Local Area Network Layer-2 Topology Mapping

Doron Peled, Michal Rimmer
Supervisor: Zigi Walter
Networked Software Systems Lab, Department of Electrical Engineering
Technion - Israel Institute of Technology
Winter semester 2009



Description

Goal: Determining the layer-2 topology for an unknown LAN.

Means: One end-point member of the LAN, without any special equipment.

The Challenge: Layer-2 equipment has no signature of its own in the LAN so there is no known straightforward way to map the LAN’s layer-2.

Our solution: A statistical estimation approach that we have developed. This approach is based on correlation measures that were used in the articles [1], [2].

[1] "Network Radar: Tomography from Round Trip Time Measurements", Yolanda Tsang, Mehmet Yildiz, Paul Barford, Robert Nowak

[2] "Maximum Likelihood Network Topology Identification from Edge-based Unicast Measurements", Mark Coates, Rui Castro, Robert Nowak

[Figure: Unknown LAN, with source S and members a, b, c, d]

Our Solution – The Mathematical Concept

Estimate the shared path between each pair of members by finding statistically correlated behavior between members of the LAN:

The solution is based on sending a large number of combinations to every possible pair of LAN members.

Each combination is 2 ICMP messages (pings) sent to 2 different members in the LAN.

The estimation of the path which 2 members of the LAN share is based on the RTT (Round Trip Time) data which was collected and analyzed by our tools.

By cross-analyzing all the statistics that are gathered, it is possible to estimate the topology of the LAN.

[Figure: LAN tree with source S, node R and members a, b, c, d; labels: Split Point, Shared Path between a and b]
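The correlation step described above, as an added example in Python (not the authors' code; their Results Analyzer was written in Matlab). The RTT data is constructed: the tree S - R - {sw1: a, b; sw2: c, d}, the exponential delay model, the 0.5 threshold and all function names are assumptions made for illustration.

```python
import itertools
import random
from statistics import mean
# Constructed ground truth (assumption): S - R - {sw1: a, b ; sw2: c, d}
SWITCH_OF = {"a": "sw1", "b": "sw1", "c": "sw2", "d": "sw2"}

def simulate_combo(rng, x, y):
    """One combination: two back-to-back pings; returns (rtt_x, rtt_y) in seconds."""
    q_root = rng.expovariate(1 / 10e-6)  # queueing delay on the path every member shares
    q_sw = {sw: rng.expovariate(1 / 20e-6) for sw in ("sw1", "sw2")}  # per-switch queueing
    def rtt(host):  # fixed base + shared queues + independent end-host noise
        return 200e-6 + q_root + q_sw[SWITCH_OF[host]] + rng.expovariate(1 / 10e-6)
    return rtt(x), rtt(y)

def pearson(xs, ys):
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5

def pair_correlations(samples):
    """samples: {(x, y): [(rtt_x, rtt_y), ...]} -> {(x, y): correlation}."""
    return {pair: pearson(*zip(*rtts)) for pair, rtts in samples.items()}

def group_by_switch(corr, threshold=0.5):
    """Merge members whose RTT correlation exceeds the (assumed) threshold."""
    parent = {h: h for pair in corr for h in pair}
    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for (x, y), r in corr.items():
        if r > threshold:
            parent[find(x)] = find(y)
    groups = {}
    for h in parent:
        groups.setdefault(find(h), set()).add(h)
    return sorted(sorted(g) for g in groups.values())

def run_demo(seed=1, combos=2000):
    rng = random.Random(seed)
    samples = {pair: [simulate_combo(rng, *pair) for _ in range(combos)]
               for pair in itertools.combinations(sorted(SWITCH_OF), 2)}
    corr = pair_correlations(samples)
    return corr, group_by_switch(corr)

if __name__ == "__main__":
    print(run_demo())
```

With real captures, the per-pair RTT lists produced by the parsing stage would take the place of simulate_combo.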

Our Solution – The Software Tools

Packet Generator (we developed in C++, Linux): Prepares and sends the ICMP combinations rapidly. Designed to send all the messages in the same combination as close to each other as possible.

Wireshark Sniffer (Open Source in C++, Linux): Records all network traffic. For this solution we record only the ICMP protocol, using a built-in filter.

Parser (we developed in Perl, Linux): By parsing the huge Wireshark output files we receive smaller files containing only relevant information in the right format for the Results Analyzer. We also filter out any packet which is not a ping or its response ("pong") between the relevant members.

Results Analyzer (we developed in Matlab, Windows): Analyzes the data and gives the statistical results in tables and graphs.

Overview - source computer

[Figure: block diagram of the source computer. Labels: Hardware (network adapter); ONLINE ("real time") software tools; OFFLINE software tools; Packet Generator (C++); WireShark (open source); Output File; Parser (Perl); Output File; Statistics Analyze Function (Matlab)]

Examples and Results

Results: All the tools were examined and proved to be working correctly. The final results from all the experiments were inconclusive, yet they have shown that our suggested approach is probable.

[Plot: "RTT Raw Data"; x-axis: Combo number; y-axis: RTT [sec] (×10^-4); series: 132.68.61.238, 132.68.61.222 and the average of each]

[Plot: "RTT Raw Data"; x-axis: Combo number; y-axis: RTT [sec] (×10^-4); series: 132.68.56.164, 132.68.49.191 and the average of each]

High correlation behavior of the RTTs of 2 members which share the same layer-2 switch in the LAN

Low correlation behavior of the RTTs of 2 members which are distant from each other in the layer-2 topology