Transcript Internet Traffic Monitoring and Analysis

1. Introduction
Internet Traffic Monitoring and Analysis:
Methods and Applications
(1)
POSTECH
DP&NM Lab.
1. Introduction - Evolving IP Network Environment
 WAN: SONET/SDH (OC3, OC12, OC48, OC192), ATM,
WDM/DWDM
 LAN: 10/100 Mbps to 1 Gbps to 10 Gbps Ethernet
 Broadband Internet Access: Cable Modem, xDSL, ISDN,
FTTx
 Wireless Access: WLAN (IEEE 802.11), Wireless Internet,
3G, Wibro/WiMax, 4G
 Wired/Wireless Convergence: Softswitch, Media Gateway,
NGCN
Internet Traffic Monitoring and Analysis:
Methods and Applications
(2)
POSTECH
DP&NM Lab.
1. Introduction – Growth of Internet Users
The number of Internet users is growing
Source : www.internetworldstats.com
Internet Traffic Monitoring and Analysis:
Methods and Applications
(3)
POSTECH
DP&NM Lab.
1. Introduction – Growth of Internet Users
Source : www.internetworldstats.com
Internet Traffic Monitoring and Analysis:
Methods and Applications
(4)
POSTECH
DP&NM Lab.
1. Introduction – Growth of Internet Traffic
Internet traffic has increased dramatically
Cisco forecasts 44 Exabytes per month of IP traffic in 2012
(Exabyte = 1 million terabytes = 260 bytes)
Internet Traffic Monitoring and Analysis:
Methods and Applications
(5)
Source: Cisco
POSTECH
DP&NM Lab.
1. Introduction – Reliance on Internet
The Internet generated revenue has been increasing rapidly!
Source : Business Insider
 Internet plays important role in world economy
Internet Traffic Monitoring and Analysis:
Methods and Applications
(6)
POSTECH
DP&NM Lab.
1. Introduction – Internet Applications
 Stand-alone applications can now utilize networking
 Cooperative editing: Abiword, ACE, MS SharePoint Workspace
 Browser-based software: Google Docs, Google Wave
 Game console: Microsoft XBOX, Sony Playstation, Nintendo Wii
 New network applications
 Online games, shopping, banking, stock trading, network
storage, P2P applications
 VOD, EOD (Education on Demand), VOIP, IPTV
Online game
Internet Traffic Monitoring and Analysis:
Methods and Applications
VoIP
(7)
VOD
POSTECH
DP&NM Lab.
1. Introduction – Structure of Applications
 Client-Server
 Traditional structure
server
client
 Peer-to-Peer (P2P)
 New concept between file sharing and transferring
 Generates high volume of traffic
discovery, content,
transfer query
peer
peer
peer
 Structures of applications are changing!
Internet Traffic Monitoring and Analysis:
Methods and Applications
(8)
POSTECH
DP&NM Lab.
1. Introduction – Types of Traffic
 Static sessions vs. Dynamic sessions
connect
connect
Negotiate &
allocate
use static
protocol, port
use dynamic
protocol, port
disconnect
disconnect
control
data
 Bursty data transfer vs. Streaming data transfer
packet
network
packet
network
 Types of traffic are various and increasing!
Internet Traffic Monitoring and Analysis:
Methods and Applications
(9)
POSTECH
DP&NM Lab.
1. Introduction – Internet Protocol Distribution
protocol
Flows
Packets
Bytes
TCP
32,515
14.4%
1,797,176
86.3%
1,339,396,630
96.8%
UDP
54,561
24.2%
141,769
6.8%
27,812,586
2.0%
ICMP
138,253
61.3%
141,247
6.7%
15,720,410
1.1%
Others
125
0.0%
474
0.0%
32,160
0.0%
2003.09.16 – 19:36
POSTECH Internet Junction Traffic
 Transport Protocol Distribution
 The amount of UDP flows is increasing by P2P applications
 The amount of ICMP flows is increasing by Internet worms
Internet Traffic Monitoring and Analysis:
Methods and Applications
(10)
POSTECH
DP&NM Lab.
1. Introduction – Internet Protocol Distribution
protocol
Flows
Packets
Bytes
TCP
42,533
5.8%
1,677,721
38.7%
1,288,490,188
39.9%
UDP
678,800
93.4%
2,621,440
60.5%
1,932,735,283
59.9%
ICMP
4,452
0.6%
31,256
0.7%
2,516,582
0.1%
Others
445
0.0%
3,099
0.0%
570,726
0.0%
2011.03.28 – 18:15
POSTECH Internet Junction Traffic
 Transport Protocol Distribution
 The amount of UDP flows is increasing by P2P, gaming &
multimedia streaming applications
Internet Traffic Monitoring and Analysis:
Methods and Applications
(11)
POSTECH
DP&NM Lab.
1. Introduction – Port number usage in TCP/UDP
 Port Number Distribution in bytes
?
<1024
>=1024
2%
41%
?
98%
59%
<1024
>=1024
UDP Port Number Distribution
TCP Server Listening Port Number Distribution
 Proportion of Internet Applications
?
54%
21%
20%
HTTP
FTP
TELNET
SMTP
Others
5%
2003.09.16 – 19:36
0%
POSTECH Internet Junction Traffic
 Which applications generate this large amount of traffic?
Internet Traffic Monitoring and Analysis:
Methods and Applications
(12)
POSTECH
DP&NM Lab.
1. Introduction – Port number usage in TCP/UDP
 Port Number Distribution in bytes
?
0.75%
?
0.18%
< 1024
< 1024
99.25%
Others
TCP Server Listening Port Number Distribution
Others
99.82%
UDP Port Number Distribution
 Proportion of Internet Applications
11.403%
2.484%
?
http
ssl
tcp encap.
smtp
84.986%
pop
rtsp
ssh
2011.03.28 – 18:15
POSTECH Internet Junction Traffic
Others
 Which applications generate this large amount of traffic?
Internet Traffic Monitoring and Analysis:
Methods and Applications
(13)
POSTECH
DP&NM Lab.
1. Introduction – Motivation
 Needs of Service Providers
 Understand the behavior of their networks
 Provide fast, high-quality, reliable service to satisfy customers and
thus reduce churn rate
 Plan for network deployment and expansion
 SLA monitoring, Network security
 Increase Revenue!
 Usage-based billing for network users (like telephone calls)
 Marketing using CRM data
 Needs of Customers
 Want to get their money’s worth
 Fast, reliable, high-quality, secure, virus-free Internet access
To Satisfy Service Providers’ Needs to Satisfy Their
Customers!
Internet Traffic Monitoring and Analysis:
Methods and Applications
(14)
POSTECH
DP&NM Lab.
1. Introduction – Application Areas
 Network Problem Determination and Analysis
 Traffic Report Generation
 Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection
 Service Level Monitoring (SLM)
 Network Planning
 Usage-based Billing
 Customer Relationship Management (CRM)
 Marketing
Internet Traffic Monitoring and Analysis:
Methods and Applications
(15)
POSTECH
DP&NM Lab.
1. Introduction – Issues in Traffic Monitoring
 Choices
 Single-point vs. Multi-point monitoring
 Number of probing or test packet generation point
 In-service vs. Out-of-service monitoring
 Whether monitoring should be executed during service or not
 Continuous vs. On-demand monitoring
 Monitoring executes continuously or by on-demand.
 Packet vs. Flow-based monitoring
 Collect packets or flows from network devices.
 One-way vs. Bi-directional monitoring
 Monitor forward path only / forward and return path
 Trade-offs




Network bandwidth
Processing overhead
Accuracy
Cost
Internet Traffic Monitoring and Analysis:
Methods and Applications
(16)
POSTECH
DP&NM Lab.
1. Introduction – Problems
 Capturing Packets





High-speed networks (Mbps  Gbps  Tbps)
High-volume traffic
Streaming media (Windows Media, Real Media, Quicktime)
P2P traffic
Network Security Attacks
 Flow Generation & Storage
 What packet information to save to perform various analysis?
 How to minimize storage requirements?
 Analysis
 How to analyze and generate data needed quickly?
 What kinds of info needs to be generated?  Depends on
applications
Internet Traffic Monitoring and Analysis:
Methods and Applications
(17)
POSTECH
DP&NM Lab.
1. Introduction – R&D Goals
 Develop methods to





Capture all packets
Generate flows
Store flows efficiently
Analyze data efficiently
Generate various reports or information that are suitable for various
application areas
 Develop a flexible, scalable traffic monitoring and analysis
system for high-speed, high-volume, rich media IP
networks
Internet Traffic Monitoring and Analysis:
Methods and Applications
(18)
POSTECH
DP&NM Lab.