next up previous
Next: Traffic Archive Up: Related Work Previous: Related Work

Packet Monitoring

Packet capturing was brought with the advent of Ethernet. The first personal computer, Xerox Alto, already had programs to monitor Ethernet. As Ethernet came into wide use, dedicated network monitors became indispensable to developers and operators. The CMU/Stanford enet packet filter is the first UNIX based packet filter developed in 1980 [MRA87]. It eventually evolved into the Ultrix Packet Filter at DEC, NIT under SunOS, and BPF.

Userland programs that prints the headers of packets appeared with UNIX workstation. Sun implemented NIT (Network Interface Tap) to capture packets and etherfind to print packet headers. The advantage of UNIX-based monitoring tools is that users can use other software tools available on UNIX for manipulating and analyzing packet traces.

tcpdump [JLM89] is probably the most popular packet capturing tool in the UNIX community. tcpdump first appeared in 1989 and merged into BSD Net Release2 in 1991. tcpdump is based on a powerful filtering mechanism, the BSD packet filter (BPF) [MJ93]. The packet capturing and filtering facilities of tcpdump are implemented in a separate library, pcap [JLM94]. The pcap library became independent from tcpdump in 1994, and there are a wide range of network monitoring or analysis tools which integrate the pcap library. In 1999, tcpdump.org [tcp99] was organized by volunteers to maintain the tcpdump code.

High-performance monitoring systems are explored by OC3MON [ACTW96] and its successors that are based on a PC hardware but exclusively for ATM . CoralReef [CAI99] is a package developed at CAIDA to analyze the output of OCxMON.

Packet monitoring techniques have been used to gather long-term statistics. A pioneering work is statspy [Bra88] in the NNStat package developed at ISI. As SNMP becomes widely available, network statistics tools are geared toward SNMP. MRTG [Oet96] and its successor RRDtool [Oet99] are popular tools to collect traffic counters from routers through SNMP. More recently, cflowd [McR99] is developed at CAIDA to make use of Cisco's NetFlow [Cis98] that exports statistics of flow cache entries.


next up previous
Next: Traffic Archive Up: Related Work Previous: Related Work
Kenjiro Cho
2000-04-23