Most up to date packet size distribution info

Rob_Healey · December 17, 2003, 8:52pm

Hi,

I was wondering what the best sources for up to date info on current
packet size distribution on the Internet might be?

i.e. X% of Internet packets are of size Y bytes to Z bytes.

I remember seeing this 2+ years ago but that was many disk
failures/backup fiascos ago...

Thanks!

-Rob

Jeff_Kell · December 17, 2003, 8:59pm

Rob Healey wrote:

I was wondering what the best sources for up to date info on current
packet size distribution on the Internet might be?

Here's a view from our edge:

IP packet size distribution (6491M total packets):
   1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
   .007 .675 .034 .008 .005 .004 .006 .004 .003 .005 .004 .004 .005 .003 .002

    512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
   .002 .003 .010 .030 .177 .000 .000 .000 .000 .000 .000

Of course a Tier 1 view might be more appropriate

Jeff

Jared_Mauch · December 17, 2003, 9:08pm

Rob Healey wrote:

> I was wondering what the best sources for up to date info on current
> packet size distribution on the Internet might be?

Here's a view from our edge:

>IP packet size distribution (6491M total packets):
> 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
> 480
> .007 .675 .034 .008 .005 .004 .006 .004 .003 .005 .004 .004 .005 .003
> .002
>
> 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
> .002 .003 .010 .030 .177 .000 .000 .000 .000 .000 .000

Of course a Tier 1 view might be more appropriate

Close to what we see at one location:

Router#sh ip ca flow
IP packet size distribution (17137M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.004 .621 .068 .029 .013 .007 .005 .006 .003 .005 .006 .006 .006 .004 .004

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .016 .018 .159 .000 .000 .000 .000 .000 .000

- jared

Robert_Boyle1 · December 18, 2003, 2:38am

Here is what we see:

core1-jcnj>sh ip ca fl
IP packet size distribution (20372M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .411 .251 .018 .015 .006 .027 .004 .003 .003 .003 .004 .003 .002 .003

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .139 .012 .082 .000 .000 .000 .000 .000 .000

and

core1-nwtnj>sh ip ca fl
IP packet size distribution (22181M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .429 .158 .023 .021 .010 .011 .006 .005 .004 .004 .006 .004 .003 .003

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .054 .025 .219 .000 .000 .000 .000 .000 .000

I see an interesting variation in 1536 byte packets on our network anyway. core1-nwtnj is primarily a colo router and core1-jcnj is a backbone router connected to edge routers with lots of dialup, dsl, t1 and t3 customers. Of course traffic can pass through both routers en route, but it appears that most 1536 byte traffic does not.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey

Bandy_Rush1 · December 18, 2003, 5:05am

IP packet size distribution (17137M total packets):
   1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
   .004 .621 .068 .029 .013 .007 .005 .006 .003 .005 .006 .006 .006 .004 .004

    512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
   .004 .003 .016 .018 .159 .000 .000 .000 .000 .000 .000

IP packet size distribution (20372M total packets):
    1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
    .001 .411 .251 .018 .015 .006 .027 .004 .003 .003 .003 .004 .003 .002 .003

     512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
    .003 .002 .139 .012 .082 .000 .000 .000 .000 .000 .000

IP packet size distribution (22181M total packets):
    1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
    .001 .429 .158 .023 .021 .010 .011 .006 .005 .004 .004 .006 .004 .003 .003

     512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
    .003 .002 .054 .025 .219 .000 .000 .000 .000 .000 .000

for a little change of pace

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .326 .355 .055 .136 .041 .015 .014 .009 .025 .007 .001 .010 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .002 .001 .002 .000 .000 .000 .000 .000 .000

Hank_Nussbacher · December 18, 2003, 5:16am

Rob Healey wrote:

> I was wondering what the best sources for up to date info on current
> packet size distribution on the Internet might be?

Here's a view from our edge:

> IP packet size distribution (6491M total packets):
> 1-32 64 96128 160 192 224 256 288 320 352 384 416 448 480
> .007 .675 .034 .008 .005 .004 .006 .004 .003 .005 .004 .004 .005 .003 .002
>
> 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
> .002 .003 .010 .030 .177 .000 .000 .000 .000 .000 .000

Of course a Tier 1 view might be more appropriate

Larger pkt count:
IP packet size distribution (231171M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
.004 .498 .126 .036 .022 .008 .008 .005 .004 .004 .004 .004 .004 .003
.003

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .003 .029 .029 .192 .000 .000 .000 .000 .000 .000

IP packet size distribution (46782M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
.001 .395 .156 .032 .036 .010 .006 .004 .010 .004 .003 .003 .007 .008
.004

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .030 .025 .249 .000 .000 .000 .000 .000 .000

Interesting to see such a wide spread on 64 octet pkts.

Jeff

-Hank

Marshall_Eubanks3 · December 18, 2003, 5:20am

This is for the Internet2, but it has a wealth of information

http://netflow.internet2.edu/weekly/

Look at Table 2, which shows that

Large (1401-1500B) packets send the most data.

Petri_Helenius · December 18, 2003, 7:23am

Hank Nussbacher wrote:

IP packet size distribution (46782M total packets):
  1-32 64 96 128 160 192 224 256 288 320 352 384 416 448
480
  .001 .395 .156 .032 .036 .010 .006 .004 .010 .004 .003 .003 .007 .008
.004

   512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
  .004 .003 .030 .025 .249 .000 .000 .000 .000 .000 .000

Interesting to see such a wide spread on 64 octet pkts.

Infected machines send up to 300pps per machine of ICMP packets which fall into
the 96 slot above. So in this example you probably have many of them.

Pete

Deepak_Jain · December 18, 2003, 7:56am

Infected machines send up to 300pps per machine of ICMP packets which fall into
the 96 slot above. So in this example you probably have many of them.

Couldn't this also mean he is being probed/attacked by many as well?

DJ

Petri_Helenius · December 18, 2003, 8:19am

Deepak Jain wrote:

Infected machines send up to 300pps per machine of ICMP packets which fall into
the 96 slot above. So in this example you probably have many of them.

Couldn't this also mean he is being probed/attacked by many as well?

Certainly but this high ratios are usually only attainable if you�re close to
the source of the traffic. Try to match the 96 packet size fraction to
the ICMP fraction you have. Obviously the next thing to check is
where the traffic is coming (if you�re interested enough to get rid of it)

Pete

Christopher_L_Morrow · December 18, 2003, 3:58pm

or backscatter?