Shark Fest 19 Europe How long is a
- Slides: 38
Shark. Fest ’ 19 Europe How long is a packet? Stephen Donnelly Endace #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
How long is a packet? #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
100 Byte packet at 1 Gbps • #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
100 Byte packet at 1 Gbps • #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
100 Byte packet at 1 Gbps • #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Great Circle Paths #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Bandwidth Delay Product • #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
UDP • • • Not a reliable transport No feedback Sender chooses the rate: “Fire and forget” Excess packets are dropped Can build feedback on top, E. g. QUIC #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
TCP • Send data, wait for acknowledgement • TCP receiver advertises a Receive Window • The maximum amount of unacknowledged data • Sender must retain all data in the Window • If the Window is too small, transfer is inefficient • Sender cannot influence the Receive Window #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
TCP Window • #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
TCP Autotuning • Modern OS support Autotuning • Don’t pre-allocate large buffers to save memory • Dynamically increase Window if needed (to a limit) • Not all devices on Internet run modern OS • Is Autotuning enough? • TCP over very high BDP? • Really long path and/or really high bandwidth #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Really long paths #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
�� to �� • LADEE satellite orbited the moon in 2013 • Lunar Laser Communications Demonstration (LLCD) • 622 Mb/s over 384400 km (1. 28 light seconds) • Bandwidth-delay product = 99. 6 MB #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Back to Earth • How long is an Ethernet frame? Type/Length DST MAC SRC MAC 6 6 Ethernet Payload 2 46 -1500 FCS 4 64 -1518 #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Wire Length • How long is an Ethernet frame on the wire? Start of Frame Delimiter Type/Length Preamble 7 1 DST MAC SRC MAC 6 6 Ethernet Payload 2 46 -1500 FCS Inter-Frame Gap 4 64 -1518 84 -1538 #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8 12
VLAN Tag • How long is an Ethernet frame with VLAN? Start of Frame Delimiter Type/Length Preamble 7 1 DST MAC SRC MAC 6 6 VLAN 2 4 64 -1522 Ethernet Payload 42 -1500 FCS 4 84 -1542 #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8 Inter-Frame Gap 12
Envelopes • How long is an Ethernet Envelope frame? Start of Frame Delimiter Type/Length Preamble 7 1 DST MAC SRC MAC 6 6 Envelope 2 0 -482 64 -2000 Ethernet Payload 0 -1500 FCS 4 84 -2020 #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8 Inter-Frame Gap 12
Jumbo Packets • Packets >2000 B are not standards compliant • Non-standard extensions • Interoperability problems • • No way to signal ‘too long’ No Fragmentation • FCS weakness • Increasing probability of ‘false positive’ FCS #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Wireshark • How does Wireshark report packet length? • Inevitable Wireshark live demo #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Captured Length • • • Wireshark reports len and caplen from libpcap Libpcap gets length from the OS The OS gets length from the NIC driver The NIC driver gets length from the hardware The hardware/driver/OS often truncate FCS and padding, and drop errored/short/long frames #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
NIC Accelerations • NIC acceleration features such as RSO/TSO/GRO happen below libpcap • Reduce effective packet rate for the OS • Reported RX/TX packet lengths can be much larger than MTU • TX Checksums not filled in • Not seeing what is really on the wire #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Pseudo-headers • • Metadata not on the wire can be counted in len RSPAN and ERSPAN add/remove headers Some link types get pseudo-headers (USB, PPP) Packet Brokers tap multiple links and direct traffic to capture systems • Pseudo-header or pseudo-trailer (with/without FCS) • VLAN tagging #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Speed #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Speed? • Instantaneously a point in a network link is either carrying packet or not • Throughput: amount of data transferred over a time period • Often normalised to bits per second • Bandwidth: the maximum link throughput • Goodput: achieved transfer rate #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Minimum size packets • L 1: 84 B @ 1 Gbps, 100% load = 1, 488, 095. 2 pps • L 2: Ethernet 64 B = 761, 904, 761. 9 bps • L 3: IPv 4 46 B = 547, 619, 047. 6 bps • L 4: TCP 26 B = 309, 523, 809. 5 bps • L 5 -7: App 6 B = 71, 428, 571. 4 bps #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
