Hi,
I was wondering what the best sources for up to date info on current
packet size distribution on the Internet might be?
i.e. X% of Internet packets are of size Y bytes to Z bytes.
I remember seeing this 2+ years ago but that was many disk
failures/backup fiascos ago...
Thanks!
-Rob
Rob Healey wrote:
I was wondering what the best sources for up to date info on current
packet size distribution on the Internet might be?
Here's a view from our edge:
IP packet size distribution (6491M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.007 .675 .034 .008 .005 .004 .006 .004 .003 .005 .004 .004 .005 .003 .002
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .003 .010 .030 .177 .000 .000 .000 .000 .000 .000
Of course a Tier 1 view might be more appropriate ![:slight_smile: :slight_smile:](https://community.nanog.org/images/emoji/apple/slight_smile.png?v=12)
Jeff
Rob Healey wrote:
> I was wondering what the best sources for up to date info on current
> packet size distribution on the Internet might be?
Here's a view from our edge:
>IP packet size distribution (6491M total packets):
> 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
> 480
> .007 .675 .034 .008 .005 .004 .006 .004 .003 .005 .004 .004 .005 .003
> .002
>
> 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
> .002 .003 .010 .030 .177 .000 .000 .000 .000 .000 .000
Of course a Tier 1 view might be more appropriate ![:slight_smile: :slight_smile:](https://community.nanog.org/images/emoji/apple/slight_smile.png?v=12)
Close to what we see at one location:
Router#sh ip ca flow
IP packet size distribution (17137M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.004 .621 .068 .029 .013 .007 .005 .006 .003 .005 .006 .006 .006 .004 .004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .016 .018 .159 .000 .000 .000 .000 .000 .000
- jared
Here is what we see:
core1-jcnj>sh ip ca fl
IP packet size distribution (20372M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .411 .251 .018 .015 .006 .027 .004 .003 .003 .003 .004 .003 .002 .003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .139 .012 .082 .000 .000 .000 .000 .000 .000
and
core1-nwtnj>sh ip ca fl
IP packet size distribution (22181M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .429 .158 .023 .021 .010 .011 .006 .005 .004 .004 .006 .004 .003 .003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .054 .025 .219 .000 .000 .000 .000 .000 .000
I see an interesting variation in 1536 byte packets on our network anyway. core1-nwtnj is primarily a colo router and core1-jcnj is a backbone router connected to edge routers with lots of dialup, dsl, t1 and t3 customers. Of course traffic can pass through both routers en route, but it appears that most 1536 byte traffic does not.
-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
IP packet size distribution (17137M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.004 .621 .068 .029 .013 .007 .005 .006 .003 .005 .006 .006 .006 .004 .004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .016 .018 .159 .000 .000 .000 .000 .000 .000
IP packet size distribution (20372M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .411 .251 .018 .015 .006 .027 .004 .003 .003 .003 .004 .003 .002 .003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .139 .012 .082 .000 .000 .000 .000 .000 .000
IP packet size distribution (22181M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .429 .158 .023 .021 .010 .011 .006 .005 .004 .004 .006 .004 .003 .003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .054 .025 .219 .000 .000 .000 .000 .000 .000
for a little change of pace
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .326 .355 .055 .136 .041 .015 .014 .009 .025 .007 .001 .010 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .002 .001 .002 .000 .000 .000 .000 .000 .000
Rob Healey wrote:
> I was wondering what the best sources for up to date info on current
> packet size distribution on the Internet might be?
Here's a view from our edge:
> IP packet size distribution (6491M total packets):
> 1-32 64 96128 160 192 224 256 288 320 352 384 416 448 480
> .007 .675 .034 .008 .005 .004 .006 .004 .003 .005 .004 .004 .005 .003 .002
>
> 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
> .002 .003 .010 .030 .177 .000 .000 .000 .000 .000 .000
Of course a Tier 1 view might be more appropriate ![:slight_smile: :slight_smile:](https://community.nanog.org/images/emoji/apple/slight_smile.png?v=12)
Larger pkt count:
IP packet size distribution (231171M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
.004 .498 .126 .036 .022 .008 .008 .005 .004 .004 .004 .004 .004 .003
.003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .003 .029 .029 .192 .000 .000 .000 .000 .000 .000
IP packet size distribution (46782M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
.001 .395 .156 .032 .036 .010 .006 .004 .010 .004 .003 .003 .007 .008
.004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .030 .025 .249 .000 .000 .000 .000 .000 .000
Interesting to see such a wide spread on 64 octet pkts.
Jeff
-Hank
This is for the Internet2, but it has a wealth of information
http://netflow.internet2.edu/weekly/
Look at Table 2, which shows that
Large (1401-1500B) packets send the most data.
Hank Nussbacher wrote:
IP packet size distribution (46782M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
.001 .395 .156 .032 .036 .010 .006 .004 .010 .004 .003 .003 .007 .008
.004
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .030 .025 .249 .000 .000 .000 .000 .000 .000
Interesting to see such a wide spread on 64 octet pkts.
Infected machines send up to 300pps per machine of ICMP packets which fall into
the 96 slot above. So in this example you probably have many of them.
Pete
Infected machines send up to 300pps per machine of ICMP packets which fall into
the 96 slot above. So in this example you probably have many of them.
Couldn't this also mean he is being probed/attacked by many as well?
DJ
Deepak Jain wrote:
Infected machines send up to 300pps per machine of ICMP packets which fall into
the 96 slot above. So in this example you probably have many of them.
Couldn't this also mean he is being probed/attacked by many as well?
Certainly but this high ratios are usually only attainable if you�re close to
the source of the traffic. Try to match the 96 packet size fraction to
the ICMP fraction you have. Obviously the next thing to check is
where the traffic is coming (if you�re interested enough to get rid of it)
Pete