Next: Related work
Up: The Power of Slicing
Previous: The Power of Slicing
The role of traffic measurement in operating large scale IP networks requires
little or no introduction. Traffic measurement
allows network operators to make informed decisions about provisioning and
extending their networks, and it helps solve many operational problems.
Specialized devices operating on relatively low traffic links can perform
complex security analyses that reveal malicious
activities [18,20], monitor complex performance
metrics [6], or simply capture packet (header) traces with
accurate timestamps [7] to be analyzed offline. Much simpler solutions
such as SNMP counters [16] are deployed on even the highest speed
links, but they only give measurements of the total volume of the traffic. Flow
level measurement at routers [2,3] offers a good compromise
between scalability and the complexity of the traffic analyses supported since
it can offer details about the composition of the traffic mix.
In this paper, we propose a new flow measurement solution: Flow Slices. The
contributions of this paper are both practical and theoretical and we summarize
the most important ones here.
-
- Flow Slices has separate parameters controlling the three possible
bottlenecks at the router: processing load, memory, and reporting bandwidth.
This separation allows the solution to be applicable in a wide variety of
scenarios with different resource constraints.
-
- The flow slicing algorithm at the core of this solution provides more
accurate results than packet sampling using the same amount of memory. Moreover,
it enables new measures of traffic such as estimates for the number of active
flows. Note: we use Flow Slices to refer to the the complete flow measurement
solution proposed in this paper and flow slicing to refer to the algorithm at
the core of the solution.
-
- Flow Slices separates sampling rate adaptation from binning. Adaptive
NetFlow uses more router memory and measurement bandwidth because its flow
records are active for fixed time intervals (bins). Adaptive sampling rates
give Flow Slices the robustness of Adaptive NetFlow without the overheads of
binning. See for a comparison of various flow
measurement solutions.
-
- We propose multi-factor smart sampling that takes into account multiple
factors such as byte counts, packet counts, and the existence of SYN flags in
the flow records to determine the sampling probability for individual flow
records. For comparable configurations, this decreases significantly the
variance in estimates of the number of flow arrivals while increasing only
slightly the variance for byte counts when compared to Smart Sampling.
-
- Optional binned measurement allows us to eliminate binning error in the
analysis phase, while still maintaining the memory and reporting bandwidth
overheads below those of Adaptive NetFlow.
-
- We propose novel estimators
,
,
, and
for various measures of traffic.
See for a discussion of these and other estimators.
Before we explain Flow Slices, we briefly review some of the previous work in
Internet flow measurement.
Next: Related work
Up: The Power of Slicing
Previous: The Power of Slicing
Ramana Rao Kompella
2005-08-12