Home page logo
/

nanog logo nanog mailing list archives

Re: Questions about Internet Packet Losses
From: Tony Li <tli () jnx com>
Date: Mon, 13 Jan 1997 22:25:11 -0800 (PST)


   Are you saying the data shows significant spikes at other, non-standard MSS
   values?  

Yes.  See below.  This is a table of the top 10 packet sizes by percentage.

   If it does, then (modulo some thinking about the particular numbers) I
   agree that they're likely MSS candidates and support the notion that
   weird MSS's are being used.  But if the data has a few spikes at things
   like 512 but no strong spikes at non-standard values, then that doesn't
   help distinguish between (1) lots of weird TCP's using weird MSS's, vs
   (2) lots of packets that are less than full-size because the mainstream
   TCP didn't have enough bytes to fill them.

So you'll note that there are very clear spikes at 552 and 576 total packet
size.  Further, note that the curve falls off _extremely_ rapidly.  From
that, I argue that case (2) _cannot_ be the case because any type of random
distribution would be much smoother.  Thus, I argue that we're looking at
case (1).

   If your data is available, I'd love to take a gander at it.

I would need the permission of the data source to release the complete data
set, and we're none too certain of the collection process right yet, AND
the data are somewhat large, so I won't be posting it.  Please note that I
do NOT intend to imply that this data is representative of the net at
large, is statistically significant, or is suitable for lining bird cages.

Unanswered questions for further research:
1) What in hell is sending so many 40 byte packets?  Are we really seeing
   productive ACKs?  Or is it just HTTP bogosity?  This really sucks.
2) What OS is using a 512 MSS?  256?
3) What are the minimal revs of various BSD flavors to exceed the 576 MTU
   by default?
4) 41 bytes is pretty obviously interactive traffic.  Is the intuition
   correct?  What's so special about 44, 52, 48 and 56?  What do people do
   with 4, 8, 12 and 16 bytes of data?  And why not any of the odd values?

Tony

                Tony's Top 10
Packet Size     Percentage      
40              44.838          "ACKs, SYNs, FINs, RSTs "
552             9.19            512 MSS
1500            6.839           Happy boxes
576             5.779           BSD bogosity
44              4.719           ??
52              1.175           ??
48              0.884           ??
41              0.776           ??
56              0.73            ??
296             0.717           256 MSS


- - - - - - - - - - - - - - - - -


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault