The 9th International Conference for Young Computer Scientists

Design and Implementation of a Network Behavior Analysis-oriented IP Network Measurement System

Bin Zeng 1, Dafang Zhang 2, Wenwei Li 2, Gaogang Xie 3, Guangxing Zhang 3
1 College of Computer and Communication, Hunan University, Changsha, 410080, China
2 Software School, Hunan University, Changsha, 410080, China
3 Institute of Computing Technology, Chinese Academy of Science, Beijing, 100080, China
{zengbin604, dfzhang, liww}@hnu.cn, {xie, guangxing}@ict.ac.cn

Abstract

Analyzing the characteristics of network behavior provides a scientific basis for designing, building, and managing the next generation Internet, and is especially important for monitoring network behavior. This paper establishes a system of metrics that evaluates the behavior of IP networks with respect to the needs of network behavior analysis, introduces the design and implementation of a network monitoring system that focuses on analyzing the characteristics of network behavior, analyzes the crucial problems in the system design, and builds an experimental environment and runs tests on it. The results show that our system satisfies all requirements imposed by real-time monitoring of network behavior and is therefore able to support decision making in operating and managing networks.

Keywords: Network behavior, network measurement system, packet capture, behavior metrics.

1. Introduction

With the growth in the processing capability of network devices, link speeds are continuously increasing and new applications continue to emerge, which changes network characteristics a great deal. The emergence of the information society and the globalization of knowledge have also placed new demands on the Internet. Quality of service is becoming an enormous challenge for the Internet.
To solve the problem of IP quality of service in IP network management, researchers have gradually carried out research on network behavior since the beginning of the 1990s. Network behavior research studies the characteristics of how a network behaves in operation. By finding the various behavioral patterns in a network, we can identify the key factors that lead to changes in behavior and explain the causes of various network phenomena. Network behavior plays a key role in research on trend analysis, hotspot monitoring (overloaded paths), congestion avoidance and so on.

At present, network behavior research uses methods in the following three categories. The first is model analysis, which uses mathematical methods to establish a network model, such as the self-similar traffic model [1] [2] [3] [4], the Gilbert packet loss model [5] [6], and the TCP throughput model [7]. As networks become more complicated, more and more factors must be considered and establishing a network model becomes more and more difficult, so this method faces enormous challenges. The second is simulation. By establishing a statistical model of network links and simulating the transmission of network traffic, simulation software acquires the network behavior data needed for network design or optimization [8]. However, the complexity of the network environment restricts its application. The third is measurement and analysis. Network measurement performs performance tests on a network in actual operation, capturing quantitative measurement data about the Internet and its activities to obtain the network's history, current status and trend forecasts [9]. Because of the increasing complexity of the Internet and the increasing difficulty of establishing mathematical models, network measurement is becoming the chief method for analyzing network behavior. At present, there are many methods and results in network measurement.
The data reflecting the network state can be collected by a network management system. However, the analysis of collected data lags far behind collection techniques, and the characteristics of the network cannot be obtained from real and historical data. Meanwhile, a large number of theoretical models of network behavior have been proposed, but they are detached from real network environments and lack persuasiveness. In this paper, on the basis of relevant work [10-13], we design and implement a network monitoring system for analyzing the behavior characteristics of networks. Network behavior is partitioned into traffic behavior, end-to-end behavior, routing, and application behavior. The system integrates network monitoring technology and network data analysis techniques organically to provide a unified analysis platform for the various behaviors of a network.

978-0-7695-3398-8/08 $25.00 © 2008 IEEE. DOI 10.1109/ICYCS.2008.59

2. Monitoring and analyzing metrics

To understand the overall running status of the Internet, we define the following five categories of network behavior measurement parameters: traffic behavior, end-to-end behavior, routing behavior, application behavior and network element behavior. Each is described in detail below.

Traffic behavior: Network traffic analysis metrics are obtained by deploying packet capture tools at key points of the network. The metrics can be divided into packet-level and flow-level. Packet-level metrics include the link-layer traffic (rate), the packet size distribution, the traffic of 280 kinds of protocol, and the port traffic information of the top N flows; flow-level metrics include the number of concurrent flows in a measurement cycle, the number of new flows, the number of aging flows, the flow size distribution, the flow duration distribution, and the flow information of the top N flows by size and by duration.

End-to-end behavior: From the measuring source point to the end point, the routers and links between the two points compose an end-to-end path. By sending specific probe packets from the measuring end to the measured end and observing the response of the network, the service quality of the end-to-end path is inferred. The metrics for evaluating an end-to-end path include connectivity, one-way/round-trip, packet loss, one-way delay, round-trip delay, delay jitter, bottleneck bandwidth, available bandwidth, and TCP throughput.
Routing behavior: The BGP/OSPF simulator built with Zebra is used to collect router information, and end-to-end routing data is collected with the aid of traceroute. The monitoring of routing behavior includes inefficient routing analysis, routing stability analysis, routing convergence analysis, morbidity advertisement analysis, routing circulation analysis, routing policy analysis, routing oscillation analysis, whether running distributed, no routing circulation, running as needed, safety and time complexity, communication complexity, routing efficiency and so on.

Application behavior: A methodology that monitors end-to-end user applications, termed the active application probing mode, is used. By sending requests from the client to the server and observing the responses from the server, the methodology reflects the performance of end-to-end applications without knowing the state of the network devices. The application performance metrics can be divided into two subcategories: network/server accessibility and efficiency.

Network element behavior: The SNMP protocol is used to collect network control information such as routing updates and MIB status from the relevant devices. Specifically, this includes automatic discovery and maintenance of the network topology, the properties of major network devices, operating status, device traffic, and SNMP capability information.

3. System design

The key to network behavior monitoring is the real-time acquisition and analysis of network behavior data. An IP network monitoring system oriented toward the analysis of network behavior characteristics must satisfy this requirement; that is, the core of the system design has to be the network behavior data. The monitoring system can run tests in real time or over the long term according to its configuration, collect behavior data, and present the network behavior indicators to the user in an intelligible way. The functions of the system are partitioned by data, as shown in Figure 1.
Figure 1. System function partition

3.1. System composing

Based on the foregoing analysis, the network behavior-oriented IP network monitoring system is shown in Figure 2; it is designed to support the needs of various network behaviors. The system is divided into three layers: the measurement platform, the control platform and the analysis platform.

Measurement Platform: Its main functions are as follows: collection tools used to save various network behavior data, including a traffic capturer, P2P measurement tools, a router simulator, an operation emulator, and an SNMP agent; measuring or importing various data; sending coded measurement results to the control platform; and saving results.

Control Platform: The major function of the control platform is to dispatch data collection tasks and send measurement commands. The data collecting module, data analysis module and data visualization module work together to accomplish the measurement tasks, and the enormous volume of network behavior monitoring data is stored in the database after being simplified.

Analysis Platform: Producing visualization data from the original data is a process of analyzing and abstracting data. The analysis platform discards the large amount of data unrelated to network behavior measurement, constructs the metric data set of network behavior and takes charge of the analysis of all data.

Figure 2. System architecture

The architecture adopts centralized management and distributed measurement, with good openness and scalability. The system can be used for flexible measurement and analysis of network behavior and is suitable for mass deployment, since measurement tools are easily added. Network performance can be easily evaluated by analyzing the data comprehensively through the analysis engine.

3.2. System design and realization

Figure 3 shows a sketch map of measurement control. The main functions of the analysis platform are the configuration of task parameters and the analysis of measurement results. The measurement task is assigned to the system control and measurement program, which, once the parameters are configured, invokes the relevant measurement tools to carry out the measurement. The control and measurement program then uses a pipeline to transfer the results to the data analysis engine, which displays the analyzed results graphically and, when the entire measurement has finished, prepares the next measurement at the same time.

Figure 3. Sketch map of measurement control

The main function of the control platform is controlling and managing measurement tasks.
The control module first collects and analyzes the user-configured parameters, then creates a thread and sends the parameters to the measurement tool; finally, after the measurement has finished, it stores the measurement results in the database, analyzes them and sends the results back to the analysis platform.

The measurement platform carries out the specific measurement work. After receiving a measurement task, the system control module creates a corresponding measurement thread according to the measurement type and measurement parameters. The thread starts one measurement tool among the five measurement tool modules.

Figure 4 describes the information and data processing inside the system in detail. The system program mainly includes three threads: the management and control thread, the measurement thread, and the analysis and visual display thread. The management and control thread is in charge of creating two threads: one is used by users to manage measurement tasks, and the other is used to control measurement tools and tasks, for example assigning tasks to the measurement thread and storing and analyzing measurement data. The measurement thread is in charge of receiving measurement tasks from the management and control thread, creating a measurement thread and starting a measurement tool to measure. The measurement thread sends its results to the analysis and visualization thread, which shows the results to the user graphically. A pipeline is used for communication between threads.

Figure 4. Information and data process inside the system

3.3. Crucial technology

The probe used in the system is built on a common hardware platform. Therefore, highly efficient packet capture and a flow characteristic acquisition method that uses few system resources are the key to guaranteeing the accuracy of the system. We implement a new traffic capture method based on shared memory to improve efficiency. The key to this method is using memory shared between kernel space and user space as the packet buffer, which reduces the number of system calls and implements packet zero-copy. By taking advantage of shared memory, the packet receive path from the NIC driver buffer to the user-level application is shortened.

As Figure 5 shows, the shared-memory packet capture method for high-speed networks consists of three parts: the packet capture driver module, the shared memory management module and the upper-level application API interface. The packet capture process is as follows: (1) the packet capture driver module is accessed through a revision of the driver program; (2) the shared memory management module inspects the packet buffer memory space, and if space is still available the packet is written through the DMA (Direct Memory Access) channel to the shared memory and the call returns, otherwise the packet is discarded directly; (3) the flow monitoring and analysis application calls the upper-level API interface to access the packet in the shared memory buffer, and then releases the packet buffer after completing packet processing and analysis.

Figure 5. Shared memory method architecture

The establishment of the shared memory space is the key to implementing packet capture for high-speed networks. The packet capture driver module is responsible for writing packets to the shared memory.
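
The three capture steps above, modeled in user space as an added example (not code from the paper): a single-producer/single-consumer ring in which memcpy stands in for the driver's DMA write. The names pkt_ring, ring_produce, ring_peek and ring_release, and the sizes SLOTS and SLOT_LEN, are assumptions made for the illustration.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS    4u     /* assumed ring size, must be a power of two */
#define SLOT_LEN 1514u  /* assumed maximum Ethernet frame length */

struct slot { uint16_t len; uint8_t data[SLOT_LEN]; };
/* Layout of the region that would be mapped into kernel and user space. */
struct pkt_ring {
    _Atomic uint32_t head;   /* written only by the producer (driver) */
    _Atomic uint32_t tail;   /* written only by the consumer (application) */
    uint32_t dropped;        /* producer-side count of discarded packets */
    struct slot slots[SLOTS];
};

/* Step 2: store the packet if a slot is free, otherwise discard it.
 * memcpy stands in for the DMA write. Returns 1 if stored, 0 if dropped. */
int ring_produce(struct pkt_ring *r, const void *frame, size_t len)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (len == 0 || len > SLOT_LEN || head - tail == SLOTS) {
        r->dropped++;        /* bad length or ring full: drop, never overwrite */
        return 0;
    }
    struct slot *s = &r->slots[head & (SLOTS - 1)];
    memcpy(s->data, frame, len);
    s->len = (uint16_t)len;
    /* Release: the payload must be visible before the new head is. */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return 1;
}

/* Step 3, access: return a pointer into the shared buffer (no copy), or NULL. */
const uint8_t *ring_peek(struct pkt_ring *r, size_t *len)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return NULL;         /* ring empty */
    const struct slot *s = &r->slots[tail & (SLOTS - 1)];
    *len = s->len;
    return s->data;
}

/* Step 3, release: hand the slot back once processing is done. */
void ring_release(struct pkt_ring *r)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    if (tail != atomic_load_explicit(&r->head, memory_order_acquire))
        atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
}

int main(void)
{
    static struct pkt_ring ring;         /* zeroed; stands in for the mapping */
    const uint8_t frame[60] = { 0x45 };  /* constructed sample packet */
    size_t len = 0, drained = 0;
    for (int i = 0; i < 6; i++) ring_produce(&ring, frame, sizeof frame);
    while (ring_peek(&ring, &len)) { ring_release(&ring); drained++; }
    printf("stored=%zu dropped=%u\n", drained, ring.dropped);
    return 0;
}
```

The acquire/release pairs carry the ordering that a system call would otherwise impose: with none between the two sides, the consumer must not observe the new head before the packet bytes it covers.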
The flow monitoring and analysis application calls the API interface to read packets for statistics and analysis. Because the packet capture driver module writes packets into the shared memory directly and circularly, and applications in user space call the API interface to access the shared memory, packet zero-copy is achieved and the system calls are eliminated.

4. Application of the system

We carried out measurement and analysis on a campus network to verify the effectiveness of the system. The probe was deployed at the junction of the link of interest. Then, according to the predefined settings, the control and analysis platform deployed in the network management center periodically collected the monitoring and analysis results obtained by the probes. Figure 6 shows the topology of the test network, from which we can quickly locate failed devices and failed links.

Figure 6. The topological graph of testing network

We selected the core router (210.43.96.18) from Figure 6, deployed a probe on it and monitored the traffic by port mirroring. Figure 7 shows how the traffic of the core router changed continuously over one month (2007-03-27 to 2007-04-27). The figure shows that link traffic has a definite daily pattern, and the daily variation takes a parabolic shape that matches the rhythm of human activity. Analyzing the data for one day, the total traffic on the network link is low: its average traffic is 300 Mbps (the physical bandwidth is 1000 Mbps), so its average bandwidth utilization is about 30%. The busy periods of the link are 9:00~17:00 and 20:00~22:00; other periods are idle time. The inbound and outbound traffic is smooth on the whole, with just 2 bursts, one at 8:00~9:00 pm and one at 9:00~10:00 am. The pattern of daily traffic is the same from day to day, except that traffic grows a little on Friday and Saturday evenings.

Figure 7. Traffic changing instance

Looking at the top N service flows, most network traffic is produced by a few related IP addresses, whether measured by byte traffic or by packet traffic. This basically accords with the 20/80 rule. For example, in Figure 9, flows involving IP 202.43.19.22 appear very frequently in the top N, and its share of byte traffic and packet traffic is also high.

Figure 9. Traffic top N

Examining the historical data for this period, as Figure 8 shows, the bursts are driven by P2P and streaming media services, and there is also a small amount of traditional HTTP-based service. Analyzing the byte traffic of the link, the shares from high to low are: P2P (44.73%), streaming media (23.09%), basic applications (18.22%), private protocols (9.49%), VoIP online telephone (3.85%), online games (0.3%), and instant communications (0.32%). P2P applications will become more and more popular. Whether the applications are illegal or legal, managers should know the traffic characteristics of P2P applications and guide and control them through a proper strategy.

Figure 8. Application types distribution

The analysis of the system experiment above shows the characteristics of the network, and points out the basic characteristics of these behaviors and the positions where congestion frequently appears. The analysis is important to the maintenance and normal performance of the network. These characteristics are hard to show with a common network monitoring system.
This point is instructive for enhancing network performance.

5. Conclusions

To comprehensively reflect the running behavior characteristics of the Internet, we design a network monitoring system for analyzing behavior characteristics and realize performance monitoring of the network. This system mainly monitors and analyzes traffic behavior, end-to-end behavior, routing, and application behavior characteristics. In the course of the implementation, we present measurement and analysis metrics that comprehensively reflect network characteristics; we then discuss the concrete measurement and analysis methods and introduce the crucial technologies used in the system; finally, we validate the system on a campus LAN with good results. In future work, we need to study the predictability of network performance further.

Acknowledgment

This research is funded by the National Natural Science Foundation of China under grants no. 90718008, 60673155 and 60703097. Thanks to our team at ICT for their efforts in developing the monitoring and measurement system, with special thanks to Jian Yang, Dunxing Zhang, etc.

References

[1] W. Leland, M. Taqqu, W. Willinger, and D. Wilson, On the self-similar nature of Ethernet Traffic, IEEE/ACM Transactions on Networking, 1994, pp. 1-15.
[2] Matthew Roughan and Darryl Veitch, Measuring Long-Range Dependence under Changing Traffic Conditions, INFOCOM '99, New York, NY, 1999, pp. 1513-1521.
[3] Thomas Karagiannis, Mart Molle, Michalis Faloutsos, Long-Range Dependence: Ten Years of Internet Traffic Modeling, IEEE Internet Computing, 8(5), 2004, pp. 57-64.
[4] Gaogang Xie, Guangxing Zhang, etc, The Survey on Traffic of Metro Area Network with Measurement On-line, Proceedings of the 20th International Teletraffic Congress, Ottawa, Canada, 2007, pp. 17-21.
[5] Y. Zhang, N. Duffield, V. Paxson and S. Shenker, On the Constancy of Internet Path Properties, In ACM SIGCOMM Internet Measurement Workshop, 2001, pp. 197-211.
[6] Xunqi Yu, James W. Modestino, Xusheng Tian, The accuracy of Gilbert models in predicting packet-loss statistics for a single-multiplexer network model, INFOCOM 2005, pp. 2602-2612.
[7] M. Goyal, R. Guerin and R. Rajan, Predicting TCP Throughput From Non-invasive Network Sampling, INFOCOM 2002, pp. 180-189.
[8] MA Wei-min, LI Zhong-cheng, Wang Jun-feng, XIE Gao-Gang, An Analysis of the Characteristics of High-speed Network Traffic Based on Simulation, Journal of System Simulation, 2004, 16(4), pp. 681-68.
[9] Zhang Hong-Li, Fang Bin-Xing, Hu Ming-Zeng, etc, A Survey on Internet Measurement and Analysis, Journal of Software, 2003, 14(1), pp. 110-116.
[10] Li Wenwei, Zhang Dafang, Yang Jinmin, Xie Gaogang, On Evaluating the Differences of TCP and ICMP in Network Measurement, Computer Communications, 2007, 30(2), pp. 428-43.
[11] Guangxing Zhang, Gaogang Xie, etc, Self-Similar Characteristic of Traffic in Current Metro Area Network, 15th IEEE Workshop on Local and Metropolitan Area Networks, June 10-13, 2007, Princeton NJ, USA.
[12] LI Wen-Wei, ZHANG Da-Fang, XIE Gao-Gang, YANG Jin-Min, A High Precision Approach of Network Delay Measurement Based on General PC, Journal of Software, 2006, 17(2), pp. 275-284.
[13] Fan Chao, Xie Gaogang, Zhang Dafang, Li Zhongcheng, Performance Analysis of HTTP Service Based on Network Active Measurement, Journal of Computer Research and Development, 2005, 42(3), pp. 493-500.