Packet, bit volume, and hosts analysis

When considering a non-flow based analysis of packet traces, some important things stand out. Those include:

analysis of "events," specifically packets
analysis of "data volume," specifically the packet payload
analysis of "traffic contributors," specifically source or destination hosts

In the third category differentiations can include:

how many source hosts contributed to the traffic
how many destination hosts contributed to the traffic
at specific fractions, how much traffic was contibuted by how many hosts, for both packet and bit volume
In this analysis we chose for the packet and byte seven different fractions, specifically: 0.05, 0.10, 0.25, 0.50, 0.75, 0.90, and 0.95

An example output formet of the conversion programs oc32bysh.pl for by source host or oc32bydh.pl for by destination host, which include delta-time for the measurement periods as an input parameter, looks like:

time kpackets Mbits hosts packet host fractions payload host fractions
0.05 0.10 0.25 0.50 0.75 0.90 0.95 0.05 0.10 0.25 0.50 0.75 0.90 0.95
0.001 14.000 60.248 14000 : 1 2 4 7 11 13 14 : 1 2 3 4 6 8 9 :
0.002 10.000 45.688 9000 : 1 2 3 4 7 8 9 : 1 2 3 4 5 6 7 :
0.003 16.000 68.936 15000 : 1 2 3 7 11 14 15 : 1 2 3 4 5 8 9 :
0.004 9.000 34.400 9000 : 1 2 3 5 7 8 9 : 1 2 3 4 5 6 7 :

with the meaning of the individual fields:

time -- time step in the packet trace
kpackets -- kilopackets (normalized towards 1 second)
Mbits -- Megabits (normalized towards 1 second)
hosts -- hosts (normalized towards 1 second)
packet host fractions -- real number of hosts contributing to fractions of packet traffic:
0.05, 0.10, 0.25, 0.50, 0.75, 0.90, 0.95
payload host fractions -- real number of hosts contributing to fractions of bit volume:
0.05, 0.10, 0.25, 0.50, 0.75, 0.90, 0.95

The set of programs is structured for a series of runs which generates ready-to-use output directies with individual index.html files to display the results. An example is available, generated with a run script that iterated through a daltatime loop for both interfaces in the OC3mon dump:

  #!/bin/zsh
  for i in 0.001 0.01 0.1 1.0 10.0
  do
   Bin/run-byhosts /O2/Traces/Oc3trace FIXW-9711.dmp 152 $i
   Bin/run-byhosts /O2/Traces/Oc3trace FIXW-9711.dmp 144 $i
  done

The parameters for the run-byhosts script are the directory of the OC3mon output file, the file name within the directory, the interface number to be used, and the deltatime for the measurement intervals.

some specific analysis and graphs not automatically generated

kilopackets per second, interface 144

same kilopackets per second, interface 144, but superimposed

Megabits per second, interface 144

same Megabits per second, interface 144, but superimposed

hosts (real numbers), interface 144, by source hosts only

hosts, interface 144, by source hosts only, normalized towards 1 seconds delta time

accumulative source host count, interface 144

host percentiles contributing to traffic percentiles

other host percentiles contributing to traffic percentiles graphs from trace

FIX-West, ~November 1997
fraction=0.90 fraction=0.95
interface 144 interface 152 interface 144 interface 152
by src by dst by src by dst by src by dst by src by dst
pkt bit pkt bit pkt bit pkt bit pkt bit pkt bit pkt bit pkt bit

time	kpackets	Mbits	hosts		packet host fractions								payload host fractions
					0.05	0.10	0.25	0.50	0.75	0.90	0.95		0.05	0.10	0.25	0.50	0.75	0.90	0.95
0.001	14.000	60.248	14000	:	1	2	4	7	11	13	14	:	1	2	3	4	6	8	9	:
0.002	10.000	45.688	9000	:	1	2	3	4	7	8	9	:	1	2	3	4	5	6	7	:
0.003	16.000	68.936	15000	:	1	2	3	7	11	14	15	:	1	2	3	4	5	8	9	:
0.004	9.000	34.400	9000	:	1	2	3	5	7	8	9	:	1	2	3	4	5	6	7	: