scispace - formally typeset
Search or ask a question
Proceedings ArticleDOI

Characterising the use of a campus wireless network

07 Mar 2004-Vol. 2, pp 862-870
TL;DR: A week-long traffic trace was collected in January 2003, recording address and protocol information for every packet sent and received on the wireless network to answer questions about where, when, how much, and for what the network is being used.
Abstract: We present the results of an analysis of the usage of our new campus-wide wireless network. A week-long traffic trace was collected in January 2003, recording address and protocol information for every packet sent and received on the wireless network. A centralised authentication log was used to match packets with wireless access points. The trace was analysed to answer questions about where, when, how much, and for what our wireless network is being used. Such information is important in evaluating design principles and planning for future network expansion.

Summary (4 min read)

INTRODUCTION

  • The campus wireless network is one of several new projects the authors have recently introduced to enhance the computing environment for their 18,000 students.
  • This paper describes the methodology the authors employed to collect data on usage, and presents the results of their analysis.
  • A description of their approach to this analysis will be useful to others planning similar studies.
  • In Section IV the authors describe the methodology followed when gathering and analysing the data, including steps taken to ensure user confidentiality.

III. NETWORK ENVIRONMENT

  • This means that all the equipment connected to the University of Saskatchewan campus network was part of the same subnet.
  • All wireless traffic is then sent to the campus router, which routes it either to the internet or back onto the campus network in the normal subnet.
  • Fortunately, since the wireless traffic is routed to and from a distinct subnet, it was possible for us to distinguish wireless packets from normal traffic.
  • At the time of measurement the first 18 Cisco access points were up and running.
  • The selected locations spanned the campus covering a wide range of possibilities, from public spaces (lounges, libraries, even a coffee shop), to classrooms and laboratories, to office spaces, to allow ITS to gauge the nature of the user 1 demand.

A. Trace Collection

  • Its trace gathering capabilities were deemed sufficient to meet the needs of this project.
  • A short trace was recorded as a trial run for the trace gathering system.
  • Doing this allowed us to determine the traffic level on the wireless network, which would dictate the bandwidth and storage requirements of the trace gathering computer.
  • EtherPeek analysed each packet individually, and recorded information such as the date, time, origin, destination, and protocol.

B. Authentication Logging

  • For security their network administrators have deployed Cisco's proprietary LEAP authentication system [4] to control access to the wireless network.
  • The LEAP Radius server keeps track of every wireless user currently connected to the network.
  • The log includes a record of each authentication, including the date, time, username, client MAC address and the IP address of the access point the user is connected to.
  • To allow us to determine where users were connecting to the network, the authors were provided with a one week anonymised portion of the authentication log corresponding to the week of the trace.
  • The trace itself contained only information gathered from the headers of the wireless data packets.

D. Analysis

  • The analysis of the trace files and authentication log was done primarily with custom-written Perl [5] scripts.
  • The authors initial analysis of the trace files was a simple validation and error-checking pass.
  • This revealed that several portions of the trace contained mis-ordered or erroneous data.
  • This was what the authors expected, since the wireless network experienced no outages during the period of the trace, and the data was gathered directly from the router and authentication log.
  • The results of this analysis are discussed in Section V.A. Next, the authors began studying the authentication log.

Figure 1: Trace and Authentication Log Parsing Algorithm

  • The final stage of analysis combined the trace data and authentication log to match packets with access points.
  • In order to map packets to access points, a user/location lookup table had to be constructed and updated from the authentication log.
  • The algorithm used to simultaneously traverse both the authentication log and the trace files is outlined in Fig. 1 .
  • This stage revealed the most detailed information about the wireless network, presented in Section V.C.

A. Trace Data

  • Due to a configuration error, packet sizes were recorded for only a small fraction of the packets traced.
  • Between each day, the traffic level remains relatively steady at around 15 packets per second.
  • The authentication log contained 24973 records of wireless users authenticating.
  • The average number of authentications per user (186.4) seems high.
  • When a user is just within range of two or more access points, the software will often switch connections repeatedly on the basis of the perceived signal strengths at each access point.

Fraction of users

  • The reasons for this are discussed in C(3) below.
  • These non-authenticated packets were present in every second of the trace.
  • Furthermore, the average arrival rate of these non-wireless packets cycles between a high and low rate with a period of approximately 300 seconds (5 minutes).
  • Since this nonwireless traffic did not vary with the time of day it must have been generated by automated equipment on the network.
  • Duplicating multicast maintenance packets onto the virtual wireless network needlessly doubles the maintenance overhead on the underlying physical network.

