Internet2 NetFlow: Weekly Reports: Week of 20080714

  1. Introduction
  2. Bulk TCP
  3. Full Data Set

Introduction

You are looking at the weekly Abilene network usage report for the week of 20080714 produced from NetFlow records. The view of the whole network as a single traffic-relaying unit is presented. More formally, data from all interior circuits (those connecting two Abilene routers) were discarded while all the rest of the data were merged to create this view.

During this week, there were no missing data days.

The data are split into two sections: bulk TCP data and the full data set. A "bulk TCP" flow is defined as a TCP flow that transferred more than 10MB of data. The first section only concerns these data. The second section studies the overall traffic composition.

All the numbers in this report are hyperlinked to plots that show their history (e.g., clicking on the percentage of octets of NNTP traffic will bring up a time-series plot that shows the history of this parameter).

Bulk TCP

During this week, bulk TCP traffic comprised 47.31% of octets and 26.20% of packets of the full data set traffic.

The distribution of bulk TCP throughputs is the most important piece of data in this report. Cumulative distribution function plots (1-CDF vs. throughput in bits/second) in semi-log and log-log scales are as follows:
[Bulk TCP throughputs (semi-log scale).] [Bulk TCP throughputs (log-log scale).]

The distribution of the amount of data transferred (in semi-log and log-log scale, 1-CDF vs. total transfer size in octets) is presented below. It should be recognized that the NetFlow collection mechanism is always configured so that flows (in the accounting sense) cannot last longer than a certain period of time. Therefore, the distribution of transfer sizes is to a certain extent skewed in the upper part.
[Bulk TCP transfer sizes (semi-log scale)] [Bulk TCP transfer sizes (log-log scale).]

The distribution of durations of bulk TCP flows (in seconds) is as follows (you may notice the cut-off phenomenon mentioned above):

[Bulk TCP durations distribution.]

The following table shows actual values from the above distribution plots that correspond to characteristic values (such as median, 90%, max, etc.).

Table 1. Selected Points from Distribution Graphs (Bulk TCPs)

Percentile Throughput (b/s) Durations (s) Size (octets)
1 1.393M 1 10.07M
5 1.501M 7 10.50M
10 1.639M 13 11.10M
50 3.651M 58 19.21M
90 18.61M 59 66.60M
95 28.06M 59 93.15M
99 90.27M 59 184.2M
99.9 158.7M 59 410.5M
99.99 859.3M 116 1.123G
99.999 1.024G 130 1.384G
100 86.40G 131 8.100G

We compute average packet size of each flow by dividing the number of octets in a flow by the number of packets. Distribution of average sizes of packets belonging to bulk TCP flows is as follows:

Table 2. Packet Sizes (Bulk TCP)

Packet Size         Packets (%)  Packets
Small (<100B)       0.45%        919.3M
Medium (100-1400B)  7.03%        14.49G
Large (1401-1500B)  92.44%       190.6G
Jumbo (>1500B)      0.08%        172.7M
Total               100.00%      206.2G

We show what applications transfer large amounts of data in the following table. Note that this is bulk TCP traffic only; full data set usage is presented in the next section.

Table 3. Aggregated Application Types (Bulk TCP)

Traffic Type       Octets (%)  Octets  Packets (%)  Packets  Flows (%)  Flows
Data Transfers     26.13%      78.72T  26.42%       54.48G   34.54%     3.271M
Encrypted Traffic  7.74%       23.33T  8.08%        16.66G   6.64%      628.4k
Advanced Apps      5.49%       16.52T  5.55%        11.44G   7.41%      701.9k
File Sharing       3.27%       9.859T  3.26%        6.728G   2.37%      224.2k
Measurement        0.50%       1.495T  0.50%        1.026G   0.21%      19.45k
Misc               0.48%       1.453T  0.51%        1.056G   0.86%      81.52k
Games              0.15%       459.3G  0.15%        318.8M   0.21%      19.69k
Audio/Video        0.12%       369.2G  0.13%        259.6M   0.27%      25.35k
Unidentified       56.12%      169.0T  55.40%       114.2G   47.50%     4.498M
Total              100.00%     301.3T  100.00%      206.2G   100.00%    9.470M

The following are the fastest 10 measurement flows with unique source and destination AS numbers (i.e., for any given pair of source and destination AS numbers, no more than one fastest flow is shown).

