A NEW APPROACH TO INTERNET TRAFFIC MONITORING

 

Naveed Ahmad Junejo[1], Mukhtiar Ali Unar[2] and Noman Ahmad[1]


 

[1] Postgraduate student, Institute of Information Technology, Mehran University of Engineering and Technology, Jamshoro.

[2] Professor, Institute of Information Technology, Mehran University of Engineering and Technology, Jamshoro.

 


 
 
 

 

Abstract:

The demand for applications with real-time constraints on data networks has created a need for accurate forecasting models of the traffic already carried by these networks. Forecasting network traffic accurately requires analysis of real data networks, and various traffic-monitoring utilities are in use for this purpose. These utilities gather traffic on the basis of IP (Internet Protocol): they capture traffic according to the IP address assigned to a host. In this paper we present a traffic-monitoring utility that works at the MAC (Medium Access Control) level instead. The utility monitors network traffic by partitioning it into a set of classes, defined as Network Traffic, Broadcast Traffic and Workstation Traffic. It measures traffic on a time scale ranging from a few seconds to several minutes. The results demonstrate the working of the utility by plotting a graph for each of the defined classes.

 

1.      Introduction

The demand for Local Area Network connection services and for applications with real-time constraints is growing day by day. LAN traffic is rapidly becoming one of the major contributors to the high-speed networks of the future, and an accurate forecasting model for network traffic is becoming a need for real-time application developers.

 

The main objective of this paper is to present a new type of network traffic monitoring utility, developed for the Windows NT/2000 platform in the Visual C++ environment.

 

The idea of developing a network traffic monitoring utility originated from the work of Leland et al. [1], who used a monitoring system at Bellcore's labs that captures all packets seen on the Ethernet with accurate time stamps. Basu et al. [2] and Taqqu [3] have developed pure Poisson, Poisson batch and Markov-modulated Poisson process models for packet traffic. Jain and Routhier [4] developed the packet train model. Other authors [5-9] have also presented models of network traffic. The models mentioned above have two main limitations:

(a)       They are not very accurate in forecasting network traffic because of the randomness of the traffic.

(b)       They do not partition the aggregate network traffic. Our proposed utility removes this limitation.

Having analysed the formal packet-traffic models and the packet train model currently in use, our intention is to develop a model of the aggregate traffic based on partitioning it into a set of classes, so that we can extract the behaviour of a specified kind of traffic, estimate the percentage it contributes to the aggregate, and then project long-term traffic for future networks. The proposed approach should help in developing traffic models and in predicting the long-range dependence characteristics of network traffic.

Dividing the traffic into a set of classes allows us to monitor the broadcast traffic on a network, which gives the exact percentage of broadcast traffic generated by the workstations connected to it; this helps in predicting the number of broadcast packets as the number of workstations increases. Similarly, identifying workstation traffic allows us to calculate the traffic generated by a single workstation and then predict the total if the number of workstations grows. Finally, the utility separately monitors the network traffic, i.e. the total traffic flowing through the network pipe. By comparing the results of all three classes, we believe researchers will be better able to predict the network traffic of the future.

 

The paper is organized as follows. In section 2 we present the technique used to achieve traffic monitoring: we mainly discuss the existing network architecture of the Windows operating system [10-11] and the components added to it to achieve traffic monitoring. In section 3 we discuss the execution and working of the traffic monitoring utility. Section 4 presents the conclusions.

 

2.      Techniques used to achieve traffic monitoring

To develop a traffic monitoring application we need to explore the existing network architecture of Windows NT/2000 [10-13] and understand how it captures frames from the network.

 

The Windows NT/2000 network architecture [11-13] used for capturing frames from the network is shown in Fig. 1. It contains three levels: user, kernel and hardware. The network hardware is a network interface card or a modem.

 

The application resides at the user level, from which it requests services. The kernel level serves those requests; in the Windows network architecture this is implemented as a protocol driver. The kernel communicates with the driver of the Network Interface Card (NIC), optionally through an intermediate driver, as shown in Fig. 1. The hardware level contains the network hardware itself.

 

Let us now trace the frame capturing done in Windows NT/2000. Looking at Fig. 2, at the user level there is a network monitoring application; at the kernel level the protocol driver is the TCP/IP stack [13]; at the hardware level there is a Network Interface Card that receives frames travelling on the network.

The hardware layer, e.g. the Ethernet adapter, serves as a filter. In its normal receive mode it rejects all incoming frames except those carrying the adapter's own address, the all-1s broadcast address (FF-FF-FF-FF-FF-FF) and the multicast addresses it has been configured to accept.

After a frame passes the hardware filter it is handed by NDIS (the Network Driver Interface Specification) to the appropriate protocol module in the TCP/IP stack, and from there to the application that requested it.

Fig 1: Windows NT/2000 Network Model. User level: Win32 applications. Kernel level: protocol drivers, an intermediate driver and the NIC driver. Hardware level: the network hardware.

The existing architecture [11-13] does not serve our purpose, since we are trying to partition the traffic. To achieve this goal we need to add components to the network model defined by the Windows NT/2000 operating system [11-13]. Our focus is to capture all the raw traffic. For this we use the NDIS architecture, which has the capability to put the network interface card into PROMISCUOUS mode, meaning that the card accepts every frame on the segment rather than only those addressed to it. Once this is done, the remaining part is the division of the aggregate traffic; for this purpose we have added a packet capture driver.

 

The packet capture driver sits in parallel with the TCP/IP stack. Its function is to interact with the Network Interface Card through NDIS and set the adapter into a mode in which it captures all frames, not only its own. Received frames, signalled by hardware interrupts, are then delivered through the packet capture driver channel as shown in Fig. 2.

 

The packet capture driver lies at the kernel level, and a user-level application cannot directly access kernel memory. To reach the packets held at the kernel level, PACKET.DLL is used. PACKET.DLL has two basic objectives. At the lower layer it acts as an interface to the packet capture driver, reading the captured packets from the kernel through operating system routines. At the higher layer it provides a set of methods through which the application accesses those packets.

In our application the methods of PACKET.DLL are used to perform packet capturing and related tasks. The utility then reads the captured packets and partitions them into the set of classes.

The packet capture driver forwards incoming frames to the application through the PACKET.DLL interface, which lets the application read the raw frames in hexadecimal format.
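As an added example (not the paper's own code and not part of PACKET.DLL), the following C program shows the two operations described above: the NIC's receive-address filter, which a monitor must bypass with promiscuous mode to see frames exchanged between other stations, and the partitioning of raw Ethernet frames into the paper's Network, Broadcast and Workstation classes per time interval, which is what the graphs in Figs. 3-5 plot. The MAC addresses, frame contents and arrival timestamps are constructed sample input; the one-second bin width, the rule that workstation traffic means frames whose source MAC is the watched station, and the timestamp being supplied by the capture path are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the paper's code. It models (1) the NIC receive
 * address filter that the packet capture driver bypasses by enabling
 * promiscuous mode, and (2) partitioning raw Ethernet frames into classes
 * binned by arrival time:
 *   Network     = every frame seen on the wire (aggregate traffic)
 *   Broadcast   = destination FF-FF-FF-FF-FF-FF
 *   Workstation = frames whose source MAC is the watched station (assumed)
 * All MACs, frame bytes and timestamps below are constructed sample input. */

#define ETH_ALEN 6
#define ETH_HLEN 14          /* dst(6) + src(6) + EtherType(2) */

struct counts { unsigned network, broadcast, workstation; };

static const uint8_t BCAST[ETH_ALEN] = {0xff,0xff,0xff,0xff,0xff,0xff};

/* Normal receive mode passes only the adapter's own unicast address, the
 * broadcast address and multicast (I/G bit set in the first destination
 * byte; simplified, a real adapter passes only its configured groups).
 * Promiscuous mode passes every well-formed frame. */
int hw_filter_accepts(const uint8_t *frame, size_t len,
                      const uint8_t *adapter_mac, int promiscuous)
{
    if (len < ETH_HLEN) return 0;                 /* runt: no full header */
    if (promiscuous) return 1;
    if (memcmp(frame, BCAST, ETH_ALEN) == 0) return 1;
    if (frame[0] & 0x01) return 1;
    return memcmp(frame, adapter_mac, ETH_ALEN) == 0;
}

/* Count one frame, captured at t_ms, into the bin covering its interval.
 * Returns 0 when counted, -1 for a runt or a time outside the window. */
int account(struct counts *bins, size_t nbins, unsigned bin_ms,
            const uint8_t *frame, size_t len, unsigned t_ms,
            const uint8_t *station_mac)
{
    if (len < ETH_HLEN) return -1;
    size_t i = t_ms / bin_ms;
    if (i >= nbins) return -1;
    const uint8_t *dst = frame, *src = frame + ETH_ALEN;
    bins[i].network++;
    if (memcmp(dst, BCAST, ETH_ALEN) == 0) bins[i].broadcast++;
    if (memcmp(src, station_mac, ETH_ALEN) == 0) bins[i].workstation++;
    return 0;
}

/* Build a minimum-size (60-byte) frame: dst, src, EtherType, zero payload. */
static size_t make_frame(uint8_t *buf, const uint8_t *dst,
                         const uint8_t *src, uint16_t ethertype)
{
    memset(buf, 0, 60);
    memcpy(buf, dst, ETH_ALEN);
    memcpy(buf + ETH_ALEN, src, ETH_ALEN);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    return 60;
}

/* Replay a constructed seven-frame trace into one-second bins and return
 * how many of those frames the capturing host's NIC would have passed in
 * normal (non-promiscuous) mode, i.e. what an IP-level monitor sees. */
unsigned run_sample(struct counts *bins, size_t nbins)
{
    static const uint8_t monitor[ETH_ALEN] = {0x00,0x10,0x5a,0x01,0x02,0x03};
    static const uint8_t ws[ETH_ALEN]      = {0x00,0x50,0x04,0xaa,0xbb,0xcc};
    static const uint8_t server[ETH_ALEN]  = {0x00,0xe0,0x4c,0x11,0x22,0x33};
    static const uint8_t mcast[ETH_ALEN]   = {0x01,0x00,0x5e,0x00,0x00,0x01};
    const struct { const uint8_t *dst, *src; uint16_t type; unsigned t_ms; } trace[] = {
        { BCAST,   ws,     0x0806,  100 },   /* ARP request from workstation */
        { ws,      server, 0x0800,  150 },   /* IP reply to workstation      */
        { server,  ws,     0x0800,  400 },   /* IP from workstation          */
        { monitor, server, 0x0800,  700 },   /* IP to the capturing host     */
        { BCAST,   server, 0x0806, 1200 },   /* ARP request from server      */
        { mcast,   server, 0x0800, 1300 },   /* multicast from server        */
        { server,  ws,     0x0800, 1900 },   /* IP from workstation          */
    };
    uint8_t buf[60];
    unsigned passed_normal = 0;
    memset(bins, 0, nbins * sizeof *bins);
    for (size_t k = 0; k < sizeof trace / sizeof trace[0]; k++) {
        size_t len = make_frame(buf, trace[k].dst, trace[k].src, trace[k].type);
        passed_normal += (unsigned)hw_filter_accepts(buf, len, monitor, 0);
        account(bins, nbins, 1000, buf, len, trace[k].t_ms, ws);
    }
    return passed_normal;
}

int main(void)
{
    struct counts bins[2];
    unsigned seen = run_sample(bins, 2);
    for (size_t i = 0; i < 2; i++)
        printf("bin %zu: network=%u broadcast=%u workstation=%u\n",
               i, bins[i].network, bins[i].broadcast, bins[i].workstation);
    printf("frames passed by the NIC without promiscuous mode: %u of 7\n", seen);
    return 0;
}
```

On the constructed trace the capturing host's adapter would pass only four of the seven frames in normal mode (the two broadcasts, the multicast and the one unicast addressed to it); the three unicast frames between the workstation and the server, which make up most of the Workstation class, are visible only once the packet capture driver has switched the adapter to promiscuous mode. The per-bin counts are the raw series that a graph of each class over time is plotted from.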

 

 

 

3.0 Discussion and Results

 

Even though various traffic-monitoring applications are on the market and are used to monitor network traffic and describe its behaviour over long time scales, the utility discussed in this paper relates closely to those developed earlier, with the enhancement of monitoring traffic as a set of classes. The objective of this research was to create a traffic monitoring utility with which the traffic can be measured in its different proportions. The graphs obtained from the captured traffic are shown in Figs. 3, 4 and 5. They demonstrate the working of the utility and confirm what the earlier formal models [1-9] suggested: network traffic is highly random. Our goal does not end here; it is to provide simple, accurate and realistic descriptions of traffic scenarios and to develop traffic models that predict the traffic of future networks.

Fig. 2   Frame Capturing Architecture. User level: an ordinary application and the Traffic Monitoring Utility, the latter reached through Packet.dll. Kernel level: the TCP/IP stack and, in parallel with it, the Packet Capture Driver, both bound to the NIC driver through NDIS. Hardware level: the NIC card.

 

 

 

4.0 Conclusions

 

This paper has presented a traffic monitoring application which partitions the captured traffic into a set of classes and plots a graphical representation of each class over a time scale ranging from a few seconds to minutes. The traffic analysis was carried out on a workstation primarily used as a server.

 

The results show that network traffic follows random patterns recurring over long cycles. The graphs show the occurrence of packets against time interval in the three modes. In future enhancements of the traffic monitoring utility we will add packet graphs for the different packet sizes, byte graphs, and the delay between packet arrivals.

 

Acknowledgements

 

We gratefully acknowledge Mehran University of Engineering and Technology for providing the laboratory facilities used for the traffic monitoring analysis.

 

 

References

 

[1] W. E. Leland, M. S. Taqqu, W. Willinger and D. V. Wilson, "On the Self-Similar Nature of Ethernet Traffic (Extended Version)", IEEE/ACM Trans. Networking, vol. 2, no. 1, pp. 1-15, 1994.

[2] S. Basu, A. Mukherjee and S. Klivansky, "Time Series Models for Internet Traffic", Proc. IEEE INFOCOM '96, San Francisco, CA, vol. 2, pp. 611-620, March 1996.

[3] M. S. Taqqu, "A Bibliographical Guide to Self-Similar Processes and Long-Range Dependence", in: Dependence in Probability and Statistics, E. Eberlein and M. S. Taqqu (Eds.), Birkhäuser, Basel, pp. 137-165, 1985.

[4] R. Jain and S. A. Routhier, "Packet Trains: Measurements and a New Model for Computer Network Traffic", IEEE Journal on Selected Areas in Communications, vol. 4, pp. 986-995, 1986.

[5] D. Anick, D. Mitra and M. M. Sondhi, "Stochastic Theory of a Data-Handling System with Multiple Sources", Bell System Technical Journal, vol. 61, pp. 1871-1894, 1982.

[6] R. Dahlhaus, "Efficient Parameter Estimation for Self-Similar Processes", Ann. Statist., vol. 17, pp. 1749-1766, 1989.

[7] L. M. Berliner, "Statistics, Probability and Chaos", Statistical Science, vol. 7, pp. 69-90, 1992.

[8] D. R. Cox, "Long-Range Dependence: A Review", in: Statistics: An Appraisal, H. A. David and H. T. David (Eds.), The Iowa State University Press, Ames, Iowa, pp. 55-74, 1984.

[9] H. Tong, Threshold Models in Non-linear Time Series Analysis, Lecture Notes in Statistics, vol. 21, Springer-Verlag, 1983.

[10] Windows 2000 NDIS Driver Development and Debugging, Microsoft Press, 2000.

[11] D. MacDonald and W. Barkley, Microsoft Windows 2000 TCP/IP Implementation Details, Microsoft Press, 2001.

[12] Developing Device Drivers for Windows NT/2000, Auriga Inc. White Paper, 2001.

[13] Naveed Ahmed and Asadullah Shah, "Protocol Analysis over LAN", IEEE SCONEST Conference, Karachi, 31 August 2002.


 

 


 

Fig 3: Workstation Traffic Monitoring Graph

Fig 4: Network Traffic Monitoring Graph

 


 

Fig 5: Broadcast Traffic Monitoring Graph

 
   
   
   
   
 