pcapstitch: A Tool to Collect Singleton One-way Delay and Loss Measurements
Author – Daniel William DaCosta
Adviser – Dr. Spiros Mancoridis
Committee: Prof. Mike Kain, Dr. Jaudelice de Oliveira, and Dr. William Regli

What Questions will this Talk Answer?
• What is pcapstitch?
• Why is pcapstitch important?
• How is pcapstitch used?
• What makes pcapstitch possible?

What is pcapstitch?
• A UNIX tool
• Written in Haskell
• Stitches semantically equivalent packets from multiple observation points
• For the time being
  • Read “semantically equivalent packets” as “same packets”
  • Read stitches as “associates”
• Input -> libpcap formatted network trace files
• Output -> space delimited text file

What is pcapstitch? (continued)
• Each line of the output file contains timestamps for all observations of the same packet, the packet's size and other packet information
  • Also referred to as a stitch
• This information measures one-way delay and loss singletons
• The output format is built to facilitate quick analysis of network characteristics on the UNIX command line

Why is pcapstitch Needed? That is me, I have the answer!
Network Characteristics Impact Application Utility.
• They affect performance of protocols applications rely on
• They affect application protocols themselves

What are Network Characteristics? Delay – Difference between packet send time at source and packet receive time at destination
What are Network Characteristics?
• Loss – Packet never reaches its destination
  • Bit-error detected at layer 2
  • Node queue overflow
  • Gremlins also take your packets.

What are Network Characteristics? Bandwidth – Amount of data sent or received per interval of time
What are Network Characteristics? … and a lot more that can be derived from these
As Presented, the Delay and Loss Characteristics are Singletons.
• Singletons are atomic
  • For layer 2 and above this means per-packet measurements
  • Bandwidth singletons are measured by dividing packet size by delay.
• A collection of singletons is a sample
• A measurement derived from a sample or samples is a statistical measurement

Singleton One-way Delay is the Seminal Network Metric.
• Calculation only requires send and receive time
• Bandwidth can be calculated with the addition of packet size
  • Packet size is always available

What about Loss?
• Loss is infinite delay
  • This definition is not very helpful, practically speaking
• Estimating a time after which a delayed packet can be considered lost
  • Find the slowest link in the network
  • How long does it take the largest packet to traverse this link?
  • Find the longest queue in the network and multiply it by the previous time
  • Multiply that by longest path or 255 (maximum TTL)
  • Assume packet delay longer than that is infinite and has been lost.

One-way: Direction Matters. Network Paths are Not Symmetric.
This may induce asymmetric network characteristics

One-way: Direction Matters. Symmetric Paths may Have Asymmetric Queuing Properties.
One-way: Direction Matters. An Example.
SCP vs. FTP Transfer from Right to Left
When loss is applied it occurs on packets from Left to Right.
Left to Right packets have no payload

Shameless Plug.
• Generated in 30 minutes, soup to nuts, with
  • emulab
  • awk
  • grep
  • sed
  • gnuplot
  • tcpdump
  • pcapstitch

Let's Measure One-way Delay and Loss Singletons Passively! … FAIL …
[YOUR FAVORITE TOOLS]
Ping, Iperf, ITG/D-ITG, OWAMP, NTOP, SICMD, tcptrace, netperf, udpmon, tstat, traceroute, IGI, SNMP, Netflow, pathChirp, badabing, sting
Did I get yours?

What about [YOUR FAVORITE TOOL]?
• [YOUR FAVORITE TOOL] is active
  • No guarantees other applications will behave similarly
  • Interacts artificially with organic network traffic
• [YOUR FAVORITE TOOL] makes symmetric assumptions
  • Previous example demonstrated why this is bad
  • We like to be as accurate as possible
  • Applications (even ones using TCP) are direction sensitive
• [YOUR FAVORITE TOOL] does not work on general traffic
  • Applications need to be instrumented

How about OpenIMP?
• The only other tool that I know of that can measure singleton one-way delay and loss passively
• It has a complex infrastructure setup
• It depends on a database and web services
• Overkill for quick network, protocol, and application experiments

pcapstitch Demonstration
• Suppose scp’s behavior on this link must be measured
• To do this:
  • Ensure accurate time synchronization
  • Run tcpdump on Left and Right without packet truncation
  • Perform an scp transfer
  • Store network traces

pcapstitch Demonstration (continued)
• Run pcapstitch on these network trace files
  • With some parameters specified
  • What these parameters are and how they can be chosen is discussed in detail within my thesis.
• Output looks like this:

    0 74 Ethernet 00:02:b3:65:c1:8f 00:02:b3:86:19:73 IPv4 10.1.1.2 10.1.1.3 TCP 22 32800 (1303582250.557797,left_5plr.pcap,2)|(1303582250.558155,right_5plr.pcap,2)
    0 66 Ethernet 00:02:b3:86:19:73 00:02:b3:65:c1:8f IPv4 10.1.1.3 10.1.1.2 TCP 32800 22 (1303582250.560424,right_5plr.pcap,5)

• Each one of these is a stitch
• Each one of these is one line in the output

pcapstitch Demonstration (continued)
• Process this output with your tools of choice
• I prefer bash, grep, sed, awk and gnuplot

    #!/bin/bash
    # Plot one-way delay for both directions from a pcapstitch output file ($1).
    TFILE=$(mktemp)
    # After the sed rewrite, $12 is the first observation's timestamp and
    # $15 the second's. I holds the first timestamp in the file (time zero).
    I=$(sed -e "s/|\|,/ /g" -e "s/(\|)//g" "$1" \
        | awk 'BEGIN{i=0;}{if(i==0){i=$12}}END{print i;}')
    grep -F '10.1.1.2 10.1.1.3' "$1" |\
    sed -e "s/|\|,/ /g" -e "s/(\|)//g" |\
    awk -v i="${I}" '
    BEGIN{init=i;
      print "set xlabel \"Experiment Time(s)\"";
      print "set ylabel \"One-way delay(s)\"";
      printf "plot \"-\" using 1:2 title \"Left->Right\" with lines,";
      print "\"-\" using 1:2 title \"Right->Left\" with lines";}
    {
      # Only stitches seen at both observation points have a delay.
      if(NF>14){printf("\t%f %f\n",$12-init,$15-$12);}
    }END{print "end";}' > "${TFILE}"
    grep -F '10.1.1.3 10.1.1.2' "$1" |\
    sed -e "s/|\|,/ /g" -e "s/(\|)//g" |\
    awk -v i="${I}" '
    BEGIN{init=i;}
    {
      if(NF>14){printf("\t%f %f\n",$12-init,$15-$12);}
    }END{print "end";}' >> "${TFILE}"
    gnuplot -persist < "${TFILE}"
    rm "${TFILE}"

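An added example, not from the talk or the pcapstitch sources: the same stitch lines reduced to per-direction delay and loss singletons in Python. It assumes the 12-column TCP/IPv4 layout of the two sample stitches above and that a stitch observed at fewer points than there are trace files counts as a loss; the third sample line is constructed.

```python
import re
from collections import defaultdict
from decimal import Decimal

# One observation: (timestamp,trace_file,number); the third value is not interpreted.
OBS = re.compile(r"\(([0-9.]+),([^,()|]+),(\d+)\)")

# The first two lines are the sample stitches from the slide; the third is constructed.
SAMPLE = """\
0 74 Ethernet 00:02:b3:65:c1:8f 00:02:b3:86:19:73 IPv4 10.1.1.2 10.1.1.3 TCP 22 32800 (1303582250.557797,left_5plr.pcap,2)|(1303582250.558155,right_5plr.pcap,2)
0 66 Ethernet 00:02:b3:86:19:73 00:02:b3:65:c1:8f IPv4 10.1.1.3 10.1.1.2 TCP 32800 22 (1303582250.560424,right_5plr.pcap,5)
0 66 Ethernet 00:02:b3:86:19:73 00:02:b3:65:c1:8f IPv4 10.1.1.3 10.1.1.2 TCP 32800 22 (1303582250.561000,right_5plr.pcap,6)|(1303582250.561410,left_5plr.pcap,4)
"""

def summarize(text, points=2):
    """Per (src, dst): stitch count, loss singletons, one-way delay singletons."""
    stats = defaultdict(lambda: {"stitches": 0, "lost": 0, "delays": []})
    for line in text.splitlines():
        cols = line.split()
        obs = OBS.findall(cols[-1]) if cols else []
        if len(cols) != 12 or not obs:
            continue                      # not a stitch in the layout shown above
        # Decimal avoids binary floating-point rounding on epoch-sized timestamps.
        times = sorted(Decimal(ts) for ts, _file, _n in obs)
        entry = stats[(cols[6], cols[7])]
        entry["stitches"] += 1
        if len(obs) < points:             # assumption: unseen at a point = lost
            entry["lost"] += 1
        else:
            entry["delays"].append(times[-1] - times[0])
    return dict(stats)

if __name__ == "__main__":
    for (src, dst), e in summarize(SAMPLE).items():
        print(src, "->", dst, "loss", e["lost"], "/", e["stitches"], "delays", e["delays"])
```
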
How does pcapstitch do this?
• Packet Semantic Equivalence
• Stitch Horizon

Packet Semantic Equivalency
• P1, P2, and P3 are the same packet conceptually
• How do we tell?
  • Look for identical packets elsewhere?
    • Parts of the packet change in transit.
    • P1, P2, and P3 may be different but they mean the same thing!
  • Payload?
    • Packet may be empty
  • Protocol fields
    • Sure - which ones?

Identify Protocol Field Invariants
• What fields you use depends on the network configuration
• pcapstitch parameterizes these fields

Stitch Horizon: What is it for?
• MEASUREMENT: Delay needs to be converted to loss
• FIDELITY: Field invariants are not invariant indefinitely
• RESOURCES: Practically speaking, every packet cannot be stored in memory
• PERFORMANCE: Testing semantic equivalence should only be done on packets not converted to loss

Stitch Horizon: Synthetic pcapstitch Clock
• Packets are read from trace files chronologically
• All packets have a time stamp indicating when they were observed
• The current time is always the time stamp of the last packet retrieved from a trace file.

Conclusion
• Why is pcapstitch needed? Because the alternatives are:
  • Instrumented Applications - Not general, changes could be time consuming, modifications can impact fidelity with original application, adds network overhead.
  • Estimation - Typically relies on protocol semantics and network symmetry assumptions.
  • Complex Infrastructure - The only other tool to do this is OpenIMP which requires multiple machines, sophisticated coordination, database setup, and web services.
  • Active Measurement - Adds network overhead, no guarantee other applications will observe the same network characteristics.
• What are the fundamentals of packet stitching?
  • Merge semantically equivalent packets to create stitches.
  • Keep a time ordered set of live stitches in a list; this is the stitch horizon.
  • Remove stitches from this list as they fall off the stitch horizon.
  • The stitch horizon converts delay to loss, manages memory utilization, and ensures efficient stitch creation.
• What is technically interesting about pcapstitch construction?
  • Written in Haskell.
  • Consistent with UNIX philosophy.
  • Embedded Domain-Specific Language to parse network headers that checks byte-alignment at compile-time.
  • Constructed to be sensitive to stitch efficiency.

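The stitching fundamentals and the synthetic clock described above, as an added Python example; it is not pcapstitch's Haskell implementation. The packet dicts, the choice of src/dst/IP ID as invariant fields, the horizon values and the sample traces are assumptions made for illustration.

```python
def stitch(traces, fields, horizon):
    """Merge packets seen at several observation points into stitches.

    traces  -- {trace_name: [packet dict with 'ts' plus header fields]}
    fields  -- header fields assumed invariant in transit (the equivalence key)
    horizon -- seconds a stitch stays live before it is closed
    Returns closed stitches, each a list of (timestamp, trace_name).
    """
    # Read every trace chronologically, as one merged stream.
    events = sorted(
        ((p["ts"], name, p) for name, pkts in traces.items() for p in pkts),
        key=lambda e: e[0],
    )
    live = {}    # key -> stitch; dicts keep insertion order, so oldest first
    closed = []
    for now, name, pkt in events:      # synthetic clock = last timestamp read
        # Close stitches that have fallen off the horizon.
        for key in list(live):
            if now - live[key][0][0] <= horizon:
                break                  # everything after this one is younger
            closed.append(live.pop(key))
        # Equal keys inside the horizon are treated as the same packet.
        key = tuple(pkt[f] for f in fields)
        live.setdefault(key, []).append((now, name))
    closed.extend(live.values())       # end of input: flush what is left
    return closed

def singletons(stitches, src, dst):
    """One-way delay src -> dst per stitch; None marks a loss singleton."""
    out = []
    for st in stitches:
        times = {name: ts for ts, name in reversed(st)}  # earliest per trace
        if src in times:
            out.append(times[dst] - times[src] if dst in times else None)
    return out

# Constructed sample: packet 2 never reaches "right"; IP ID 1 is reused at t=5s.
KEY = ("src", "dst", "ip_id")
def pkt(ts, ip_id):
    return {"ts": ts, "src": "10.1.1.2", "dst": "10.1.1.3", "ip_id": ip_id}
TRACES = {
    "left":  [pkt(0.000, 1), pkt(0.010, 2), pkt(5.000, 1)],
    "right": [pkt(0.002, 1), pkt(5.003, 1)],
}

if __name__ == "__main__":
    for h in (1.0, 60.0):
        print(h, singletons(stitch(TRACES, KEY, h), "left", "right"))
```

With a 1-second horizon the reused IP ID starts a new stitch and three singletons come out; with a 60-second horizon it is merged into the old stitch and one delay measurement disappears, which is the FIDELITY point on the stitch horizon slide.
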
… devices. NOTE: Hosts and devices are not necessarily mutually exclusive.
Nodes communicate through packets. Links they traverse form a path. NOTE: Packets are any data unit sent from layer 2 or higher unless otherwise specified.
… destination. NOTE: Just because a packet arrives at a node does not mean that is its destination.
Packets are seen at observation points by trace utilities and stored in trace files [1]
[1] pcapstitch currently only supports libpcap formatted trace files

Network Header Parser
• Embedded domain-specific language
• Allows the construction of network header parsers
• Verifies at compile time that headers are byte aligned

Network Header Parser
• Simulated dependent types
• Associate values with types
• Are a mechanism to implement the Curry-Howard Isomorphism
• This is related to what I plan to research at UMN
• Dependent types
• Append :: List a len -> a -> List a (Succ len)
• Head :: List a (Succ len) -> a
• This will allow a theoretical type system to identify calls to Head with potentially empty lists!

Network Header Parser

    -- UDP header described with the parser DSL: four 16-bit fields.
    $(makeName "Source")
    sourcef = Field Source getword16 RFSWord16
    $(makeName "Destination")
    destf = Field Destination getword16 RFSWord16
    $(makeName "Len")
    lenf = Field Len getword16 RFSWord16
    $(makeName "CheckSum")
    chksumf = Field CheckSum getword16 RFSWord16

    -- Fields are concatenated in wire order.
    udpheader = sourcef .++. destf .++. lenf .++. chksumf .++. headerTail

    -- Parse a UDP datagram and return it with the remaining bytes.
    getUDPDatagram :: B.ByteString -> (UDPDatagram,B.ByteString)
    getUDPDatagram = (\ (a,b) -> (UDPDatagram $ a,b))
                   . handleHeaderError "Error Parsing UDPDatagram"
                   . getHeader udpheader