Copyright 2001. Published in the Proceedings of the IEEE Visualization Conference (Vis 2001), San Diego CA. USA, October 2001. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works, must be obtained from the IEEE. Contact: Manager, Copyrights and Permissions / IEEE Service Center / 445 Hoes Lane / P.O. Box 1331 / Piscataway, NJ 08855-1331, USA. Telephone: +Intl. 732-562-3966.
PingTV: A Case Study in Visual Network Monitoring Alexander Gubin
William Yurcik
Larry Brumbaugh
Lucent Technologies Network Systems Naperville, IL USA 1-630-979-8923
Illinois State University Dept. of Applied Computer Science Normal, IL USA 1-309-827-4172
Illinois State University Dept. of Applied Computer Science Normal, IL USA 1-309-438-8338
[email protected]
[email protected]
[email protected]
ABSTRACT PingTV generates a logical map of a network that is used as an overlay on a physical geographical image of the location from the user perspective (buildings, floors within buildings, etc.). PingTV is used at Illinois State University as a visualization tool to communicate real-time network conditions to the university community via a dedicated channel on the campus cable TV system. Colored symbols allow students and staff to discern highcongestion “rush hours” and understand why their specific Internet connectivity is “broken” from the wide range of potential causes. Lessons learned include the use of color to visually convey confidence intervals using color shading and the visualization of cyclical network traffic patterns. Our implementation is general and flexible with potential for application for other domains.
Keywords network visualization, active network measurement, real-time television monitoring system
1. INTRODUCTION There are many reasons for desiring an intuitive network map showing real-time conditions. First, there is the inherent complexity resulting from the large volume of data that is potentially available but not able to be processed by humans in real-time. Other secondary reasons include documentation, recording history, problem diagnosis, determining usage patterns, planning for growth, and setting the expectations of users to network conditions.[3] This paper address both the first (processing volume) and last (user expectations) reasons. PingTV uses a ping program to proactively gather network status information. First, PingTV generates a logical map (BMP image) of the network based on the hierarchical network structure gathered either from manual input or automatically discovered from prior scanning. Then this logical map is used as an overlay on a physical geographical image of the location from the user perspective (buildings, floors within buildings). Host status is represented by green, yellow, and red icons corresponding to available, congested, and unavailable hosts respectively.
Ultimately, PingTV is used as a tool to communicate real-time network traffic conditions and announce network outages to the university community via a dedicated channel on a ubiquitous campus cable TV system. Illinois State University (ISU) requested research into a network monitoring system for its campus network with three requirements: 1)
independent of the network (would still operate if the entire network or parts of the network went down)
2)
user friendly output such that anyone could understand network status without special training or knowledge
3)
simple to maintain and configure
The first unique contribution of this work is the direct combining of active network management data and real-time television display. While there are Internet websites that successfully accomplish similar graphical display of network management information, to the best knowledge of the authors, there are no other real-time Internet>television implementations. It is, however, common practice in the television industry to indirectly broadcast information via a camera focusing on a real-time website (morning/evening rush hour traffic reports from local highways). The second unique contribution of this work is use of precise geographical data to map network devices to intuitive graphical maps. Network devices can either be dynamically located via real-time GPS (geostationary positioning system via satellite) or statically assigned location data into a management information base. Industry Group OpenGIS Consortium Inc. (OGC) is leading an effort to make searchable geospatial data sets available over the WWW. Interoperability between data sets from multiple sources is an open issue at present with parallel efforts on a Web Mapping Feature specification and Geographic Markup Language. Working with standards bodies such as the IETF and WWW Consortium, OGC intends to develop mapping standards that would allow developers to download and manipulate multisourced geographical maps. Using PingTV along with geospatial data sets allows network managers to graphically depict the status of networks to users without providing lower level technical network data (device types, IP addresses, topology) that would confuse users and reveal sensitive information that could be used maliciously. The remainder of the paper is organized as follows: Section 2 provides an architectural overview and implementation details of PingTV. Section 3 presents experience with using PingTV in its working environment and discussion of continuing challenges and limitations. We close with conclusions in Section 4. Lastly, we attach a page of colored PingTV video screen shots.
