Tracking down Traffic Dario Bonfiglio Marco Mellia Michela Meo - - PowerPoint PPT Presentation

tracking down traffic
SMART_READER_LITE
LIVE PREVIEW

Tracking down Traffic Dario Bonfiglio Marco Mellia Michela Meo - - PowerPoint PPT Presentation

Feb 11, 2023 549 likes •887 views

Tracking down Traffic Dario Bonfiglio Marco Mellia Michela Meo Nicolo Ritacca Dario Rossi Agenda A few words about Skype Known facts Preliminary definitions Investigate Skype Traffic Voice traffic Reaction to

slide-1
SLIDE 1

Tracking down Traffic

Dario Bonfiglio Marco Mellia Michela Meo Nicolo’ Ritacca Dario Rossi

slide-2
SLIDE 2

Agenda

  • A few words about Skype

– Known facts – Preliminary definitions

  • Investigate Skype “Traffic”

– Voice traffic

  • Reaction to network performance degradation

– Signaling traffic

  • Signaling patterns & peer selection

– Users’ behavior

  • Please, see the paper
slide-3
SLIDE 3

Why Skype ?

  • Skype is very popular

– More than 100M users, 5% of all VoIP traffic – Easy to use, many free services

  • voice / video / chat / data transfer over IP
  • Understanding Skype is a challenging task

– Closed design, proprietary solutions – Almost everything is encrypted – Uses a P2P architecture – Lot of different flavors

slide-4
SLIDE 4

Skype for Dummies

  • Architecture

– P2P design

slide-5
SLIDE 5

Skype for Dummies

  • Architecture

– P2P design

  • Service traffic

– Voice calls – Video calls – Chat – Data transmission

slide-6
SLIDE 6

Skype for Dummies

  • Architecture

– P2P design

  • Service traffic

– Voice calls – Video calls – Chat – Data transmission – Skypeout/Skypein

slide-7
SLIDE 7

Skype for Dummies

  • Architecture

– P2P design

  • Service traffic

– Voice calls – Video calls – Chat – Data transmission – Skypeout/Skypein

  • Signaling traffic

– Login & auth. – Look for buddies – ….

slide-8
SLIDE 8

Methodolody

  • Service traffic

– Small scale active testbed – Controlled bandwidth, packet loss – voice service, many Codecs, TCP/UDP traffic

  • Signaling traffic

– Passive measurement technique – Adopt a black-box approach – Inspect and quantify UDP signaling – Classification framework:

300.103 external peers D.Bonfiglio, M.Mellia, M.Meo, D.Rossi, P.Tofanelli, Revealing Skype Traffic: When Randomness Plays with You, SIGCOMM'07 7000 hosts 1700 peers

slide-9
SLIDE 9

Preliminary Definition

  • Useful information

– At installation, Skype chooses a port at random – The port is never changed (unless forced by the user) – All traffic multiplexed over the same socket (UDP preferably)

Skype flow

– A sequence of packets

  • riginated from a Skype

peer (and destined to another skype peer) – Flow starts when the first packet is observed – Flow ends when no packet is observed for a given inactivity timeout (200s)

(IP addr, UDP port)

Skype peer

– A Skype peer can be identified by its endpoint – Consider only peers that were ever observed making a call

slide-10
SLIDE 10

Skype Source Model

Sk Skyp ype Mess ssage ge TC TCP/ P/UD UDP IP IP

slide-11
SLIDE 11

Service traffic

Codec Impact

slide-12
SLIDE 12

Service Traffic: Normal Condition

Bitrate [kbps]

Time [s]

50 100 150 200 250 10 20 30 40 50 60 ISAC iLBC iPCM-WB PCM G729

Aggressive Startup Smooth Transient Normal Behavior

slide-13
SLIDE 13

600 400 200 10 20 30 40 50 60 PCM 900 600 300 iPCM-WB 300 200 100 iLBC 100 50 G729 300 200 100 ISAC

Service Traffic: Normal Condition

Message Payload [Bytes]

Time [s]

slide-14
SLIDE 14

Service Traffic: Normal Condition

IPG [ms]

Time [s]

10 20 30 40 50 60 70 10 20 30 40 50 60 ISAC iLBC iPCM-WB PCM E2O G729

slide-15
SLIDE 15

Service traffic

Transport Layer Impact

slide-16
SLIDE 16

Service Traffic: TCP vs UDP

20 40 60 80 B - UDP B - TCP 30 60 90 IPG - UDP IPG - TCP 50 100 150 200 250 10 20 30 40 50 60 L - UDP L -TCP

Time [s] Time [s] Time [s]

