Center for Applied Internet Data Analysis
Analyzing UDP usage in Internet traffic
It is still an accepted assumption that most Internet traffic is transmitted via the TCP protocol. However, the rise of new streaming applications and P2P protocols that try to avoid traffic shaping techniques will likely increase the use of UDP as a transport protocol. We evaluate the amount of UDP and TCP traffic, in terms of flows, packets and bytes, on traces collected in the period 2002-2009 on several backbone links located in the US and Sweden. Our initial analysis suggests: In these observations, we found that most UDP flows use random high ports and carry few packets with little content, consistent with its use as a signaling protocol for increasingly popular P2P applications.

Introduction

Continuing its growth in traffic, connectivity, and complexity, the current Internet is full of applications with rapidly changing characteristics. Although it is still an accepted assumption that most Internet traffic is transmitted via the TCP protocol [1][2], we expect the rise of new streaming applications [3] (e.g. IPTV such as PPStream, PPLive) and new P2P protocols (e.g. uTP [4]) to increase the usage of UDP as a transport protocol. We analyze a few snapshots of UDP traffic on Internet backbone links to establish trends in UDP traffic. Our analysis suggests: In these observations, we found that most UDP flows use random high ports and carry few packets with little content, consistent with its use as a signaling protocol for increasingly popular P2P applications [5].

Datasets

We analyzed real traffic traces collected from backbone links in the US and in Sweden over the period 2002-2009. The data from Sweden was collected on an OC192 link inside the GigaSUNET network in 2006, and on an OC192 connection link of the current (2009) OptoSUNET network. The data from the United States was collected on a peering link for a large ISP (OC48) and on one OC192 backbone link.

Analysis of UDP Traffic

We used CoralReef to extract TCP and UDP flows from our traces. Each flow record, defined by a five-tuple (source and destination IP addresses, port numbers and protocol), includes the counts of packets and bytes exchanged.

Table 1 reports the ratio between UDP and TCP traffic, in terms of packets, bytes and flows. According to these available traces, the use of UDP as transport protocol has rapidly increased from 2002 to 2009, although TCP sessions are still responsible for most packets and bytes. However, in terms of flows, UDP turns out to be the dominant transport protocol: on OptoSUNET (2009), we statistically observe one TCP flow for every three UDP flows. Note that the OptoSUNET data include a substantial portion of traffic on UDP port 53, due to the presence of a RIPE DNS server located inside SUNET, serving over 400 zones. Traffic from and to port 53 of this server is not really native SUNET traffic and we filtered it out of this analysis.

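| Trace | Sample | UDP/TCP ratio (pkts) | UDP/TCP ratio (bytes) | UDP/TCP ratio (flows) | Total IP traffic (pkts/bytes/flows) |
|---|---|---|---|---|---|
| CAIDA-OC48 | 08-2002 | 0.11 | 0.03 | 0.11 | (1371M/838GB/79M) |
| CAIDA-OC48 | 01-2003 | 0.12 | 0.05 | 0.27 | (463M/267GB/26M) |
| GigaSUNET | 04-2006 | 0.06 | 0.02 | 1.06 | (422M/294GB/9M) |
| GigaSUNET | 11-2006 | 0.08 | 0.03 | 1.45 | |
| CAIDA-OC192 | 06-2008 | 0.14 | 0.05 | 1.43 | (4427M/2279GB/197M) |
| CAIDA-OC192 | 02-2009 | 0.19 | 0.07 | 2.34 | (1922M/1410GB/110M) |
| OptoSUNET | 01-2009 | 0.21 | 0.11 | 3.09 | (1100M/657GB/41M) |
| OptoSUNET | 02-2009 | 0.20 | 0.11 | 2.63 | |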
Table 1. Values of UDP/TCP Ratio.

A port-distribution analysis helped us infer the nature of the UDP flows. Figure 1 plots CDFs of the port numbers used by UDP flows (x-axis in log-scale). For traces from 2002-2003, around 40% of UDP flows run on ports below 1024, including DNS (port 53), NTP (port 123) and NetBIOS traffic (port 137). Since 2003, usage of ephemeral ports (>1024) has increased considerably. Besides DNS, NTP and NetBIOS ports, the top-used ports in terms of UDP flows are those normally used by P2P applications (Table 2), such as 4672 and 4665 (eDonkey), 6881 (BitTorrent), 6346 (Gnutella) and 6257 (WinMX).

| Trace | Sample | Top 5 Port Numbers (% flows in UDP traffic) |
|---|---|---|
| CAIDA-OC48 | 08-2002 | 53 (32.75%), 6257 (21.88%), 1214 (6.25%), 4665 (2.39%), 1024 (1.73%) |
| CAIDA-OC48 | 01-2003 | 137 (26.80%), 53 (16.28%), 22321 (13.60%), 6257 (7.53%), 7674 (5.76%) |
| GigaSUNET | 04-2006 | 6881 (6.01%), 53 (5.22%), 4672 (5.03%), 32459 (3.64%), 123 (1.43%) |
| GigaSUNET | 11-2006 | 53 (4.90%), 6881 (2.71%), 4672 (2.44%), 21083 (0.99%), 1026 (0.84%) |
| CAIDA-OC192 | 06-2008 | 53 (8.91%), 6346 (1.10%), 4672 (0.65%), 6881 (0.63%), 20129 (0.47%) |
| CAIDA-OC192 | 02-2009 | 53 (10.37%), 6346 (3.02%), 1434 (0.90%), 6881 (0.42%), 6257 (0.37%) |
| OptoSUNET | 01-2009 | 6881 (4.89%), 53 (4.68%), 1434 (0.99%), 49174 (0.57%), 4443 (4.80%) |
| OptoSUNET | 02-2009 | 53 (3.74%), 6881 (3.19%), 5060 (0.84%), 1434 (0.76%), 7881 (0.50%) |
Table 2. Top 5 Port Numbers of UDP flows.
Figure 1. CDFs of UDP flows based on port number.

Due to the small size of their packets, we attribute the flows running on those ephemeral ports to P2P overlay signaling rather than bulk transfers. Further analysis revealed that flows on the top ten most popular ports generally carry fewer than 7 packets and about 10KB on average: larger UDP flows are mainly observed in early traces (2002-2003), indicating a drift of UDP traffic toward small (signaling) flows (see Figure 2 for details), at least so far this decade.

Figure 2. Average packet (left) and bytes (right) per flow.
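
The computation behind Tables 1 and 2 and the per-flow averages, as an added example that is not CAIDA's code or CoralReef output. The flow records, the `DNS_SERVER` placeholder address and all function names are constructed for illustration, and attributing a flow to the lower of its two ports is an assumption the page does not state.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto pkts bytes")
TCP, UDP = 6, 17                      # IP protocol numbers
DNS_SERVER = "192.0.2.53"             # placeholder address for the in-network DNS server
# Constructed flow records (documentation address ranges), not taken from the traces.
SAMPLE = [
    Flow("198.51.100.1", "203.0.113.9", 51000, 80, TCP, 40, 42000),
    Flow("198.51.100.2", "203.0.113.9", 51001, 443, TCP, 60, 58000),
    Flow("198.51.100.3", "203.0.113.20", 51413, 6881, UDP, 2, 200),
    Flow("198.51.100.4", "203.0.113.21", 40112, 6881, UDP, 3, 300),
    Flow("203.0.113.22", "198.51.100.5", 6881, 33970, UDP, 1, 100),
    Flow("198.51.100.6", "203.0.113.23", 50210, 4672, UDP, 2, 150),
    Flow("198.51.100.7", "203.0.113.24", 50211, 4672, UDP, 2, 150),
    Flow("198.51.100.8", "203.0.113.53", 39001, 53, UDP, 2, 250),
    Flow("198.51.100.9", DNS_SERVER, 39002, 53, UDP, 1, 80),
    Flow(DNS_SERVER, "198.51.100.9", 53, 39002, UDP, 1, 300),
]

def drop_dns_server(flows, server=DNS_SERVER):
    """Drop UDP flows to or from port 53 of one server, as done for OptoSUNET."""
    def hit(f):
        return f.proto == UDP and ((f.src, f.sport) == (server, 53)
                                   or (f.dst, f.dport) == (server, 53))
    return [f for f in flows if not hit(f)]

def udp_tcp_ratio(flows):
    """UDP/TCP ratio in packets, bytes and flows (the three columns of Table 1)."""
    tot = {TCP: [0, 0, 0], UDP: [0, 0, 0]}
    for f in flows:
        if f.proto in tot:
            tot[f.proto] = [a + b for a, b in zip(tot[f.proto], (f.pkts, f.bytes, 1))]
    if 0 in tot[TCP]:
        raise ValueError("no TCP traffic to compare against")
    return tuple(u / t for u, t in zip(tot[UDP], tot[TCP]))

def top_udp_ports(flows, n=5):
    """(port, % of UDP flows, mean pkts/flow, mean bytes/flow) for the top-n ports."""
    udp = [f for f in flows if f.proto == UDP]
    stats = {}
    for f in udp:
        port = min(f.sport, f.dport)  # assumption: the lower port names the service
        s = stats.setdefault(port, [0, 0, 0])
        stats[port] = [s[0] + 1, s[1] + f.pkts, s[2] + f.bytes]
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[0]))[:n]
    return [(p, 100 * c / len(udp), k / c, b / c) for p, (c, k, b) in ranked]

if __name__ == "__main__":
    kept = drop_dns_server(SAMPLE)
    print(udp_tcp_ratio(kept), top_udp_ports(kept))
```

On the constructed sample, the flow ratio drops from 4.0 to 3.0 once the single server's port-53 traffic is removed, which is the effect the filter described for OptoSUNET is meant to control for.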

Conclusion

We compared UDP and TCP traffic in several traffic traces collected from different networks and geographical locations, at different times. We found that TCP still dominates in terms of packets and bytes, but UDP is now often responsible for the largest fraction of flows on a given link. A port-based analysis suggests that the recent increase in UDP flows on the traces analyzed stems mainly from P2P applications using UDP for their overlay signaling traffic.

This trend may again change with the advent of IPTV and UDP based P2P applications, which not only signal, but also transport large data segments via UDP. We will continue to monitor available data to track trends in UDP usage, and specifically seek data from China where UDP-based IPTV traffic is already common. Finally, we note that precise traffic classification requires methods beyond simple port classification. Most current traffic classification techniques focus on TCP [6][7], with only preliminary examination of techniques for UDP traffic [8] (other than deep packet inspection). Given the growing evidence for the use of UDP transport for increasingly popular applications, including for bulk data transfer in China, we conclude that traffic analysis methods must evolve to classify UDP traffic.

References

  • [1] M. Fomenkov, K. Keys, D. Moore, and k. claffy, "Longitudinal study of internet traffic in 1998-2003," in WISICT, 2004.
  • [2] W. John and S. Tafvelin, "Analysis of internet backbone traffic and header anomalies observed," in ACM IMC, 2007.
  • [3] P. Pan, Y. Cui, and B. Liu, "A measurement study on video acceleration service," in IEEE CCNC, 2009.
  • [4] Wikipedia.org, "Micro transport protocol," Online: "http://en.wikipedia.org/wiki/Micro_Transport_Protocol", accessed April 29, 2009.
  • [5] W. John, S. Tafvelin and T. Olovsson, "Trends and differences in connection-behavior within classes of internet backbone traffic," in PAM, 2008.
  • [6] T. Nguyen and G. Armitage, "A survey of techniques for internet traffic classification using machine learning," IEEE Communications Surveys & Tutorials, vol. 10, no.4, 2008.
  • [7] M. Zhang, W. John, k. claffy, and N. Brownlee, "State of the art in traffic classification: A research review," PAM Student Workshop, 2009.
  • [8] T. Z. Fu, Y. Hu, D. M. Chiu, and J. C. Lui, "PBS, Periodic behavioral spectrum of P2P applications," in PAM, 2009.
  Last Modified: Tue Oct-13-2020 22:21:55 UTC
  Page URL: https://www.caida.org/research/traffic-analysis/tcpudpratio/index.xml