Total Authentications

  • Fig. 6 shows the protocol mix for the actual wireless traffic.
  • As would be expected, web browsing (HTTP, HTTPS) and other common applications, including file sharing (CIFS, SMB, NetBIOS, NB), file transfer (FTP), e-mail (IMAP, POP3, SMTP), instant messaging (AOL, MSN), peer to peer , remote shell (SSH, TELNET), and network services (PING, DNS) dominate the user-generated traffic.
  • Other TCP traffic from unidentified applications makes up 34.6% of these wireless packets.
  • The fact that these protocols are those of end-user applications offers further confirmation that this traffic is user-generated and that the non-wireless traffic is not.

3) Traffic vs. Authentications

  • In Fig. 7 the authors compare the number of authentications at each access point to the number of packets sent to and from users authenticated at that access point over the course of the trace.
  • The difference between Law traffic and other traffic could be attributed to a difference in the usage patterns of their law students.
  • Fig. 8 shows the average traffic in packets per second for each day of the trace 3 at each access point.
  • Popular public areas for socializing and studying such as Place Riel (our student centre), the Learning Commons in the main library and a lounge outside Arts 145 (a busy Computer Science undergraduate lab) were used on every day of the trace.

5) Roaming

  • The authors were especially interested in the degree to which users roam between access points and they were able to study this using the authentication log.
  • Fig. 9 shows the distribution of the number of access points visited by each unique user.
  • Furthermore, students who connected in the Law Building also frequently connected in the nearby Arts building.
  • Few roaming users connected in the Geology Library.
  • More distant roaming can be attributed to users who normally connect at a familiar "home" access point near their offices or classes but bring their laptops with them when visiting more well-connected areas of the campus.

7) Design Principles

  • These principles were derived from constraints such as the geography of the campus and the technology chosen.
  • In order to maximize the usefulness of the network, their first access points were installed primarily at locations which best met the following criteria:.
  • As more course notes, announcements, textbooks, reference materials and other material becomes available online, the need to have ready access to that material will increase.
  • By improving and expanding wireless access in professional and high-tech colleges the authors can further capitalize on existing user-owned mobile devices.
  • The authors experience in the College of Law confirms that these guiding principles were an appropriate choice for effective deployment in their environment.

VI. CONCLUSIONS

  • Unlike previous studies of wireless networks, their trace was collected in a centralized manner made possible by the LEAP authentication system and the network environment in place at the University of Saskatchewan.
  • The authors centralized network design made possible a more complete and error-free trace than those analysed in previous projects.
  • The popularity of a given access point was largely determined by its accessibility and familiarity to users.
  • The usage patterns in the College of Law provide an excellent example of the success of their wireless network design.
  • In the long term, the authors hope to develop a methodology and a toolset which can be used to characterize the use and performance of a campus sized wireless network easily and accurately.

