Measuring IP and TCP behavior on a Edge Node

This paper presents Tstat [1], a new tool for the collection and statistical analysis of TCP/IP traffic, able to infer TCP connection status from trace data. Discussing its use, we present some of the performance figures that can be obtained and the insight that such figures can give on TCP/IP protocols and the Internet. While field measures have always been the starting point for networks planning and dimensioning, their statistical analysis beyond simple traffic volume estimation is not so common. One of the main reasons is the enormous amount of possible performance figures that can be devised in TCP/IP networks. Tstat automatically derives about 80 different performance indices both at the IP and at the TCP level, allowing a very deep insight in the network performance. While standard performance measure, such as flow dimensions, traffic distribution, etc., remain at the base of traffic evaluation, more sophisticated indices, like the outof-order probability and gap dimension in TCP connections, obtained through data correlation between the incoming and outgoing traffic, give reliable estimates of the network performance also from the user perspective. Several of these indices are discussed on traffic measures performed for more than 2 months on the access link of our institution. I. TRAFFIC MEASURES IN THE INTERNET Planning and dimensioning of TLC networks was always based on traffic measures, upon which estimates and models are built to be used with the appropriate mathematical tools. While this process proved to be reasonably simple in traditional, circuit switched, telephone networks, it seems to be much harder in packet switched data networks, specially in the Internet, where the TCP/IP client-server communication paradigm, inherently introduces correlation among traffic relation both in space and time. While a large part of this difficulty lies in the failure of traditional modeling paradigms [2], [3], there are also several key points to be solved in performing the measures themselves and, most of all, in organizing the enormous amount of data that are collected through measures. First of all, the client-server communication paradigm implies that the traffic behavior does have meaning only when the This work was supported by the Italian Ministry for University and Scientific Research through the PLANET-IP Project. forward and backward traffic are jointly analyzed, otherwise half of the story goes unwritten, and should be hardly inferred. This problem makes measuring inherently difficult; it can be solved if measures are taken on the network edge, where the outgoing and incoming flows are necessarily coupled, but it can prove impossible in the backbone, where the peering contracts among providers often disjoint the forward and backward routes [4]. Second, data traffic must be characterized to a higher level of detail than voice traffic, since the ‘always-on’ characteristics of most sources and the nature itself of packet switching require the collections of data at the session, flow, and packet level, while circuit switched traffic is well characterized by the connection level alone. This is due to the source model of the traffic, which is well characterized and relatively simple in case of voice traffic, but more complex and variable in case of data networks, where different application models can coexist and interact together. Notice that, in the absence of CAC (Connection Admission Control) functions and in the presence of connectionless services, the notion of connection itself becomes quite fuzzy in the Internet. Finally, the complexity and layered structure of the TCP/IP protocol suite, requires the analysis of traffic at least at three different layers (IP, TCP/UDP, Application) in order to have a picture of the traffic clear enough to allow the interpretation of data. Starting from the pioneering work of Danzig [5], [6], [7] and of Paxons and Floyd [2], [8] in which the authors characterized the traffic of the ”first Internet” via measures, there has always been an increasing interest in the data collection, measure and analysis, to characterize either the network protocol or the users behavior. After the birth of the Web, lots of effort has been devoted to study caching and content delivery architecture, which intrinsically are based on the deep knowledge of the traffic and user behavior. Thus many works analyze traces at the application levels, typically log files of web servers or proxy servers [9], [10], [11]. These are then very helpful understand user behavior, but less interesting from the network point of view. Many projects are instead using real traffic traces, captured form large campus networks, like the work in [12], where the authors characterize the HTTP protocol by using