Network Measurement
Overview
Network measurement underpins operations, research, and security. Techniques fall into two broad categories: active (inject probe traffic) and passive (observe existing traffic).
| Approach | Method | Impact on Network |
|---|---|---|
| Active | Send probes, measure responses | Adds traffic; can trigger rate limiting |
| Passive | Capture/analyze existing traffic | No additional load; privacy concerns |
Active Measurement
Traceroute
Discovers the forward path from source to destination by exploiting TTL (Time-to-Live) behavior.
Classic traceroute:
Send packet with TTL=1 → first hop returns ICMP Time Exceeded
Send packet with TTL=2 → second hop returns ICMP Time Exceeded
...
Send packet with TTL=n → destination returns ICMP Port Unreachable (UDP)
or Echo Reply (ICMP)
Traceroute Variants
| Variant | Transport | Advantage |
|---|---|---|
| UDP traceroute | UDP to high port | Classic; widely supported |
| ICMP traceroute | ICMP Echo Request | Works where UDP is filtered |
| TCP traceroute (tcptraceroute) | TCP SYN to port 80/443 | Traverses firewalls that allow web traffic |
| Paris traceroute | Fixed flow ID fields | Avoids per-flow load balancing artifacts |
Paris Traceroute
Standard traceroute uses different source ports per probe, causing ECMP routers to hash probes to different paths. This produces false topology (diamonds, loops that do not exist).
Paris traceroute fixes the flow identifier (5-tuple hash) across all probes to a given destination, ensuring all probes follow the same path. MDA (Multipath Detection Algorithm) extension systematically discovers all load-balanced paths.
Bandwidth Estimation
Available Bandwidth
The unused capacity on a path at a given time.
| Tool | Technique |
|---|---|
| pathload | Self-loading periodic streams; detect increasing delay trend |
| pathchirp | Exponentially spaced packet chirps; inflection point = available BW |
| Spruce | Probe gap model with packet pairs at specific spacing |
Capacity (Bottleneck Bandwidth)
The maximum throughput a path can sustain.
| Tool | Technique |
|---|---|
| pathrate | Variable-length packet trains; analyze dispersion |
| Nettimer | Packet pair dispersion from existing TCP traffic |
| iperf3 | End-to-end throughput test (saturates the path) |
Packet Pair / Train Dispersion
Sender: Receiver:
|P1|P2| → link → |P1| |P2|
back-to-back spaced by bottleneck
Bottleneck capacity = packet_size / inter-arrival_gap
- Packet pairs estimate per-hop capacity.
- Packet trains (multiple packets) improve accuracy by averaging.
- Cross-traffic introduces noise; statistical methods filter it.
ping and RTT Measurement
- ICMP Echo Request/Reply measures round-trip time.
- Minimum RTT approximates propagation delay (no queuing).
- RTT variance indicates congestion or path changes.
- One-way delay requires clock synchronization (NTP/PTP) or GPS.
Passive Measurement
NetFlow / IPFIX
NetFlow (Cisco) and IPFIX (IETF standard, RFC 7011) export flow-level summaries from routers.
Flow definition: Unidirectional sequence of packets sharing:
- Source/destination IP
- Source/destination port
- IP protocol
- Ingress interface
- ToS/DSCP
Flow record fields:
Source IP, Dest IP, Src Port, Dst Port, Protocol
Packet count, Byte count
Start time, End time
TCP flags (OR of all packets)
Input/Output interface
Next-hop IP, Source/Dest AS
Sampling: At high link speeds, routers sample 1-in-N packets (e.g., 1:1000) and extrapolate flow statistics. Introduces estimation error but is necessary for performance.
sFlow
sFlow (RFC 3176) is an industry-standard sampling technology.
| Feature | NetFlow/IPFIX | sFlow |
|---|---|---|
| Sampling | Flow-based (aggregate then sample) | Packet-based (sample then aggregate) |
| Overhead | Maintains flow cache on router | Stateless; minimal router overhead |
| Granularity | Flow-level | Packet headers + interface counters |
| Timeliness | Export on flow expiry | Continuous stream of samples |
| Multi-layer | L3-L4 | L2-L7 (copies packet header) |
sFlow samples 1-in-N packets, copies the first 128 bytes (header), and exports immediately with interface counter snapshots. The collector reconstructs traffic statistics.
Packet Capture
Full packet capture for detailed analysis.
| Tool | Description |
|---|---|
| tcpdump/libpcap | Standard packet capture library and CLI |
| Wireshark/tshark | GUI/CLI protocol analyzer |
| PF_RING | High-speed capture framework (kernel module) |
| DPDK-based | Userspace capture at 10-100 Gbps |
| Network TAPs | Hardware devices that copy traffic non-intrusively |
eBPF for Network Observability
eBPF programs attached at various kernel hooks provide programmable, low-overhead monitoring.
