|
||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| Graphs are png files identify as follows: | ||||||||||||||||||||||||||
|
mm.dd.yyyy-@hh.uu.acronym.png |
||||||||||||||||||||||||||
| Where mm is the month, dd the day, yyyy the year, hh the hour, and uu the minute when the sample was taken, acronym the acronym indicated above and png the file extension. This way, the following file: | ||||||||||||||||||||||||||
|
10.16.2003-@07.30.ipx.conn.png |
||||||||||||||||||||||||||
| Corresponds to a sample took in octuber 16, 2003, at 7:30 a.m., and represents instant throughput per connection. | ||||||||||||||||||||||||||
|
10.21.2003-@014.50.proto.png |
||||||||||||||||||||||||||
| Corresponds to a sample took in octuber 21, 2003, at 2:50 p.m., and represents instant throughput per protocol. | ||||||||||||||||||||||||||
| Also, a daily printed system throughput report (a text file) was obtained identified as proto.txt. This file is very large because each sample is detailed in the report. You can have a copy in the link above. | ||||||||||||||||||||||||||
There is really a bundle of graph files; for each sample we have: one for
proto, three for each of the following: srcadr, srcport,
dstadr, dstport, conn, host, and port.
Total: 22 graph files per sample. Total number of files:
|
||||||||||||||||||||||||||
|
Okay. I packed these files in six zip files called: 10.16.2003.zip,
10.17.2003.zip, 10.18.2003.zip, 10.19.2003.zip,
10.20.2003.zip, and 10.21.2003.zip, using the sampling day. Each
file is 9 MB aproximately. I uploaded to my site the file
corresponding to the day octuber, 16, 2003. It is here:
10.16.2003.zip.
If you want to check the other files, please let me know to e-mail you a
temporal link. Files are very large and waste my scarce web space. Btw do you need software? Have a look to Adobe. You could find there what you want. |
||||||||||||||||||||||||||
| If you are curious and have enough time there is a lot to see in these graphs. They could serve as a mean to understand better the relationship between different kind of protocol traffic when they compete for network resources. People that have better size up that I have could get very interesting conclusions analizing the graphs. If you need them to advance an study or a work just let me know, the graphs are at the order of you as soon as my credit is respected indicating the address of this site. | ||||||||||||||||||||||||||
| Next, let's have a look to some of the files about traffic during the day 10.16. 2003. | ||||||||||||||||||||||||||
| The protocol distribution graph at 4:10 p.m. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
|
This graph represents the more common behavior of the Company X's LAN.
Normally, during labor hours, LAN is almost engaged by the IPX/SPX
protocol. The IPX high and steep peaks show that this protocol is
very aggressive. Do not forget that this outputs are smoothed previously to
be plotted. TCP has a softly behavior. UDP contribution is
negligible. The very aggresive behavior of IPX protocol let's to
presume that burstiness could be a problem in this network. Btw if you need some of them Shoeline carries a wide variety of footwear brands including Born, Sofft, Double H Boots, and many more brands that serve many lifestyles. |
||||||||||||||||||||||||||
| Sometime the network is controlled by TCP, when stations using the administrative software with its database in the Netware Server are less busy, as here at 8:40 a.m. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| At 9:40 a.m. things go as this: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
Again, the IPX protocol dominates the scene. The system throughput
share at this time (see printed report) is:
Let's see the source address protocol distribution graph for the TCP protocol at 9:40 a.m. |
||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| These are the top 5 source addresses. Internet server dominates the scene. | ||||||||||||||||||||||||||
| Same graph for destination addresses is: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Again, the Internet Server seems to dominate the scene, at least, having the larger system throughput (see the printed report). Addresses on the top, at right, are showed from top to bottom based in the system throughput. It is easy to see that higher peak of throughput doesn't mean higher system throughput. | ||||||||||||||||||||||||||
| Checking by addresses is very difficult; we could have a lot of connections. | ||||||||||||||||||||||||||
| UDP has a minor contribution. Here we have the source address protocol distribution graph for the UDP protocol at 9:40 a.m. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Again, the main Interner Server controls the UDP scene. The destination address protocol distribution graph for the UDP protocol at 9:40 a.m. is as follows: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Hum.., very interesting. .255 is a broadcast address. Nevertheless, we checked broadcast and multicast traffic and didn't find any abnormal situation. This traffic is always no more than 1% of the total traffic in the LAN. It is very important to check this type of traffic. Some alien problems are caused by abnormal (excesive) broadcast and multicast traffic. | ||||||||||||||||||||||||||
| IPX/SPX uses MAC addresses to identify the flows. Here we have the source address protocol distribution graph for the IPX protocol at 9:40 a.m. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| This protocol does play hard, doesn't it? It's like an american football player. I have a great respect for Novell and its premium product Netware, but their protocol doesn't help anything in a congested LAN; it is very aggressive and does not collaborate with trying to maintain congestion under control. | ||||||||||||||||||||||||||
| 00...00.01 is the Netware Server. In this sample (10.16.2003 at 9:40 hours), Netware dominates the LAN. Its contribution is 84.84%, against 15.07% of TCP and 0.09% of UDP. Have a look below to the printer report at this hour. The system throughput is just 933.22 kbps (10% of the IPX peaks), but IPX contribution to the system throughput is only 791 kbps. | ||||||||||||||||||||||||||
| The destination address protocol distribution graph for the IPX protocol at 9:40 a.m. is here: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Very short and fast transmissions. And retransmission I've got to suppose. It would be very nice to have some way to check losses, but, using tcpdump in a promiscuous interface, this is not an easy task. | ||||||||||||||||||||||||||
| When analyzing traffic is very interesting to know whether some pair of addresses cover the LAN bandwidth. To check this we happen to use a connection protocol distribution graph where instant throughput per connection (peer of addresses) by protocol is plotted vs time. Here we have this graph for the TCP protocol at 9:40 a.m. | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
|
Again checking by addresses is not easy. Pairs include the Internet
Server address most of the time but the other address vary frequently.
There is another problem: with the use of P2P protocols every PC
can be connected to every PC and the number of addresses to manage
grow geometrically. Anyway, it is necessary to check all the graphs (having
the time, of course) to see if
something abnormal can be detected. |
||||||||||||||||||||||||||
| The same graph for the UDP protocol is here: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| This graph confuses me more than a little. First the broadcast addresses, and second the high level throughput flow from address 192.168.0.2 to address 192.168.0.255. This should be DNS traffic but we have to check first the ports being used to be sure of this asseveration. I really don't know too much about DNS protocol and its behavior. Also, P2P protocols like FastTrack protocol uses UDP to discover peers. People from Company X are using E-mule (and probably Kaaza, see below), and perhaps these lightning flows could be provoked by this protocol. However, the UDP contribution to the total system throughput is really negligible as can be seen in the printed report; this consideration doesn't push us to much to investigate a little more. Well, I'm going to check again the source file generated by tcpdump to be sure that everything is going right; this output is very suspicious, then, if someone can have some explanation for this behavior, his/her explanation will be well received. I really made a mistake because in the printed report I mixed TCP and UDP traffic in the same output, then I can't check which ports are using each protocol. This mistake has to be fixed for the next time. | ||||||||||||||||||||||||||
| Being IPX the dominating protocol this type of graph (by connection) is more useful to check IPX behavior. Number of IPX machines is low and the check is more consistent. Here we have the graph: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| The same pattern for the station 00:30:4f:1a:3c:00, and inclusive, for the second station 00:20:af:dc:d6:f3. Let's check the next day; here we have the sample in octuber, 18, 2003: | ||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| Okay, what's going on here. Nothing to be worried. Octuber, 18, 2003 is saturday, not a labor day. IPX protocol contribution is just Netware broadcast. Then, let's jump sunday, and check monday, octuber, 20, 2003: | ||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| Same patter in the first station. Finally tuesday, octuber, 21, 2003: | ||||||||||||||||||||||||||
|  |
|||||||||||||||||||||||||
|
Eureka!! Pattern is repeated again. This check we have done is very
important because now we know that the Netware stations:
00:30:4f:1a:3c:00, 00:20:af:dc:d6:f3, 00:30:4f:16:aa:63,
00:e0:7d:84:b8:f9, and 00:01:02:be:56:a4, cover most of the
IPX traffic with the Netware server in the LAN. Ok, forget a little all these complicated things to know that British Airways is one of the world's largest international flight and tour operating airlines,with flights to over 300 destinations. If you want to travel go with them. |
||||||||||||||||||||||||||
| Observe that checking by addresses does help us a lot to frame the situation when trying with the IPX protocol; instead this was not the case for TCP or UDP protocols where multiple addresses makes difficult to have a clear understanding of what is going on. With TCP and UDP is better to check by ports. Next is the source port protocol distribution graph at 9:40 a.m., where instant throughput by source port was plotted vs time for the TCP protocol: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Incredible!! Port 80 traffic (www) is in the fourth position by system throughput. The TCP traffic is being used mainly to transport some other kind of services. Port assignments is regulated by IANA but some people simply ignore the rules and use port numbers following their own interests. Checking IANA port assignments at http://www.iana.org/assignments/port-numbers let's see what they say about ports 4662, 3861 and 4374. | ||||||||||||||||||||||||||
