HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Contents • Course arrangements • Who, what, why measure? Introduction lecture • Active & Passive measurements • Single-point & Multi-point measurements • IP (v4 & v6) packet structure Lecture slides for S-38.3183 Internet traffic measurements and measurement analysis – TCP and UDP structure 16.3.2006 – packet selection for measurements, masking Mika Ilvesmäki • Flow as a measurement concept • Security & legislation Networking laboratory HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Course details Course contents • New course, so everything is done for the first time! • Course material • 4-6 exercises (Matlab etc.) – Lecture notes, chapter or two from an (hopefully) upcoming book • ~12 lectures • Course aim is to give basic knowledge on packet and flow measurements in IP networks – Remember to sign via WWWTopi! – Focus is on layers 3 and 4 (IP and TCP) • 4-6 exercises (mandatory) • Course material – Weekly returns, hard deadline 28.4.2005. No extensions will be granted. – Lectures – Matlab experience required – Lecture slides – Programming skills recommended – Exercise materials – In addition to correctness of the answers, the work process – ”Chapter 2” influences the grading of the exercises! – Selected scientific articles • Grading based on final exam. Points gathered from exercises • After the course you should may replace some points in the final exam. – Master basic statistical tools • Final exam 10.5.2006 9am-12, hall S3 – Be able to perform traffic analysis of packet and flow phenomena – Remember to sign up! • And make basic conclusions – Understand different types of measurements •1
HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Contact information Why measure? • Course webpages are the main media for • To give background to new theories communication – to verify existing theories • General: mika.ilvesmaki@netlab.hut.fi – > traffic and network characterization – Reception on thursdays (16.3-6.4.2005) after the • To get knowledge of the network status afternoon lecture for 30 minutes. – availability • Exercises: Please contact the exercise lecturer – use of resources • Other personnel: – security status – markus.peuhkuri@netlab.hut.fi – > network monitoring and control – marko.luoma@netlab.hut.fi HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Who measures? What is there to measure? • Users • Network events – The event itself – Application performance monitoring • Count of packets – End-to-end performance – The size or some other quantitative property of the • Operators event itself – Billing information • Packet size, flow duration – Performance indicators – Inter-event relation • link utilization, error and loss rates, delays • Frequency of events, the time between two events • Protocol/Applications behaviour and analysis • Vendors/manufacturers – Requires assembling the packets to messages, – Design improvement content, protocol state etc. •2
HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Measurement types Mode: Passive measurements • Mode: active or passive • No interference to network • Location: single point - multipoint • Huge amounts of data – Several packets are needed to get accurate information on Active + single point Active + multipoint the network – Cf. to sampling. One packet is one sample of the network Mode Complexity status, several packets are several samples. – Data compression necessary Passive + single Passive + multipoint • Data capture – Data copying point – Passive listening – Pass-through Location HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Passive measurement objectives Mode: Active measurements • Measurement probes (packets) injected • Arrival process characterization into the network -> increases the – Packets, flows, applications network load and may lead to excess • Network status & traffic profiles traffic • General measures • Measure for BW capacity, packet delay, – Utilization, traffic trends etc. packet loss, or RTT • End-to-end • Hop-by-Hop (Tunnels) • Link-by-link •3
HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Active measurement objectives Type: Measurements at one point • Current network status • Measurements done at one point make it possible to analyze – Current available bandwdith estimation – Count of events, event InterArrivalTimes, – Current packet loss characteristics content, volume throughput, round trip – Current delay characteristics times (RTT) – Current routing status • Analyzing packet contents we can also perform – Protocol/Application analysis HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Mode+Type: Active 1-point and multi-point Type: Multipoint measurements • Measurements in two or more points make it possible to analyze and study • Active measurement: – Delays, – Probe sent and response is someway automated from the network by design – Traffic matrices • Traffic directionality • In multi-point active measurements the – Clock synchronization other end is ready to send response. – Routing behavior •4
HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) IP-packet structures TCP/UDP packet structure TCP IPv4 IPv6 Version Priority Flow Label (20 bits) (4 bits) (8 bits) Source port (16 bits) Destination Port (16 bits) Must Payload Length (16 bits) Next Header (8 bits) Hop Limit (8 bits) Sequence number (32 bits) Delay Thru- Relia- Cost Be Precedence (3 bits) (1 bit) put bility (1 bit) Zero (1 bit) (1 bit) (1 bit) Acknowledgement number (32 bits) U A P R S F Data offset Source Address (128 bits) Reserved Window (16 bits) R C S S Y I (4 bits) (6 bits) G K H T N N Checksum (16 bits) Urgent pointer (16 bits) Version IHL Type of Service Total Length (16 bits) UDP (4 bits) (4 bits) (8 bits) Flags Identification (16 bits) Fragment offset (16 bits) Options (24 bits) Padding (8 bits) (4 bits) Time to Live (8 bits) Protocol (8 bits) Header Checksum (16 bits) Source port (16 bits) Destination Port (16 bits) Source Address (32 bits) Destination Address (128 bits) Length (16 bits) Checksum (16 bits) Destination Address (32 bits) Options (24 bits) Padding (8 bits) HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, D.Sc. (Tech.) Mika Ilvesmäki, D.Sc. (Tech.) Where’s the info on the packet contents? Grouping packets into flows • Packet header information – layers 1 and 2 do not contain any information on packet • Concept of flow is based on TCP connections content – Using the TCP protocol, all connections are handled via the – layer 3 (IP) identifies the sending source and receiving SYN and FIN control mechanism. It is therefore possible to destination and the upper layer 4 protocol (TCP/UDP) watch the traffic on a network, check for SYN and FIN • oversimplification: who sends packets where packets and thereby aggregate everything with identical service number, source and destination address etc between – layer 4 (UDP/TCP) identifies the port numbers used at the SYN and FIN packet into one ``flow''. source and destination • The strength of this approach is that the detection of beginning • oversimplification: what application is used and end of a TCP connection based flow is relatively easy. • source identifies the application that originates the packet and • UDP? the destination tells us where the packets are headed • Flow: Packet train model by Jain • Layers 3 and 4 are the first ones that contain any information on the application that the user is using to – A packet train is a burst of packets arriving from the same source and heading to the same destination. If the spacing create packets in the network. between two packets exceeds some inter-train gap, they are said to belong to different trains. •5
Recommend
More recommend
