a first look at modern enterprise traffic
TRANSCRIPT
![Page 1: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/1.jpg)
A First Look atModern Enterprise Traffic
Ruoming Pang, Princeton UniversityMark Allman (ICSI), Mike Bennett (LBNL),
Jason Lee (LBNL), Vern Paxson (ICSI/LBNL),and Brian Tierney (LBNL)
![Page 2: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/2.jpg)
The Question“What does the traffic look like in today’s enterprise
networks?”
• Previous work– LAN traffic [Gusella 1990, Fowler et.al. 1991]– More recent work on individual aspects:
• Role classification [Tan et.al. 2003],• Community of interest [Aiello et.al. 2005]
• Wide area Internet traffic measurements– First study: [Cáceres 1989]
… when the size of Internet was ~130,000 hosts… about the size of a large enterprise network today
![Page 3: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/3.jpg)
Our First Look
• Which applications account for most traffic?• Who is talking to whom?• What’s going on inside application traffic?
– Esp. ones that are heavily used but not well studied:Netware Core Protocol (NCP), Windows CIFS andRPC, etc.
• How often is the network overloaded?
For all above, compare internal vs. wide area
![Page 4: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/4.jpg)
Trace Collection
• Where: Lawrence Berkeley National Lab (LBNL)– A research institute with a medium-sized enterprise
network• Caveat: one-enterprise study
– “The traffic might look like …”
• How: tapping links from subnets to the mainrouters
• Caveat: only traffic between subnets
![Page 5: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/5.jpg)
LBNL Trace Data
• Five data sets• Over three months: Oct 2004 -- Jan 2005
1,5581,5612,0882,1022,531TracedHosts
1500150068681500Snaplen28M22M28M65M18MPackets
1818222222Subnets1 hour1 hour1 hour1 hour10minDuration
Jan 7, 05Jan 6, 05Dec 16, 04Dec 15, 04Oct 4, 04DateD4D3D2D1D0
![Page 6: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/6.jpg)
LBNL Trace Data
• Each trace covers a subnet• Lasts ten minutes or one hour
1,5581,5612,0882,1022,531TracedHosts
1500150068681500Snaplen28M22M28M65M18MPackets
1818222222Subnets1 hour1 hour1 hour1 hour10minDuration
Jan 7, 05Jan 6, 05Dec 16, 04Dec 15, 04Oct 4, 04DateD4D3D2D1D0
![Page 7: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/7.jpg)
LBNL Trace Data
• Two sets of subnets• 2,000 hosts traced per data set
1,5581,5612,0882,1022,531TracedHosts
1500150068681500Snaplen28M22M28M65M18MPackets
1818222222Subnets1 hour1 hour1 hour1 hour10minDuration
Jan 7, 05Jan 6, 05Dec 16, 04Dec 15, 04Oct 4, 04DateD4D3D2D1D0
![Page 8: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/8.jpg)
LBNL Trace Data
• Subnets are traced two at a time– With four NIC’s on the tracing machine
1,5581,5612,0882,1022,531TracedHosts
1500150068681500Snaplen28M22M28M65M18MPackets
1818222222Subnets1 hour1 hour1 hour1 hour10minDuration
Jan 7, 05Jan 6, 05Dec 16, 04Dec 15, 04Oct 4, 04DateD4D3D2D1D0
![Page 9: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/9.jpg)
LBNL Trace Data
• Packets with full payloads allow application-levelanalysis
1,5581,5612,0882,1022,531TracedHosts
1500150068681500Snaplen28M22M28M65M18MPackets
1818222222Subnets1 hour1 hour1 hour1 hour10minDuration
Jan 7, 05Jan 6, 05Dec 16, 04Dec 15, 04Oct 4, 04DateD4D3D2D1D0
![Page 10: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/10.jpg)
Outline of This Talk
• Traffic breakdown– Which applications are dominant?
• Origins and locality
• Individual application characteristics
![Page 11: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/11.jpg)
Network Layer: Is IP dominant?
• Yes, most packets (96-99%) are over IP– Caveat: inter-subnet traffic only
• Aside from IP: ARP, IPX (broadcast), etc.
![Page 12: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/12.jpg)
Transport Layer
• Protocols seen:– TCP, UDP, ICMP– Multicast: IGMP, PIM– Encapsulation: IP-SEC/ESP, GRE– IP protocol 224 (?)
• Is UDP used more frequently insideenterprise than over wide area Internet?
![Page 13: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/13.jpg)
TCP vs. UDP / WAN vs. EnterpriseBreakdown by Payload Bytes
![Page 14: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/14.jpg)
Breakdown of the first data set (D0)(Bars add up to 100%)
![Page 15: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/15.jpg)
80% (or more) payloads are sent within the enterprise.
