Monitoring Protocol Traffic with a MAGNeT

Mark K. Gardner, Wu-chun Feng, Jeffrey R. Hay
{mkg, feng, jrhay}@lanl.gov

Computer & Computational Sciences Division
Los Alamos National Laboratory
Los Alamos, NM 87545

Department of Computer & Information Science
Ohio State University
Columbus, OH 43210

Abstract— Network researchers have traditionally focused on monitoring, measuring, and characterizing traffic in the network to gain insight into building critical network components (e.g., protocol stacks, routers, switches, and network interface cards). Recent research suggests that additional insight can be obtained by monitoring traffic at the application level (i.e., before traffic is modulated by the protocol stack) rather than in the network (i.e., after traffic is modulated by the protocol stack). Thus, we present MAGNeT: Monitor for Application-Generated Network Traffic, a toolkit that captures traffic generated by the application (as it traverses the protocol stack) rather than traffic in the network. MAGNeT provides the capability to monitor protocol-stack behavior, construct a library of traces of application-generated traffic, verify the correct operation of protocol enhancements, troubleshoot and tune protocol implementations, and perhaps even replace tcpdump. In addition, we have extended MAGNeT to instrument CPU context switches as an example of how the general kernel monitoring mechanisms of MAGNeT can be used to monitor any kernel event in the operating system.

Index Terms— monitor, measurement, network protocol, traffic characterization, TCP, tcpdump, MAGNeT, traces, application-generated traffic, CPU scheduler.

I. INTRODUCTION

Network researchers often use traffic libraries such as tcplib [1], network traffic traces such as those at [2,3], or network models such as those found in [4] to obtain insight into network-protocol operation and to focus their network experiments. However, such libraries, traces, and models are based on measurements made by tcpdump [5] (or similar tools like PingER [6], NLANR Network Analysis Infrastructure [7], NIMI [8] or CoralReef [9]), meaning that the traffic an application sends on the network is captured only after having passed through TCP (or more generally, any protocol stack) and into the network. That is, the tools capture traffic on the wire (or in the network) rather than at the application level. Thus, the above tools cannot provide any protocol-independent insight into the actual traffic patterns of an application.

Researchers have traditionally designed and tested network protocols using either (1) “infinite” file transfers or (2) traffic traces which have already been modulated by a protocol stack. The first is appropriate if bulk data transfers constitute the majority of the traffic. But networks are no longer primarily filled with file transfer protocol (FTP) traffic. They include substantial amounts of hypertext transfer protocol (HTTP) and streaming multimedia traffic. The second is acceptable if the differences between application-generated traces and network-captured traces are negligible. However, as we will show in this paper, the differences in the traces can be substantial, indicating that the protocol stack adversely modulates the application-generated traffic patterns. Hence, tools for obtaining application-generated traffic traces are needed.

To determine the application-generated traffic patterns before being modulated by a protocol stack,

This work was supported by the U.S. Dept. of Energy’s Laboratory-Directed Research & Development Program and the Los Alamos Computer Science Institute through Los Alamos National Laboratory contract W-7405-ENG-36. Any opinions, findings, and conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DOE, Los Alamos National Laboratory, or the Los Alamos Computer Science Institute.

Passive and Active Measurement Workshop (PAM2002), Fort Collins, Colorado, March 2002. LA-UR 02-0808