CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

Assessing the Quality of Packet-Level Traces Collected on Internet Backbone Links

Behrooz Sangchoolie (Institutionen för data- och informationsteknik, Nätverk och system, Datakommunikation och distribuerade system (Chalmers)) ; Mazdak Rajabi Nasab (Institutionen för data- och informationsteknik, Nätverk och system, Datakommunikation och distribuerade system (Chalmers)) ; Tomas Olovsson (Institutionen för data- och informationsteknik, Nätverk och system (Chalmers) ) ; Wolfgang John
Secure IT Systems, Audun Jøsang & Bengt Carlsson, NordSec, Karlskrona, Sweden, October/November 2012 (0302-9743). Vol. 7617 (2012), p. 184-198.
[Konferensbidrag, refereegranskat]

The quality of captured traffic plays an important role for decisions made by systems like intrusion detection/prevention systems (IDS/IPS) and firewalls. As these systems monitor network traffic to find malicious activities, a missing packet might lead to an incorrect decision. In this paper, we analyze the quality of packet-level traces collected on Internet backbone links using different generations of DAG cards. This is accomplished by inferring dropped packets introduced by the data collection system with help of the intrinsic structural properties inherently provided by TCP traffic flows. We employ two metrics which we believe can detect all kinds of missing packets: i) packets with ACK numbers greater than the expected ACK, indicating that the communicating parties acknowledge a packet not present in the trace; and ii) packets with data beyond the receiver’s window size, which with a high probability, indicates that the packet advertising the correct window size was not recorded. These heuristics have been applied to three large datasets collected with different hardware and in different environments. We also introduce flowstat, a tool developed for this purpose which is capable of analyzing both captured traces and real-time traffic. After assessing more than 400 traces (75M bidirectional flows), we conclude that at least 0.08% of the flows have missing packets, a surprisingly large number that can affect the quality of analysis performed by firewalls and intrusion detection/prevention systems. The paper concludes with an investigation and discussion of the spatial and temporal aspects of the experienced packet losses and possible reasons behind missing data in traces.

Nyckelord: Traffic measurement, measurement errors, packet drop, intrusion detection/prevention system, firewall

Denna post skapades 2012-11-03. Senast ändrad 2015-12-17.
CPL Pubid: 165423