TCP/UDP have no impact

slide-17
SLIDE 17

Service traffic

Network Impact

slide-18
SLIDE 18

Service Traffic: Bandwidth Limit

20 40 60 80 100 Average Throughput Bandwidth limit 20 40 60 80 100 Framing 50 100 150 200 250 300 30 60 90 120 150 180 210 240 270 300 Time [s] Skype Message Size

Time [s] Time [s]

Skype performs congestion control

slide-19
SLIDE 19

Service Traffic: Packet Loss

100 200 300 400 500 100 200 300 400 500 2 4 6 8 10 10 20 30 40 50 60 100 200 300 400 500 2 4 6 8 10

Inter-Pkt Gap [ms] Payload [Bytes]

Loss % Time [s] Loss profile Aggressively tries to deal with losses… ...by multiplexing old and new voice blocks

Skype performs loss recovery

slide-20
SLIDE 20

Service traffic

Video Traffic

slide-21
SLIDE 21

Service Traffic: Video Source

200 400 600 800 B 20 40 60 80 IPG 300 600 900 10 20 30 40 50 60 Time [s] L

Time [s] Time [s]

Back-to-back video Massages => frame Usual IPG for pure audio messages Video messages are Bigger Voice messages are the same

Skype multiplexes different sources

slide-22
SLIDE 22

Signaling traffic

slide-23
SLIDE 23
  • 1500
  • 1000
  • 500

500 1000 1500 0 6 12 18 24

Signaling Traffic: Activity Pattern

  • Legend

– Consider a single client – Each dot is a packet – Top: outgoing, Bottom: incoming – For every new peer, increment the ID – For every old peer, use the previous ID Time [Hr]

In Out

Rather different patterns emerge from the plot

slide-24
SLIDE 24
  • 1500
  • 1000
  • 500

500 1000 1500 0 6 12 18 24

Signaling Traffic: Activity Pattern

  • Probes

– Single packet – Sent toward unknown peers – Reply possibly follows – No further traffic between the same peers pair – Majority of the flows Time [Hr]

In Out

Peer discovery is a continuous task

slide-25
SLIDE 25
  • 1500
  • 1000
  • 500

500 1000 1500 0 6 12 18 24

Signaling Traffic: Activity Pattern

  • Non-Probes

– Flows longer than one packet – Series of single-packet flows – Sent toward the same peer – Carry most signaling bytes Time [Hr]

In Out

Talk to super peers, notify buddies of status change, …

slide-26
SLIDE 26
  • 1500
  • 1000
  • 500

500 1000 1500 0 6 12 18 24

Signaling Traffic: All Peers

  • Probes

– Majority of the flows

  • Non-probes

– Carry most signaling bytes

  • Signaling bandwidth

– 95% generate <100 bps – Only 1% exceeds 1 Kbps

  • Signaling spread

– 95% of peers contact <40 peers (in 5 min) – 1% exceeds >75 (in 5 min) Time [Hr]

In Out

slide-27
SLIDE 27

Conclusions

  • Service traffic

– Active testbed – Skype implements a congestion control

  • Aggressive with losses
  • Conservative with

bottlenecks

  • Signaling traffic

– Passive measurement – Two different threads shapes the overlay

  • Probes
  • Non-Probes

– Signaling rate and spread

  • Very limited bitrate
  • Large number contacted

peers

  • User Characterization

– Number of calls per unit of time – Call duration for different services – Peer Lifetime

Details are in the paper, not in this talk 

  • Future Work

– Extensive measurement in different networks

  • Campus LAN
  • ADSL installation
  • Cellular Network
slide-28
SLIDE 28

Signaling Traffic: Peer Selection

  • RTT distance

– RTT between first request-reply packets – Probe RTT smaller w.r.t. non-probe traffic

Round Trip Time [ms]

0.004 0.008 0.012 10 100 1000 pdf Non-Probe Probe

0% 20% 40% 60%

Europe North America Asia South America Africa Oceania Non-Probe Probe

  • Geolocation breakdown

– Probes favor discovery

  • f nearby hosts

– Non-probes driven by social network

slide-29
SLIDE 29
slide-30
SLIDE 30
slide-31
SLIDE 31

Signaling Traffic: Peer Selection

10 20 30 40 50 60 70 80

  • 150
  • 100
  • 50

50 100 150 Latitude Longitude

slide-32
SLIDE 32

Signaling Traffic: Inferring Churn

PDF

0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08

6 12 18 24

Time [h]

Peer Lifetime Peer Deathtime