Passive Measurement of One-way and Two-way Flow Lifetimes

DongJin Lee and Nevil Brownlee
Appears in: CCR July 2007

Flow based analysis has been considered a simple and effective approach in network analysis. 5-tuple (unidirectional) flows are used in many network traffic analyses; however, these analyses often require bidirectional packet matching to observe the interactions. Separating the flows into two categories as one-way (packets in one direction only) and two-way (packets in both directions) flows can yield further insight. We have examined traces of Auckland traffic for 2000, 2003 and 2006, and analyzed their one-way and two-way flows. We observed several behaviors and the changes in flow sizes and their lifetimes over time. In our traces, we observe that one-way flows are mostly malicious, re-transmissions, and some are long-lived. Two-way flows are mostly normal end-to-end transmissions with their lifetimes/RTTs decreasing, their sizes increasing, and many short-lived flows mostly depict errors in TCP. Also, we observe similarity between one-way and two-way flow sizes for their lifetimes.

Public Review By: Dina Papagiannaki

This paper presents a longitudinal study of Internet traffic characteristics based on three one-day packet traces collected in 2000, 2003 and 2006 at the Internet link of the University of Auckland in New Zealand. The authors start off their analysis based on the premise that when it comes to flow analysis the separation of traffic into one-way and two-way flows may lead to interesting behavioral differences. To that effect the authors propose a way to process packet traces in order to efficiently capture one-way and two-way traffic flows. The proposed implementation is tested and shown to lead to significant performance benefits when it comes to deriving statistics on the collected flow information. Having separated traffic into one-way and two-way flows the authors devote the rest of the paper to understand the nature of these flows. Studying the lifetime and size of the two types of flows the authors are capable of showing that one-way flows can be primarily attributed to malicious activity while two-way flows correspond to services that have evolved throughout time. Specific interesting findings of this study are the fact that two-way round trip time values have decreased due to the high penetration of broadband technologies, while the number of one-way flows appears to be increasing with time. In addition, when one-way and two-way flows are studied based on their size, bytes and lifetime, they are surprisingly similar. Given the thoroughness of the analysis and its longitudinal nature this work is of unique archival value. Admittedly, similar measurements collected at a different location may not have led to the exact same conclusions. However, the insight gained is likely to be shared. I hope this study serves as an interesting baseline to those interested in studying the characteristics of Internet traffic.
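
The one-way/two-way separation that the abstract and the review describe can be illustrated by matching both directions of a 5-tuple under one direction-independent key. This is an added example, not the authors' implementation; the packet records, their field layout, and the names `PACKETS` and `classify_flows` are constructed for illustration.

```python
# Added example: classify flows as one-way or two-way (not the paper's code).
# PACKETS is constructed sample data:
# (time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (0.00, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 60),
    (0.03, "192.0.2.10", 80, "10.0.0.5", 40000, "tcp", 60),    # reply direction
    (0.04, "10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 52),
    (0.50, "192.0.2.10", 80, "10.0.0.5", 40000, "tcp", 1500),
    (1.00, "198.51.100.7", 51000, "10.0.0.9", 445, "tcp", 60),  # never answered
    (4.00, "198.51.100.7", 51000, "10.0.0.9", 445, "tcp", 60),  # retransmission
    (2.00, "10.0.0.8", 5353, "203.0.113.1", 53, "udp", 70),     # single packet
]

def classify_flows(packets):
    """Return {flow_key: summary}; a flow is two-way once any reverse packet is seen."""
    flows = {}
    for ts, sip, sport, dip, dport, proto, size in sorted(packets):  # time order
        src, dst = (sip, sport), (dip, dport)
        # Sorting the endpoints gives both directions the same key.
        key = (proto, *sorted((src, dst)))
        f = flows.setdefault(key, {"initiator": src, "fwd": 0, "rev": 0,
                                   "bytes": 0, "first": ts, "last": ts,
                                   "first_reply": None})
        if src == f["initiator"]:
            f["fwd"] += 1
        else:
            f["rev"] += 1
            if f["first_reply"] is None:
                f["first_reply"] = ts
        f["bytes"] += size
        f["last"] = ts
    summary = {}
    for key, f in flows.items():
        reply = f["first_reply"]
        summary[key] = {
            "kind": "two-way" if f["rev"] else "one-way",
            "packets": f["fwd"] + f["rev"],
            "bytes": f["bytes"],
            "lifetime": round(f["last"] - f["first"], 6),
            # Delay to the first reverse packet: a crude stand-in for an RTT sample.
            "reply_delay": None if reply is None else round(reply - f["first"], 6),
        }
    return summary

if __name__ == "__main__":
    for key, info in classify_flows(PACKETS).items():
        print(key, info)
```

In the sample, the unanswered port-445 flow stays one-way with a 3-second lifetime made up only of a retransmission, which is the kind of one-way behaviour the abstract attributes to malicious traffic and re-transmissions.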