Did you find this useful? Give us your feedback

Content maybe subject to copyright    Report

Characterising the Use of a Campus Wireless Network
David Schwab and Rick Bunt
Department of Computer Science
University of Saskatchewan
Saskatoon, SK S7N 5A9 Canada
{das515, bunt}@cs.usask.ca
Abstract—We present the results of an analysis of the usage
of our new campus-wide wireless network. A week-long traffic
trace was collected in January 2003, recording address and
protocol information for every packet sent and received on the
wireless network. A centralised authentication log was used to
match packets with wireless access points. The trace was
analysed to answer questions about where, when, how much, and
for what our wireless network is being used. Such information is
important in evaluating design principles and planning for future
network expansion.
Keywords—Wireless network measurements; Wireless LANs;
Traffic analysis; Network design & planning
I. INTRODUCTION
The University of Saskatchewan campus covers a
large physical area, with more than 40 buildings
distributed over 147 hectares of land on the banks of the
South Saskatchewan River. Our geography has a
significant impact on our approach to delivery of IT. The
campus wireless network is one of several new projects
we have recently introduced to enhance the computing
environment for our 18,000 students. Our approach is to
provide mobile users with access to our wireline
network through high-speed wireless access points
located in very public areas. Our initial deployment
began in the 2001/02 academic year with a small number
of Cisco access points (18) placed strategically in a
number of locations. The demand for wireless access
continues to grow, and the network is being expanded to
offer higher capacity and greater coverage to the
campus.
In order for us to plan for this expansion, it is
important that we understand current usage patterns
that we understand where, when, how much, and for
what our wireless network is currently being used. This
paper describes the methodology we employed to collect
data on usage, and presents the results of our analysis.
Although our wireless network is small at the present
time, a description of our approach to this analysis will
be useful to others planning similar studies.
Usage data was collected in co-operation with our
Information Technology Services Division (ITS) over
the period of one week in January 2003. Although no
effort was made to ensure this week was representative
of overall usage patterns, we feel that the data we
collected represents a useful snapshot of the usage of a
campus wireless network.
The paper is organized as follows. Section II reviews
related work in wireless network measurement. A brief
description of the wireless network in place at the time
of our data collection follows in Section III. In Section
IV we describe the methodology followed when
gathering and analysing the data, including steps taken
to ensure user confidentiality. Section V contains the
results of our analysis. We conclude in Section VI with
a summary of our findings.
II. RELATED WORK
The design of this experiment was based largely on
work done by Balachandran et al. [1]. Their analysis
and characterization of the traffic generated by attendees
of an ACM conference provided many useful insights.
They employed two mechanisms to gather wireless
traffic traces during the conference. One trace was
gathered by periodically polling each of four access
points positioned in the conference hall with SNMP
requests. This trace revealed usage statistics at the
access-point level, including the number of users
currently connected and the number of transmission
errors. The second trace was gathered at a router that
connected the access points to the campus network.
This trace was done using tcpdump to gather
anonymised TCP packet headers. The analysis of those
headers revealed access-point independent statistics,
such as the total amount of traffic on the wireless
network and the application mix of that traffic.
Although the conference trace was gathered
successfully and analysed thoroughly, the findings from
its analysis have limited applicability to a full campus
setting. The conference had a set schedule, which
caused readily apparent traffic patterns as all attendees
moved from event to event. Furthermore, the access
points were all placed in the same conference hall area,
which resulted in almost identical usage patterns being
observed at each access point.
The analysis of the Dartmouth College wireless
network by Kotz and Essien [2] is more relevant to
campus-wide networks. Dartmouth’s wireless network
is made up of 476 access points providing coverage in
161 buildings for almost 2000 users. The Dartmouth
study used a combination of three forms of trace-
gathering: event-triggered log messages, SNMP polling

and packet header recording. Because of the de-
centralised structure of the Dartmouth network,
however, packet headers could be gathered from only a
small number of locations, and because the SNMP and
log messages were sent by each access point
individually via UDP packets, some of the data was lost
or mis-ordered. Also, some of the access points
experienced power failures or mis-configuration
problems which resulted in gaps in the trace.
Both these studies were based on previous research
done at the Stanford University Computer Science
Department. Tang and Baker [3] used tcpdump and
SNMP polling to gather statistics on 74 wireless users
over a 12 week period. While their study did establish
the methodology used by subsequent wireless network
traces, the scope of their work was limited to a single
department in a single building and does not fully reflect
the activities of the broad spectrum of campus wireless
users.
III. NETWORK ENVIRONMENT
At the time of data collection our campus wireline
network operated as a switched network
1
. This means
that all the equipment connected to the University of
Saskatchewan campus network was part of the same
subnet. The campus network is connected to the internet
via a Cisco router.
For security purposes, our wireless network consists
of a virtual network, existing on a separate subnet from
the rest of the campus. Packets sent from and to
wireless devices travel on the same physical network as
normal campus traffic. Upon connection, wireless
devices on the network are assigned internal IP
addresses by a DHCP server. All wireless traffic is then
sent to the campus router, which routes it either to the
internet or back onto the campus network in the normal
subnet. This prevents unauthorized wireless users from
connecting directly to campus servers and the internet.
Since wireless and non-wireless packets travel on the
same physical network, capturing only the wireless
traffic proved to be much more of a technical challenge
than in previous studies. Fortunately, since the wireless
traffic is routed to and from a distinct subnet, it was
possible for us to distinguish wireless packets from
normal traffic. By re-programming the campus router,
we were able to mirror those packets originating from or
travelling to the wireless network. The wireless traffic
was mirrored to a router port that was monitored by a
trace gathering computer.
At the time of measurement the first 18 Cisco access
points were up and running. The selected locations
spanned the campus covering a wide range of
possibilities, from public spaces (lounges, libraries, even
a coffee shop), to classrooms and laboratories, to office
spaces, to allow ITS to gauge the nature of the user
1 We have since converted to a routed network.
demand. The availability of this technology was not
well-advertised, although wireless PCMCIA cards were
offered at a special price through the Campus Computer
Store and the locations of the access points were
provided on our student computing web site
2
.
IV. METHODOLOGY
A. Trace Collection
We ran a software package known as EtherPeek on a
dedicated computer to collect our trace. Although
EtherPeek is designed to allow network administrators to
monitor activity, its trace gathering capabilities were
deemed sufficient to meet the needs of this project.
While other applications might have been more suitable
for trace gathering, EtherPeek’s ability to record MAC
addresses allowed us to analyse the usage patterns in
greater detail.
A short trace was recorded as a trial run for the trace
gathering system. Doing this allowed us to determine
the traffic level on the wireless network, which would
dictate the bandwidth and storage requirements of the
trace gathering computer. The traffic level was low
enough that, with occasional dumps to CD, storage and
bandwidth were not problematic for the size of trace we
wanted.
Trace collection started on Wednesday, January 22,
2003 at 9:07 AM local time. Each packet sent from and
to the wireless network was mirrored to our trace
gathering computer. EtherPeek analysed each packet
individually, and recorded information such as the date,
time, origin, destination, and protocol. Trace collection
stopped one week later on Wednesday, January 29 at
8:37 AM. The trace data was later exported from
EtherPeek as a series of comma-separated-value (CSV)
files.
B. Authentication Logging
For security our network administrators have
deployed Cisco’s proprietary LEAP authentication
system [4] to control access to the wireless network.
This requires that any potential user provide a username
and password, which are verified by a central Radius
server before a connection is established. The LEAP
Radius server keeps track of every wireless user
currently connected to the network. This information is
also logged for security monitoring purposes. The log
includes a record of each authentication, including the
date, time, username, client MAC address and the IP
address of the access point the user is connected to. To
allow us to determine where users were connecting to
the network, we were provided with a one week
anonymised portion of the authentication log
corresponding to the week of the trace. By matching the
MAC addresses in the authentication log with the MAC
2 http://studentcomputing.usask.ca/

