Transcript Slide 1

A First Look at Modern
Enterprise Traffic
Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney
Princeton University, International Computer Science Institute,
Lawrence Berkeley National Laboratory (LBNL)
IMC2005 http://www.usenix.org/events/imc05/tech/
Report by: Loizos Konomou
EL933
Fall 2005
Prof: Yong Liu
Enterprise Network Traffic

Internet traffic has been studied a lot

Not many studies regarding internal
enterprise traffic

Study of internal network traffic of an
enterprise and compare it with the
wide area traffic
Enterprise Network Traffic
Measurements taken at 2 Central
Routers (One at a time)
 Pentium 4 2.2Ghz running FreeBSD
4.10
 4 NIC cards, capture unidirectional
traffic
 Measurement equipment able to
capture 2 interfaces at a time
 2 subnets at a time

Enterprise Network Traffic

Trace consists

Over 100 Hours of packet traces

8000 Internal Hosts

47000 External Hosts
Goals:
Understand the makeup of internal
network traffic (from the network layer
to the application layer)
 Gain sense of the patterns of locality
 Characterize application traffic in terms
of how intranet traffic differs from
Internet traffic characteristics
 Characterize applications heavily used
inside the enterprise but rarely outside
 Gain Understanding of the load being
imposed on modern enterprise networks

Overview of Traces
Network Protocols detected in traces

IP is the dominant Layer 3 Protocol
Transport Layer Protocols


TCP is dominant in Packets
UDP is dominant in connections.
Application Breakdown




Other-udp
Other-tcp
Misc
Net-mgmt
Streaming
Windows
Interactive
name
Bulk
Backup
Net-file
email
WEB
Other-udp
Other-tcp
Misc
Net-mgmt
Streaming
Windows
Interactive
name
Bulk
Backup
Net-file
email
WEB
Unicast Payload and Connections
Most traffic is internal.
Most of the external traffic is web
Most internal traffic in bytes is net-file and backup,
but the number of connections for these categories
are very small
Name resolution traffic small, but large number of
connections
Origins and Destinations
71-79% of traffic is within the network
 2-3% originates from inside with
destination outside
 6-11% originates from hosts outside
with destination inside
 5-10% is multicast sourced within the
network,
 4-7% is multicast sourced externally

Applications
Web traffic has more external traffic
than internal
 Email also both internal and external

SMTP and Secure IMAP dominate the
email protocols used
 POP3, LDAP


Name Services
DNS, Netbios, Service Locator, RPC
 Handful of servers account for most of
the DNS traffic.

Application Enterprise Specific Traffic

Windows Services




SMB/CIFS
NFS
NCP
DCE/RPC
CIFS Breakdown
Windows Services
DCE/RPC Functions
NFS Functions
Backup Services
Veritas
 Dantz


Large volume of traffic between small
number of hosts.
Summary
This study provides a broad view of
the enterprise traffic
 Limitations:

Data is specific to one Site
 Each Site is unique


General Idea about internal traffic

Sets the foundations for more deep
studies of internal network traffic