Report on

Traffic profile measurement and traffic driven network

reconfiguration

Guided by: Prof. Sanjay Srivastava

Submitted By : Jasneet Kaur (200911039)

Dhirubhai Ambani Institute of

Information and Communication Technology, Gandhinagar

August 2010
 Introduction
Traffic in broad terms can be defined as the density of data that is present in the network, that
may exist in the form of data traffic or control traffic. Various communication devices access
resources and also get requests to complete some task, so there is always a lot of request,
response and control data in the network. Be it a small network or a large one, all have traffic
which needs to be measured. Different network measurement are done to either
analyze/characterize network phenomena or to test new tools, protocols, systems. If a network is
not measured, we can’t have objective data about how it will perform, how will it behave and
grow and how to identify and diagnose the network problems.

What is to be measured?
Before any measurements can take place one must determine what to measure and monitor.
There are many commonly used network performance characteristics [4]:-

1. Latency: Latency is a time delay while one waits for something to happen. For many
kinds of network communications, once a packet (or group of packets) has been sent
from one computer to another, nothing appears to happen until an answering packet is
received in return. So a widely used measure of network latency is round-trip time (RTT),
the time for a packet to make the round trip from a client to a server and back. Many
component times contribute to network latency:
a).The time it takes a packet to travel along the physical links that make up its path
through the Internet (transport time)
b).The time it takes to pass through routers between those links (queuing and
transmission time)
c).The time required for the server to process an incoming packet and generate a response
packet (server response time)

2. Throughput & Bandwidth: Throughput is the rate at which data is sent through the
network, usually expressed in bits per second (bps), bytes per second (Bps) or packets per
second (pps). Throughput most commonly refers to the total data transfer rate for all
 traffic being carried, but it can be useful to measure throughput at finer granularity. Three
possible kinds of bandwidths that are interest of measure are
a).Capacity: it is the maximum throughput that a link or path can sustain. It is also
called as bottleneck bandwidth.
b).Available bandwidth: The portion of the capacity that is not being used during a given
interval of time. This is also called as residual bandwidth.
c).Bulk Transfer Capacity: The capacity that is associated with a new link on the path.

3. Response time: The time taken by the request of the end user to get accomplished the
network with all the resources that are available with it.

4. Arrival rate: The rate at which the packets are arriving at the interfaces of the networking
devices and elements. Generally, the rate at which packets arrive is considered to b a
Poisson distribution, but it has been shown that its not every time a Poisson distribution

5. Utilization: Network service is normally provided to a corporate site via one or more
physical links, each of which has a maximum data rate, known as the access rate of the
link. Link Utilization over a specified interval is simply the throughput for the link
expressed as a percentage of the access rate.

6. Loss: By default, many networks transport data and packets by best effort delivery.
Routers make every reasonable effort to forward packets, but may drop them depending
on the router's immediate local conditions.

The above things are there when we talk only about wired networks. With the wireless networks
coming into picture, measures involved do get a change. So for the Wireless Communication,
following also have to be taken onto account [2]:

1. Signal Strength.
2. Amount of power consumed.
3. Data bit rates.
4. Degree of coverage.
5. Session Related information (set up time, duration, list of applications, hand off time of access
points).
6. Link capacity.
7. Available and effective bandwidth.
8. Identification of bottleneck.

Where measurements be made?

The next thing that comes in picture is where to perform these measurements. There can be
multiple points in the network where any kind of measurement can be done. These points are
called as Vantage points. These vantage points can be application dependent.

Also an issue arises when we need to differentiate between wired and wireless network. For a
wired network these points can be ingress and egress routers, backbone routers, and gateway
routers. The count of these points differ in different kinds of network infrastructures like LAN
and WAN.

In case of WAN, the Points of Presence can be different and different kind of traffic might be
flowing at different points. Compared to LAN, where geographical area is less, measurements
tend to be same.

In case of wireless networks these points can be access points and some of the gateway routers.
For an ad hoc wireless network, where each node is itself a router, some of the nodes can become
a point of measurement.
 Important Terms
Network traffic measurement is the process of measuring the amount and type of traffic on a
particular network. This is especially important with regard to effective bandwidth management.

General Process of Traffic Management

TRAFFIC MEASUREMENT

TRAFFIC ANALYSIS

MANAGEMENT TECHNIQUES

RESULT EVALUATION
Feedback

FINAL RESULT

Controlling network traffic requires limiting bandwidth to certain applications, guaranteeing

minimum bandwidth to others, and marking traffic with high or low priorities. This exercise is
called traffic management.