addresses on the packets, we could sort the data by
access point.
C. Anonymisation
Since the packets we were monitoring were being
sent from and to ordinary users, every precaution was
taken to ensure that their identities would remain
anonymous and that no private information would be
revealed in the trace. The authentication log was
stripped of user identifications, leaving only machine
addresses as identifiers. Since these machine addresses
are assigned by the network card manufacturer, they
cannot be used to reveal the identities of individual
users. The IP addresses present in the trace were only
temporary addresses assigned by the campus DHCP
server. Since the trace was being analysed weeks after it
was recorded, the IP addresses were no longer current,
and therefore could not be used to identify individual
users. The trace itself contained only information
gathered from the headers of the wireless data packets.
Since no message bodies were included in the trace, no
private information was revealed.
D. Analysis
The analysis of the trace files and authentication log
was done primarily with custom-written Perl [5] scripts.
Perl’s simple file i/o, associative arrays, powerful string
handling, flexible data types and regular expression
matching capabilities make it especially well-suited to
this application.
Our initial analysis of the trace files was a simple
validation and error-checking pass. This revealed that
several portions of the trace contained mis-ordered or
erroneous data. The erroneous data was due to a small
number of malformed or non-standard packets being
incorrectly identified and analysed by EtherPeek. The
resulting trace entries contained binary data which the
analysis scripts could not parse correctly. Due to human
error when transferring trace data, some files were
named incorrectly and parsed in the wrong order. This
was detected by calculating the time difference between
the last packet of one file and the first packet of the next.
The problems were resolved by sorting the mis-
ordered files and removing the erroneous data. The end
result of this validation was 7 days worth of wireless
packet trace with no apparent gaps, mis-ordered packets
or errors. This was what we expected, since the wireless
network experienced no outages during the period of the
trace, and the data was gathered directly from the router
and authentication log.
The second stage of the analysis focused solely on
the trace files. Studying the aggregate traffic patterns
and the protocol mix gave us an initial understanding of
the characteristics of the data. The results of this
analysis are discussed in Section V.A. Next, we began
studying the authentication log. Looking at only
authentication times, network card addresses and access
points addresses revealed characteristics of the users on
the wireless network and the access points they connect
to during the traced week. Results from the
authentication log are presented in Section V.B.
Figure 1: Trace and Authentication Log Parsing Algorithm
The final stage of analysis combined the trace data
and authentication log to match packets with access
points. In order to map packets to access points, a
user/location lookup table had to be constructed and
updated from the authentication log. The algorithm used
to simultaneously traverse both the authentication log
and the trace files is outlined in Fig. 1. This stage
revealed the most detailed information about the
wireless network, presented in Section V.C.
V. RESULTS
A. Trace Data
In Table I we summarize the information contained
in the trace log. Due to a configuration error, packet
sizes were recorded for only a small fraction of the
packets traced. As a result, we have characterised the
wireless traffic in terms of the number of packets. Fig. 2
shows the traffic over the entire length of the trace. The
traffic level rises each day at around 9:00 AM and
remains high until the evening. Between each day, the
traffic level remains relatively steady at around 15
packets per second. As we will show, this base level of
traffic was due to non-wireless traffic that was multicast
onto the wireless network as part of automated network
maintenance. On Saturday and Sunday, the traffic did
not increase as early or as much as on the weekdays.
This is expected on a campus network, since students
and staff use the campus much less on weekends.
TABLE I.
T
RACE DATA STATISTICS
Attribute Value
Total Packets 24,431,794
Total Seconds 603,054
Average Traffic 40.5 packets per second
Total Time 6 days, 23 hours, 30 minutes, 54 seconds
While (Read Next Trace Line)
Split Trace Line into Packet Fields
While(Packet Time > Next Auth Time)
Update Auth Table (Next Auth)
Read Next Auth Line
Split Auth Line into Auth Fields
If (Auth Table contains Packet From)
Count as Wireless Packet
Else If (Auth Table contains Packet To)
Count as Wireless Packet
Else
Count as Non-Wireless Packet

