Presentation is loading. Please wait.

Presentation is loading. Please wait.

A First Look at Modern Enterprise Traffic

Published bySylvia Cozzens Modified over 9 years ago

Similar presentations

Presentation on theme: "A First Look at Modern Enterprise Traffic"— Presentation transcript:

1 A First Look at Modern Enterprise Traffic
Ruoming Pang, Princeton University Mark Allman (ICSI), Mike Bennett (LBNL), Jason Lee (LBNL), Vern Paxson (ICSI/LBNL), and Brian Tierney (LBNL)

2 The Question “What does the traffic look like in today’s enterprise networks?” Previous work LAN traffic [Gusella 1990, Fowler et.al. 1991] More recent work on individual aspects: Role classification [Tan et.al. 2003], Community of interest [Aiello et.al. 2005] Wide area Internet traffic measurements First study: [Cáceres 1989] … when the size of Internet was ~130,000 hosts … about the size of a large enterprise network today

3 Our First Look Which applications account for most traffic?
Who is talking to whom? What’s going on inside application traffic? Esp. ones that are heavily used but not well studied: Netware Core Protocol (NCP), Windows CIFS and RPC, etc. How often is the network overloaded? For all above, compare internal vs. wide area

4 Trace Collection Where: Lawrence Berkeley National Lab (LBNL)
A research institute with a medium-sized enterprise network Caveat: one-enterprise study “The traffic might look like …” How: tapping links from subnets to the main routers Caveat: only traffic between subnets

5 LBNL Trace Data Five data sets Over three months: Oct 2004 -- Jan 2005
Date Oct 4, 04 Dec 15, 04 Dec 16, 04 Jan 6, 05 Jan 7, 05 Duration 10min 1 hour Subnets 22 18 Traced Hosts 2,531 2,102 2,088 1,561 1,558 Packets 18M 65M 28M 22M Snaplen 1500 68 LBNL as an enterprise, research insitute … between subnets, meaning of ‘wide-area’. Five data sets Over three months: Oct Jan 2005

6 LBNL Trace Data Each trace covers a subnet
Date Oct 4, 04 Dec 15, 04 Dec 16, 04 Jan 6, 05 Jan 7, 05 Duration 10min 1 hour Subnets 22 18 Traced Hosts 2,531 2,102 2,088 1,561 1,558 Packets 18M 65M 28M 22M Snaplen 1500 68 Each trace covers a subnet Lasts ten minutes or one hour

7 LBNL Trace Data Two sets of subnets 2,000 hosts traced per data set D0
Date Oct 4, 04 Dec 15, 04 Dec 16, 04 Jan 6, 05 Jan 7, 05 Duration 10min 1 hour Subnets 22 18 Traced Hosts 2,531 2,102 2,088 1,561 1,558 Packets 18M 65M 28M 22M Snaplen 1500 68 Two sets of subnets 2,000 hosts traced per data set

8 LBNL Trace Data Subnets are traced two at a time
Date Oct 4, 04 Dec 15, 04 Dec 16, 04 Jan 6, 05 Jan 7, 05 Duration 10min 1 hour Subnets 22 18 Traced Hosts 2,531 2,102 2,088 1,561 1,558 Packets 18M 65M 28M 22M Snaplen 1500 68 Subnets are traced two at a time With four NIC’s on the tracing machine

9 LBNL Trace Data D0 D1 D2 D3 D4 Date Oct 4, 04 Dec 15, 04 Dec 16, 04 Jan 6, 05 Jan 7, 05 Duration 10min 1 hour Subnets 22 18 Traced Hosts 2,531 2,102 2,088 1,561 1,558 Packets 18M 65M 28M 22M Snaplen 1500 68 Packets with full payloads allow application-level analysis

10 Outline of This Talk Traffic breakdown Origins and locality
Which applications are dominant? Origins and locality Individual application characteristics

11 Network Layer: Is IP dominant?
Yes, most packets (96-99%) are over IP Caveat: inter-subnet traffic only Aside from IP: ARP, IPX (broadcast), etc.

12 Transport Layer Protocols seen:
TCP, UDP, ICMP Multicast: IGMP, PIM Encapsulation: IP-SEC/ESP, GRE IP protocol 224 (?) Is UDP used more frequently inside enterprise than over wide area Internet?

13 TCP vs. UDP / WAN vs. Enterprise Breakdown by Payload Bytes
80% traffic is internal TCP vs. UDP / WAN vs. Enterprise Breakdown by Payload Bytes

14 Breakdown of the first data set (D0)
80% traffic is internal Breakdown of the first data set (D0) (Bars add up to 100%)

15 80% (or more) payloads are sent within the enterprise.
80% traffic is internal 80% (or more) payloads are sent within the enterprise.

