Network Measurement

Peeking Behind the NAT:
An Empirical Study of Home Networks

Presented by Ben Zhang
From IMC'13 by Grover et al.

### Outline

- Quick Review of the work
- **Discussion!**

Review

What is a NAT?

In Peeking Behind the NAT

[Figure: NAT]

HTTP

Request


GET / HTTP/1.1
Host: eecs.berkeley.edu
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
                        

Response


HTTP/1.1 200 OK
Date: Mon, 09 Mar 2015 04:18:55 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 7113
Content-Type: text/html
                        

DNS

What's the address of eecs.berkeley.edu?


$ dig eecs.berkeley.edu

;; QUESTION SECTION:
;eecs.berkeley.edu.		IN	A

;; ANSWER SECTION:
eecs.berkeley.edu.	86400	IN	A	128.32.189.62

;; AUTHORITY SECTION:
eecs.berkeley.edu.	86400	IN	NS	ns.eecs.berkeley.edu.
eecs.berkeley.edu.	86400	IN	NS	ns.CS.berkeley.edu.
eecs.berkeley.edu.	86400	IN	NS	adns2.berkeley.edu.
eecs.berkeley.edu.	86400	IN	NS	cgl.UCSF.edu.
eecs.berkeley.edu.	86400	IN	NS	adns1.berkeley.edu.

;; ADDITIONAL SECTION:
ns.CS.berkeley.edu.	86400	IN	A	169.229.60.61
ns.eecs.berkeley.edu.	86400	IN	A	169.229.60.153
cgl.UCSF.edu.		86400	IN	A	169.230.27.20
adns1.berkeley.edu.	172800	IN	A	128.32.136.3
adns1.berkeley.edu.	3600	IN	AAAA	2607:f140:ffff:fffe::3
adns2.berkeley.edu.	172800	IN	A	128.32.136.14
adns2.berkeley.edu.	3600	IN	AAAA	2607:f140:ffff:fffe::e

;; Query time: 199 msec
;; SERVER: 128.32.206.9#53(128.32.206.9)
;; WHEN: Sun Mar  8 21:31:48 2015
;; MSG SIZE  rcvd: 287
                        

MAC Address

  • media access control address
  • unique identifier assigned to network interfaces
  • like b8:f6:b1:19:69:6f

Active vs Passive

Ping


$ ping google.com
PING google.com (74.125.239.135): 56 data bytes
64 bytes from 74.125.239.135: icmp_seq=0 ttl=56 time=3.845 ms
64 bytes from 74.125.239.135: icmp_seq=1 ttl=56 time=3.765 ms
64 bytes from 74.125.239.135: icmp_seq=2 ttl=56 time=3.610 ms
64 bytes from 74.125.239.135: icmp_seq=3 ttl=56 time=3.652 ms
64 bytes from 74.125.239.135: icmp_seq=4 ttl=56 time=12.082 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.610/5.391/12.082/3.347 ms
                        

Traceroute


$ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 74.125.239.134
traceroute to google.com (74.125.239.134), 64 hops max, 52 byte packets
 1  xe-1-2-0-511.inr-306-sut.1918.berkeley.edu (10.142.24.1)  1.434 ms  1.205 ms  1.840 ms
 2  t5-4.inr-201-sut.berkeley.edu (128.32.0.56)  1.698 ms  1.204 ms  1.240 ms
 3  xe-0-2-0.inr-001-sut.berkeley.edu (128.32.0.64)  1.129 ms  1.092 ms  1.225 ms
 4  dc-sfo-agg-1--ucb-10ge.cenic.net (137.164.50.16)  1.648 ms  1.890 ms  1.727 ms
 5  dc-svl-agg4--sfo-agg1-10ge-1.cenic.net (137.164.22.27)  220.199 ms  3.837 ms  4.169 ms
 6  72.14.242.90 (72.14.242.90)  3.735 ms
    72.14.205.134 (72.14.205.134)  3.902 ms
    72.14.242.90 (72.14.242.90)  3.799 ms
 7  209.85.240.114 (209.85.240.114)  3.878 ms  3.858 ms  3.840 ms
 8  66.249.95.31 (66.249.95.31)  4.482 ms  4.111 ms  14.147 ms
 9  nuq05s02-in-f6.1e100.net (74.125.239.134)  3.944 ms  3.900 ms  4.123 ms
                        

iperf


$ iperf3 -c benzhang.name
Connecting to host benzhang.name, port 5201
[  5] local 10.142.26.30 port 59502 connected to 192.3.89.138 port 5201
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-1.00   sec  1.57 MBytes  13.2 Mbits/sec
[  5]   1.00-2.01   sec  1.78 MBytes  14.9 Mbits/sec
[  5]   2.01-3.00   sec  1.76 MBytes  14.8 Mbits/sec
[  5]   3.00-4.00   sec  1.75 MBytes  14.6 Mbits/sec
[  5]   4.00-5.00   sec  1.56 MBytes  13.2 Mbits/sec
[  5]   5.00-6.00   sec  1.32 MBytes  11.1 Mbits/sec
[  5]   6.00-7.00   sec  1.31 MBytes  11.0 Mbits/sec
[  5]   7.00-8.00   sec  1.41 MBytes  11.8 Mbits/sec
[  5]   8.00-9.00   sec  1.45 MBytes  12.1 Mbits/sec
[  5]   9.00-10.00  sec  1015 KBytes  8.32 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  5]   0.00-10.00  sec  14.9 MBytes  12.5 Mbits/sec                  sender
[  5]   0.00-10.00  sec  14.8 MBytes  12.4 Mbits/sec                  receiver

                        

tcpdump


$ sudo tcpdump -i en0 -p 'port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:54:24.429541 IP airbears2-10-142-26-30.airbears2.1918.berkeley.edu.50843 > ns1.berkeley.edu.domain: 24958+ A? cloud.pinyin.sogou.com. (40)
21:54:24.429542 IP airbears2-10-142-26-30.airbears2.1918.berkeley.edu.51866 > ns1.berkeley.edu.domain: 24077+ AAAA? cloud.pinyin.sogou.com. (40)
21:54:24.430965 IP ns1.berkeley.edu.domain > airbears2-10-142-26-30.airbears2.1918.berkeley.edu.50843: 24958 16/2/2 A 106.120.173.29, A 106.120.173.30, A 106.120.173.31, A 106.120.173.32, A 106.120.173.33, A 106.120.173.34, A 106.120.173.35, A 106.120.173.20, A 106.120.173.21, A 106.120.173.22, A 106.120.173.23, A 106.120.173.24, A 106.120.173.25, A 106.120.173.26, A 106.120.173.27, A 106.120.173.28 (364)
21:54:24.431686 IP ns1.berkeley.edu.domain > airbears2-10-142-26-30.airbears2.1918.berkeley.edu.51866: 24077 0/1/0 (99)
21:54:24.511789 IP airbears2-10-142-26-30.airbears2.1918.berkeley.edu.52231 > ns1.berkeley.edu.domain: 44980+ PTR? 9.206.32.128.in-addr.arpa. (43)
21:54:24.513319 IP ns1.berkeley.edu.domain > airbears2-10-142-26-30.airbears2.1918.berkeley.edu.52231: 44980* 1/4/7 PTR ns1.Berkeley.EDU. (303)
21:54:27.574751 IP airbears2-10-142-26-30.airbears2.1918.berkeley.edu.57728 > ns1.berkeley.edu.domain: 44545+ A? googlecom.berkeley.edu. (40)
21:54:27.576039 IP ns1.berkeley.edu.domain > airbears2-10-142-26-30.airbears2.1918.berkeley.edu.57728: 44545 NXDomain* 0/1/0 (98)
21:54:27.577204 IP airbears2-10-142-26-30.airbears2.1918.berkeley.edu.63677 > ns1.berkeley.edu.domain: 40190+ A? googlecom. (27)
21:54:27.581576 IP ns1.berkeley.edu.domain > airbears2-10-142-26-30.airbears2.1918.berkeley.edu.63677: 40190 NXDomain 0/1/0 (102)
21:54:28.623633 IP airbears2-10-142-26-30.airbears2.1918.berkeley.edu.57275 > ns1.berkeley.edu.domain: 45501+ A? google.com. (28)
21:54:28.624907 IP ns1.berkeley.edu.domain > airbears2-10-142-26-30.airbears2.1918.berkeley.edu.57275: 45501 11/4/4 A 74.125.239.142, A 74.125.239.128, A 74.125.239.129, A 74.125.239.130, A 74.125.239.131, A 74.125.239.132, A 74.125.239.133, A 74.125.239.134, A 74.125.239.135, A 74.125.239.136, A 74.125.239.137 (340)
^C
12 packets captured
117 packets received by filter
0 packets dropped by kernel
                        

Motivation of this work?

To understand aspects of broadband home networks:

  • Availability
  • Infrastructure
  • Usage

How do they measure?

Measurement Architecture
### What do they measure?

- Heartbeats
- Uptime
- Capacity (Bandwidth)
- Devices
- WiFi
- Traffic
  - Packet statistics (size and ts)
  - Flow statistics (applications)
  - DNS responses (which websites)
  - MAC addresses (unique device ID)
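An added example (not from the slides or the paper's code): passive collection of DNS responses as listed above, pairing query and response lines in the format of the earlier `tcpdump` capture and keeping only whitelisted names in the clear. The sample lines, the whitelist, the key, and the keyed-hash treatment of non-whitelisted names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed lines in the format of the `tcpdump 'port 53'` output above
# (host names shortened, addresses from the documentation range).
SAMPLE = """\
21:54:24.429541 IP host.50843 > ns1.domain: 24958+ A? cloud.example.net. (40)
21:54:24.430965 IP ns1.domain > host.50843: 24958 2/2/2 A 192.0.2.29, A 192.0.2.30 (364)
21:54:27.574751 IP host.57728 > ns1.domain: 44545+ A? googlecom.example.edu. (40)
21:54:27.576039 IP ns1.domain > host.57728: 44545 NXDomain* 0/1/0 (98)
21:54:28.623633 IP host.57275 > ns1.domain: 45501+ A? google.com. (28)
21:54:28.624907 IP ns1.domain > host.57275: 45501 1/4/4 A 192.0.2.142 (340)
"""

# Groups: client port, transaction id, record type, queried name
QUERY = re.compile(r"\.(\d+) > \S+\.domain: (\d+)\S* (\w+)\? (\S+) \(\d+\)$")
# Groups: client port, transaction id, optional rcode word, answer count
RESPONSE = re.compile(
    r"\.domain > \S+\.(\d+): (\d+)\S* (?:([A-Za-z]+)\S* )?(\d+)/\d+/\d+")


def pseudonymize(name, whitelist, key):
    """Keep whitelisted names; replace the rest with a keyed-hash token."""
    # Whitelist and key are assumed inputs, not values from the study.
    name = name.rstrip(".").lower()
    if name in whitelist:
        return name
    digest = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:12]


def summarize(capture, whitelist, key):
    """Pair each response with its query; return (name, type, rcode, answers)."""
    pending = {}  # (client port, transaction id) -> (name, type)
    records = []
    for line in capture.splitlines():
        if q := QUERY.search(line):
            pending[(q[1], q[2])] = (q[4], q[3])
        elif r := RESPONSE.search(line):
            query = pending.pop((r[1], r[2]), None)
            if query is None:
                continue  # response whose query was not captured
            name, qtype = query
            records.append((pseudonymize(name, whitelist, key), qtype,
                            r[3] or "NoError", int(r[4])))
    return records
```

Calling `summarize(SAMPLE, {"google.com"}, key)` yields one record per answered query, with the mistyped `googlecom` lookup recorded as `NXDomain` under a pseudonym rather than its name.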

Deployment

[Figures: Map; Map data]
### Key Results

1. Availability
   - only 10% in the developed world see an interruption once every 10 days
   - about 50% in developing countries see one once every 3 days
   - some users switch off their routers
2. Infrastructure
   - diurnal pattern across a week, consistent on weekends
   - number of devices peaks during evening hours
3. Usage
   - users don't saturate their links
   - most traffic is due to a single usage-hungry device
   - 38% of traffic is from a single most popular domain, among 200 whitelisted domains
### Availability

- Measured by Heartbeats

[Figures: Availability]
### Infrastructure

1. Number of devices?
2. Wired vs wireless?
3. Which frequency, 2.4 GHz or 5 GHz?
### How many endhosts?

![Num Hosts](./files/num_endhost.png)

### Wired vs wireless?

![Num on wired and wireless](./files/num_endhost_breakdown.png)

### 2.4 GHz vs 5 GHz?

![Num on each frequency](./files/num_frequency.png)

Usage

  • usage pattern
  • access links capacity
  • breakdown by device
  • breakdown by domains (websites)

Pattern

[Figures: Diurnal Pattern; Consistent Traffic Weekend]

weekdays vs weekends

Access Link

[Figure: Access Link]

Devices

Breakdown by Devices

Websites

[Figures: Sites they visited; Sites by Device]

Discussion

Sampling Bias?

We have recruited most of our users by word-of-mouth, or through targeted advertisements for specific experiments and projects that we have run as part of our research.

They confess:

Our deployment is biased toward close friends, family, colleagues, and technically-inclined volunteers.

Privacy

Many routers only collect performance measurements . . . record no personally identifying information (PII).

And

In twenty-five homes where we have explicit consent . . ..

We talked about collecting logs

  • What are people using the Internet for?
  • Does what they report differ from what the logs show?

Bro?

Thanks!

Questions?

More Resources

World Latency Map

Network Dashboard
