Passive traffic characterization and analysis in heterogeneous IP networks





Høgskolen i Oslo. Avdeling for ingeniørutdanning

Document type


Master's in network and system administration


In this thesis we revisit a handful of well-known experiments, using modern tools, to see if results yielded from earlier experiments are valid for today’s heterogeneous networks. The traffic properties we look at are relevant for designing and optimizing network equipment, such as routers and switches, and when building corporate networks. We have looked at the characteristics of two different heterogeneous networks: a university network and an ISP network. We have captured traffic from different weeks, and at different times of the day. We first describe the challenges involved with collecting, processing and analyzing traffic traces from high-speed networks. We then look at the various factors that contribute to uncertainty in such measurements, and we try to deduct these factors. The experiments involve collection and analysis of high-resolution traffic traces from two operative networks, each of which contains several gigabytes of network traffic data. We look at properties such as packet inter-arrival time distributions, packet size distributions, modeling packet arrivals (self-similarity versus Poisson), traffic per application (egress traffic per destination port), and protocol distributions. A simplistic attempt to quantify the volume of Peer-to-Peer (P2P) traffic by inspecting both header data and payload is conducted to evaluate the efficiency of today’s methodology for identification (port numbers only). We have used freely available tools like TCPDump, Ethereal, TEthereal, Ntop, and especially the CAIDA CoralReef suite. The shortcomings of these tools for particular tasks have been compensated for by writing custom-made Perl scripts, proving that it is possible to do advanced analysis with fairly simple means. Our results reveal that there are in fact measurable differences in terms of packet inter-arrival time distributions and statistical properties in the two networks. We also find significant differences in the application distribution, and the deployment of new technologies such as Multicast.

