Characterizing the network behavior o PP traic Raaele Bolla, Marco Canini, Riccardo Rapuzzi, Michele Sciuto DIST - Department o Communication, Computer and System Sciences, University o Genoa Via Opera Pia 3, 5 Genova, ITALY {raaele.bolla, marco.canini, riccardo.rapuzzi, michele.sciuto}@unige.it Abstract Nowadays the majority o Internet traic is generated by peer-to-peer (PP) ile sharing applications. As the popularity o these applications has been increasing dramatically over the past ew years, it becomes increasingly important to analyze their behavior and to understand their eects on the network. The ability to quantiy their impact on the network is undamental to a number o network operations, including traic engineering, capacity planning, quality o service, orecasting or long-term provisioning, etc. We present here a measurement study on the characteristics o the traic associated with two dierent PP applications. Our aim is to provide useul insight into the nature o PP traic rom the point o view o the network. To achieve this, we introduce a novel meauserement, Content Transer Index (), to distinguish two classes o behavior associated with PP traic: the download and the signaling traic proile. Next we apply the to our data sets and show that it eectively oers a general characterization o PP traic. Finally, we present a number o statistical measurements that are signiicantly unbiased due to having considered the distinction between the two classes. To the best o our knowledge, this is the irst study to ollow this approach. We believe such a study will help researchers better understand the impact o PP applications on the network and how to improve their perormance. I. INTRODUON Nowadays peer-to-peer (PP) ile sharing applications constitute a major share o the total traic in the Internet []. PP traic is believed to be hazardous or networks, not only because o its high traic volume, but also the transer o large iles. As the popularity o these applications has been increasing dramatically over the past ew years, it becomes important to analyze their behavior and understand their eects on the network. In particular, quantiying their impact on the network is important to a broad range o network operations, including traic engineering, capacity planning, quality o service, orecasting or long-term provisioning, etc. Recent works ([], [3] and []) have shown that accurate identiication o PP traic is challenging because PP applications, particularling the newer generations are incorporating various strategies to avoid detection. The ability to identiy PP traic is undamental to quantiy the impact o PP applications. However, it only represents a irst step towards ully understanding their behavior and eects on the network. We present here a measurement study on the characteristics o the traic associated with two dierent PP applications. Our aim is to oer useul insight into the nature o PP traic as it is seen rom the point o view o the network. To achieve this, we introduce a novel measurement, Content Transer Index (), that distinguishes two classes o behavior or the PP traic: the download and the signaling traic proile. We applied the to our data sets and we show that it eectively oers a general characterization o PP traic by presenting a number o statistical measurements. Our results show that the download traic is, as expected, the majority o the total traic volume. However, because o the large number o signaling communications, simple statistical measurements applied to the entire traic aggregate are biased as they ail to capture the real behavior o PP traic. Because o the large dierences between these two types o traic, we argue that a comprehensive PP traic characterization should include this distinction. As a preliminary validation, we compared the s outcome, speciically the edonkey downloads, against the ground truth built using the methodology presented in [5], resulting in an accuracy o above 95%. The remainder o this paper is organized as ollows. Section II describes how we identiied PP traic in our data sets. Section III gives a brie overview o the edonkey and BitTorrent PP networks. Section IV presents our characterization o PP traic, and the results o its application to a number o measurements are shown in Section V. Finally, Section VI concludes the paper. II. DATA COLLEON We analyzed traces that were collected using an optimized Linux-based open router [] turned into a monitoring box. The monitor was located at two dierent links o the University s campus network. For both traces, we captured every packet seen on each direction o the links along with its ull payload and we removed the link layer header (ethernet). To capture the irst trace (DEPT), the monitor was located on the link connecting our department to the campus network. The second trace (GENUA) was captured by monitoring the main connection to the Internet. Being a data set that spans over two weeks, the DEPT trace is our reerence trace, whereas GENUA is used to conirm our indings. We post-processed the trace in order to exclude the TCP connections or which we do not observe the canonical set up (triple handshake). Table I lists general workload dimensions o our data sets: counts o distinct source and destination IP addresses, and the number o lows, packets, and bytes observed. The optimizations include using the Linux NAPI s polling mode and tuning the network card s RX ring buer and the OS s socket buers.