Figure 2: Traffic Rate over the Entire Trace with 15 Minute and Daily Average Traffic Levels
B. Authentication Data
Looking at the authentication log alone, we were able
to determine several key characteristics of the wireless
network’s users and access points as summarised in
Table II. Over the week-long period of the trace, 134
unique users (machine addresses) connected to the
network. The authentication log contained 24973
records of wireless users authenticating. The average
number of authentications per user (186.4) seems high.
A graph of the cumulative distribution function shows
that most users authenticated many fewer times.
From Fig. 3 we can see that over half our users
authenticated more than 50 times during the week. This
seems like a large number of authentications, but there
are several contributing factors. Cisco’s wireless
network card drivers store the username and password
information permanently and authenticate automatically
whenever the computer is near a wireless access point.
Additionally, the authentication log reveals that users
often re-authenticate at the same access point several
times a minute. This is likely due to low, fluctuating
signal strength at the edge of an access point’s signal
range. When a user is just within range of two or more
access points, the software will often switch connections
repeatedly on the basis of the perceived signal strengths
at each access point. These factors cause an artificial
inflation of the number of authentications per user,
meaning that authentications cannot be literally
interpreted as distinct sessions of network usage. This
rapid AP switching behaviour was also observed in
previous studies [2].
TABLE II.
A
UTHENTICATION LOG STATISTICS
Attribute Value
Total Authentications 24973
Unique Users 134
Mean Authentications Per User 186.4
Mode Authentications Per User 5
Median Authentications Per User 54.5
Access Points 18
Mean Authentications Per AP 1387.4
Figure 3: CDF of Authentications Per User
Fig. 4 shows the total number of authentications at
each of the 18 access points observed over the period of
the trace. Once again, the distribution of authentications
is heavily skewed, with a small number of access points
accounting for the vast majority of authentications.
1
10
100
1000
10000
22,09:00
22,15:00
22,21:00
23,03:00
23,09:00
23,15:00
23,21:00
24,03:00
24,09:00
24,15:00
24,21:00
25,03:00
25,09:00
25,15:00
25,21:00
26,03:00
26,09:00
26,15:00
26,21:00
27,03:00
27,09:00
27,15:00
27,21:00
28,03:00
28,09:00
28,15:00
28,21:00
29,03:00
29
,
09:00
Day, Time
Packets per Second (Log Scale)
Daily Average Traffic
Traffic
15 per. Mov. Avg. (Traffic)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
0
100
200
300
400
500
600
700
800
900
1000
1100
1200
1300
1400
1500
1600
1700
1800
1900
2000
2100
2200
2300
2400
2500
2600
2700
2800
2900
3000
Number of Authentications
Fraction of users