winshadow-hd 3861/tcp winShadow Host Discovery |
||||||||||||||||||||||||||
| Well... Looking at Internet for winShadow you can find this: http://download.com.com/3000-7240-10173793.html ; winShadow is a P2P protocol for PC discovering. Port 4662 is not assigned to any protocol by IANA but if you make a search in Google using the words "Port 4662", you will receive a bundle of links and sooner than later you will discover that this port is used for e-mule to make P2P connections. Port 4374 is neither IANA assigned to any protocol but I can't find any interesting information when searching using the word "Port 4374" or even "TCP:4374". | ||||||||||||||||||||||||||
| The same graph but for destination port is as follows: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Again the port 4662 dominates the TCP scene. | ||||||||||||||||||||||||||
| Let's see what's going on with UDP protocol when checking by ports; first the source port protocol distribution graph for UDP at 9:40 a.m.: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Nothing extraordinary; ports 137 and 138 are for Netbios. This could explain the UDP broadcast traffic that we saw above when searching for addresses. Netbios uses broascast to discover and propagate netbios station names. Port 4672 is rfa (remote file access server); checking in Internet this port is used for e-mule traffic too. Port 53 is just DNS. | ||||||||||||||||||||||||||
| Looking to the same graph for destination port, we have: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Something very similar to the first graph. In general we didn't put too much stress verifying UDP protocol because as I told you before its contribution to the total system throughput is really negligible. | ||||||||||||||||||||||||||
| Having the throughput distribution by source, destination, or even by connection don't give us the total throughput supported for each station (host) or port. Checking by host (source or destination) gives us the load supported for each station. | ||||||||||||||||||||||||||
| Let's see the host protocol distribution graph where instant throughput per host (source and destination addresses) by protocol was plotted vs time for the TCP protocol: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| Okay; the Internet Server appears to dominate the scene. The rest of addresses are for stations not belonging to the Company X. Let's see what about the same graph for the UDP protocol: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
|
Here the broadcast traffic, probably from the Netbios protocol,
is the dominating protocol for the internal network 192.168.0/24. The
Internet Server follows. I think that if Company X re-check
their Window settings they could use only the TCP protocol
eliminating Netbios and saving some kbps of broadcast
traffic. Some friend of mine that know about Window (I know about
WindOw the O because is round) told me that using WINS they could
eliminate most of the Netbios broadcast traffic. Again I'm not an
expert and it's just a matter to make some tests and measures. Well, like to travel on train? thetrainline.com is the leading independent retailer of train tickets online. Book in advance and save on average 43%. I always use their services. |
||||||||||||||||||||||||||
| Finally, for host distribution, let's see the graph for the IPX/SPX protocol; here we have: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| This graph just confirm what we was talking about (see above) that five machines cover most of the IPX network traffic. | ||||||||||||||||||||||||||
| Now let's have a look to the same graphs but this time using ports. Here we have the port protocol distribution graph where instant throughput per port (source and destination ports) by protocol was plotted vs time for the TCP protocol: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| For TCP, e-mule is the indisputable winner. Let's see what about UDP: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| For UDP, Netbios is the stronger protocol. Port 4672 is also for e-mule traffic. | ||||||||||||||||||||||||||
| What about the system throughput distribution for these ports?; having a look to the printed report we have: | ||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| To reduce the system throughput report length, I combined TCP and UDP protocols in the same measure and, probably, that was an error. But having into account that UDP protocol contribution is negligible, we can observe that e-mule traffic covers 82.41% of the TCP traffic. Being the TCP traffic in the order of 15% of the total traffic in the network during labor hours, then e-mule traffic is using 12.36% of the network resources. Also, traffic through port 3861 is related, probably, with e-mule, because it is winShadow Host Discovery traffic, used to discover P2P PC peers; then, practically all the network resources used by the TCP protocol are commited with e-mule. | ||||||||||||||||||||||||||
| Recommendations | ||||||||||||||||||||||||||
| Recommendations to the customer Company X are very simple because their problems are very focalized: | ||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
