points. As opposed to active measurements, this approach is non-intrusive and ideally the measurement process does not disturb the operation of the network. Measurement data of highly variable granularity is gathered: ranging from detailed packet traces 5) and flow records 6) to routing tables and counters from network nodes (e.g. SNMP counters on router interfaces). Packet traces and flow records require the various fields of the packet headers to be monitored while interface counters typically accumulate the number of packets and bytes transferred/dropped. The major drawback of collecting raw packet traces or flow records from high capacity networks is that huge data volumes are created. Thus, it may not be feasible to store raw data for long periods of time without performing some data reduction. Note that packet traces and flow records contain sensitive information that must be handled with care.
Examples of functionality to process, store and export passive measurement data integrated in the hardware and software of network nodes are interface counters and Cisco’s NetFlow [NetFlow99] data export. The design of router architectures capable of collecting passive measurements is beyond the scope of this discussion. However, the routers should be built to collect the necessary measurement data without any disturbance to the packet forwarding capability of the router.
Specialized stand-alone PCs that collect passive measurements from high capacity links without impacting network operation are available. These passive stand-alone measurement units usually run specialized software on a hardware platform that taps information from packets traversing the link being monitored. Examples of such dedicated measurement units are Netramet [Brownlee], the OCXmon/Coral monitor [Coral] [MOAT] and the DAG monitor [Graham]. Packet traces can also be collected on regular workstations by using the tcpdump application [Tcpdump].
Each packet record carries a number of attributes that characterize the packet and the corresponding events. The attributes of a packet can be classified as endogen and exogen attributes. Endogen attributes are carried in the packet headers and user data. Exogen attributes are not carried inside the packet but are implicitly derived. Examples of exogen attributes are the incoming and outgoing interface for the packet at a certain router and the time of arrival of the packet at a given node. Packet traces can contain a copy of the entire packet including headers as well as user data. However, to reduce the sensitivity and data volume, usually only the IP header and transport protocol header are kept, as illustrated in Figure 3.2.
3.4.1 Passive Measurements of Unidirectional Performance Parameters Using Packet Traces
Passive measurements of unidirectional delay and loss require raw packet traces to be captured at several measurement points, as illustrated in Figure 3.3. One example of measurements collected using this method is [Graham].
Note that timestamps could be added to real packets inside the network for the purpose of passive measurements of unidirectional delay. Hence, this would allow unidirectional delay to be estimated from a single packet trace. This concept needs further study and requires specialized equipment to be developed and installed in the network. Further, for packets that contain sequence numbers it could be possible to estimate loss from a single packet trace. However, in the following it is assumed that delay and loss must be estimated by correlating the information from several packet traces.
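The correlation step described above can be sketched as follows; this is an added example, not code from the original paper or from any of the tools it cites. It reads fixed-size records in the Figure 3.2 layout from two measurement points, matches packets on header fields that do not change in transit, and derives unidirectional delay and loss. Assumptions: the 20 byte header after the Ethernet header is IPv4, the transport is TCP, the 8 byte timestamp is a big-endian microsecond count, the clocks at both points are synchronized, and all function names and sample addresses are hypothetical.

```python
import struct
from statistics import mean

RECORD_LEN = 8 + 14 + 20 + 20  # timestamp, Ethernet, IP and transport headers

def make_record(ts_us, src, dst, ip_id, ttl, seq):
    """Build one constructed 62-byte record (sample data, TCP over IPv4)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, 0x5010, 1024, 0, 0)
    return struct.pack("!Q", ts_us) + eth + ip + tcp

def parse_trace(blob):
    """Yield (timestamp_us, packet_key) for every complete record."""
    for off in range(0, len(blob) - RECORD_LEN + 1, RECORD_LEN):
        rec = blob[off:off + RECORD_LEN]
        (ts,) = struct.unpack_from("!Q", rec, 0)  # assumed: big-endian microseconds
        ip = rec[22:42]
        # The key uses only fields that stay constant hop by hop: IP ID,
        # protocol, both addresses, and the first 8 transport bytes (ports
        # and sequence number). TTL and header checksum are excluded.
        key = ip[4:6] + ip[9:10] + ip[12:20] + rec[42:50]
        yield ts, key

def correlate(trace_a, trace_b):
    """Match packets from point A at point B; return (delays_us, lost)."""
    seen_b = {}
    for ts, key in parse_trace(trace_b):
        seen_b.setdefault(key, ts)  # keep the first sighting of each packet
    delays, lost = [], 0
    for ts, key in parse_trace(trace_a):
        if key in seen_b:
            delays.append(seen_b.pop(key) - ts)
        else:
            lost += 1  # seen at A, never seen at B
    return delays, lost

# Constructed sample: four packets leave A, the one with IP ID 102 is dropped.
SRC, DST = (192, 0, 2, 1), (198, 51, 100, 7)
SENT = [(1_000_000 + 10_000 * i, 100 + i, 1000 * i) for i in range(4)]
DELAY_US = {100: 1500, 101: 1700, 103: 1600}
TRACE_A = b"".join(make_record(t, SRC, DST, i, 64, s) for t, i, s in SENT)
TRACE_B = b"".join(make_record(t + DELAY_US[i], SRC, DST, i, 61, s)
                   for t, i, s in SENT if i in DELAY_US)

if __name__ == "__main__":
    delays, lost = correlate(TRACE_A, TRACE_B)
    print(f"matched={len(delays)} lost={lost} mean one-way delay={mean(delays)} us")
```

The TTL differs between the two sample traces (64 at A, 61 at B), which is why it is left out of the matching key.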
3.4.2 Single Packet Trace
From a single trace captured at a given measurement point it is possible to compute e.g. the number of bytes sent and received to/from various remote machines, interarrival times, packet
[Figure 3.2 Example of packet trace data format (Ethernet): 8 byte timestamp; 14 byte Ethernet header (6 byte SRC, 6 byte DST, 2 byte Prot); 20 byte header; 20 byte transport protocol header]
5) A packet trace contains detailed information (timestamp and packet attributes) about packets observed at a certain measurement point.
6) Flow records have detailed information about network flows as observed at a given measurement point. A network flow is a sequence of packets satisfying certain conditions, e.g. a unidirectional stream of packets from a specified source to a certain destination satisfying a given time-out value.