2. ARCHITECTURAL OVERVIEW Figure 1 depicts the PingTV architecture (Targa Vision is video capturing software). PingTV is written in the Java programming language to achieve computing platform independence. Two systems interact through bit map images, the network management system and the geospatial data mapping system, to create a combined geographical .bmp file containing an image intuitive for users. Targa vision periodically polls the .bmp files and broadcasts over the campus cable television system. We start at this high-level architecture but subsequent sections will go into more depth on important PingTV component systems.
Image “painting” (geospatial mapping of symbols onto a geographical image) is done sequentially since it is resource intensive (CPU cycles and disk access time). Images are about 900 Kb and it takes up to 5 seconds to create. Logging of ping data is accumulated into an easily parsable log Figure 3 shows the colored icons (corresponding to ping data) representing computing clusters that are superimposed onto a geographical image of campus. The use of color also allows PingTV to visually convey confidence intervals using color shading such that individual data values fall within predetermined shade ranges such that users do not need to be exposed to instantaneous data fluctuations.
Figure 3: Network Device Status Symbols
2.1 Network Monitoring System
Figure 1: PingTV Architecture PingTV uses multiple concurrent threads to maximize efficiency of data collection - to reduce query time with each ping query in a separate thread since an individual ping may take up to 30 seconds to complete. Figure 2 shows the three main classes: PingGUI, Pinger, and Painter. Hostinfo, Rootinfo, and myDialog are supplementary classes to hold information about ping parameters and nodes. Inputs include ping.exe (location data), ping parameters, and tree file (optional). Outputs include pingdata.txt (logfile), and data#.bmp (geographical painted image).
The Network Monitoring System (NMS) is implemented as a server program that contacts specific network hosts (edge and workgroup switches) at specified time intervals (see Figure 4). A pinging application is used to determine host status and network workload. Collected information is analyzed and summarized into a network status table. The status table is converted into an image file and sent to the broadcasting server where it is captured and sent over the TV channel. NMS is designed to monitor networks of hierarchical structure by pinging hosts in hierarchical order. Devices at the top level (nodes closest to the tree root) are pinged first, then their status determined. If the top-level host is down, neither of the children are pinged. If the upper-level devices are up, children are pinged at lower levels. This algorithm is repeated recursively.
Figure 2: Java Class Map 1
The “ping engine” is a thread that sleeps for a specified time and then wakes and launches pings. The graphical console to PingTV runs a separate thread so parameters can be changed while the system is running.
Figure 4: Network Management System Framework An image file is generated after each complete cycle of pings. Even though the system is developed for hierarchical structure, it is configurable to serve networks of different topologies, and hence can be used as a general-purpose network-monitoring tool.
Figure 5: Hierarchical Pinging Structure Along with the image, NMS generates a timestamped log file that contains unmodified ping echoes for each pinged host. This log file is created once a day with data of each subsequent run appended to the end of the log file. This log file has proved useful for data mining purposes such as reconstructing network events, tracking pathological and/or systemic network traffic. A GUI allows the system operator to specify the exact hosts to monitor by their IP addresses or fully-qualified domain name (see Figure 6). New nodes will be added at the top-level (child-of-theroot). An “add” button allows the user to add children to a specific node. The result is a hierarchical tree structure that can be dynamically edited and saved as a unit while PingTV is operational. By default the tree is two levels deep but this can be changed by adjusting the value in “levels” field.
Figure 7: Ping Configuration GUI
2.2 Ping Data for Visualization Ping is one of the most widely available tools bundled with TCP/IP. The Ping command, also called the Packet INternet Groper, uses a series of Internet Control Message Protocol (ICMP) echo messages to determine if a remote host is active or inactive and to determine the round-trip delay. Ping is desirable as a network performance tool since it is simple, light-weight, efficient, and does not require privileged access.[1] Ping has five network metrics it can quantify: (1) round-trip time; (2) reachability; (3) packet loss; (4) quiescence (target host load); and (5) unpredictability (variability of packet loss and round trip time).[2] Several other network monitoring research programs also use ping but do not use television: PingER (U.S. Department of Energy); and Active Measurement Program (National Laboratory for Applied Network Research, NLANR, an NSF-funded supercomputer activity).[2,4] There are, however, some caveats to PingTV as a measurement tool: (1) ping may be filtered by firewalls since ICMP can be used for malicious purposes; (2) ping measures roundtrip delay not unidirectional delay; and (3) periodic sampling as opposed to random sampling for statistical observation.[1] A fourth problem we discovered was the variability of the individual ping round-trip data points. PingTV was originally programmed to map round-trip times directly to colored icons using predetermined threshold values, however, we learned that this leads to flickering between contrasting colored symbols (up-green/down-red/slow-yellow) even in stable situations due to the natural variability of the data measurement across a network. We addressed this problem by processing data into running averages with corresponding shading so that individual data points would not cause a flicker.
