Questions about Internet Packet Losses

Mailman List Mirror (Read Only)
1

   indicate that 9% of the packets had a 512 byte *payload*.

I already subtracted off the 40 bytes for the headers. I meant MSS.

(By payload, I meant data, i.e., not including headers, same as you ...)

However,
the spikes in the packet percentages are clearly due to hosts using that
MSS. You would otherwise expect to see a "smooth" distribution across
packet sizes, which is not at ALL what's happening.

Right, spikes correspond to MSS's (and other effects like acks & SYN/FIN's).

Are you saying the data shows significant spikes at other, non-standard MSS
values? If it does, then (modulo some thinking about the particular numbers)
I agree that they're likely MSS candidates and support the notion that weird
MSS's are being used. But if the data has a few spikes at things like 512
but no strong spikes at non-standard values, then that doesn't help distinguish
between (1) lots of weird TCP's using weird MSS's, vs (2) lots of packets
that are less than full-size because the mainstream TCP didn't have enough
bytes to fill them.

If your data is available, I'd love to take a gander at it.

    Vern

2

Are you saying the data shows significant spikes at other, non-standard MSS
   values?

Yes. See below. This is a table of the top 10 packet sizes by percentage.

   If it does, then (modulo some thinking about the particular numbers) I
   agree that they're likely MSS candidates and support the notion that
   weird MSS's are being used. But if the data has a few spikes at things
   like 512 but no strong spikes at non-standard values, then that doesn't
   help distinguish between (1) lots of weird TCP's using weird MSS's, vs
   (2) lots of packets that are less than full-size because the mainstream
   TCP didn't have enough bytes to fill them.

So you'll note that there are very clear spikes at 552 and 576 total packet
size. Further, note that the curve falls off _extremely_ rapidly. From
that, I argue that case (2) _cannot_ be the case because any type of random
distribution would be much smoother. Thus, I argue that we're looking at
case (1).

   If your data is available, I'd love to take a gander at it.

I would need the permission of the data source to release the complete data
set, and we're none too certain of the collection process right yet, AND
the data are somewhat large, so I won't be posting it. Please note that I
do NOT intend to imply that this data is representative of the net at
large, is statistically significant, or is suitable for lining bird cages.

Unanswered questions for further research:
1) What in hell is sending so many 40 byte packets? Are we really seeing
   productive ACKs? Or is it just HTTP bogosity? This really sucks.
2) What OS is using a 512 MSS? 256?
3) What are the minimal revs of various BSD flavors to exceed the 576 MTU
   by default?
4) 41 bytes is pretty obviously interactive traffic. Is the intuition
   correct? What's so special about 44, 52, 48 and 56? What do people do
   with 4, 8, 12 and 16 bytes of data? And why not any of the odd values?

Tony

    Tony's Top 10
Packet Size Percentage
40 44.838 "ACKs, SYNs, FINs, RSTs "
552 9.19 512 MSS
1500 6.839 Happy boxes
576 5.779 BSD bogosity
44 4.719 ??
52 1.175 ??
48 0.884 ??
41 0.776 ??
56 0.73 ??
296 0.717 256 MSS

3

Tony,

Thanks for posting some useful raw data. A clarification -- in some
messages, you say you've stripped headers, but is unclear if you did so in
your top 10 table.

If so, 41 sounds reasonable for noncompressed-header Telnet, with the 44,
52, 48, 56, etc., sizes, as a guess, to a rounded-up transmission buffer.
44 in implementation where memory is allocated/managed in 4 byte quanta, 52
in 8 byte quanta, etc.

Silly question, at 5AM...MSS is one of those acronyms I use for its own
convenience and beauty, without really stopping to think what it stands
for...Mean Segment Size?

4

Thanks for posting some useful raw data. A clarification -- in some
   messages, you say you've stripped headers, but is unclear if you did so in
   your top 10 table.

No. Only when talking about MSSs.

   Silly question, at 5AM...MSS is one of those acronyms I use for its own
   convenience and beauty, without really stopping to think what it stands
   for...Mean Segment Size?

Close. Maximum segment size.

Tony