Internet2 NetFlow: Weekly Reports: Week of 20100426

  1. Introduction
  2. Bulk TCP
  3. Full Data Set

Introduction

You are looking at the weekly Abilene network usage report for the week of 20100426 produced from NetFlow records. The view of the whole network as a single traffic-relaying unit is presented. More formally, data from all interior circuits (those connecting two Abilene routers) were discarded while all the rest of the data were merged to create this view.

During this week, there were no missing data days.

The data are split into two sections: bulk TCP data and the full data set. A "bulk TCP" flow is defined as a TCP flow that transferred more than 10MB of data. The first section only concerns these data. The second section studies the overall traffic composition.

All the numbers in this report are hyperlinked to plots that show their history (e.g., clicking on the percentage of octets of NNTP traffic will bring up a time-series plot that shows the history of this parameter).

Bulk TCP

During this week, bulk TCP traffic comprised 39.66% of octets and 21.19% of packets of the full data set traffic.

The distribution of bulk TCP throughputs is the most important piece of data in this report. Cumulative distribution function plots (1-CDF vs. throughput in bits/second) in semi-log and log-log scales are as follows:
[Bulk TCP throughputs (semi-log scale).] [Bulk TCP throughputs (log-log scale).]

The distribution of the amount of data transferred (in semi-log and log-log scale, 1-CDF vs. total transfer size in octets) is presented below. It should be recognized that the NetFlow collection mechanism is always configured so that flows (in the accounting sense) cannot last longer than a certain period of time. Therefore, the distribution of transfer sizes is to a certain extent skewed in the upper part.
[Bulk TCP transfer sizes (semi-log scale)] [Bulk TCP transfer sizes (log-log scale).]

The distribution of durations of bulk TCP flows (in seconds) is as follows (you may notice the cut-off phenomenon mentioned above):

[Bulk TCP durations distribution.]

The following table shows actual values from the above distribution plots that correspond to characteristic values (such as median, 90%, max, etc.).

Table 1. Selected Points from Distribution Graphs (Bulk TCPs)

Percentile Throughput (b/s) Durations (s) Size (octets)
1 1.394M 2 10.10M
5 1.476M 8 10.39M
10 1.570M 16 10.84M
50 2.954M 57 17.04M
90 14.64M 59 50.83M
95 26.20M 59 79.21M
99 85.51M 59 207.1M
99.9 436.5M 59 1.163G
99.99 674.0M 115 1.757G
99.999 961.8M 160 2.812G
100 14.55G 162 9.464G

We compute average packet size of each flow by dividing the number of octets in a flow by the number of packets. Distribution of average sizes of packets belonging to bulk TCP flows is as follows:

Table 2. Packet Sizes (Bulk TCP)

Packet Size          Packets (%)  Packets
Small (<100B)        2.16%        11.09G
Medium (100-1400B)   8.00%        41.05G
Large (1401-1500B)   89.83%       461.0G
Jumbo (>1500B)       0.01%        37.55M
Total                100.00%      513.1G

We show what applications transfer large amounts of data in the following table. Note that this is bulk TCP traffic only; full data set usage is presented in the next section.

Table 3. Aggregated Application Types (Bulk TCP)

Traffic Type        Octets (%)  Octets  Packets (%)  Packets  Flows (%)  Flows
Data Transfers      27.10%      196.2T  26.81%       137.5G   34.72%     8.353M
Measurement         6.48%       46.93T  7.72%        39.60G   0.40%      96.46k
Encrypted Traffic   6.08%       44.04T  6.24%        32.02G   4.82%      1.160M
Advanced Apps       3.20%       23.16T  3.14%        16.09G   3.34%      804.4k
File Sharing        3.16%       22.90T  3.09%        15.86G   2.57%      618.5k
Misc                0.86%       6.260T  0.92%        4.706G   1.21%      290.7k
Audio/Video         0.27%       1.960T  0.26%        1.332G   0.29%      70.63k
Games               0.09%       648.4G  0.09%        477.5M   0.12%      29.80k
Unidentified        52.75%      382.0T  51.74%       265.5G   52.51%     12.63M
Total               100.00%     724.2T  100.00%      513.1G   100.00%    24.05M

The following are the fastest 10 measurement flows with unique source and destination AS numbers (i.e., for any given pair of source and destination AS numbers, no more than one fastest flow is shown).