Table 4. Fastest Bulk TCP Measurement Flows with Unique AS Source and Destination

Throughput (b/s)  Packet size (bytes)  Duration (s)  Src AS                      Dest AS                                      Application type
1.830G            9000                 35            DFN-IP service G-WiN [680]  INDIANAGIGAPOP [19782]                       Iperf
204.1M            1500                 12            NASA-ESDIS-NET [22767]      Israeli Academic and Research Network [378]  Iperf
184.8M            1500                 20            Unknown [32361]             SWITCH [559]                                 Iperf
180.3M            1396                 16            NASA-HPCC-ESS [7847]        APAN-JP [7660]                               Iperf
169.3M            1500                 10            NASA GSFC [1701]            Unknown [25689]                              Iperf
152.2M            1500                 22            NASA GSFC [1701]            UT-Austin [18]                               Iperf
109.9M            1402                 29            NASA-GSFC [1749]            UT-Austin [18]                               Iperf
100.2M            1493                 10            Indiana [87]                TRANSPAC [22388]                             Iperf
96.35M            1500                 43            DFN-IP service G-WiN [680]  CARIN-AS-BLOCK [7082]                        Iperf
92.06M            1500                 13            NASA-ESDIS-NET [22767]      APAN-JP [7660]                               Iperf

The following are the fastest 10 non-measurement flows with unique source and destination AS numbers (i.e., for any given pair of source and destination AS numbers, no more than one fastest flow is shown). When unable to determine the application type, we give the source and destination port numbers.

Table 5. Fastest Bulk TCP Non-measurement Flows with Unique AS Source and Destination

Throughput (b/s)  Packet size (bytes)  Duration (s)  Src AS                                                          Dest AS                                                         Application type
1.041G            9000                 10            NASA-HPCC-ESS [7847]                                            Abilene [11537]                                                 32898 -> 5101
1.028G            9000                 10            High Performance Computing Modernization Program [668]          Abilene [11537]                                                 48351 -> 5101
985.3M            1500                 12            CARIN-AS-BLOCK [7082]                                           Science, Technology, and Research Transit Access Point [10764]  Hotline
970.1M            9000                 10            Abilene [11537]                                                 High Performance Computing Modernization Program [668]          33720 -> 5101
958.7M            1500                 10            UCLA [52]                                                       Abilene [11537]                                                 38932 -> 3002
876.7M            1500                 25            Unknown [0]                                                     APAN-JP [7660]                                                  Shoutcast
803.1M            1499                 10            Unknown [32361]                                                 Unknown [36375]                                                 38276 -> 5099
706.8M            1500                 30            Science, Technology, and Research Transit Access Point [10764]  CARIN-AS-BLOCK [7082]                                           Hotline
508.6M            1499                 11            SWITCH [559]                                                    PSC [1207]                                                      22250 -> 34085
253.6M            1500                 15            Network for Education and Research in Oregon [3701]             Indiana [87]                                                    Rsync

We also compute the average concurrency of bulk TCP flows for the week (by adding durations of all captured flows and dividing the result by the duration of the week). This week's average number of concurrent bulk TCP flows: 740.0.

Full Data Set

In addition to bulk TCP flows data, we provide statistics that characterize the overall composition of the complete data set (everything that transited the Abilene network this week).

