[e2e] Internet packet size distribution

Rishi Sinha rishisin at usc.edu
Sun Oct 23 18:48:58 PDT 2005


We were recently looking at packet size distributions in Internet traffic
and observed some shifts in packet sizes compared to common wisdom. We
want to ask end2end if other folks have seen similar things, and if anyone
has alternatives to the reasons we suggest for the causes of this shift.
Details are in the note below, and with graphs at the web page
<http://netweb.usc.edu/~rsinha/pkt-sizes>.

We observed two suprising things. First, current packet sizes seem mostly
bimodal at 40B and 1500B (at 40% and 20% of packets, respectively). This
observation represents a change from common wisdom such as the pre-2000
data that reports tri-modal packet sizes around 40, 576, and 1500B.

Second, in some cases we observe a strong mode around 1300B. This
represents a new phenomenon.

The first observation holds across all observations at five different
network points, including Los Nettos (our regional ISP, carrying a mix of
academic and commercial traffic), a USC Internet2 connection, and three
connections monitored by NLANR. The second observation does not hold
universally, but is very strong at Los Nettos and USC Internet2, and is
noticeable in all traces.

The shift away from 576B packets is not suprising, since it is consistent
with evolution of OSes and widespread use of Ethernet with a 1500B MTU.

The growth at 1300B packets (seen at Los Nettos and the USC Internet2
link) was suprising to us. We have tentatively identified 1300B packets as
stemming from widespread use of VPN software, and possibly from
recommendations from DSL providers.

We traced the recommendations for 1300B MTU to several sources. For
example VPN MTU recommendations, see our web page.

Our observations do not point to wide use of end-to-end VPN over WANs, but
to VPN use at the edge network, since the 1300B size noted is presumably
that of packets that have exited a VPN tunnel. This edge-network use is
certainly true at USC, where most wireless traffic traverses a VPN over
the wireless hop and then proceeds unencrypted over the rest of the
Internet. This behavior explains why Los Nettos and USC Internet2 traffic
shows the strongest 1300B modes of the sites we observe.

Regards,

Rishi Sinha
Christos Papadopoulos
John Heidemann



More information about the end2end-interest mailing list