1500 B packets • • • L 1: 1538 B @ 1 Gbps, 100% load = 81, 274. 4 pps L 2: Ethernet 1518 B = 986, 996, 098. 8 bps L 3: IPv 4 1500 B = 975, 292, 587. 8 bps L 4: TCP 1480 B = 962, 288, 686. 6 bps L 5 -7: App 1460 B = 949, 284, 785. 4 bps Jumbo frames only slightly more efficient, but lower the effective packet rate #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Capture effects • Always use len (not caplen) to avoid underestimating throughput and utilisation • Not capturing FCS and padding underestimates throughput and utilisation • Including pseudo-headers and trailers overestimates throughput and utilisation • NIC offloads can underestimate packet rate/count and throughput/utilisation #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Provisioning • • Consider link utilisation as well as throughput Real networks have a mix of packet sizes Bulk file transfer uses the MTU for efficiency Streaming media/VOIP/Financial/Gaming may not #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
MTU Mismatch #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
MTU Mismatch • Different links may have different MTUs • Not everything is Ethernet! • Jumbo packets • Encapsulation: Tunnels, VPNs, Virtualisation • Ethernet switch drops oversize frames • Routers can be smarter #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
IPv 4 Fragmentation • IPv 4 packets can be fragmented mid-path • Receiver reassembles fragments • Transparent to sender • Inefficient: CPU load, Fragment loss/re-ordering • IPv 4 has a Don’t Fragment (DF) bit • ICMP “Destination Unreachable: Fragmentation needed & DF set” message sent back to Sender • Used in PMTU discovery #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
IPv 6 Fragmentation? • IPv 6 does not support mid-path fragmentation • If a packet is too large for the outgoing link, router must return ICMPv 6 Packet too Big • Endpoints are expected to perform PMTUd • If higher level protocol can’t reduce message size, the IPv 6 Fragment extension header can be used for end-to-end fragmentation #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Connectivity Problem ISP Home Ethernet ADSL ISP Ethernet Bank Ethernet #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8 Ethernet
Connectivity Problem ISP Home ISP Bank Ethernet ADSL Ethernet 1500 1492 1500 #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Connectivity Problem ISP Home ISP Bank Ethernet ADSL Ethernet 1500 1492 1500 Block ICMP #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Connectivity Problem ISP Home ISP Bank Ethernet ADSL Ethernet 1500 1492 1500 Block ICMP Don’t block ICMP Destination Unreachable! #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Recap • • • Physical packet lengths Bandwidth Delay Product – Long Fat Networks Ethernet frame length Wireshark and libpcap – Packet capture Throughput calculation Fragmentation/PMTU #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Thank You! Please fill in your Survey on the App! Any questions? You can contact me by email at stephen. donnelly@endace. com #sf 19 eu • Palacio Estoril Hotel, Estoril, Portugal • Nov 4 - 8
Great white shark versus hammerhead shark
Short short short long long long short short short
Once upon a time there lived an old man
Gunnar fest
Staff fest
Teilchenmodell aggregatzustände animation
Southeast linux fest
Olivia siger ja til en fest
Roland fest
Geo fest
A fest
Ostern fest in deutschland
Once upon a time long ago
Tinikling is a bird with long legs and a long neck
Once upon a time a long long time ago begins the story
Long long int c
Mình tròn thân trắng dáng hình thon thon
Not so long ago, people
Long long ago when the gods and goddesses
Once upon a time there lived a family of bears
Sóc nhí câu đố
Splunk vs wire shark
Basking shark annotated
Powder coating twin screw extruder
Shark dissection
Basking shark poem annotated
I'd rather take baths with a man-eating shark
How far can a shark smell blood in the water
Basking shark annotated
Pisces in animal kingdom
Barco shark 500
Megaolodon
Bull shark anatomy
A 600 kg great white shark is lurking
Hagfish excretory system
Shark slides alibaba
What are the 7 classifications of living things
Static postural assessment
Great white shark