Another related term is network monitoring that describes the use of a system that constantly
monitors a computer network for slow or failing systems and that notifies the network
administrator in case of outages via email, pager or other alarms. It is a subset of the functions
involved in network management. Efficient network monitoring is all about maintaining the
overall integrity of the network. It is important to know that the components that make up the
network are working properly. This involves checking on both the hardware and the software
that help to make up the functioning network. With proper network monitoring, problems can be
spotted early on and a step taken to correct the issue before it has a chance to cause major havoc.
Understanding network traffic behavior is essential for all aspects of network design and
operation:

1. Component design

2. Protocol design

3. Provisioning

4. Management

5. Modeling and simulation.

Issues related to measurements

1. The role of time

Many of the measurement tasks involve measuring round trip times, delays incurred, and
response time. All these measurements require synchronization in clocks at various measurement
points.[2]

Different kinds of clocks are appropriate for different sorts of measurement tasks. The external
time sources which can provide high quality reference time are US National Institute of
Standards & Technology (NIST) that operates three radio services that disseminates time
information. Another accurate external time source is Global Positioning System (GPS) which is
operated by US Department of Defense.GPS consists of a constellation of 32 satellites in 12 hour
orbits and is available worldwide.

Most measurements are done by standard PC hardware that has two clocks: a battery powered
hardware clock that keeps track of times when system is turned off and a software clock when
the system is running.

For achieving synchronization in different clocks Network Time Protocol (NTP) is followed.
2. Capturing data

Capturing data for measurement varies in technique, complexity, volume and difficulty
depending upon layer of the protocol stack. When the data is gathered at router or any other
lower level protocol layer, the key issue is the amount of the data that has to be examined. At
lower level, large amount of data are processed quickly. Their primary task is to facilitate quick
movement of traffic, doing measurements here can hamper the performance as maximum packet
delay and packet loss can occur here. Since traffic flows can be bursty it is hard to predict the
amount of resources that are required to manage all the things.

Moving up to the packet level data, the volumes of information remains large. Here packet level
traces as well as flow of packets between different end points is considered. Third level data i.e.
the application level data is easier to gather as compared to the lower levels.

3. Local vs. Remote vs Distributed data gathering.

Low level data is generally gathered locally in local area networks or within campus under some
administrative control. It is not feasible to trigger remote data gathering about routers and links
since they are often under strict administrative control that do not allow remote measurements.
But it is possible to target a remote link or a router remotely to try and obtain round trip time and
other traffic related information. Packet traces can be also be gathered locally. But the
application level data is generally captured in a remote and distributed manner.
 Types of Measurements
Network measurement requires hardware or software measurement facilities that attach directly
to network so that the required kind of measured data is collected. There are basically two kinds
of measurements methodologies used so as to gain output.

1. Active measurement: It requires extra data to be added to the current network so as to

perform measurements.

2. Passive measurement: It refers to capturing traffic that is generated by other users and
applications.

These measurements are performed using various tools that are available.

Active Measurement tools

1. Ping : It sends an ICMP ECHO packet to the target and captures ICMP REPLY packet. It
is used for checking connectivity to the target and for measuring instantaneous RTT
between the sender and the target.

2. OWAMP: If the delay information regarding only one direction is required to be

measured rather than using ping OWAMP is used. It requires a demon process to run on
the target which listens for and records probe packets sent by the sender.

3. Zing: It measures packet delay and loss in one direction on an end-to-end path. The ZING
sender emits UDP probe packets at Poisson-modulated intervals with timestamps and
unique sequence numbers and the receiver logs the probe packet arrivals. Users specify
the mean probe rate , the probe packet size, and the number of packets in a flight.

4. Traceroute: It uses the TTL field in the IP heard to extract information. It is basically
used to discover the topology of the network. A large scale measurement system that uses
traceroute to discover topology is skitter project.

Other active measurement methods is multicast probing where probes sent via multicast have
the property that a single probe is replicated by routers along the path so network conditions
experienced by one packet can be used as a reference to know about the network as a whole.
Passive measurement tools

Passive measurement are generally carried out by observing network traffic by collecting
packets from a link or network flow from a router, performing analysis on captured packets for
various purposes. This information is used to perform various traffic usage/characterization
analysis/intrusion detection.