There is particularly heavy usage in our College of Law.
The reasons for this are discussed in C(3) below.
Figure 4: Authentications per Access Point
C. Combined Data
1) Non-Wireless Traffic
Approximately 38% (a total of 9,230,131) of the
packets recorded in the trace data could not be
associated with any of the users found in the
authentication log. These non-authenticated packets
were present in every second of the trace. They arrived
at a near-constant rate of approximately 15 packets per
second throughout the week, and did not vary with the
number of wireless users on the network. Furthermore,
the average arrival rate of these non-wireless packets
cycles between a high and low rate with a period of
approximately 300 seconds (5 minutes). These
characteristics led us to conclude that this traffic was not
being generated by wireless users. Since this non-
wireless traffic did not vary with the time of day it must
have been generated by automated equipment on the
network. Given our network environment we conclude
that this traffic is automated network-maintenance traffic
generated by switches and other network devices on the
campus and flooded onto the wireless subnet. This
conclusion is supported by the protocol makeup of the
unauthenticated traffic presented in the next section.
If this traffic is indeed being flooded from the wired
campus network onto the virtual network which carries
the wireless traffic, then it might represent some degree
of unnecessary overhead. Since the wireless network is
configured independently, and since the router which
connects the two has been configured properly, local
network maintenance traffic should not be passed from
one network onto the other. Duplicating multicast
maintenance packets onto the virtual wireless network
needlessly doubles the maintenance overhead on the
underlying physical network. While the size of these
packets may be trivial, a continuous arrival rate of 15
packets per second means they represent a significant
amount of traffic. Eliminating these duplicate packets
from the wireless subnet could improve the performance
of the wireless network.
At this time we have been unable determine why
these non-wireless packets are present in the trace. It
might be because they were actually routed onto the
wireless subnet or simply because the router mirrored
both wireless and multicast traffic to our monitored port.
Figure 5: Protocol Mix of Non-Wireless Traffic
2) Protocol Mix
Fig. 5 shows the protocol mix for non-wireless
traffic. Over 87% of this non-wireless traffic is made up
of sub-network addressing protocol (SNAP) packets – a
simple, low-level protocol used by network hardware. A
further 7% is made up of address resolution protocol
(ARP) messages (used to find a particular machine on a
network via flooding) and 802.1 network maintenance
messages. Radius authentication messages are passed
from access points to the campus Radius server in order
to authenticate wireless (and other) user logins. HTTP
traffic and all other protocols make up only 3% of the
non-wireless traffic. On this basis, we feel it is safe to
assume that this traffic is not directly related to wireless
user activity, but comes from the rest of the campus
network. All packet headers recorded in the trace
deemed to be non-wireless were excluded from the
remaining analysis.
Figure 6: Protocol Mix of Wireless Traffic
SNAP-00-00-0C-01-0B 50%
SNAP-00-40-96-00-00 37%
ARP Request 4%
802.1 3%
RADIUS Acct 1%
RADIUS 1%
AFP 1%
HTTP 1%
Other 2%
TCP Other 34.6%
HTTP 27.6%
CIFS 6.4%
SMB 3.3%
SNAP-00-40-96-00-00 3.3%
UDP 3.2%
NetBIOS 3.0%
RTSP 2.3%
HTTPS 2.1%
ICMP DestUnreach 1.8%
Gnutella 1.5%
NB Name Svc 1.3%
MSN Messenger 1.0%
FTP Data 0.8%
FileMaker 0.7%
IMAP 0.7%
NB SessMsg 0.6%
TELNET 0.6%
DNS 0.5%
SMTP 0.5%
POP3 0.4%
SNMP 0.4%
ARP Request 0.3%
SSH 0.3%
Kerberos 0.2%
PING Req 0.2%
FTP Ctl 0.2%
ARP Response 0.2%
PING Reply 0.2%
AOL 0.2%
Other 1.5%
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
L
aw Library (1)
L
aw Library (2)
L
a
w St
u
dent
Loun
g
e
Moot Co
u
rt
H
e
lp
De
sk
Ou
t
si
d
e
1
4
5
Art
s
Le
ar
n
in
g
C
omm
ons
A
d
mi
n
istr
a
tio
n
L
o
w
er P
la
ce
R
ie
l
Eng. Library
Geology
L
ibrary
Eng. Comp. Sc. Lab
Browsers
Arts
1
10
An
im
a
l Scie
n
ces
I
T
S
Off
i
ce
s
Pe
t
e
rson
B
ldg
.
S
ask
H
al
l
7
8
Access Point
Total Authentications

Citations
More filters
Proceedings ArticleDOI
26 Sep 2004
TL;DR: This paper analyzes an extensive network trace from a mature 802.11 WLAN, including more than 550 access points and 7000 users over seventeen weeks, and defines a new metric for mobility, the "session diameter," to show that embedded devices have different mobility characteristics than laptops, and travel further and roam to more access points.
Abstract: Wireless Local Area Networks (WLANs) are now commonplace on many academic and corporate campuses. As "Wi-Fi" technology becomes ubiquitous, it is increasingly important to understand trends in the usage of these networks.This paper analyzes an extensive network trace from a mature 802.11 WLAN, including more than 550 access points and 7000 users over seventeen weeks. We employ several measurement techniques, including syslogs, telephone records, SNMP polling and tcpdump packet sniffing. This is the largest WLAN study to date, and the first to look at a large, mature WLAN and consider geographic mobility. We compare this trace to a trace taken after the network's initial deployment two years ago.We found that the applications used on the WLAN changed dramatically. Initial WLAN usage was dominated by Web traffic; our new trace shows significant increases in peer-to-peer, streaming multimedia, and voice over IP (VoIP) traffic. On-campus traffic now exceeds off-campus traffic, a reversal of the situation at the WLAN's initial deployment. Our study indicates that VoIP has been used little on the wireless network thus far, and most VoIP calls are made on the wired network. Most calls last less than a minute.We saw greater heterogeneity in the types of clients used, with more embedded wireless devices such as PDAs and mobile VoIP clients. We define a new metric for mobility, the "session diameter." We use this metric to show that embedded devices have different mobility characteristics than laptops, and travel further and roam to more access points. Overall, users were surprisingly non-mobile, with half remaining close to home about 98% of the time.