16 Yes, UDP is used more frequently inside the enterprise.

17 Breakdown by Flows

18 Application Breakdown by Bytes
Bars for datasets, for a given position 100%. Application Breakdown by Bytes

19 NFS, Netware Core Protocol Application Breakdown by Bytes
net-file: NFS, Netware Core Protocol Bars for datasets, for a given position 100%. Application Breakdown by Bytes

20 Application Breakdown by Bytes
bulk: FTP, HPSS Bars for datasets, for a given position 100%. Application Breakdown by Bytes

21 Application Breakdown by Bytes
windows: Port 135, 139, and 445 Bars for datasets, for a given position 100%. Application Breakdown by Bytes

22 Bars for each data set add up to 100%
Bars for datasets, for a given position 100%. Bars for each data set add up to 100%

23 Internal Heavy-Weights
net-file: NFS NCP backup: Dantz Veritas NCP (hundreds message types) Internal Heavy-Weights

24 WAN Heavy-Weights WAN ≈ web +

25 name: DNS WINS misc: Calendar CardKey Breakdown by Flows

26 Summary of Traffic Breakdown
Internal traffic (vs. wide area) Higher volume (80% of overall traffic) A richer set of applications Traffic heavy-weights Internal: network file systems and backup WAN: web and

27 Outline Traffic breakdown Origins and locality
Fan-in/out distribution Individual application characteristics

28

29 Half of hosts have no wide-area fan-out (in one hour).

30 Internal fan-out has a fat tail.
SrvLoc Internal fan-out has a fat tail.

31 Most hosts have fan-in of no more than 10.

32 Outline Traffic breakdown Origins and locality
Fan-in/out distribution Individual application characteristics

33 Example Questions Is there a big difference between internal and wide area HTTP traffic? How different are DNS and WINS (netbios/ns)? What does Windows traffic do?

34 Internal HTTP traffic Automated clients vs. the rest:
Requests Bytes D0 D3 D4 Internal Scanners 20% 49% 19% 0.1% 0.9% 1% Google Devices 37% 8% 5% 96% 69% 48% Netware iFolder 0.2% 10% 0.0% 9% All other clients 42% 43% 66% 4% 30% 41% What is a google bot (internal google search box) Automated clients dominate the traffic.

35 DNS vs. WINS Where do queries come from?
DNS: both local and remote; most queries come from two mail servers WINS: local clients only; queries are more evenly distributed among clients Failure rate (excluding repeated queries) DNS: 11-21% WINS: 36-50% (!) Dig into DNS query failures

36 Windows Traffic Port numbers don’t tell much… Port 139 NETBIOS
File Sharing Port 445 CIFS/SMB LAN Browsing DCE/RPC Endpoint Mapper Port 135 File system is not file system Bro analysis (binpac?) DCE/RPC Services (logon, msgr, etc.) Dynamic Ports Port numbers don’t tell much…

37 Windows Traffic Application level analysis: Bro + binpac Port 139
NETBIOS File Sharing Port 445 CIFS/SMB LAN Browsing DCE/RPC Endpoint Mapper Port 135 File system is not file system Bro analysis (binpac?) DCE/RPC Services (logon, msgr, etc.) Dynamic Ports Application level analysis: Bro + binpac

38 Windows Traffic Breakdown
Majority of CIFS/SMB traffic is for DCE/RPC services Rather than file sharing Majority of RPC traffic By request: user authentication (netlogon), security policy (lsarpc) and printing (spoolss) By size: printing (spoolss)

39 Not Covered in This Talk …
Characteristics of more applications Network file systems: NFS and NCP Backup Further details about HTTP, DNS/WINS, and Windows traffic Network congestion

40 Conclusion A lot is happening inside enterprise Caveats
More packets sent internally than cross border A number of applications seen only within the enterprise Caveats One enterprise only Inter-subnet traffic Hour-long traces Subnets not traced all at once Header traces released for download! To come: traces with payloads (HTTP, DNS, …) Caveats (one enterprise/hour/inter-subnets)

41 (or search for “LBNL tracing”)
The End To download traces: (or search for “LBNL tracing”)

Download ppt "A First Look at Modern Enterprise Traffic"

Similar presentations

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
CCNA 1 v3.1 Module 11 Review.

CCNA 1 v3.1 Module 11 Review.
Copyright © 2005 Department of Computer Science CPSC 641 Winter 20111 WAN Traffic Measurements There have been several studies of wide area network traffic.

Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.
The Transport Layer Chapter 6. The Transport Service Services Provided to the Upper Layers Transport Service Primitives Berkeley Sockets An Example of.

The Transport Layer Chapter 6. The Transport Service Services Provided to the Upper Layers Transport Service Primitives Berkeley Sockets An Example of.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Network Analyzer Example

Network Analyzer Example
Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.

Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.
Report by: Loizos Konomou EL933 Fall 2005 Prof: Yong Liu Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney Princeton University,

Report by: Loizos Konomou EL933 Fall 2005 Prof: Yong Liu Ruoming Pang, Mark Allman, Mike Bennett, Jason Lee, Vern Paxson, Brian Tierney Princeton University,
Instructor & Todd Lammle

Instructor & Todd Lammle
Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.

Defining Network Protocols Application Protocols –Application Layer –Presentation Layer –Session Layer Transport Protocols –Transport Layer Network Protocols.
1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.

1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.
CS 356 Systems Security Spring 2015 Dr. Indrajit Ray

CS 356 Systems Security Spring Dr. Indrajit Ray
1 TCP/IP architecture A set of protocols allowing communication across diverse networks Out of ARPANET Emphasize on robustness regarding to failure Emphasize.

1 TCP/IP architecture A set of protocols allowing communication across diverse networks Out of ARPANET Emphasize on robustness regarding to failure Emphasize.
Lecture 8 Modeling & Simulation of Communication Networks.

Lecture 8 Modeling & Simulation of Communication Networks.
1.  A protocol is a set of rules that governs the communications between computers on a network.  Functions of protocols:  Addressing  Data Packet.

1.  A protocol is a set of rules that governs the communications between computers on a network.  Functions of protocols:  Addressing  Data Packet.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Workshop 1: Introduction to TCP/IP

Workshop 1: Introduction to TCP/IP

Similar presentations

Ads by Google