Cristian Estan

Internet traffic measurement: What's going on in my network?
Ph. D. thesis at University of California San Diego, October 2003

One of the main reasons for the success of the Internet is its service model that emphasizes flexibility: any computer can send any type of data to any other computer at any time. While this freedom enabled the unhindered deployment of the applications popular today such as email and the world wide web, it also made the job of administering the network harder. In the phone network, exhaustive call logs are readily available, whereas the Internet lacks built-in traffic measurement features that would help the operators figure out how the network is used or misused. Existing solutions either lack the necessary detail, do not scale up to the speeds of today's networks, fail to extract the meaningful information from raw data or are not flexible enough to keep up with the ever changing traffic mix. This dissertation addresses these problems.

Traffic measurement is not driven by a single concrete goal. There is a large number of systems that perform traffic measurement to answer a wide variety of questions. The strategy adopted by this dissertation is to isolate tasks common to many traffic measurement systems and provide efficient algorithmic solutions to those tasks that can be used as building blocks. The four important building blocks addressed are: identifying and measuring large flows of traffic, counting flows, network traffic synopses and explicitly describing complex traffic mixes. The dissertation also discusses how to improve performance by adapting the parameters of these building blocks to the observed traffic. It concludes with the description of a complete traffic analysis system using many of these algorithmic solutions.