Table 4. Fastest Bulk TCP Measurement Flows with Unique AS Source and Destination

Throughput (b/s)  Packet size (bytes)  Duration (s)  Src AS                        Dest AS                                Application type
3.903G            8244                 19            ESnet-West [292]              Abilene [11537]                        Iperf
3.615G            8244                 12            ESnet-East [291]              Abilene [11537]                        Iperf
1.813G            1464                 17            Abilene [11537]               Utah Education Net [210]               Iperf
1.410G            1464                 11            Abilene [11537]               ESnet-East [291]                       Iperf
979.9M            1500                 12            U Minnesota GigaPOP [57]      Abilene [11537]                        Iperf
973.8M            1464                 30            NIST-BOULDER [2648]           Abilene [11537]                        Iperf
973.1M            1500                 19            UIUC [38]                     Abilene [11537]                        Iperf
972.0M            1464                 14            UNL [7896]                    Fermi National Accelerator Lab [3152]  Iperf
967.9M            1464                 13            Brookhaven National Lab [43]  Abilene [11537]                        Iperf
967.2M            1464                 18            INDIANAGIGAPOP [19782]        Boston U [111]                         Iperf

The following are the fastest 10 non-measurement flows with unique source and destination AS numbers (i.e., for any given pair of source and destination AS numbers, no more than one fastest flow is shown). When unable to determine the application type, we give the source and destination port numbers.

Table 5. Fastest Bulk TCP Non-measurement Flows with Unique AS Source and Destination

Throughput (b/s)  Packet size (bytes)  Duration (s)  Src AS                             Dest AS                            Application type
1.365G            1464                 20            Abilene [11537]                    ESnet-East [291]                   5089 -> 5089
1.300G            1464                 20            Abilene [11537]                    ESnet-West [292]                   5069 -> 5069
978.0M            1464                 16            TACCNET [32093]                    Unknown [32361]                    5018 -> 5018
963.8M            1464                 10            VANDERBILT [7212]                  Abilene [11537]                    44093 -> 3002
917.4M            1464                 20            Stephen F. Austin State U [3634]   SDSC [195]                         5016 -> 5016
872.6M            1464                 12            Stephen F. Austin State U [3634]   Unknown [32361]                    5019 -> 5019
708.2M            1464                 20            VANDERBILT [7212]                  Stephen F. Austin State U [3634]   5016 -> 5016
701.2M            1464                 14            Unknown [32440]                    NCSA [1224]                        52971 -> 53638
696.5M            1464                 15            Stephen F. Austin State U [3634]   U Florida [6356]                   5010 -> 5010
687.8M            1464                 10            Nat Lib Med [70]                   Yale [29]                          50273 -> 43887

We also compute the average concurrency of bulk TCP flows for the week (by adding the durations of all captured flows and dividing the result by the duration of the week). This week's average number of concurrent bulk TCP flows: 1.939k.

Full Data Set

In addition to bulk TCP flows data, we provide statistics that characterize the overall composition of the complete data set (everything that transited the Abilene network this week).

The following table describes what kinds of traffic went through the network (multiple applications are aggregated into classes):

Table 6. Aggregated Application Types (Full Data Set)

Type                Octets (%)  Octets  Packets (%)  Packets
Data Transfers      39.08%      713.6T  41.40%       1.002T
Encrypted Traffic   5.25%       95.81T  5.94%        143.7G
Measurement         2.76%       50.30T  2.23%        53.90G
File Sharing        1.96%       35.71T  1.56%        37.69G
Advanced Apps       1.73%       31.54T  1.48%        35.73G
Misc                1.65%       30.08T  3.46%        83.82G
Audio/Video         0.52%       9.465T  0.43%        10.29G
Games               0.23%       4.241T  0.38%        9.141G
Unidentified        46.83%      855.1T  43.14%       1.045T
Total               100.00%     1.825P  100.00%      2.422T