Figure 6: Host Configuration GUI Figure 7 is the ping configuration GUI allowing a user to specify the monitoring interval between ping cycles (default 5 minutes), number of ping echo requests per node (default 1 echo), and cut-off roundtrip time (used to indicate congestion using yellow symbols, default 500ms).
3. PRACTICAL EXPERIENCE The initial implementation of PingTV was developed for the ISU Office of Residential Life where it collects network status from the segments of Residence Hall Network (ResNet) and delivers this information into a dedicated campus cable television channel. Outages create a large workload as users report (often quite upset) that they are experiencing problems. The traditional way of reporting network status on a website was unacceptable since when the network went down, users were not able to access the web server. The goals of the project were achieved based on the following: 1)
Users are made aware of current network conditions with information about the entire campus and their segment in particular. This relieves user confusion and frustration.
2)
PingTV is a stable monitoring system capable of accurately communicating system information independent of network faults. PingTV is written in Java so it is also platform independent.
3)
PingTV is a user-friendly system, which broadcasts intuitive images over campus television with easily recognizable symbols.
4)
PingTV is implemented in a graphical console, which allows operators to adaptively review and change parameters.
ResNet consists of several thousand active users in dynamic configurations. The ResNet base topology consists of a tree structure with a single-point-of-entry; 10 edge switches, and up to 20 workgroup switches per edge switch. Instead of reporting status of a particular switch, the network status table is mapped to buildings and floors and presented in a symbolic format so an ordinary user without a technical background can comprehend the information. Implementation of PingTV guarantees access to ResNet status information as a whole and by segment on 24x7 basis. One specific lesson lead to the modification of PingTV for testing. A PingTV test pings all nodes in the tree and changes a tree “node” to a “host” by finding missing information (IP# or fully-qualified domain name). Testing without generating an image or log file was found useful to verify tree topologies and obtain host information on a routine basis as ResNet is frequently reconfigured. We have not yet attempted to use PingTV between local networks or across the Internet and seek interested parties who have both a peer network and access to their corresponding geographical dataset. Of course, as in any proactive monitoring, PingTV adds traffic to the operational network links and hosts under study which makes use across the Internet problematic without coordination in advance (transit networks, timing of periodic test cycles, ping payload, time synchronization).
4. SUMMARY PingTV provides a case study of visually monitoring a network using colored symbols upon a geographical image based on geospatial data
sets. The unique contribution of this project is the development of direct real-time television visualization. Continuing development of PingTV includes the simultaneous generation of HTML output with television output; web accessible “remote control” accomplished with servlet technology; and “network weather” or “traffic temperature” forecasts based on past ping data benchmarks and trends.
5. ACKNOWLEDGMENTS We would like to first acknowledge the help of Dean Plumadore of ResNet/Illinois State University who is the operational manager using PingTV. Dean posed this idea as a potential research project and we hope to work with him in the future to gather benefit quantification. We would also like to thank Martin B.H. Weiss/University of Pittsburgh who forwarded Doug Burke’s M.S. thesis to us so we could learn about “ping” idiosyncrasies when used as a network management tool. Lastly, we would like to thank the five anonymous reviewers whose insightful comments have greatly improved this paper.
6. REFERENCES [1] Burke, D.W. An Empirical Analysis of ping as an Internetwork Performance Tool. M.S. Thesis, Department of Information Science and Telecommunications, University of Pittsburgh, May 1, 1994. [2] Matthews, W, and L. Cottrell. The PingER Project: Active Internet Performance Monitoring for the HENP Community. IEEE Communications Magazine, May 2000, pp. 130-136. [3] Midden, M. How to Create a Network Map. Connexions: the Interoperability Report, Vol. 7 No. 6, pp. 18-25.
[4] National Laboratory for Applied Network Reseach. End-to-End Internet Performance
Assessments.
Figure 8: PingTV Screenshot Showing a Single Subnet with Status of Devices With Corresponding Domain Names
Figure 9: PingTV Screenshot Showing Two Subnets
Figure 10: PingTV Screenshot of Previous Figure After Dynamically Adding a New Node