1. BGP: The inter domain routing system implemented via BGP, determines how traffic is
exchanged among autonomous systems. Thus a BGP routing table provides a partial
information about the AS level topology- the connections between the ASes that are
present to support traffic exchange.

2. OSPF: Passive captures of all the link state announcements can be made within a routing
domain as OSPF uses flooding protocol that sends all announcements to all the
participating nodes.

3. Syslog: The logs that are maintained at the systems can be used for monitoring the traffic
flowing in the network. Web servers are generally configured to record information about
all client requests. Each line of the access log contains information on a single request for
a document.

4. SNMP data: Data available with MIBs for SNMP can be source of traffic data for
monitoring. SNMP maintains data related to whatever flows in the network in the forms of
databases called as Management Information Base (MIB).

5. Sniffers: Extra devices are attached with network that passively listens to whatever is
going on the network. The do not disturb the ongoing traffic but just records and maintain
traffic flows so as to analyze.
 Properties of Traffic
There are various properties of Traffic that can be important to measure in various settings. All
traffic can be viewed as a set of packets at the IP layer, thus the most basic view of network
would be collection of packets at passing through nodes and routers.

1. Structure of traffic

Starting with a single node, through which a collection of packets pass at some location
in the network we can observe and capture traffic in the form of some stochastic
process.[2]. We can characterize packets as
a). According to their arrival time at particular observation point like {An, n =0,1,2..}.
b). In the form of inter arrival time by set {In, n=1,2,..} where In=An –An-1.
c).In the form of time series of counts of traffic at some timescale T. For a fixed Time
interval T, it can be written as {Cn, n = 0,1,2…} where Cn = #{Am | nT < Am <= (n+1)T}.
d).For expressing in the terms of number of bytes contained in the packet arriving at each
interval: {Bn, n = 0,1,..} where Bn =∑nT<Am<=(n+1)T size(Am) and size(t) is size of the packet
arriving at time t.

The time series for byte count is the most commonly used measure of work load
represented by traffic, since it captures the amount of bandwidth consumed as packets
pass through routers. The time series of packet counts is useful for understanding the
workload generated by traffic on a per packet basis.

The higher level structure of traffic that is imposed by the upper layers namely, the
transport layer and the application layer. This structure is collection of ON/ OFF periods.
There are three levels of ON/OFF periods: at the lowest level, packets itself occur at
ON/OFF pattern (packet transmission followed by silence), above packet level, it forms a
train of packets from source to destination and above the packet train, collection of trains
form a session.

2. Flows

It is defined as a set of packets passing through an observation point during a time

interval, with all the packets having common properties[10].These common properties
 can be based on packet header information, characteristics of packet itself or how it is
processed. Flows can be classified as:
a). IP Flow: A set of packets distinguished by their source and destinations addresses or
any other function of their IP or transport header fields is called IP Flow.
b).Network defined flows: These are the flows that are defined with respect to particular
network’s workload. For a network, flow between ingress and egress routers or origin
and destination can be taken as an example.

3. Semantically distinct types of traffic

Most of the traffic consists of the transport of data between applications running on end
systems.
a).Control Traffic: It includes packets implementing routing protocols, measurement
packets and general control packets.
b).Malicious Traffic.
 Applicability of Traffic Measurements

Traffic measurements and modeling have a wide variety of activities. Two the most important
are

1. Performance analysis: It requires accurate traffic measurements in order to construct

models that are useful for answering questions related to throughput, packet loss, delay
induced in the network elements.

2. Network Engineering: It is concerned with the network configuration, capacity planning,

demand forecasting and traffic engineering for monitoring and improving network
conditions. Traffic engineering is a method of optimizing the performance of a
telecommunications network by dynamically analyzing, predicting and regulating the
behavior of data transmitted over that network [5]

Practical and Statistical Challenges in Traffic Measurements

Practical Issues

1. Observability: The architecture of the network tends to interfere with the easy
measurements that can be done with the network traffic. The emphases on the simplicity
and statelessness of routers lead to lack of observability at many points in the network.
Packet corruption, delay and loss at the lower layers are also not visible at the IP layer.
Also, distributed nature of networks does not allow to completely observe the data.

2. Data Volume: The mostly used form of traffic monitoring is full data packet capture. But
as the link speed increases the full packet capture becomes a challenge. There is huge
volume of data which is hard to manage and store.