The following table describes what kinds of traffic went through the network (multiple applications are aggregated into classes):

Table 6. Aggregated Application Types (Full Data Set)

Type               Octets (%)  Octets  Packets (%)  Packets
Data Transfers     39.46%      251.3T  40.89%       321.8G
Encrypted Traffic  6.41%       40.81T  7.16%        56.33G
Advanced Apps      3.61%       23.01T  3.29%        25.89G
File Sharing       3.37%       21.44T  3.93%        30.90G
Misc               2.51%       15.99T  5.57%        43.83G
Audio/Video        1.60%       10.18T  1.43%        11.24G
Measurement        0.49%       3.104T  0.73%        5.746G
Games              0.27%       1.702T  0.40%        3.131G
Unidentified       42.28%      269.2T  36.61%       288.2G
Total              100.00%     636.8T  100.00%      787.1G

This table is also available in the following more verbose version (no applications are aggregated into classes, but class composition is shown):

Table 7. Detailed Application Types (Full Data Set)

Traffic type               Octets (%)  Octets   Packets (%)  Packets
Data Transfers
  HTTP                     35.02%      223.0T   36.97%       291.0G
  Rsync                    1.61%       10.26T   1.28%        10.07G
  NNTP                     1.47%       9.368T   1.29%        10.16G
  FTP                      1.36%       8.635T   1.34%        10.57G
Encrypted Traffic
  SSH                      3.94%       25.06T   3.63%        28.57G
  HTTPS                    2.11%       13.41T   3.02%        23.73G
  IPsec ESP                0.35%       2.242T   0.49%        3.834G
  IPsec AH                 0.01%       82.98G   0.02%        157.6M
  IPsec IKE                0.00%       5.561G   0.00%        30.52M
Advanced Apps
  UNIDATA LDM              2.75%       17.53T   2.56%        20.16G
  McIDAS                   0.78%       4.962T   0.64%        5.050G
  BBCP                     0.07%       466.0G   0.06%        454.5M
  GsiFTP                   0.01%       38.12G   0.01%        89.68M
  BBFTP                    0.00%       10.77G   0.02%        134.8M
  IBP                      0.00%       1.900G   0.00%        2.995M
File Sharing
  Shoutcast                1.28%       8.157T   2.28%        17.90G
  Audiogalaxy              1.13%       7.174T   0.84%        6.587G
  Hotline                  0.62%       3.973T   0.47%        3.685G
  BitTorrent               0.23%       1.481T   0.24%        1.874G
  eDonkey2000              0.08%       487.2G   0.07%        537.4M
  Gnutella                 0.01%       82.50G   0.02%        161.7M
  FastTrack                0.01%       61.78G   0.01%        81.51M
  WinMX                    0.00%       16.39G   0.00%        19.13M
  Carracho                 0.00%       4.644G   0.00%        7.247M
  Blubster                 0.00%       3.954G   0.01%        43.58M
  Freenet                  0.00%       1.255G   0.00%        1.884M
  Neo-Modus                0.00%       497.6M   0.00%        603.1k
  Direct Connect++         0.00%       6.740M   0.00%        17.10k
Misc
  Mail                     1.28%       8.144T   2.68%        21.11G
  Port 0                   0.53%       3.394T   0.35%        2.742G
  DNS                      0.27%       1.688T   1.65%        12.97G
  Squid                    0.21%       1.363T   0.31%        2.410G
  NFS                      0.07%       474.8G   0.07%        515.8M
  X11                      0.06%       386.1G   0.09%        705.9M
  AFS                      0.03%       211.7G   0.07%        584.0M
  NTP                      0.01%       87.97G   0.15%        1.153G
  IRC                      0.01%       59.32G   0.04%        315.4M
  Telnet                   0.01%       54.42G   0.06%        505.0M
  MS Windows               0.01%       44.28G   0.04%        283.9M
  RTIP                     0.01%       35.66G   0.04%        283.7M
  SOCKS                    0.00%       16.43G   0.01%        64.86M
  SNMP                     0.00%       13.46G   0.01%        111.6M
  IDENT                    0.00%       11.76G   0.01%        52.11M
  AOL AIM                  0.00%       4.195G   0.00%        5.926M
  RPC Portmapper           0.00%       751.8M   0.00%        2.393M
Audio/Video
  Any-Source Multicast     1.16%       7.375T   0.79%        6.181G
  Real Player              0.40%       2.535T   0.59%        4.669G
  Windows Media            0.02%       152.8G   0.03%        231.0M
  Backbone Radio           0.01%       48.99G   0.01%        62.41M
  H.323 Signaling          0.01%       47.25G   0.01%        56.90M
  StreamWorks              0.00%       12.44G   0.00%        17.65M
  Subset of VoIP           0.00%       9.496G   0.00%        24.29M
  Camarades webcams        0.00%       1.602G   0.00%        4.071M
  Single-Source Multicast  0.00%       25.49M   0.00%        18.80k
Measurement
  Iperf                    0.43%       2.720T   0.37%        2.923G
  ICMP                     0.06%       383.8G   0.36%        2.822G
  IPMP                     0.00%       750.0k   0.00%        500.0
Games
  DirectX                  0.18%       1.160T   0.22%        1.706G
  Battlenet                0.03%       201.6G   0.06%        444.1M
  Spy Arcade               0.02%       137.6G   0.02%        144.2M
  Half-Life                0.02%       104.6G   0.09%        679.4M
  Quake                    0.01%       79.58G   0.02%        125.3M
  Starsiege Tribes         0.00%       12.76G   0.00%        19.91M
  Asheron                  0.00%       5.569G   0.00%        11.65M
Unidentified
  Unidentified             42.28%      269.2T   36.61%       288.2G
Total
  Total                    100.00%     636.8T   100.00%      787.1G

