
RECONSTRUCTION OF APPLICATION LAYER MESSAGE SEQUENCES BY NETWORK MONITORING


donald

Presentation Transcript


  1. RECONSTRUCTION OF APPLICATION LAYER MESSAGE SEQUENCES BY NETWORK MONITORING

  2. Introduction
     • Reconstruct Application layer message sequences by analyzing Transport layer traffic.
     [Figure: nodes N1, N2 and N3; TCP segments exchanged; messages sent; messages received]

  3. Purpose (why bother?)
     • The application message exchange pattern is a fundamental program property
       • e.g., it determines application performance in different conditions
     • Network traffic due to an application can be monitored non-intrusively, but discovering the application message sequence is hard
       • it needs access to source code or a profiling library
     Hence this method to construct application messages from TCP monitoring

  4. Particular Motivation
     [Figure: application components (Model, Data, Sim 2, Vis, Sim 1, Pre, Stream) and the network]
     The size and pattern of message exchanges is a key component of an application profile used to select good network nodes to execute on

  5. Key Principle
     • An application message is typically fragmented into a consecutive sequence of TCP segments where all except the last segment are of size MSS (Maximum Segment Size).
     [Figure: an application message at the Application layer and its TCP segments at the TCP layer; 1 unit = MSS; the last TCP segment is marked]

  6. Message Reconstruction Procedure Phases
     • Separate TCP streams.
     • Sanitize a TCP stream.
     • Reconstruct application layer messages.
     • Error minimization by “best-of-three” technique.

  7. Separating TCP streams
     • A communication link transports multiple TCP streams
     • A TCP stream spans a unique series of sequence numbers
     [Figure: interleaved TCP segments of two streams, MSS = 1448 bytes. One stream carries sequence ranges 431376 : 432823 and 432824 : 433610; the other carries 1 : 1448 through 8689 : 10136.]
     Separate red and black streams of TCP segments (not foolproof but adequate)

  8. Sanitizing TCP streams
     • Insert TCP segments not recorded (assume it is rare)
     • Filter out retransmissions
     [Figure: a stream of 1448-byte TCP segments in which the missing segment 5793 : 7240 is inserted and the duplicate of segment 10137 : 11584 is removed]

  9. Reconstruct application messages
     • A TCP segment of size smaller than MSS (=1448) indicates the end of an application message.
     [Figure: TCP segments 1 : 1448 through 11585 : 12574 grouped, from start of message to end of message, into one application message labelled 12,574 bytes (1448-byte segments plus a final segment labelled 997 bytes); segments 12575 : 14022 and 14023 : 15022 grouped into a second message labelled 2,248 bytes (1448 bytes + 800 bytes)]

  10. Best-of-three
     • Reconstruction heuristic is not perfect
       1. A TCP segment smaller than MSS may be sent before the entire application message is finished.
       2. Two short application messages may be packed into the same TCP segment.
     [Figure: application messages and TCP segments for cases 1 and 2]

  11. Best-of-three
     Basic idea: the reconstruction heuristic is unlikely to fail in exactly the same way in multiple identical runs
     Solution: make 3 runs and select the majority view at every stage
     [Figure: message sequences from Run 1, Run 2 and Run 3, some containing merged messages (A+B, C+D), beside the correct message sequence A, B, C, D]

  12. Experimental setup
     • NAS parallel benchmark suite programs run on a cluster of 4 workstations
     • tcpdump utility used to capture TCP segments
     • The reconstructed application layer message sequence is compared with the true sequence obtained with profiling

  13. Results
     • APPROX MATCH: Includes reconstructed messages off by up to 100 bytes AND/OR combined with one other application message.
     • Perfect for large messages (IS), approximate for small (LU)

  14. Conclusions
     • Majority of messages reconstructed accurately, almost all detected approximately
     • Accuracy is low for a large number of small messages
     • Procedure is based entirely on network measurements, hence can be applied to any code
     • Accuracy is sufficient for resource selection in Network/Grid environments.

  15. Dominant communication pattern of the NAS benchmarks

  16. Experimental Setup
     • 100 Mbps Ethernet switch
     • 500 MHz dual processor Pentium Linux workstations
     • tcpdump – capturing outgoing TCP packets
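
The sanitize, reconstruct and best-of-three phases from slides 8 to 11, as an added Python example that is not code from the presentation. Assumptions: segments are inclusive (first, last) sequence ranges of one already-separated stream, an unrecorded gap is filled with MSS-sized segments, and the majority vote is taken over message boundary offsets; the capture and the three runs are constructed sample data.

```python
from collections import Counter

MSS = 1448  # maximum segment size used on the slides

def sanitize(segments):
    """Drop retransmissions and fill unrecorded gaps (assumed rare).
    segments: inclusive (first_seq, last_seq) ranges of ONE TCP stream."""
    clean, next_seq = [], None
    for first, last in sorted(set(segments)):
        if next_seq is not None:
            if last < next_seq:
                continue                      # data already seen: retransmission
            first = max(first, next_seq)      # trim a partial overlap
            while first > next_seq:           # gap: insert missing segment(s)
                end = min(next_seq + MSS - 1, first - 1)
                clean.append((next_seq, end))
                next_seq = end + 1
        clean.append((first, last))
        next_seq = last + 1
    return clean

def reconstruct(segments):
    """A segment shorter than MSS marks the end of an application message."""
    sizes, current = [], 0
    for first, last in segments:
        current += last - first + 1
        if last - first + 1 < MSS:
            sizes.append(current)
            current = 0
    return sizes + ([current] if current else [])

def best_of_three(runs):
    """Assumed voting rule: keep a message boundary (cumulative byte offset)
    only if at least two of the three runs place a boundary there."""
    votes = Counter()
    for sizes in runs:
        offset = 0
        for size in sizes:
            offset += size
            votes[offset] += 1
    bounds = sorted(o for o, n in votes.items() if n >= 2)
    return [b - a for a, b in zip([0] + bounds, bounds)]

# Constructed capture: 5793:7240 was not recorded, 10137:11584 is duplicated.
CAPTURE = [(1, 1448), (1449, 2896), (2897, 4344), (4345, 5792), (7241, 8688),
           (8689, 10136), (10137, 11584), (10137, 11584), (11585, 12574),
           (12575, 14022), (14023, 14822)]
# Constructed runs: run 1 merges the last two messages, run 2 the first two.
RUNS = [[12574, 2248, 3500], [14822, 500, 3000], [12574, 2248, 500, 3000]]

if __name__ == "__main__":
    print(reconstruct(sanitize(CAPTURE)))
    print(best_of_three(RUNS))
```

The boundary vote covers both failure modes on slide 10: a premature short segment adds a boundary that only one run sees, and two messages packed into one segment drop a boundary that the other two runs still report.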