TABLE I GENERAL WORKLOAD DIMENSIONS OF OUR TRACES. Set Dur. Src. IP Dst. IP Flows Packets Bytes DEPT 9h.8M 5.9M M M 738GB GENUA h K 53K 97K M.5GB In this study we deine lows as unidirectional, while we use the term conversation to denote bidirectional traic, i.e., a conversation is composed by two lows: traic rom A to B, and traic rom B to A. Each low is always identiied by two end points consisting o {IP, port} pairs and the transport level protocol. For a protocol like UDP, which is not connection oriented, we use a timeout o s to determine the end o a conversation. We used two open source tools, namely l7-ilter [7] and ippp [8], to classiy the PP traic in our traces. Both these tools identiy PP lows via pattern matching, i.e., searching the payload content o the packets or known protocol signatures. These classiiers act every time a packet is received, and mark a conversation as classiied as soon as they ind a known pattern in one direction. For scalability reasons, only up to the irst N packets o each conversation are tested, where N is a user conigurable parameter. These tools dier in the way the pattern matching is realized: l7-ilter reassembles the packet payloads into a buer (there is one buer or each direction), stripping the null bytes, and uses regular expressions to search the buer or strings containing a match to a known protocol signature; ippp searches each individual packet or known patterns o the most common PP protocols. Many o the signatures used by l7-ilter and ippp are obtained rom protocol speciications. However, because this is not generally possible or proprietary protocols, they are in some cases derived rom reverse engineering the protocols, like what has been done by the authors o []. Because these tools are not available as o-line trace processing tools (they are originally meant to be deployed as ilters in the Linux s iptables irewall or traic shaping purposes), we ported their source code to the Click modular router [9], which turned out to be a viable analysis ramework. We validated our versions o the tools against the original tools by comparing the results obtained rom the classiication o the GENUA data set. The outputs were indeed the same. We exploited both these tools to accurately identiy PP traic in our data sets. As done in [3], we limited to the number o packets per low searched or signatures. By running the tools on our traces, we ound that the dierences in their classiication results were negligible, thereore we only used ippp. Finally, we compared the classiication results obtained with our ippp classiier with the output o the payload classiier used to validate BLINC [], obtaining very close results on our data sets. Table II presents the volumes o PP traic in our traces, divided by PP application. In the remainder o the paper we only ocus on the traic TABLE II BREAKDOWN BY PROTOCOL OF PP TRAFFIC VOLUME IN OUR TRACES. PP Protocol GENUA DEPT BitTorrent 9.7%.9% edonkey 7.33% 73.55% Gnutella.78%.% KaZaA.%.% DirectConnect 7.%.% WinMX.%.% generated by edonkey and BitTorrent, since the majority o PP traic in our campus network is associated with these two applications. III. EDONKEY AND BITTORRENT OVERVIEW In this section we briely present the main eatures o edonkey and BitTorrent. edonkey: The edonkey network belongs to the class o hybrid PP architecture: it is composed o peers and multiple servers. The servers provide a ile search service and maintain a list o addresses o other servers, to be distributed to peers. Each peer logs on to one o the servers (using a TCP connection) and registers its shared iles with it. To search a ile, a peer sends the query to its main server which replies with a list o matching iles and their location. Optionally, the peer can send urther queries directly to other servers via UDP. To download a ile, a peer establishes direct TCP connections to the peers that are sharing the requested ile. During download, iles are split into separate pieces. Pieces o the same ile can be obtained rom several dierent peers. Finally, a ile can be shared by a peer beore it is completely downloaded. BitTorrent: BitTorrent is a ile distribution system based on the PP paradigm. Unlike other popular PP networks, such as edonkey or Gnutella, which comes with a ile search service, the sole objective o BitTorrent is to quickly replicate a single large ile to a set o clients. There is a separate torrent or each ile that is distributed. A torrent consists o a central component, called a tracker and all the currently active peers. The role o the tracker is to act as a rendez-vous point or the peers o the torrent, however it is not involved in the actual distribution o the iles. Once a peer joins a torrent, it irst contacts the tracker to retrieve a list o active peers. It then cooperates with - peers chosen at random to replicate the ile among each other. Although there are unoicial extensions to support UDP communications, by deault, BitTorrent only uses TCP. IV. PP TRAFFIC CHARACTERIZATION PP traic can be roughly divided into download traic and signaling traic: the irst is caused by the transer o content, PP traic is believed to be hazardous or networks, and our campus network makes no exception. We are aware that a iltering system has been deployed, realizing traic shaping or the most common PP applications.
