This project grew out of a request for information about stream sizes as observed for real traffic on a busy Internet link.
Five new distribution-valued attributes have been implemented, which are not among those in the New Attributes RFC. These attributes are:
- FlowTime: Lifetime (in microseconds) of streams within a flow
- ToFlowPDUs: Number of Source -> Destination packets for streams within a flow
- FromFlowPDUs: Number of Destination -> Source packets for streams within a flow
- ToFlowOctets: Number of Source -> Destination bytes for streams within a flow
- FromFlowOctets: Number of Destination -> Source bytes for streams within a flow
Data for the plots below was collected using the flow_stats_master.srl ruleset, which builds only two flows - one for TCP packets, the other for UDP packets. The distributions use 100 bins with logarithmic ranges as follows:
- *FlowPDUs: 1 to 50,000 packets
- *FlowOctets: 100 Bytes to 5 MBytes
- FlowTime: 10 milliseconds to 10 minutes
Reading the flow data from the meter was complicated by the fact that two 100-bin distributions require about 1200 bytes in an SNMP packet. (In contrast, if 50-bin distributions provided enough resolution, then all five could easily fit into a single SNMP packet.) NeMaC handles the size problem by allowing you to download a ruleset (in this case flow_stats_master.srl and set it running. Then, a new copy of NeMaC is started that runs three separate rulesets: flow-stats-1.srl, flow-stats-2.srl, and flow-stats-3.srl. It is these three rulesets that read the five distribution-valued attributes.
The following plots resulted using the rulesets above.
From Flow Bytes (Octets)
Distributions were read from the meter at five-minute intervals, and their median (green), third quartile (blue), 95th percentile (magenta) and maximum (red) plotted. The first plot shows FromFlowOctets, i.e., the number of bytes traveling from Destination to Source (in to SDSC) for TCP and UDP streams which timed out in each five-minute interval.
The plot covers about 28 hours over Sunday, Monday, and Tuesday, 18-20 June 2000. For TCP streams, the maximum is pegged high at the overflow bin, while the 95th percentile is much lower, about 20 kB or less. This distribution is therefore heavy-tailed.
At about 0930 on Monday the third quartile suddenly drops right down to the bottom bin, i.e. 100 bytes or less, and remains there until late in the evening. This event is apparent to a lesser extent in the UDP plot, and also in the FromFlowPDUs plot, but not at all in the ToFlowOctets or ToFlowPDUs plots that follow:
From Flow Packets (PDUs)
To Flow Bytes (Octets)
To Flow Packets (PDUs)
This plot shows how FlowTime, i.e. stream lifetimes, vary for TCP and UDP flows. For TCP, the lifetime distribution is fairly stable, except for the first quartile being lower in the early hours of Tuesday morning. The UDP plot is similar to the TCP one for FromFlowOctets, with a dramatic drop in its third quartile at about 0930 on Monday.
In an attempt to see how the distributions changed at 0930 on Monday 19 June, I plotted them for the intervals ending at 0900 and 1000 on that Monday. The y asix on these plots shows the number of streams counted in each bin.
For TCP streams, the FlowOctets plots (red line) show two changes. First, the number of very small streams has increased from around 20,000 to about 50,000. Second, flows in the size range 1 to 100kByte have dropped from about 700 to about 200. There are similar - but smaller scale - changes in the other three attributes.
Flow Bytes (Octets) at 0900
Flow Bytes (Octets) at 1000
For TCP FromFlowPDUs, the number of very small (single packet) streams decreased. Streams in the range 5 to 500 also decreased noticeably, reflecting the drop in the distribution's third quartile. A similar, but smaller, drop is visible for UDP FromFlow distribution, while the ToFlowPDUs distributions hardly changed at all.
Flow Packets (PDUs) at 0900
Flow Packets (PDUs) at 1000
For TCP FlowTimes there was almost no change in the distributions, while for UDP FlowTimes the number of very short-lived streams increased while the number of streams lasting for about 20 to 600 ms dropped noticeably.
Flow Times at 0900
Flow Times at 1000
Discussion / Summary
The changes in the distributions correspond well with the changes observed in the stream history (percentiles for five-minute distribution) plots. To summarize:
- Stream distributions are fairly stable over long periods of time.
- For TCP, 75% of the streams contained less than 10 packets and less than 2 kBytes. UDP streams were even smaller.
- For TCP, 95% of the streams were less than 20 packets long, and carried less than 20 kBytes. Again, UDP streams were smaller.
- For TCP, 50% of the streams last less than about 600 ms, and 95% of them last less than 10 seconds. UDP streams are generally shorter than TCP streams.
- All these distributions are heavy-tailed. For example, many of the distributions had a few streams lasting more than 10 minutes.