
NETWORK MONITORING

CONTENTS

QUESTION NUMBER 1
    Simple Network Management Protocol (SNMP)
        Scenario
    NetFlow
        Scenario
QUESTION NUMBER 2
    Intrusive Monitoring
    Non Intrusive Monitoring
    Work even for packets which are not sent back-to-back
    Include errors even when back-to-back packets are used
    Be accurate only when using two back-to-back packets
QUESTION NUMBER 3
    Privacy protection
    Personal Information
        IP address
        MAC address
        URL
    Performance vs. Personal Information
QUESTION NUMBER 4
    The timeline the events of the connection
    Evolution of Congestion Window
    Calculation of Round Trip Time and Bottleneck bandwidth
    Packet Loss
REFERENCES
APPENDIX


Question No: 1
Propose two network scenarios where SNMP and NetFlow monitoring should be used to
observe specific problems occurring (one scenario for SNMP and one for NetFlow). As part
of the answer, you should describe the scenario, the possible problem(s), and explain why
SNMP or NetFlow are the preferred alternative.

Computer networking generally refers to the setup that enables a group of
computers to communicate with each other and to share data and resources.
Telecommunications have expanded enormously and the Internet has spread across
the globe. Moreover, crucial sectors such as science, medicine and engineering
use computer networks to transfer huge volumes of data from one location to
another. Consequently, an efficient monitoring system is essential for
preserving the security of such networks. A network monitoring system is
software or hardware capable of analysing network performance in order to
prevent security threats and provide more functional visibility.
Currently, there are many network monitoring and management protocols. In this
section, two important methods of network monitoring are discussed:

1. SNMP (Simple Network Management Protocol)
2. NetFlow (Cisco developed network protocol)

SNMP is concerned with the management of the network interfaces, while NetFlow
deals with the management of network traffic as a whole. These protocols are
discussed in detail with the help of the scenarios that follow.

Simple Network Management Protocol (SNMP)

SNMP is an application layer protocol that reports the conditions at the
network interfaces by exchanging information between network devices. The
protocol is part of the TCP/IP suite and helps network administrators to sort
out network issues and set up any further changes. SNMP makes use of the
Internet Engineering Task Force (IETF) based Management Information Bases for
point-by-point performance management of the network. Currently two versions of
SNMP are available, namely SNMP v1 and SNMP v2.
SNMP basically comprises three components:
• Management System
• SNMP Agent
• Network Monitoring System (NMS)


(Fig 1: hp.com, 2006)


The management system carries out the network monitoring and regulates the
networked devices. The agents are mechanisms present in every network device
which report error and performance information to the Network Management System
(NMS). The NMS is updated frequently so that it holds the most recent network
logs supplied by the SNMP agents. The SNMP versions come with advanced features
for network management functions. The application of SNMP can be explained with
the following bank scenario.

Scenario

Consider the case of an international bank. The bank has multiple branches all
over the country, all interconnected with the main server in London. The bank
has allotted each server a different LAN dealing with different operations such
as user accounts, online transactions etc. On one peak day the employees
reported to the network manager that the bank's network connection was too slow
to carry out customer services such as updating accounts, accessing user
details etc. On receiving this report, the administrator analysed the network
performance in detail. The architecture of the bank’s network can be plotted as
follows.


SNMP has been implemented effectively in the bank’s network. As a result, every
device in the network has its own SNMP agent, which updates the corresponding
device performance from time to time. These agents report errors or device
failures to the Network Monitoring System (NMS), and this information is stored
in the Management Information Base (MIB).

(Fig: Windowsnetworking, 2009)


On analysing the network characteristics in detail, the administrator accessed
the SNMP Management Information Base (MIB). From the MIB, he analysed the logs
sent by the main server, which informed him that the server was down and unable
to process any more traffic. The administrator could therefore quickly take
action to bring the server back up by reducing the traffic based on priority.
Consequently he could stabilise the network traffic without affecting the
banking operation for a long time.

NetFlow (Cisco IOS standard)


NetFlow is a network monitoring protocol developed by Cisco Systems. It gives
more visibility into the network by providing complete traffic analysis
information for the entire network. This gives network administrators
point-by-point information about network traffic and so lets them monitor the
network efficiently. The figure shows the implementation of a NetFlow system in
a network.

(Fig: NetFlow.co.uk, 2009)

The architecture of the NetFlow protocol comprises three basic components,
detailed as follows:
• Sensors: sniff the network traffic for any loss, errors, congestion etc.
• Collectors: catch the records from the sensors and store them on disk.
• Analysis systems: analyse and study the data thus obtained.

The latest version of NetFlow is NetFlow Version 9. NetFlow is capable of
tackling network topology issues such as a slow network, tracing the root cause
of an error, pointing out where to monitor in the network etc. The major
applications of NetFlow in a network scenario can be:
• Network troubleshooting
• Real-time network monitoring
• Applying Quality of Service (QoS)

NetFlow is unidirectional and is most suitable for web traffic and TCP
connection summaries. NetFlow provides more understanding of the network
conditions than the SNMP protocol, and it also handles a larger volume of data
analysis than the SNMP mechanism.

Scenario
Consider the case of an average business firm. The firm has two subnets,
Section A and Section B, allotted to the general staff and the office
administrators respectively. The manager has an independent system connected
directly to the server. The network architecture of the firm is shown as
follows.

On a particular day, the manager reported to the network administrator that the
Internet was too slow for him to update the company profile, which is of high
priority and needs to be updated on a daily basis. The manager also reported
that the Internet is generally weak in the afternoon session, so that the
employees working in office administration could not finish the day-to-day
operational details successfully.


On receiving this report, the network manager analysed the traffic flow
throughout the network with the help of NetFlow. Based on the NetFlow analysis
he could figure out that there was a heavy traffic flow between the employee
systems and the server. He could also work out that some of the employees were
browsing certain video sites as well as online gaming sites, which took up a
major portion of the firm’s network bandwidth.
As a result of this observation, the network manager decided to stabilise the
network bandwidth through the following steps.
1. Update the firewall policy to prevent the employees from accessing video and
gaming sites which require high bandwidth.
2. Restrict internet access for particular employee systems (those which do not
actually need it) in the afternoon session, thereby providing more bandwidth to
the managerial systems as well as those in the office administration.

Question No: 2

Using the discussed methods for intrusive and non-intrusive measurement, describe network
and traffic scenarios (one for each of the points below) where measurement of bottleneck
bandwidth would:
a. Work even for packets which are not sent back-to-back
b. Include errors even when back-to-back packets are used
c. Be accurate only when using two back-to-back packets

The efficiency of network monitoring depends on the methods and tools adopted.
With more and more applications being brought to the market, it has become more
complex to determine the most efficient method for a thorough analysis of the
network. In this part, two important methods of network monitoring and the
scenarios in which they can be implemented are discussed. The methods are as
follows:

1. Intrusive Monitoring
2. Non-Intrusive Monitoring


Intrusive Monitoring

Intrusive monitoring is a traditional method of network monitoring which
depends mainly on data packets for analysing network performance. It examines
the network by sending packets to a host or group of hosts, receiving a
response from them and then interpreting the received traffic. The Internet
Control Message Protocol (ICMP), ping and traceroute are the major tools used
for intrusive monitoring. ICMP offers an understanding of protocol problems,
TTL expirations etc., and traceroute provides routing information when the
routers respond to the probes sent.
The intrusive methods can provide sufficient information about packet loss,
bandwidth and latency from the responses obtained from the remote end-points.
Bandwidth is evaluated by analysing back-to-back packets or acknowledgements
and the impact of the bottleneck bandwidth on them.

Non-Intrusive Monitoring

Non-intrusive monitoring is otherwise termed passive traffic monitoring. This
method passively collects information from the packets passing by and does not
inject any packets into the network. Non-intrusive traffic monitoring is
carried out with tools such as analyzer, ethereal, tcptrace etc. Cisco's
NetFlow is an advanced example of a non-intrusive network monitoring tool.
These tools capture the data packets and perform real-time analysis of them,
and the outputs are plotted for further study.
Non-intrusive monitoring is used to ensure the Quality of Service (QoS) of
different Internet-based applications such as VoIP, Internet TV, IPTV etc.
Congestion window analysis and bottleneck bandwidth analysis can be carried out
efficiently using non-intrusive tools like tcpdump. The concerns over
back-to-back packets and bottleneck bandwidth are discussed with the help of
the following scenarios.

Bottleneck Bandwidth
The bottleneck bandwidth can be defined as the maximum throughput the path can
offer from the source to the destination, provided there is no other traffic
present on that path. The bandwidth is restricted by the fundamental capacity
of the bottleneck link. The figure below shows the packet spacing that occurs
in the case of a bottleneck bandwidth; the bottleneck bandwidth gives the
spacing between the packets.

(From: http://web2.uwindsor.ca/courses/cs/aggarwal/HPGCGroup/Docs/bbest.ppt )
The measurement of bottleneck bandwidth contributes to congestion control and
QoS mechanisms. It also facilitates dynamic server selection within networks.
Bandwidth measurement can be divided into:

1. Single packet algorithm

The single packet algorithm is based on TTL packets for bandwidth evaluation.
Once the TTL of a packet comes down to 0, the packet is discarded and, at the
same time, the router sends an ICMP time exceeded packet back to the original
sender. In this way a series of packets with different TTL values is sent out.
From the analysis of these probes, the bandwidth of each link is calculated.
The features of this algorithm are:
• There is no cross traffic
• The space intervals are large enough and they can be kept as they are.

2. Packet-pair algorithm

The packet-pair algorithm is based on the principle that when two packets are
queued next to each other at the bottleneck link, they exit the bottleneck link
`t` seconds apart. In order to pass through the bottleneck link, the packets
need to be of dissimilar velocities. If the velocity of one is smaller, then
that can pass over the other packet, eliminating the bottleneck link.
The packet-pair bandwidth calculation formula is as follows.
b = s / (tn1 - tn0)
Where,
b: bottleneck bandwidth to be measured
s: size of packet 1
tn1: time stamp of packet 1
tn0: time stamp of packet 0

Back-to-back packet scenarios


a. Work even for packets which are not sent back-to-back

For an intrusive method, to find the bottleneck bandwidth from packets that are
not sent back-to-back, we first ping the system, for example ping
www.google.com

Here we can see that ping is a non back-to-back process of sending packets,
because the transfer occurs with a single packet being sent by the server at a
time. From it we can find the TTL and RTT. To find the bottleneck bandwidth for
such packets it is not possible to use Wireshark or windump, because these
tools are used for back-to-back packet capture. So we need to use some other
tool, like sting, for calculating the bottleneck bandwidth.

Sting is a tool that works on the basis of TCP; using sting we can find both
upstream and downstream files. Sting uses raw sockets for altering the response
(lecture notes, Ghita, B).

The figure below shows an example of calculating the bottleneck bandwidth for
packets that are not sent in a back-to-back way.


(Fig: university of Washington, 2003)

From the above graph we can calculate the bottleneck bandwidth of data that is
transferred in a non back-to-back manner.

b. Include errors even when back-to-back packets are used

Considering the packets captured using Wireshark (the same trace as in question
number 4), we can calculate the bottleneck bandwidth for different back-to-back
packets. Two cases of calculating the bottleneck bandwidth of back-to-back
packets are shown below.

CASE 1:

In the above figure, packets number 2156 and 2157 are two back-to-back packets
in the trace. To calculate the bottleneck bandwidth from these back-to-back
packets we can use the equation below:
Bottleneck bandwidth = (header + length) of packet 2 / (time stamp of packet 2 - time stamp of packet 1)
In this case
Header = 20 + 20 = 40
Length = 1514
Time stamp of packet 2 = 10.331403
Time stamp of packet 1 = 10.330842

So, Bottleneck bandwidth = (40 + 1514) / (10.331403 – 10.330842)
= 2770053.48
= 2.77 Mbps

CASE 2:

Consider the packets 2195 and 2196

Bottleneck bandwidth = (40 + 1514) / (10.392158 – 10.391419)
= 2102841.68
= 2.10 Mbps

The above two values for bottleneck bandwidth are different, which shows that
an error occurs in the bottleneck bandwidth even when packets are sent
back-to-back. These errors in bottleneck bandwidth are caused by improper or
inaccurate clock times, and these inaccurate clock times are due to delay in
transfer.

c. Be accurate only when using two back-to-back packets
The situation in which two packets are back-to-back is the ideal one. Such
packets will have the most accuracy and the highest bottleneck bandwidth.

(Fig: From http://optimizedstack.0catch.com/)

The graph above depicts the accuracy of two back-to-back packets.

Question No: 3

In the context of trace anonymisation, comment on the amount of network
performance versus the amount of personal information that can be determined
from a trace when saving/anonymising a certain amount of the packet (e.g.
saving only the MAC or/and IP headers, anonymising URLs, etc)

The release of packet traces to the public provides wide benefits as far as
network research is concerned. The traces act as the major source of network
parameters, and they therefore offer sufficient information to study the
characteristic features of any network. But as far as the privacy of these
networks is concerned, publishing these traces raises a lot of concern. It also
raises concerns about the security of the organisation, as the packets contain
vital information like IP addresses, URLs, MAC addresses etc. Hence it is
important to represent these offending components in a different form and then
make the rest public. This mechanism is termed packet trace anonymisation.

Privacy protection
Privacy protection has been the core of trace anonymisation. The privacy
techniques are mostly carried out once the alert is sent to the repository. The
major modes of alert-based privacy protection are as follows:

• Scrubbing sensitive fields
Before an alert is sent to the repository, the producer removes all sensitive
information such as captured data, IP addresses and outcome fields. In
addition, the Sensor-ID is re-mapped and the time stamp is rounded up. These
scrubbing actions reduce the efficiency of fine-grained analysis but improve
security against probe-based attacks.
• Hiding IP address
When the hacker has control over the repository, the producer hides both the
source IP and destination IP addresses. IP address hiding is basically done in
two ways: encryption of the IP addresses under a known name, and hashing the IP
addresses. Hashing is a secure way of trace anonymisation.
• Prefix-preserving Mapping
This method of privacy protection is capable of preserving the structural
relationship between identifiers such as IP addresses. IP addresses can be
effectively prefix-preserved, as the original IP addresses and the anonymous
ones will share the same prefixes.
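
The difference between the last two modes, as an added example that is not part of the original report: a keyed hash hides each address independently, whereas a prefix-preserving mapping keeps subnet structure, so two addresses that share a k-bit prefix are mapped to outputs that also share a k-bit prefix. The construction follows the Crypto-PAn idea but substitutes HMAC-SHA256 for its block cipher; the key, the function names and the second sample address are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Assumed secret for the example; a real key is random and stored apart from the trace.
KEY = b"example-key-not-for-production"


def keyed_hash_ip(addr: str, key: bytes = KEY) -> str:
    """Hide an address with a keyed hash: stable, but all subnet structure is lost.

    The hash is keyed because the IPv4 space is small enough that an unkeyed
    hash of an address can be reversed by enumeration.
    """
    packed = ipaddress.IPv4Address(addr).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def _flip_bit(key: bytes, prefix: str) -> int:
    """Pseudorandom bit that depends only on the key and the address bits seen so far."""
    return hmac.new(key, prefix.encode("ascii"), hashlib.sha256).digest()[0] & 1


def anonymise_prefix_preserving(addr: str, key: bytes = KEY) -> str:
    """Map an IPv4 address so that shared prefixes stay shared, bit for bit."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = []
    for i, bit in enumerate(bits):
        # Bit i is flipped (or not) based only on bits 0..i-1, so two inputs
        # that agree on their first k bits get identical output for those bits
        # and differ at the same position where the inputs first differ.
        out.append(str(int(bit) ^ _flip_bit(key, bits[:i])))
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def anonymise_trace(addresses, key: bytes = KEY) -> dict:
    """Return {original: anonymised} for every address in a trace."""
    return {a: anonymise_prefix_preserving(a, key) for a in addresses}


# Client and server addresses from the capture in Question 4, plus one
# constructed neighbour on the client's subnet.
SAMPLE = ["192.168.1.104", "192.168.1.77", "128.183.102.55"]

if __name__ == "__main__":
    mapping = anonymise_trace(SAMPLE)
    for original, hidden in mapping.items():
        print(f"{original:>15} -> {hidden:<15} keyed hash: {keyed_hash_ip(original)}")
    a, b = SAMPLE[0], SAMPLE[1]
    print("shared prefix before:", common_prefix_len(a, b),
          "after:", common_prefix_len(mapping[a], mapping[b]))
```

Because subnet relationships survive, a prefix-preserving trace remains useful for routing and topology studies, and for the same reason it discloses more structure than a keyed hash does.
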
Personal Information
The major issue with publishing packet traces is that they reveal considerable
personal information about the system, such as IP addresses. This information
could help attackers gain knowledge about the characteristic features of the
network. The major attributes disclosed by the traces are as follows.
• IP addresses
The major threat to personal information from the trace route is that it
exposes the producer’s IP address (source IP). The IP address reveals vital
information about the network’s internal topology, which helps attackers to
track the propagation of an attack through the network, something that would
normally be undetectable to them. Once attackers can tie traffic to a known IP
address, they can get a detailed view of the user's activities as well as the
services running on the user’s system. A trace providing information about IP
addresses is shown as follows.

• MAC address
The traces also retain the MAC address of the trace producer. The MAC addresses
are part of Ethernet addresses, which are distinct to the individual Network
Interface Cards (NIC). On obtaining the MAC address of the user’s NIC,
attackers can uncover the actions of the user. Moreover, attackers can work on
undoing the IP address anonymisation from the MAC instances obtained from the
traces. The Ethernet address is anonymised by scrambling the upper as well as
the lower bits of the address.
A captured trace with information about the user's Ethernet is shown as
follows. It provides information about the Ethernet hardware details as well.

• URL
The traces also carry extensive information by listing URLs/pathnames. The URL
provides detailed information about the file content, whether it is static or
dynamic, the language used etc. Anonymising the URL often results in
information loss, so URL anonymisation is carried out by encoding it with some
other information. A trace showing URL details is listed as follows.


Performance vs. Personal Information


In the context of packet trace anonymisation, we can conclude that there should
be a balance between network performance and personal information. Sharing
network measurement characteristics has always been critical for network
research, so it is not good practice simply to hide the data in the traces and
thereby make it unavailable to the public. But at the same time, the need to
secure the traces is more important as well. Currently there are a number of
packet anonymising tools, such as TCPdpriv, Tcpmkpub etc., which are capable of
balancing the security of the traces against research needs. The requirements
for such a balance are as follows:
• Careful guidance should be given on designing the anonymisation policy for
packet trace publication.
• An effective tool, adapted to the particular policy, should be implemented.
• Policy decisions should be developed keeping in mind the purpose of the
transformation as well as the concerns over the traffic.
• The anonymisation should present performance analysis that can evaluate the
tool’s effectiveness and protect research values.

Question No: 4
Capture the packets from a TCP connection using a pcap-compatible program (e.g.
windump, tcpdump, analyzer, etc.). For the captured packet trace:
a. Describe through the timeline the events of the connection (initiation, closing,
transfer)
b. Analyse and explain the evolution of the congestion window
c. Calculate the RTT and bottleneck bandwidth; explain the procedure used

d. Identify packet loss, if any explain the behaviour of the sender (using the
sequence of received packets)

a. The timeline of the events of the connection

Packet capturing is part of analysing the network and its behaviour in depth.
Here we used Wireshark for capturing the packets; other tools such as tcpdump
and analyzer are also available for this purpose. To demonstrate a packet
capture, we analyse the packets from IP address 192.168.1.104 to IP address
128.183.102.55 for an image of 3400 x 4600 - 2606k – jpg from the address:
http://veimages.gsfc.nasa.gov/6148/Korea.A2004004.0445.250m.jpg

1) Initiation
Initiation is the process of establishing the connection between client and
server, and it is done in a ‘three-way handshake’ process.

The above figure shows the three-way handshake process between client and
server.
In the first step
• The client (IP 192.168.1.104) sends a SYN packet to the server
(128.183.102.55).
In the second step
• The server receives the SYN packet from the client and replies to the client
by sending a SYN ACK packet. Hence the server establishes a connection with the
client.
In the third step
• The client sends back an ACK packet for the packet received earlier, and
hence further transmission can continue.
These three steps initiate the connection and make it ready for further
transmission and reception of files.
Closing
This is the process of ending or terminating the connection between the server
and the client. It can be initiated by either the client or the server.

In the above figure we can see that the server initiates the termination
(packet number 3032) by sending a FIN ACK to the client.
Packet number 3033 shows that the client sends an ACK to the server. This
indicates that there will not be any further transmission between the client
and the server.
Hence the connection between the two is terminated and there will not be any
further transmission.
Transfer
The first three steps represent the initiation process, and in the fourth step
the client sends a GET request.

In the next step the server sends an acknowledgement to the client by sending
an ACK packet. The ACK packet does not contain any data, so it shows Len = 0.
From then onwards the server and client transfer packets and send
acknowledgements for them. This process continues until a FIN packet is sent by
either the client or the server.


Evolution of Congestion Window

The congestion window determines the amount of data that can flow through a
network without causing congestion. To increase throughput, the TCP congestion
control mechanisms make proper use of the bandwidth. In the ideal case the
server sends data to the client continuously and in increasing amounts until a
packet is lost without any acknowledgement. Once a packet is lost, the server
reduces the transmission under the TCP algorithm and increases it gradually
afterwards.

From the captured trace


Figure 1

Figure 2

From figure 1 above we can see that the server sends two packets to the client
(packets 21 and 22), and the client acknowledges those two packets in the next
step: packet 23 is the client's acknowledgement for packets 21 and 22. In our
trace, the exchange continues in the same format until a packet loss occurs.
In figure 1 the circled part (packets 23 and 24) shows the time difference
between the acknowledgement and the next packet. The time calculated for those
packets comes to around 102.9 milliseconds, and the time gap between packets 22
and 23 comes to around 0.08 milliseconds. From these two time periods we can
conclude that the 102.9 milliseconds covers a packet being transferred, the
client giving its acknowledgement and the server trying to send another packet.
The second figure shows that whenever a packet loss occurs the server reduces
the number of packets sent to the client. In the figure, when a packet loss
occurs at packet 65, the server sends only one packet after that. At packet
number 69 the server sends one packet, but the client still shows that it lost
one packet; at step 74 the server again sends one packet, but the client still
responds that it did not receive the packet. At step 78 the client sends an
acknowledgement that it received the packet, and from then onwards the server
increases the number of packets sent to two. The process continues in this way
for this particular trace.

The above graph shows the growth of the congestion window in the initial stages
of the trace. In the ideal case the congestion window behaves differently:
after the handshaking procedure the server sends two packets and the client
sends an acknowledgement, then the server increases the number of packets to
three and the client ACKs them, and it then goes on increasing to five, seven,
nine etc. until the final step.

Calculation of Round Trip Time and Bottleneck bandwidth

Round Trip Time (RTT)


It is the time between a packet being sent from the server to the client and
the acknowledgement being sent from the client back to the sender. It is also
called round trip delay. It is calculated on the basis of the time stamps on
the packets sent by the client and the server. RTT can also be calculated by
pinging between the client and the server, which shows the maximum, minimum and
average round trip time. The figure below shows the round trip time calculation
using the ping command. It shows that the maximum RTT is 99 milliseconds, the
minimum is 98 milliseconds and the average RTT is around 98 milliseconds.

Let’s consider a few different packets from the trace to find the RTT.
1) trace

Consider packets 10 and 11; the time for 10 is 4.812226 and for 11 is 4.916153

Therefore RTT for 10 and 11 = 4.916153 – 4.812226
= 0.103927 = 103.93 milliseconds
2) trace

Consider packets 30 and 31; the time for 30 is 5.231332 and for 31 is 5.330891

Therefore RTT for 31 and 30 = 5.330891 – 5.231332
= 0.099559 = 99.56 milliseconds
3) trace

Consider packets 61 and 62; the time for 61 is 5.547974 and for 62 is 5.642843

Therefore RTT for 62 and 61 = 5.642843 – 5.547974
= 0.094867 = 94.87 milliseconds
Considering the average of the above three cases, it comes to around 99.45,
which is approximately equal to the RTT value obtained with ping.


Bottleneck Bandwidth
It is defined as the minimum bandwidth required for a communication channel,
and it can be used for finding the rate at which data is to be sent at a time.
Bottleneck bandwidth is calculated on the basis of the equation
Bottleneck bandwidth = size of the second packet / (time stamp 2 – time stamp 1)
where size of the packet = (header + length) of the packet, and Header is the
sum of the TCP header and the IP header.
Here we consider different cases.

CASE 1:

Consider packets number 2156 and 2157

Bottleneck bandwidth = ((20 + 20) + 1514) / (10.331403 – 10.330842)
= 2770053.48
= 2.77 Mbps

CASE 2:

Consider 2195 and 2196

Bottleneck bandwidth = ((20 + 20) + 1514) / (10.392158 – 10.391419)
= 2102841.68
= 2.10 Mbps

CASE 3:

Consider 2573 and 2574

Bottleneck bandwidth = ((20 + 20) + 1230) / (10.971690 – 10.971354)
= 3779761.9
= 3.78 Mbps

The average Bottleneck Bandwidth of the three cases is 2.88 Mbps
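
The packet-pair calculation from Question 2(b) and from the three cases above, as an added example that is not part of the original report: it picks out back-to-back data packets from capture rows, applies the report's formula to each pair and summarises how far the estimates disagree. Results are in bytes per second, the unit in which the report's intermediate figures (for example 2770053.48) come out. The row layout, the 1 ms back-to-back threshold, the length of the first packet in each pair and the ACK row 2158 are assumptions; the other packet numbers, timestamps and lengths are those quoted in the report.

```python
from statistics import median

HEADER_BYTES = 20 + 20  # TCP + IP header, added to the length as in the report's formula

# Rows: packet number, timestamp (s), source address, length (bytes).
# Row 2158 (a client ACK) is constructed; the first packet of each pair is
# assumed to have the same length as the second.
SAMPLE_ROWS = """\
2156 10.330842 128.183.102.55 1514
2157 10.331403 128.183.102.55 1514
2158 10.331500 192.168.1.104 54
2195 10.391419 128.183.102.55 1514
2196 10.392158 128.183.102.55 1514
2573 10.971354 128.183.102.55 1230
2574 10.971690 128.183.102.55 1230
"""


def parse_rows(text):
    """Turn whitespace-separated capture rows into (number, time, source, length)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed rows
        rows.append((int(parts[0]), float(parts[1]), parts[2], int(parts[3])))
    return rows


def packet_pairs(rows, sender, max_gap=0.001):
    """Consecutive rows from `sender` that arrive at most `max_gap` seconds apart."""
    pairs = []
    for first, second in zip(rows, rows[1:]):
        same_sender = first[2] == sender and second[2] == sender
        gap = second[1] - first[1]
        if same_sender and 0 < gap <= max_gap:
            pairs.append((first, second))
    return pairs


def estimate(first, second):
    """(header + length) of the second packet divided by the pair's time gap."""
    return (HEADER_BYTES + second[3]) / (second[1] - first[1])


def bottleneck_estimates(text, sender):
    """Map (first packet no, second packet no) to the estimate in bytes per second."""
    rows = parse_rows(text)
    return {(a[0], b[0]): estimate(a, b) for a, b in packet_pairs(rows, sender)}


def summarise(estimates):
    """Minimum, median and maximum estimate, plus the max/min ratio as a spread."""
    values = sorted(estimates.values())
    if not values:
        return None  # no back-to-back pairs found
    return {
        "min": values[0],
        "median": median(values),
        "max": values[-1],
        "spread": values[-1] / values[0],
    }


if __name__ == "__main__":
    found = bottleneck_estimates(SAMPLE_ROWS, "128.183.102.55")
    for pair, value in found.items():
        print(pair, f"{value:.2f} bytes/s")
    print(summarise(found))
```

The spread between the lowest and highest pair is what part (b) of Question 2 describes: each pair is back-to-back, yet the estimates differ, so a single pair is a weak basis for a measurement.
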

Packet Loss

Packet loss may occur for different reasons, among them congestion, network
problems and TTL expiry. When packet loss occurs, the server sends the packet
again and again to the client until it receives an acknowledgement. The figure
below shows an example of a packet loss that occurred while downloading a
figure.

The above graph shows (circled part) the packet loss that occurred during data
transmission.
The graph is a time-sequence representation; it shows that a packet loss
occurred between times 2.3 and 2.5. The dotted points below the normal
transmission curve represent the packet loss that occurred during transmission.


In the above figure:
Step 1: the client sends a request to the server for the next packet, but the
next packet is lost while being sent and the client does not receive any packet.
Step 2: the client issues a duplicate acknowledgement.
Step 3: the server sends the packet again, but the client does not receive any
packet and again issues a duplicate acknowledgement; the server then sends again.
Step 4: the server retransmits the missing packet again.
Step 5: the client acknowledges it and the process continues.
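
The loss sequence in steps 1 to 5, as an added example that is not part of the original report: a small detector walks a receiver-side trace and flags the sequence gap, the duplicate acknowledgements and the retransmission that fills the hole. The trace rows, sequence numbers and function names are constructed for illustration.

```python
# Constructed receiver-side trace: (packet no, sender, seq, ack, payload length).
# "S" is the server sending data, "C" the client acknowledging it. The segment
# starting at seq 2921 is lost on its first transmission, so the client never
# sees it until the server retransmits it as packet 9.
SAMPLE_TRACE = [
    (1, "S", 1, 0, 1460),
    (2, "C", 0, 1461, 0),
    (3, "S", 1461, 0, 1460),
    (4, "C", 0, 2921, 0),
    (5, "S", 4381, 0, 1460),   # arrives beyond the missing segment
    (6, "C", 0, 2921, 0),      # duplicate ACK: still waiting for 2921
    (7, "S", 5841, 0, 1460),
    (8, "C", 0, 2921, 0),      # duplicate ACK again
    (9, "S", 2921, 0, 1460),   # retransmission fills the hole
    (10, "C", 0, 7301, 0),     # cumulative ACK covers everything received
]


def loss_events(trace):
    """Return [(packet no, event)] where event is gap, dup_ack,
    retransmission or out_of_order."""
    events = []
    highest_end = None   # end of the furthest data byte seen from the server
    last_ack = None      # most recent acknowledgement number from the client
    dup_acks = {}        # ack number -> how many times it has been repeated
    for number, sender, seq, ack, length in trace:
        if sender == "S" and length > 0:
            if highest_end is None:
                highest_end = seq + length  # first data segment sets the baseline
                continue
            if seq > highest_end:
                # Data skips ahead: something in between has not arrived.
                events.append((number, "gap"))
            elif seq < highest_end:
                # Older data arriving late. If the client was repeating ACKs
                # for exactly this byte, treat it as a retransmission;
                # otherwise it may only be reordering.
                kind = "retransmission" if dup_acks.get(seq) else "out_of_order"
                events.append((number, kind))
            highest_end = max(highest_end, seq + length)
        elif sender == "C" and length == 0:
            if ack == last_ack:
                dup_acks[ack] = dup_acks.get(ack, 0) + 1
                events.append((number, "dup_ack"))
            last_ack = ack
    return events


if __name__ == "__main__":
    for number, event in loss_events(SAMPLE_TRACE):
        print(f"packet {number}: {event}")
```
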


REFERENCES
WindowsNetworking (2009) ‘Introduction to the Simple Network Management protocol’ http://www.windowsnetworking.com/articles_tutorials/Introduction-SNMP-Part1.html (Accessed on 12-03-09)

ASL (2009) ‘What is NetFlow’ http://www.netflow.org.uk/ (Accessed on 14-03-09)

Hp (2009) ‘Introduction to SNMP’ http://docs.hp.com/en/5991-5856/ar01s02.html (Accessed on 14-3-09)

Google (2009) www.google.com (Accessed on 15-03-09)

Saroiu, S et al (2003) ‘A Measurement study of peer-to-peer File Sharing System’, University of Washington http://www.cs.washington.edu/homes/gribble/papers/mmcn.pdf (Accessed on 17-03-09)

Ghita, B (2009), ‘Lecture Notes’, University of Plymouth

NASA (2009) ‘Visible Earth Korea’ http://veimages.gsfc.nasa.gov/6148/Korea.A2004004.0445.250m.jpg (Accessed on 18-03-09)

Optimized stack (2009) ‘Optimized memory transfer and flow control for high speed networks’ http://optimizedstack.0catch.com/ (Accessed on 20-03-09)

APPENDIX