the latter is mainly due to the presence o an overlay network, and possibly a search service. Because o the large dierences between these two types o traic, we argue that a comprehensive PP traic characterization should include this distinction. In act, even though the download traic is generally the major share o the total PP traic volume, i such distinction is not taken into account, then, because o the large number o signaling conversations, simple statistical measurements are biased. A way to accurately dierentiate download vs. signaling traic would be to implement a protocol analyzer. Although one can leverage existing tools, e.g. binpac [], to build protocol analyzers, this solution has several drawbacks: (i) it requires speciic knowledge o PP protocols, (ii) it needs access to the payload o each packet, (iii) it has to maintain a state or each conversation. In particular, we are interested in characterizing the PP traic rom the point o view o the network, i.e., to gain more insight on the distinctive characteristics o the behavior o aggregates o download and signaling PP conversations, including the volumes o carried content, the conversations interarrival times and durations. We point out that it is not our intention to provide a method that deterministically divide PP conversations into the two categories. Thus, we ollow a novel approach that doesn t rely on the accuracy o the solution based on protocol analyzers, but provides a means or clearly distinguishing two dierent classes o behaviors and or treating PP traic with generality. We call such classes o behaviors the download and the signaling traic proiles. To some extents we re abusing this terminology, as it is possible, though not common, that a download conversation exhibits the typical characteristics o signaling traic and vice-versa. For example, early truncated downloads are not clearly distinguishable rom signaling conversations. However, we accept such misclassiications because misclassiied lows don t bias our measurements and we want to keep our method simple. Our approach consists o a way to oer a statistical characterization o PP traic through the ormalization o a measurement index. We now deine the Content Transer Index (CT I) o a conversation C as: F + F P MSS(C) + + F p [, ], MSS(C) where F, are the lengths o the two lows constituting C, such that F. One can use three dierent low eatures to represent its length: the packet count, the count o payload bytes and the count o headers and payload bytes. However, in this paper, we only present the results obtained by using the count o payload bytes as the low length. P and p represent the average number o payload bytes per packet calculated or the low with length F and respectively. The maximum segment size (MSS) o the conversation C is expressed with MSS(C). For the UDP, we assume that the MSS corresponds to the maximum transer unit (MTU) minus the IP and UDP headers lengths. Hence, given the pair o end points {A, B}, the gives us a measure o the way the content is transerred. At the opposite ends o the spectrum there are two distinct traic proiles: when the conversation is latter or balanced (i.e., A and B exchange an even quantity o content, mainly using packets whose payload size is ar rom the MSS), then the s value tends to zero; when the conversation is richer o content which is either transerred rom a single end point that dominates the conversation (unbalanced), or eiciently exchanged between the end points, then the s value tends to one. The intuition behind the proposed metric derives rom observing that the traic proiles o download and signaling conversations are quite dierent. The idea is that, during a ile download, a peer, on average, gets packets illed up to the MTU and sends back ewer packets to acknowledge the received data. Even when the peers are exchanging pieces o a single ile with one another (as realized in BitTorrent), causing balanced conversations, still, the average payload size tends to reach the MSS. On the contrary, the signaling conversations are characterized by a latter proile, consisting o a more even count o exchanged bytes and packets. Throughout the rest o the paper, we divide PP traic into signaling vs. download by using the value o the conversation s. In particular we use a threshold to distinguish the two traic types: a conversation with a s value above the threshold is marked as download, while a value below the threshold determines a signaling conversation. To validate our metric, we classiy edonkey conversations in our DEPT data set into download and non-download. A conversation is marked to belong to the download category i the conversation contains at least one o the edonkey protocol opcodes OP SENDINGPART or OP COMPRESSEDPART. We computed the accuracy as the number o correctly classiied download conversations over the total count o conversations. We ound that using. as the threshold, we correctly classiy 95% o the download conversations (i.e., 95% o the download conversations have greater than.). The value. appears to the common break point to the graphs in Figure and we choose to use it in the rest o the paper. The limit o this validation is that we are unable to accurately identiy signaling conversations rom the ones classiied as non-download, because some download conversations might end up being in the non-download category. However, we obtain that only the.5% o non-download conversations have s value above the threshold and that there is a dierence o one order o magnitude between the average packet size, volume and duration o the non-download conversations above the threshold and those below it.
