Address and traffic dynamics in a large enterprise network

MSR-TR-2008-98

Despite the centrally-managed nature of and critical infrastructure provided by enterprise networks, analyses of their characteristics have been limited. In this paper we examine the dynamics of enterprise networks from two distinct perspectives, namely traffic and addressing. Using a large packet trace spanning approximately 3.5 weeks coupled with diverse other data sources, we pose and answer a series of questions pertinent to understanding the aforementioned aspects of today’s enterprise networks. Specifically, (i) What is the network and geographical spread of traffic observed at a site in the enterprise network? (ii) Is it possible to infer application usage based on port numbers alone? (iii) Is the client-server model valid within the enterprise, namely can we accurately distinguish clients and servers looking at traffic volumes alone? (iv) How reliable is host identification by IP address or name alone? (v) What are the mobility patterns for hosts within an enterprise network? Finally, we discuss the implications of our findings for tasks such as modelling and monitoring. Although no single enterprise network could be considered typical, we believe that even a single datum is better than none at all, and that insight into these characteristics of our network is of interest to the networking research community, for whom such data is rarely accessible.