Common abstractions Packets are grouped together into streams based on header fields Traffic matrix- by source and destination as >DoS attacks- by destination IP address Measuring large streams(this paper Estimating the number of active streams(poster SIGCOMM 2002
SIGCOMM 2002 Common abstractions • Packets are grouped together into streams based on header fields ➢Traffic matrix – by source and destination AS ➢DoS attacks – by destination IP address • Measuring large streams (this paper) • Estimating the number of active streams (poster) • …
Why is measuring streams hard? Cheap memories (dram)are too slow to count all packets Fast memories(SRAM)are too small to keep counters for all streams Opportunity: elephants matter, mice dont Problem: usually we dont know in advance which streams are large SIGCOMM 2002
SIGCOMM 2002 Why is measuring streams hard? • Cheap memories (DRAM) are too slow to count all packets • Fast memories (SRAM) are too small to keep counters for all streams • Opportunity: elephants matter, mice don’t • Problem: usually we don’t know in advance which streams are large
Problem definition Given a fixed definition for streams measure large streams accurately >Large=above 1% of link capacity over a 1 minute interval assumptions Mice don t matter Accuracy of results important SIGCOMM 2002
SIGCOMM 2002 Problem definition • Given a fixed definition for streams, measure large streams accurately ➢Large = above 1% of link capacity over a 1 minute interval • Assumptions ➢Mice don’t matter ➢Accuracy of results important
Talk outline Problem definition Sample and hold Multistage filters Validation. measurements Conclusions SIGCOMM 2002
SIGCOMM 2002 Talk outline • Problem definition • Sample and hold • Multistage filters • Validation, measurements • Conclusions
How does sample and hold work? stream memor Sample Insert stream1 1 SIGCOMM 2002
SIGCOMM 2002 How does sample and hold work? stream memory stream1 1 Sample Insert