This table is also available in the following more verbose version (no applications are aggregated into classes, but class composition is shown):

Table 7. Detailed Application Types (Full Data Set)

Traffic type                Octets (%)  Octets  Packets (%)  Packets
Data Transfers
  HTTP                      37.24%      679.9T  39.92%       966.9G
  Rsync                     0.93%       17.05T  0.71%        17.26G
  FTP                       0.73%       13.30T  0.53%        12.78G
  NNTP                      0.18%       3.304T  0.24%        5.802G
Encrypted Traffic
  HTTPS                     2.63%       48.02T  3.61%        87.32G
  SSH                       2.33%       42.55T  1.98%        47.95G
  IPsec ESP                 0.28%       5.131T  0.34%        8.255G
  IPsec AH                  0.00%       83.91G  0.01%        181.4M
  IPsec IKE                 0.00%       16.98G  0.00%        61.63M
Measurement
  Iperf                     2.66%       48.56T  1.80%        43.70G
  ICMP                      0.10%       1.745T  0.42%        10.20G
  IPMP                      0.00%       0.000   0.00%        0.000
File Sharing
  Audiogalaxy               1.21%       22.14T  0.88%        21.39G
  Hotline                   0.35%       6.374T  0.23%        5.576G
  Shoutcast                 0.25%       4.556T  0.30%        7.292G
  BitTorrent                0.10%       1.815T  0.09%        2.226G
  eDonkey2000               0.03%       562.6G  0.03%        725.2M
  FastTrack                 0.00%       89.30G  0.01%        130.0M
  Gnutella                  0.00%       86.96G  0.01%        207.1M
  WinMX                     0.00%       52.95G  0.00%        71.51M
  Neo-Modus                 0.00%       15.08G  0.00%        14.94M
  Carracho                  0.00%       7.996G  0.00%        14.86M
  Freenet                   0.00%       5.823G  0.00%        6.398M
  Blubster                  0.00%       3.726G  0.00%        32.10M
  Direct Connect++          0.00%       198.9M  0.00%        289.5k
Advanced Apps
  UNIDATA LDM               1.61%       29.34T  1.38%        33.31G
  McIDAS                    0.06%       1.154T  0.04%        940.1M
  BBCP                      0.05%       936.2G  0.05%        1.234G
  GsiFTP                    0.00%       54.78G  0.01%        136.0M
  BBFTP                     0.00%       46.20G  0.00%        97.29M
  IBP                       0.00%       1.664G  0.00%        5.189M
Misc
  Mail                      1.05%       19.10T  1.51%        36.52G
  DNS                       0.18%       3.371T  1.11%        26.82G
  Port 0                    0.16%       2.881T  0.14%        3.349G
  Squid                     0.12%       2.160T  0.12%        2.908G
  X11                       0.07%       1.305T  0.07%        1.798G
  MS Windows                0.02%       339.6G  0.24%        5.819G
  AFS                       0.02%       284.9G  0.03%        645.0M
  NTP                       0.01%       245.3G  0.13%        3.191G
  RTIP                      0.01%       117.7G  0.05%        1.301G
  IRC                       0.00%       80.04G  0.02%        498.7M
  Telnet                    0.00%       63.68G  0.02%        539.2M
  NFS                       0.00%       53.97G  0.00%        100.5M
  SOCKS                     0.00%       24.29G  0.00%        57.78M
  SNMP                      0.00%       24.02G  0.01%        180.0M
  AOL AIM                   0.00%       17.95G  0.00%        28.90M
  IDENT                     0.00%       10.15G  0.00%        47.15M
  RPC Portmapper            0.00%       2.263G  0.00%        5.570M
Audio/Video
  Real Player               0.29%       5.262T  0.25%        6.136G
  Any-Source Multicast      0.20%       3.647T  0.14%        3.493G
  Windows Media             0.02%       325.7G  0.01%        326.6M
  Backbone Radio            0.00%       78.74G  0.00%        111.5M
  H.323 Signaling           0.00%       57.30G  0.00%        79.58M
  Subset of VoIP            0.00%       42.33G  0.00%        64.02M
  Camarades webcams         0.00%       28.94G  0.00%        48.33M
  StreamWorks               0.00%       22.03G  0.00%        35.71M
  Single-Source Multicast   0.00%       0.000   0.00%        0.000
Games
  DirectX                   0.15%       2.716T  0.16%        3.934G
  Battlenet                 0.03%       624.6G  0.07%        1.604G
  Half-Life                 0.02%       395.9G  0.11%        2.578G
  Quake                     0.02%       327.5G  0.03%        614.4M
  Asheron                   0.00%       83.28G  0.01%        229.2M
  Starsiege Tribes          0.00%       52.45G  0.00%        107.5M
  Spy Arcade                0.00%       40.89G  0.00%        72.63M
Unidentified
  Unidentified              46.83%      855.1T  43.14%       1.045T
Total
  Total                     100.00%     1.825P  100.00%      2.422T

