Wed, 23 Apr 2008

Fragmented ideas

A lot of truly fascinating information can be extracted from network captures. I'm not going to do that, I'm just going to whine about fragmentation and packet sizes.

I took two captures of internet traffic (a cable provider, remind me to look into their "funny" ARP traffic at some point). One with some P2P traffic and one without. They both contain quite a bit of HTTP, SMTP, DNS, SSH, ... traffic as well.

First thing I looked at was the packet sizes (before fragmentation), which resulted in a few interesting graphs. Bottom axis is IP packet size, vertical is packet count.

Normal traffic.
P2P heavy traffic.

The differences are quite interesting. The P2P capture shows larger fragments (up to the maximum of 65535) but the normal capture tops out around 3000.

A second interesting feature is the huge peak at 1500 bytes on the normal graph. That's a clear indication the traffic is very TCP heavy. The TCP MSS (Maximum Segment Size) is often used to limit fragmentation by setting the maximum packet size to the largest size transportable over the connection. In this case it seems the last hop (Ethernet) has the lowest MSS.

Clearly this doesn't happen in the case of the P2P traffic. P2P protocols seem to prefer UDP. That may be related to the large number of host to communicate with. Further analysis will probably show heavy fragmentation in that capture.

There's a bunch of smaller peaks for the smaller packets too. I'm guessing TCP ACKs, DNS requests, ...
That's for another day though.

posted at: 22:34 | path: / | [ 0 comments ]