3. Data Sharing: Network measurement data and network traffic contain huge amounts of
sensitive information. Traces of full packets can be used to gain hidden and private
information of the users of the network which hinders the security and privacy of the
network service users.
Statistical Difficulties

1. Long tails and high variability: High variability in data means the data or the traffic that
is generated in the network is highly variable in nature. Due to instability of traditional
summary statistics like mean and variance, high variability data exhibits many small
observations mixed in with a few large observations. This is problematic for simulations
involving long tailed distributions which are very slow to reach a steady state. Another
issue is for choosing the best probabilistic model that fits for describing highly variable
data.

2. Stationarity and Stability: Stability refers to the consistency of traffic properties over
time and stationarity is a formal property of stochastic model. These two are related to the
time scales used for measuring the traffic. Different goals for traffic measurements are
associated with different assumptions about traffic stability. Performance analysis is
concerned with short timescales like hour or less and here the traffic is considered to be
stable over these timescales but network engineering is concerned with longer timescale
like from hours to weeks and years for which traffic stability cannot be guaranteed.

3. Auto correlation and memory in system behavior: Due to presence of buffers and
control algorithms that maintain past history, the current system behavior gets affected.
This leads to autocorrelation in system behavior i.e., system’s current behavior is similar
to recent past. These effects can be good or bad depending upon the events that occurred
in the past.

4. High dimensionality: Many of the traffic representations are done in multidimensional

time series, along with when the traffic is measured from a number of locations
differently pose a problem that is known as curse of dimensionality which prevents easy
visualization of data and complicates data modeling and analysis.
 Traffic Analysis
1. Time scales: Many issues in traffic analysis depend upon the time scale in which is used.
For time scales longer than hour or so are not considered to be stationary. Long time scale
network traffic can be thought of as possessing a predictable component and a stochastic
component (signal and noise). At shorter time scales, stationary models are used to
describe the network traffic.

2. Long Range Dependence and Self Similarity: Self-similarity describes the phenomenon
where a certain property of an object is preserved with respect to scaling in space and/or
time. If an object is self-similar, its parts, when magnified, resemble the shape of the
whole. It can be defined as “Self similarity is the property associated with one type of
fractal - an object whose appearance is unchanged regardless of the scale at which it is
viewed” [11]. Self-similar processes are the simplest way to model processes with long-
range dependence – correlations that persist (do not degenerate) across large time scales.
The same follows for ad hoc networks[13].

3. Packet Arrival process is not Poisson: Packets travel in trains, they also travel in tandem,
and do get clumped together, but the inter arrival times are not exponential and are not
independent. Current modeling shows that as the number of sources (Ethernet users)
increases, the traffic becomes smoother and smoother. Analysis shows that the traffic tends
to become less smooth and more bursty as the number of active sources increase. Were
traffic to follow a Poisson or Markovian arrival process, it would have a characteristic burst
length which would tend to be smoothed by averaging over a long enough time scale.
Rather, measurements of real traffic indicate that significant traffic variance (burstiness) is
present on a wide range of time scale.[14].
 Related Work and Current Research Areas
Traffic has been a very popular area of research. It has played role in number of applications like
traffic engineering and Quality of Service ensured delivery. Traffic measurements have been
done for long now and various techniques and tools are being developed for the same like
NetFlow, NeTraMet, skitter..etc. Various organizations work for making and improving the
standards in traffic and measurement area such as CAIDA.

N. Zhang and H. Bao [2] discuss the research that is done in communication networks that lays
stress on traffic engineering (TE). TE main objective is to optimize the performance of a network
through an efficient utilization of network resources. This paper discusses traffic technology and
load balancing in optical networks. Traffic engineering involves adapting the routing of traffic to
the network conditions, with the joint goals of good user performance and efficient use of
network resources. In the network planning and in the evaluation of the effects of the changes in
routing parameters, a network-wide view of traffic is crucial.