The following table summarizes the use of the most popular IPv4 protocols:

Table 8. IP Protocols Distribution (Full Data Set)

Protocols      Octets (%)  Octets  Packets (%)  Packets
ICMP[1]        0.10%       1.745T  0.42%        10.20G
IGMP[2]        0.00%       52.09M  0.00%        1.403M
IP-ENCAP[4]    0.01%       242.2G  0.01%        208.3M
TCP[6]         87.37%      1.595P  83.37%       2.019T
UDP[17]        11.97%      218.4T  15.52%       375.8G
IPv6[41]       0.07%       1.196T  0.11%        2.696G
GRE[47]        0.20%       3.685T  0.21%        5.114G
ESP[50]        0.28%       5.131T  0.34%        8.255G
AX.25[93]      0.00%       19.80k  0.00%        300.0
PIM[103]       0.00%       3.347G  0.00%        43.19M
IPMP[169]      0.00%       0.000   0.00%        0.000
Other          0.01%       207.1G  0.02%        452.9M
Total          100.00%     1.825P  100.00%      2.422T

We compute average packet size of each flow by dividing the number of octets in a flow by the number of packets. Distribution of (average) packet sizes is as follows:

Table 9. Packet Sizes (Full Data Set)

Packet Size          Packets (%)  Packets
Small (<100B)        40.20%       973.8G
Medium (100-1400B)   19.25%       466.3G
Large (1401-1500B)   40.54%       982.0G
Jumbo (>1500B)       0.00%        40.86M
Total                100.00%      2.422T

We only track DSCP values for which special treatment was defined by the Internet2 QoS working group (and the default of DSCP=0):

Table 10. Important DSCP Values (Full Data Set)

Type                   Octets (%)  Octets  Packets (%)  Packets
Best effort [DSCP=0]   97.23%      1.775P  97.42%       2.359T
Scavenger [DSCP=8]     0.14%       2.618T  0.20%        4.737G
EF [DSCP=46]           0.00%       85.92G  0.02%        403.8M
Other                  2.62%       47.79T  2.36%        57.23G
Total                  100.00%     1.825P  100.00%      2.422T

We collect statistics about ECN-capable traffic:

Table 11. ECN-Capable Traffic

Type          Octets (%)  Octets  Packets (%)  Packets
ECN-Capable   0.26%       4.717T  0.15%        3.549G

To facilitate detection of emerging applications, we present statistics about frequently encountered unidentified port numbers (no distinction is made in this table between TCP and UDP):

Table 12. Frequent Unidentified Ports

Port    Octets (%)  Octets  Packets (%)  Packets
1935    4.12%       75.18T  4.22%        102.3G
33001   2.49%       45.41T  1.28%        31.09G
33002   0.86%       15.68T  0.44%        10.73G
20000   0.57%       10.39T  0.38%        9.239G
2180    0.45%       8.139T  0.32%        7.777G