The following table summarizes use of the most popular IPv4 protocols:

Table 8. IP Protocols Distribution (Full Data Set)

Protocols      Octets (%)  Octets  Packets (%)  Packets
ICMP [1]       0.06%       383.8G  0.36%        2.822G
IGMP [2]       0.00%       41.83M  0.00%        1.170M
IP-ENCAP [4]   0.02%       141.2G  0.03%        203.7M
TCP [6]        92.40%      588.4T  87.98%       692.5G
UDP [17]       6.22%       39.58T  10.35%       81.45G
IPv6 [41]      0.00%       8.808G  0.00%        35.22M
GRE [47]       0.94%       5.979T  0.77%        6.094G
ESP [50]       0.35%       2.242T  0.49%        3.834G
AX.25 [93]     0.00%       306.6k  0.00%        300.0
PIM [103]      0.00%       3.119G  0.00%        28.95M
IPMP [169]     0.00%       750.0k  0.00%        500.0
Other          0.01%       83.86G  0.02%        158.7M
Total          100.00%     636.8T  100.00%      787.1G

We compute average packet size of each flow by dividing the number of octets in a flow by the number of packets. Distribution of (average) packet sizes is as follows:

Table 9. Packet Sizes (Full Data Set)

Packet Size         Packets (%)  Packets
Small (<100B)       37.57%       295.6G
Medium (100-1400B)  19.23%       151.4G
Large (1401-1500B)  43.09%       339.2G
Jumbo (>1500B)      0.11%        845.4M
Total               100.00%      787.1G

We only track DSCP values for which special treatment was defined by the Internet2 QoS working group (and the default of DSCP=0):

Table 10. Important DSCP Values (Full Data Set)

Type                  Octets (%)  Octets  Packets (%)  Packets
Best effort [DSCP=0]  96.49%      614.5T  97.13%       764.5G
Scavenger [DSCP=8]    0.03%       174.3G  0.04%        280.2M
EF [DSCP=46]          0.00%       22.46G  0.01%        93.20M
Other                 3.48%       22.13T  2.82%        22.21G
Total                 100.00%     636.8T  100.00%      787.1G

We collect statistics about ECN-capable traffic:

Table 11. ECN-Capable Traffic

Type         Octets (%)  Octets  Packets (%)  Packets
ECN-Capable  0.45%       2.869T  0.27%        2.120G

To facilitate detection of emerging applications, we present statistics about frequently encountered unidentified port numbers (no distinction is made in this table between TCP and UDP):

Table 12. Frequent Unidentified Ports

Port   Octets (%)  Octets  Packets (%)  Packets
2128   1.08%       6.888T  1.12%        8.848G
1935   1.02%       6.472T  1.25%        9.821G
20000  0.92%       5.888T  0.60%        4.750G
50001  0.40%       2.573T  0.23%        1.806G
4500   0.37%       2.386T  0.40%        3.149G