566 citations

Journal ArticleDOI
TL;DR: This paper analyzes the mobility patterns of users of wireless hand-held PDAs in a campus wireless network using an eleven week trace of wireless network activity and develops two wireless network topology models for use in wireless mobility studies.
Abstract: In this paper, we analyze the mobility patterns of users of wireless hand-held PDAs in a campus wireless network using an eleven week trace of wireless network activity. Our study has two goals. First, we characterize the high-level mobility and access patterns of hand-held PDA users and compare these characteristics to previous workload mobility studies focused on laptop users. Second, we develop two wireless network topology models for use in wireless mobility studies: an evolutionary topology model based on user proximity and a campus waypoint model that serves as a trace-based complement to the random waypoint model. We use our evolutionary topology model as a case study for preliminary evaluation of three ad hoc routing algorithms on the network topologies created by the access and mobility patterns of users of modern wireless PDAs. Based upon the mobility characteristics of our trace-based campus waypoint model, we find that commonly parameterized synthetic mobility models have overly aggressive mobility characteristics for scenarios where user movement is limited to walking. Mobility characteristics based on realistic models can have significant implications for evaluating systems designed for mobility. When evaluated using our evolutionary topology model, for example, popular ad hoc routing protocols were very successful at adapting to user mobility, and user mobility was not a key factor in their performance.

392 citations


Cites background from "Characterising the use of a campus ..."

  • ...Finally, Schwab and Hunt [5] recorded a week-long trace in early 2003 of the wireless network deployed at the University of Saskatchewan....

    [...]

  • ...[5] David Schwab and Rick Bunt....

    [...]

  • ...Again, we .nd substan­tially more mobility in the PDA users in our trace an average of 15 visited APs per user for the .rst week in our workload versus three visited APs in the week long Schwab [5] workload....

    [...]

  • ...Over the past few years there have been a number of wireless workload studies characterizing user behavior and network performance in a variety of settings, including metropolitan networks [1], university campuses [2, 3, 4, 5], conferences [6, 7], and corporate networks [8]....

    [...]

  • ...Finally, Schwab and Hunt [5] recorded a week-long trace in early 2003 of the wireless network deployed at the University of Saskatchewan....

    [...]

Journal ArticleDOI
TL;DR: This paper analyzes an extensive network trace from a mature 802.11 WLAN, including more than 550 access points and 7000 users over seventeen weeks, and defines a new metric for mobility, the ''session diameter,'' to show that embedded devices have different mobility characteristics than laptops, and travel further and roam to more access points.

373 citations

Journal ArticleDOI
11 Aug 2006
TL;DR: This paper presents a system called Jigsaw, a system that uses multiple monitors to provide a single unified view of all physical, link, network and transport-layer activity on an 802.11 network, and believes this is the first analysis combining this scale and level of detail for a production 802.
Abstract: The combination of unlicensed spectrum, cheap wireless interfaces and the inherent convenience of untethered computing have made 802.11 based networks ubiquitous in the enterprise. Modern universities, corporate campuses and government offices routinely de-ploy scores of access points to blanket their sites with wireless Internet access. However, while the fine-grained behavior of the 802.11 protocol itself has been well studied, our understanding of how large 802.11 networks behave in their full empirical complex-ity is surprisingly limited. In this paper, we present a system called Jigsaw that uses multiple monitors to provide a single unified view of all physical, link, network and transport-layer activity on an 802.11 network. To drive this analysis, we have deployed an infrastructure of over 150 radio monitors that simultaneously capture all 802.11b and 802.11g activity in a large university building (1M+ cubic feet). We describe the challenges posed by both the scale and ambiguity inherent in such an architecture, and explain the algorithms and inference techniques we developed to address them. Finally, using a 24-hour distributed trace containing more than 1.5 billion events, we use Jigsaw's global cross-layer viewpoint to isolate performance artifacts, both explicit, such as management inefficiencies, and implicit, such as co-channel interference. We believe this is the first analysis combining this scale and level of detail for a production 802.11 network.