M. Youssef et al [1]. discuss the wireless side of wireless networks. Wireless monitoring (WM)
is a passive approach for capturing wireless-side traffic with rich MAC/PHY layer information.
WM can suffer, however, from low capture performance, i.e., high measurement loss, due to the
unreliable wireless medium. There are three advantages to using WM. First, WM captures
detailed wireless-side traffic statistics. Second, WM provides per-frame wireless MAC/PHY
information, such as 802.11 MAC headers. Third, WM does not require any interaction with the
existing network. It uses multiple sniffers to be placed according to the SNR. Multiple sniffers
can reduce measurement loss in two ways. First, a single sniffer may not be able to observe all of
the frames sent to and from a particular AP, due to radio reception and range. By using multiple
sniffers, we can aggregate each sniffer’s local view to create a closer approximation of the AP’s
global view. Second, even if a sniffer had identical radio hardware and positioning to that of an
AP, it may be useful to observe the frames that the AP itself was unable to receive. It is an
improvement over [15], where one sniffer is used for measurement. Two serious drawbacks of
using a single sniffer: Each sniffer experiences severe loss in captured frames and each sniffer
only observes its local view, that is, the frames observed by one sniffer, which may differ from
the AP’s global view. This framework aims to improve the capture performance by using
multiple sniffers, placed according to SNR measurement.
W. Feng et.al [3] describes the results of the first comprehensive analysis of a range of popular
on-line, multiplayer, game servers. The results show that the traffic behavior of these servers is
highly predictable and can be attributed to the fact that current game designs target the saturation
of the narrowest, last-mile link. It is shown that the workload they impart consists of large,
highly periodic bursts of small packets with predictable long-term rates.. In addition to the
aggregate traffic behavior, it is also shown that game players themselves have interesting
session-time and geographic location distributions. Session-times of players are not heavy-tailed
and have a mean that is less than 30 min while the geographic locations of players exhibit
distinct time-of-day variations.

Interesting Research Problems

S. Suri et.al [16] and K. Wu et.al.[17] deal with profile based routing for wired and wireless
adhoc network resp. The traffic profiles are measured and they are used for estimation and
routing in future. The main problem considered here is Multi commodity problem which is
solved via reconfigurations done using the traffic profile estimation [16]. [17] discusses the
improvements in routing protocols for ad hoc networks that can be done through profile based
routing. It proposes an architecture for the network nodes, which can have information regarding
the current scenario of network.
 References
[1] J. Yeo , M. Youssef , T. Henderson , A. Agrawala, “An Accurate Technique for Measuring
theWireless Side ofWireless Networks”, International Workshop on Wireless Traffic
Measurements and Modeling, WitMeMo ’05

[2] M. Crovella and B Krishnamurthy, Internet Measurements: infrastructure, traffic &

applications.

[3] W. Feng, F. Chang, W. Feng, and J. Walpole,” A Traffic Characterization of Popular On-Line
Games”, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 13, NO. 3, JUNE 2005

[4] N. Brownlee and C. Loosley, Fundamentals of Internet Measurement: A Tutorial, CMG

Journal of Computer Resource Management, Issue 102, Spring 2001

[5] N. Zhang and H. Bao, “Research on Traffic Technology in Communication Network” ,

International Conference on Networking and Digital Society, 2009

[6] T. Henderson, D. Kotz, and I. Abyzov, “The changing usage of a mature campus-wide
wireless network” in Proceedings of MOBICOM ’04, pages 187–201. ACM Press, September
2004

[7] D. Kotz and K. Essien, “Analysis of a Campus-wide Wireless Network.”

[8] A. Balachandran, G.M. Voelker, P. Bahl, and V. Rangan.,” Characterizing User Behavior and
Network Performance in a Public Wireless LAN” in Proceedings of ACM SIGMETRICS ’02,
Marina Del Rey, CA, June 2002.

[9] M. Balazinska and P. Castro, “Characterizing Mobility and Network Usage in a Corporate
Wireless Local-Area Network”.

[10]J.Quittek, T.Zseby, B.Claise and S. Zander, “Requirements for IP Flow information export”.
RFC 3917.

[11] M. Crovella, A. Bestavros, Self-Similarity in World Wide Web Traffic: Evidence and
Possible Causes, IEEE/ACM TON, 1997.

[13] Q. Liang, Ad Hoc Wireless Network Traffic—Self-Similarity and Forecasting, IEEE

COMMUNICATIONS LETTERS, VOL. 6, NO. 7, JULY 2002

[14] T .Karagiannis, M.Molle, M.Falautsos , “A Nonstationary Poisson view of Internet

Traffic”, A.Broido; Infocom in 2004
[15]J. Yeo, M. Youssef, and A. Agrawala., “A Framework for Wireless LAN Monitoring and its
Applications”, In Third ACM Workshop on Wireless Security (WiSe’04), Philadelphia, PA,
October 2004.

[16 ] S. Suri, M. Waldvogel, D. Bauer, and P. R. Warkhede, “ Profile Based Routing and Traffic
Engineering”.

[17] K. Wu, J. Harmsf and E. S. Elmallaht, “Profile Based Routing in Wireless Ad Hoc
Networks”.