![Page 16: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/16.jpg)
Yes, UDP is used more frequently inside the enterprise.
![Page 17: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/17.jpg)
Breakdown by Flows
![Page 18: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/18.jpg)
Application Breakdown by Bytes
![Page 19: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/19.jpg)
Application Breakdown by Bytes
net-file:NFS, Netware Core Protocol
![Page 20: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/20.jpg)
Application Breakdown by Bytes
bulk:FTP, HPSS
![Page 21: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/21.jpg)
Application Breakdown by Bytes
windows:Port 135,
139, and 445
![Page 22: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/22.jpg)
Bars for each data set add up to 100%
![Page 23: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/23.jpg)
Internal Heavy-Weights
net-file:NFSNCP
backup:Dantz
Veritas
![Page 24: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/24.jpg)
WAN Heavy-WeightsWAN ≈ web + email
![Page 25: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/25.jpg)
Breakdown by Flows
name:DNS
WINS misc:CalendarCardKey
![Page 26: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/26.jpg)
Summary of Traffic Breakdown
• Internal traffic (vs. wide area)– Higher volume (80% of overall traffic)– A richer set of applications
• Traffic heavy-weights– Internal: network file systems and backup– WAN: web and email
![Page 27: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/27.jpg)
Outline
• Traffic breakdown
• Origins and locality– Fan-in/out distribution
• Individual application characteristics
![Page 28: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/28.jpg)
![Page 29: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/29.jpg)
Half of hosts have no wide-area fan-out (in one hour).
![Page 30: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/30.jpg)
Internal fan-out has a fat tail.
![Page 31: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/31.jpg)
Most hosts have fan-in of no more than 10.
![Page 32: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/32.jpg)
Outline
• Traffic breakdown
• Origins and locality– Fan-in/out distribution
• Individual application characteristics
![Page 33: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/33.jpg)
Example Questions
• Is there a big difference between internaland wide area HTTP traffic?
• How different are DNS and WINS(netbios/ns)?
• What does Windows traffic do?
![Page 34: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/34.jpg)
Internal HTTP traffic
Automated clients vs. the rest:
41%30%4%66%43%42%All other clientsNetware iFolderGoogle DevicesInternal Scanners
9%0.0%0.0%10%0.2%1%48%69%96%5%8%37%
1%0.9%0.1%19%49%20%D4D3D0D4D3D0
BytesRequests
Automated clients dominate the traffic.
![Page 35: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/35.jpg)
DNS vs. WINS
• Where do queries come from?– DNS: both local and remote; most queries come
from two mail servers– WINS: local clients only; queries are more
evenly distributed among clients• Failure rate (excluding repeated queries)
– DNS: 11-21%– WINS: 36-50% (!)
![Page 36: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/36.jpg)
Windows Traffic
Port 139
Port 445
Port 135
Dynamic Ports
CIFS/SMB
NETBIOS
DCE/RPCEndpoint Mapper
File Sharing
DCE/RPC Services(logon, msgr, etc.)
Port numbers don’t tell much…
LAN Browsing
![Page 37: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/37.jpg)
Windows Traffic
Port 139
Port 445
Port 135
Dynamic Ports
CIFS/SMB
NETBIOS
DCE/RPCEndpoint Mapper
File Sharing
DCE/RPC Services(logon, msgr, etc.)
Application level analysis: Bro + binpac
LAN Browsing
![Page 38: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/38.jpg)
Windows Traffic Breakdown
• Majority of CIFS/SMB traffic is for DCE/RPCservices– Rather than file sharing
• Majority of RPC traffic– By request: user authentication (netlogon), security
policy (lsarpc) and printing (spoolss)– By size: printing (spoolss)
![Page 39: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/39.jpg)
Not Covered in This Talk …
• Characteristics of more applications– Email– Network file systems: NFS and NCP– Backup– Further details about HTTP, DNS/WINS, and
Windows traffic• Network congestion
![Page 40: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/40.jpg)
Conclusion
• A lot is happening inside enterprise– More packets sent internally than cross border– A number of applications seen only within the enterprise
• Caveats– One enterprise only– Inter-subnet traffic– Hour-long traces– Subnets not traced all at once
• Header traces released for download!– To come: traces with payloads (HTTP, DNS, …)
![Page 41: A First Look at Modern Enterprise Traffic](https://reader031.vdocument.in/reader031/viewer/2022020703/61fb46932e268c58cd5c3f21/html5/thumbnails/41.jpg)
The EndTo download traces:
http://www.icir.org/enterprise-tracing(or search for “LBNL tracing”)