[%] 5 3 F+ 7 5 3 [%] 5 3 F+ 8 8...3..5..7.8.9 (a) edonkey - DEPT...3..5..7.8.9 (b) edonkey - GENUA 35 3 F+ 35 3 F+ [%] 5 5 8 [%] 5 5 8 5 5...3..5..7.8.9...3..5..7.8.9 (c) BitTorrent - DEPT (d) BitTorrent - GENUA Fig.. Relationships between the conversations, payload bytes and the o (a) edonkey conversations in DEPT, (b) edonkey conversations in GENUA, (c) BitTorrent conversations in DEPT and (d) BitTorrent conversations in GENUA. The histograms are plotted with bin size.. A. graphs V. PP TRAFFIC ANALYZES Figure a, b, c and d show the relationships between the conversations, payload bytes and the o DEPT s edonkey, GENUA s edonkey, DEPT s BitTorrent and GENUA s BitTorrent TCP conversations respectively. Each igure shows three overlapping histograms, symbolizing the ollowing igures corresponding to the same range: the number o conversations, the summation o the minimum and maximum length lows o the conversations (denoted with F + ) and the summation o just the minimum length lows (denoted with ). All the graphs clearly show two distinctive proiles: the signaling proile containing most o the conversations is having values below., whereas the download proile dominated by the payload bytes above.. Also note in the signaling proiles that the conversations are quite balanced ( is almost F). B. Interarrival times Table III lists the average, standard deviation and maximum conversation interarrival times. TABLE III AVERAGE, STANDARD DEVIATION AND MAXIMUM CONVERSATION INTERARRIVAL TIMES [S] IN DEPT. Conversation Avg. Std. dev. Max edonkey sign..33.3.5 edonkey down.. 7. 53.58 BitTorrent sign..5 57.7 58. BitTorrent down.. 573.93 73359. The CDFs o both the edonkey and BitTorrent conversation interarrival times reveal an exponential decay, as shown in Figure. There is again a signiicant dierence or signaling and download conversations since downloads happen rarely. Note that the graphs or DEPT and GENUA are comparable even though they are two dierent points o aggregation. C. Durations Table IV lists the average, standard deviation and maximum conversation durations. The CDFs o both the edonkey and BitTorrent conversation durations, shown in Figure 3, reveal some interesting inorma-
CDF.9.8.7..5..3.. 3 5 Arrival time [s] Fig.. (a) DEPT CDF.9.8.7..5..3.. 8 Arrival time [s] (b) GENUA CDF o the observed edonkey and BitTorrent conversation interarrival times. CDF.9.8.7..5..3.... Duration [s] (a) DEPT Fig. 3. CDF.9.8.7..5..3.... Duration [s] (b) GENUA CDF o the observed edonkey and BitTorrent conversation durations. TABLE IV AVERAGE, STANDARD DEVIATION AND MAXIMUM CONVERSATION DURATIONS [S] IN DEPT. Conversation Avg. Std. dev. Max edonkey sign. 59. 55.5 3.7 edonkey down. 9.7 98. 887.89 BitTorrent sign. 3.8 983.8 87.8 BitTorrent down. 575.98. 87.5 tion. First o all, the curves o the download conversations are very similar or both the protocols and both the traces. This is primarily due to the s capability to distinguish the nature o a conversation, regardless o the speciic PP protocol. The edonkey signaling conversation durations appear to be concentrated in a small range o values, while the BitTorrent one is distributed in a larger range o small values. VI. CONCLUSION AND FUTURE WORK In this paper we have presented a characterization o PP traic. We have introduced a new measurement, the, that can be used to distinguish two classes o behavior or the PP traic: the download and the signaling traic proile. We applied the to the edonkey and BitTorrent conversations in our data sets and we showed that it eectively oers a general characterization o PP traic. Finally, we presented a number o statistical measurements that are signiicantly unbiased because o the distinction in those two proile classes. In the uture, we want to extend the ormula to depend on the count o packets in the conversation in order to deal with small unbalanced conversations that would be classiied as download but are most likely going to be signaling. We re also interested to extend this work to dierent types o PP applications and apply the to dierent content such as audio and video. In a next step, we will deine a model based on the presented measures that can be used to generate PP traic aggregates. We ll also consider the possibility to build a PP traic classiier based on the temporal evolution o the. ACKNOWLEDGMENT This work was supported by the project INTERMEDIA NoE, in the rame o the EU IST FP Program, by MIUR- PRIN project FAMOUS Fluid Analytical Models O autonomic Systems and by MIUR-PRIN project RECIPE Robust and Eicient traic Classiication in IP networks. We also would like to thank CSITA or helping us during the work. REFERENCES [] S. Sen and J. Wang, Analyzing peer-to-peer traic across large networks, in Second Annual ACM Internet Measurement Workshop, Nov.. [] T. Karagiannis, A. Broido, N. Brownlee, kc clay, and M. Faloutsos, Is PP dying or just hiding? in IEEE GLOBECOM,. [3] S. Sen, O. Spatscheck, and D. Wang, Accurate, scalable in-network identiication o PP traic using application signatures, in Proceedings o the 3th international conerence on World Wide Web, May.
[] T. Karagiannis, K. Papagiannaki, and M. Faloutsos, BLINC: Multilevel traic classiication in the dark, in Proceedings o ACM Sigcomm, Aug. 5. [5] K. Tutschku, A measurement-based traic proile o the edonkey ilesharing service, in Proceedings o PAM, Apr.. [] R. Bolla and R. Bruschi, RFC 5 perormance evaluation and internal measurements or a Linux based open router, in Proceedings o IEEE Workshop on High Perormance Switching and Routing, Jun.. [7] l7-ilter, http://l7-ilter.sourceorge.net. [8] IPPP, http://www.ippp.org. [9] E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek, The click modular router, ACM Transactions on Computer Systems, vol. 8, no. 3, pp. 3 97, Aug.. [] R. Pang, V. Paxson, R. Sommer, and L. Peterson, binpac: A yacc or writing application protocol parsers, in Proceedings o ACM Sigcomm Internet Measurement Conerence, Oct..