334 citations


Cites background from "Characterising the use of a campus ..."

  • ...Starting with small studies focused on low-level channel behavior between pairs of nodes [6, 7, 19] the field has expanded to cover a range of more abstract characteristics (including application workloads, user session duration, user mobility, increasingly larger environments etc.) over ever larger environments (including university campuses [10, 11, 16, 18, 22 , 23, 25, 26], industrial factories [24], corporate networks [2], and ......

    [...]

References
More filters
Proceedings ArticleDOI
01 Jun 2002
TL;DR: The goals of this study are to extend the understanding of wireless user behavior and wireless network performance, and to characterize wireless users in terms of a parameterized model for use with analytic and simulation studies involving wireless LAN traffic.
Abstract: This paper presents and analyzes user behavior and network performance in a public-area wireless network using a workload captured at a well-attended ACM conference. The goals of our study are: (1) to extend our understanding of wireless user behavior and wireless network performance; (2) to characterize wireless users in terms of a parameterized model for use with analytic and simulation studies involving wireless LAN traffic; and (3) to apply our workload analysis results to issues in wireless network deployment, such as capacity planning, and potential network optimizations, such as algorithms for load balancing across multiple access points (APs) in a wireless network.

566 citations


"Characterising the use of a campus ..." refers methods in this paper

  • ...The design of this experiment was based largely on work done by Balachandran et al. [ 1 ]....

    [...]

Proceedings ArticleDOI
01 Aug 2000
TL;DR: A twelve-week trace of a building-wide local-area wireless network is examined to understand better how users take advantage of wireless networks, finding that users are divided into distinct location-based sub-communities, each with its own movement, activity, and usage characteristics.
Abstract: To understand better how users take advantage of wireless networks, we examine a twelve-week trace of a building-wide local-area wireless network. We analyze the network for overall user behavior (when and how intensively people use the network and how much they move around), overall network traffic and load characteristics (observed throughput and symmetry of incoming and outgoing traffic), and traffic characteristics from a user point of view (observed mix of applications and number of hosts connected to by users).Amongst other results, we find that users are divided into distinct location-based sub-communities, each with its own movement, activity, and usage characteristics. Most users exploit the network for web-surfing, session-oriented activities and chat-oriented activities. The high number of chat-oriented activities shows that many users take advantage of the mobile network for synchronous communication with others. In addition to these user-specific results, we find that peak throughput is usually caused by a single user and application. Also, while incoming traffic dominates outgoing traffic overall, the opposite tends to be true during periods of peak throughput, implying that significant asymmetry in network capacity could be undesirable for our users.While these results are only valid for this local-area wireless network and user community, we believe that similar environments may exhibit similar behavior and trends. We hope that our observations will contribute to a growing understanding of mobile user behavior.

415 citations


"Characterising the use of a campus ..." refers methods in this paper

  • ...Tang and Baker [3] used tcpdump and SNMP polling to gather statistics on 74 wireless users over a 12 week period....

    [...]

01 Jan 2002
TL;DR: It was found that residential traffic dominated all other traffic, particularly in residences populated by newer students; students are increasingly choosing a wireless laptop as their primary computer.
Abstract: Wireless local-area networks (WLANs) are increasingly common, but little is known about how they are used. A clear understanding of usage patterns in real WLANs is critical information to those who develop, deploy, and manage WLAN technology, as well as those who develop systems and application software for wireless networks. This paper presents results from the largest and most comprehensive trace of network activity in a large, production wireless LAN. For eleven weeks we traced the activity of nearly two thousand users drawn from a general campus population, using a campus-wide network of 476 access points spread over 161 buildings. Our study expands on those done by Tang and Baker, with a significantly larger and broader population. We found that residential traffic dominated all other traffic, particularly in residences populated by newer students; students are increasingly choosing a wireless laptop as their primary computer. Although web protocols were the single largest component of traffic volume, network backup and file sharing contributed an unexpectedly large amount to the traffic. Although there was some roaming within a network session, we were surprised by the number of situations in which cards roamed excessively, unable to settle on one access point. Cross-subnet roams were an especial problem, because they broke IP connections, indicating the need for solutions that avoid or accommodate such roams.

54 citations


"Characterising the use of a campus ..." refers methods or result in this paper

  • ...This rapid AP switching behaviour was also observed in previous studies [2]....

    [...]

  • ...The analysis of the Dartmouth College wireless network by Kotz and Essien [2] is more relevant to campus-wide networks....

    [...]