, 576, 1500 and 4283 bytes.

Realtime Traffic Report Generator

Realtime traffic reporting for this monitor was available at

• https://www.caida.org/data/realtime/passive/?monitor=equinix-chicago-dirA (direction A)
• https://www.caida.org/data/realtime/passive/?monitor=equinix-chicago-dirB (direction B)

Since at OC192 line rates this hardware can't keep up with generating flow files that are needed for the realtime traffic reports, the reports are generated using flow estimation described in the paper Building a Better Netflow. The flow estimation tools that are used are part of the CoralReef suite of tools. Specifically, crl_anf is used with the following command line parameters:

crl_anf -b -A 500000 -f 500000 -Calignint -O %flow_file% -Cm=phy=pos %measurement_card%

The -b option outputs a binary format, for increased efficiency in writing and storage. The -A and -f options set the maximum number of entries in the tables for counting using the ANF and FCE algorithms, respectively. (Note: as of April 20th, 2008, this functionality is not yet part of a CoralReef release, as it has not been fully tested and documented.) -Calignint forces the (5-minute) intervals to align along 5-minute clock boundaries, so as to make it easier to compare intervals from different monitors, and -O specifies the output filename. The rest is for configuring the DAG card.

Traffic traces

The first passive traffic traces on this monitor were taken on March 19, 2008, during the Day in the Life of the Internet (DITL) Internet traffic data collection event and consisted of a 6-hour and a 1-hour packet header trace for a single direction (direction B) of the link. Since then each month a 1-hour trace has been recorded for both directions. The monthly traces from this monitor and the equinix-sanjose monitor are available to researchers (in anonymized form) in the CAIDA passive trace datasets:

• CAIDA Anonymized 2008 Internet Traces Dataset,
• CAIDA Anonymized 2009 Internet Traces Dataset,
• CAIDA Anonymized 2010 Internet Traces Dataset.
• CAIDA Anonymized 2011 Internet Traces Dataset.
• CAIDA Anonymized 2012 Internet Traces Dataset.
• CAIDA Anonymized 2013 Internet Traces Dataset.
• CAIDA Anonymized Internet Traces on IPv6 Day and IPv6 Launch Day Dataset.
• CAIDA Anonymized 2014 Internet Traces Dataset.

Some statistical information about this collection of 1-hour traces is available at

• https://www.caida.org/catalog/datasets/trace_stats/

Time Synchronization

Both physical machines are configured to synchronize their hardware clock via NTP. The DAG measurement cards have their own internal high-precision clock, that allows it to timestamp packets with 15 nanosecond precision. Every time a traffic trace is taken, The DAG internal clock gets synchronized to the host hardware clocks right before measurement starts. NTP accuracy is typically in the millisecond range, so at initialization the clocks on the individual DAG measurement cards can be off by a couple of milliseconds relative to each other. The precision (ie. timing within the packet trace) within a single direction of trace data is 15 nanosecond for the DAG files, and 1 microsecond for PCAP files.