XDP (ingress) → TC (traffic control) → Socket → Application
↓ ↓ ↓
eBPF programs collect metrics, trace events, filter traffic
↓
Maps (hash, array, ring buffer) → userspace tools
- Tools: bpftrace, Cilium Hubble, Pixie, Retina.
- Can observe TCP state, retransmissions, RTT, connection events without packet capture.
Traffic Classification
Identifying application types from network traffic.
Classification Approaches
| Approach | Method | Accuracy | Limitations |
|---|---|---|---|
| Port-based | Map well-known ports to apps | Low | Apps use non-standard ports |
| DPI (Deep Packet Inspection) | Pattern match on payload | High (unencrypted) | Fails with encryption (TLS) |
| Statistical/ML | Classify based on flow features | Moderate-High | Requires training data; drift |
| Behavioral | Application-level traffic patterns | Moderate | Complex models |
| Encrypted traffic analysis | Packet sizes, timing, TLS metadata | Moderate | Privacy-invasive; adversarial evasion |
Flow Features for ML Classification
| Feature Category | Examples |
|---|---|
| Size-based | Mean/std packet size, total bytes, payload ratio |
| Time-based | Flow duration, inter-arrival time stats |
| Protocol | TCP flags distribution, TLS version, cipher suite |
| Behavioral | Number of sub-flows, burst patterns |
| Statistical | Entropy of packet sizes, autocorrelation |
Encrypted Traffic Classification
With ubiquitous TLS, classifiers rely on:
- TLS handshake metadata: SNI (being encrypted via ECH), cipher suites, extensions.
- JA3/JA4 fingerprints: Hash of TLS ClientHello parameters identifies client software.
- Packet size sequences: Different applications produce characteristic size patterns.
- Timing patterns: Video streaming vs. web browsing vs. interactive apps.
Network Telescopes (Darknets)
A network telescope monitors traffic sent to routed but unused IP address space (dark space).
What Telescopes Observe
Internet → Traffic to unused IPs → /8 or /16 darknet → Capture and analyze
| Traffic Type | Cause |
|---|---|
| Backscatter | Replies to spoofed-source DDoS attacks (SYN-ACKs, RSTs) |
| Scanning | Worms, botnets, researchers scanning the Internet |
| Misconfiguration | Traffic to bogon or mistyped addresses |
Analysis Applications
- DDoS measurement: Backscatter analysis estimates global DDoS activity. A /8 telescope observes ~1/256 of all backscatter.
- Worm detection: Sudden increase in scanning traffic indicates new worm propagation.
- Vulnerability scanning: Track scanning campaigns by source, port, protocol.
Notable Telescopes
| Project | Size | Operator |
|---|---|---|
| UCSD Network Telescope | /8 | CAIDA |
| Merit Darknet | /15 | Merit Network |
| GreyNoise | Distributed sensors | GreyNoise Intelligence |
Internet Topology Mapping
IP-Level Topology
- Use traceroute from many vantage points to discover router-level connectivity.
- CAIDA Ark: Distributed traceroute infrastructure with ~200 global monitors.
- RIPE Atlas: 12,000+ probes worldwide for traceroute, ping, DNS measurements.
Challenges
| Challenge | Description |
|---|---|
| Alias resolution | Multiple IPs belonging to the same router must be merged |
| Hidden routers | Routers that do not decrement TTL or do not respond |
| Load balancing | Multiple paths between the same endpoints |
| Asymmetric routing | Forward and reverse paths differ |
| Rate limiting | Routers throttle ICMP responses |
Alias Resolution Techniques
| Technique | Method |
|---|---|
| Mercator | Source-address based: probe each IP, check source of response |
| Ally/RadarGun | IP-ID based: shared IP-ID counter indicates same router |
| MIDAR | Monotonic IP-ID correlation at scale |
| Prefix-based | Interfaces in same /30 or /31 likely on same link |
AS-Level Topology
Inferred from BGP data:
- BGP route collectors: RouteViews, RIPE RIS collect BGP updates from hundreds of peers.
- AS relationship inference: Classify links as customer-provider, peer-peer, or sibling using valley-free routing heuristics (Gao, 2001; CAIDA AS-rank).
- IXP detection: PeeringDB data combined with traceroute to identify exchange points.
Topology Metrics
| Metric | Description |
|---|---|
| Degree distribution | Number of neighbors per node (AS or router) |
| Clustering coefficient | How connected a node's neighbors are to each other |
| Betweenness centrality | Fraction of shortest paths passing through a node |
| k-core decomposition | Hierarchical structure of the graph |
| AS hegemony | Dependence of routes on specific transit ASes |