CAIDA - OC48MON
Archived MagicPoint presentation slides, compiled into a single PDF document.
2001_oc48mon2001.pdf (18 slides, 1.1 MB)
Slide text transcript
Slide 1: university of california, san diego (ucsd)
university of california, san diego (ucsd)
san diego supercomputer center (sdsc)
cooperative association for Internet data analysis (caida)
kc@caida.org
www.caida.org
Slide 2: outline
outline
measurements
hardware
data
analysis
results
traffic by applications
traffic by ASes
traffic by countries
`geographical' 3-D plots
conclusions
Slide 3: measurements: hardware
measurements: hardware
DAG - PCI network monitoring cards: project at University of Waikato (New Zealand) computer science department
http://dag.cs.waikato.ac.nz/
DAG4 card - ATM and PoS capture at OC48c
2.5 GBit/sec link rate exceeds PCI bus bandwidth, requires filtering & compression
provides highly accurate timestamping
timestamp sync across boards available via cable and GPS
CAIDA/U.Waikato collaboration (subcontract)
Slide 4: measurements: data
measurements: data
data provided by Waikato Applied Network Dynamics group
http://wand.cs.waikato.ac.nz/
collected at Metromedia Fiber Network (MFN) backbone, San Jose, CA
oc48mon2 link, one direction only
duration: 76 minutes total
20:00 - 21:16 (PDT), 5 Aug 2001
volume: 32 GB of data
Slide 5: measurements: analysis
measurements: analysis
use CoralReef software suite
http://www.caida.org/tools/measurement/coralreef/
obtain quantitative parameters of captured traffic:
- Byte rates and Packet rates
- Flows
- Flow = (src IP, src port, dest IP, dest port, protocol)
use NetGeo tool to map src/dst IP addresses to ASes and countries
http://www.caida.org/tools/utilities/netgeo/
consider various aggregations of traffic:
- applications
- ASes
- countries
Slide 6: results: application characteristics
results: application characteristics
- Well-known applications are determined from port numbers
- Plot distributions of bytes, packets, and flows by applications
Slide 7: results: traffic by (top 10) applications
results: traffic by (top 10) applications
by bytes
- www (79%)
- unclassified TCP (4%)
- kazaa - peer-to-peer file sharing system (for music) (2%)
- 1% or less: nntp - netnews; unclassified UDP; realaudio, smtp, napster, gnutella, ftp
by packets
- www (67%)
- unclassified TCP/UDP (7%/3%)
- 1% or less: Halflife (game); ICMP (e.g., ping - small pkts); smtp; kazaa (large pkts), dns, realaudio, Starcraft (game)
by flows
- www (69%)
- ICMP (16%)
- dns (3%)
- unclassified TCP (2%)
- asherons (game) (2%)
- 1% or less: smtp, unclassified UDP, ftp, https (secure http), Halflife
Slide 8: results: characteristics of traffic by ASes
results: characteristics of traffic by ASes
map IP addresses to their origin Autonomous Systems
consider distribution of bytes, packets, flows
- by source and destination ASes
top source ASes: Microsoft-AS-Block
also: Shawfiber, JNIC-ASN, Abovenet, ACTTG, Telus
top destination ASes:
Hanaro (Korea), Chinalink (China), Dacomnet (Japan), Thrunet (Korea)
Abovenet, AOL-Primehost, Chinanet-core-wan-north, Backbone-Guangdone-AP
Hotmail-AS: 5th by flows, 17th by bytes
Slide 9: results: traffic by countries/continents
results: traffic by countries/continents
distribution of bytes, packets, flows by source and destination countries
top source countries:
- US - 1st by bytes and packets, 2nd by flows
- Japan - 1st by flows, 2nd by bytes and packets
- also: Canada, United Kingdom, Hong Kong, Denmark (but: 10 times less bytes, packets, or flows than US or JP)
top destination countries:
- Korea, US, China
- also: Japan, New Zealand, Taiwan, Australia
AS analysis and geographical findings both reflect nature of traffic passing through MFN backbone: mostly directed to asia
Slide 10: results: flow interval spacing
results: flow interval spacing
- packet interarrival time is _always_ less than 2s
- 4s timeout sufficient to capture most application flows
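As an added example (not from the slides and not CoralReef code), the flow definition on slide 5 and the 4-second timeout on this slide can be combined into a small flow aggregator that reports bytes, packets, and flows per application. The port table is an assumed, abbreviated subset, and the packets are constructed sample data using documentation addresses.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto size")  # ts in seconds, size in bytes

# Assumed, abbreviated (protocol, port) table for illustration only.
PORT_APPS = {(6, 80): "www", (6, 25): "smtp", (6, 443): "https", (17, 53): "dns"}
PROTO_FALLBACK = {1: "ICMP", 6: "unclassified TCP", 17: "unclassified UDP"}

def classify(key):
    """Name the application from the protocol and either port of a flow key."""
    _, sport, _, dport, proto = key
    for port in (dport, sport):  # the well-known port may be on either side
        if (proto, port) in PORT_APPS:
            return PORT_APPS[(proto, port)]
    return PROTO_FALLBACK.get(proto, "other")

def aggregate(packets, timeout=4.0):
    """Group packets into 5-tuple flows; an idle gap > timeout starts a new flow."""
    flows, current = [], {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        flow = current.get(key)
        if flow is None or p.ts - flow["last"] > timeout:
            flow = current[key] = {"key": key, "app": classify(key), "packets": 0, "bytes": 0}
            flows.append(flow)
        flow["last"] = p.ts
        flow["packets"] += 1
        flow["bytes"] += p.size
    return flows

def totals_by_app(flows):
    """Return {application: (bytes, packets, flows)}."""
    out = {}
    for f in flows:
        b, p, n = out.get(f["app"], (0, 0, 0))
        out[f["app"]] = (b + f["bytes"], p + f["packets"], n + 1)
    return out

# Constructed sample packets, not data from the oc48mon2 trace.
SAMPLE = [
    Packet(0.0, "192.0.2.10", 80, "198.51.100.7", 40000, 6, 1500),
    Packet(1.5, "192.0.2.10", 80, "198.51.100.7", 40000, 6, 1500),
    Packet(9.0, "192.0.2.10", 80, "198.51.100.7", 40000, 6, 400),  # 7.5 s gap: new flow
    Packet(0.2, "198.51.100.7", 33000, "203.0.113.5", 53, 17, 70),
    Packet(0.4, "198.51.100.7", 0, "203.0.113.5", 0, 1, 64),       # ICMP has no ports
    Packet(2.0, "198.51.100.7", 41000, "203.0.113.9", 50001, 6, 900),
]

print(totals_by_app(aggregate(SAMPLE)))
```

Raising `timeout` above the 7.5-second gap merges the two www flows into one, which shows how the timeout choice changes flow counts without changing byte or packet counts.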
Slide 11: results: 3D traffic matrices
results: 3D traffic matrices
source/destination pairs aggregated by continents/regions
3D plots use XRT-based tool
http://www.caida.org/tools/utilities/graphing/graph_xrt3d.xml
x/y axes - source/destination locations
z-axis - logarithmic scale traffic volume (bytes, packets, or flows)
examples follow (number of bytes shown in all plots)
Slide 12: results: 3D traffic matrices
results: 3D traffic matrices
peaks: asia/n.amer/eur. -> asia; n.amer/eur. -> n.amer; n.amer/eur -> oceania
Slide 13: results: 3D traffic matrices
results: 3D traffic matrices
continents-to-asia: primary srcs - n.amer/asia/europe
primary dsts - south korea, china, japan, taiwan
east asia locations are primary traffic destinations for this link
Slide 14: results: 3D traffic matrices (continents)
results: 3D traffic matrices (continents)
continents-to-africa: only 3 countries receive (little) traffic: .za, .eg, .bw
Slide 15: results: anomalies
results: anomalies
we see the following unexpected traffic at our measurement location in San Jose, California, US:
- asia to asia - rather significant amount
- .uk to .eg (egypt)
- .uk to .tu (turkey)
- .fr to .fr and .uk to .uk
- .se (sweden) to .es (spain)
Slide 16: results: anomalies (example)
results: anomalies (example)
significant amount of asia-to-asia traffic passes through San Jose!
includes even same country traffic (e.g., .jp->.jp, .tw->.tw)
Slide 17: conclusions
conclusions
we infer applications using port mappings
- dominated by WWW, filesharing, and gaming applications
flow duration relatively short
- timeouts (i.e. 4 seconds) may be adequate
traffic destinations dominated by East Asia (KR, TW, CN, JP) and US
significant traffic `anomalies' through San Jose
- western europe - western Europe
- eastern asia - eastern asia
Slide 18: conclusions
conclusions
unique
- first and only OC48 flow monitor worldwide
- caida's public tools analyze data without modification
software implemented
- CoralReef, NeTraMet, custom routines (CAIDA)
- custom routines by U. of Waikato, others
darpa/nsf/caida members funded
- software, data analysis, viz tools
- all prototypes
backbone core now needs oc192/oc768 monitoring
- currently no such project exists

