As a couple of data points, NIST Net has been run successfully on a 25/50 MHz 486 with 16M of memory doing emulation on 10Mb Ethernet, and on a 200MHz Pentium with 32M of memory doing emulation on 100Mb Ethernet. Measured per-packet overhead for the first configuration was around 28 microseconds, and for the second, around 5-7 microseconds. Both values are well under the usual minimum inter-packet times on these networks, so should not have any (inherent) adverse effect on packet handling. (The emulator reports average observed overhead through the HITIOCTL_GLOBALSTATS ioctl.)
The overhead for the new alpha is currently a bit higher, as are its memory requirements. I will be working on these aspects over the next few weeks.
The code has only been tested on i386-type systems, but the current version does have some (totally untested) code for Alpha and Sparc processors. (Note: the code hasn't been updated for a little while and needs some touching up.)
There don't seem to be any compelling reasons to port it to other operating systems or widget sets at this time. When used as a router, NIST Net emulation can affect any IP traffic from any source to any destination, regardless of their operating systems.
If you want something similar that runs on SunOS, NIST Net was partially inspired by (and retains some of the interfaces of) the hitbox emulator used by USC in testing TCP/Vegas.
I understand there is a similar package for FreeBSD systems called dummynet, available at http://www.iet.unipi.it/~luigi/ip_dummynet/.
If for some reason you want something similar that runs on a MicroSoft Windows operating system, I understand there are commercial packages along these lines. I do not have any further details about them, though.
Version 2.0.10 of NIST Net should hopefully fix this problem completely. So first, try upgrading to it. If this still fails, try the following:
Two possibilities: The simple one is that you don't have the nistnet module still loaded. It is a prerequisite for loading mungemod or spymod. (Sometimes some system cleanup daemon might remove it, assuming it not to be in use.)
The complex one is that you've run into a module versioning bug. The drastic solution is to recompile the kernel with module versioning turned off ("Set version information on all symbols for modules" under "Loadable module support").
The less drastic solution is to remake the interface version files, to ensure they're all up-to-date. (They should all be updated automatically, but then there are lots of other things that should work properly all the time, aren't there?) Go to /usr/src/linux/include/linux/modules and remove everything there. Then remake the kernel and modules (make, make modules). This shouldn't take too long (assuming you've compiled the kernel before), since you haven't actually changed anything.
kernel-2.2.16-i386-BOOT.config kernel-2.2.16-i586.config kernel-2.2.16-i386-smp.config kernel-2.2.16-i686-enterprise.config kernel-2.2.16-i386.config kernel-2.2.16-i686-smp.config kernel-2.2.16-i586-smp.config kernel-2.2.16-i686.config
There are vague plans to redo the packet interception code to allow handling outgoing traffic too. Don't expect this anytime soon, though.
Of course, if the goal is actually to test RED or some variant thereof, it can be implemented as an "add-on" packet munger. And if you happen to want correlated drops, NIST Net does offer this as well.
hdparm -m16 -u1 /dev/hda
See the hdparm manual entry for various caveats on its use, first. If you can use these settings, do so; they will actually improve the performance and responsiveness of your system. If you can't use them, though, the "symptoms" may include massive disk corruption, so a little caution is indicated. (This shouldn't be a problem with any recent systems, though.)
So why are there delays for packet sizes 1473 (and above)? Well, including the IP header, the actual packet size is 1501 bytes. On most LANs (most networks, in fact), the maximum allowed IP packet size (MTU) is 1500. So when you try to send a larger packet, IP will fragment it into two packets. If you trace the traffic (with hitbox -S src dest), you'll see that for each ping, two packets are sent in a row, of sizes 1500 and 46 bytes. (46 bytes is the minimum ping packet size.) When the first packet arrives, NIST Net notes that 1500 bytes have been sent through that connection; to keep the instantaneous bandwidth utilization below 8000 bytes/second, it will then delay the second packet for 1500/8000 of a second (187.5 ms). This delays the reassembly of the packet fragments at the receiving end by the same amount.
NIST Net delays the packet because it looks at instantaneous bandwidth utilization, i.e., it's (roughly) emulating a network where at no time can you send more than 1 byte per 1/8000 of a second. So the second packet is delayed, even though the long term average utilization is only 1546 bytes/second. (By the way, you should see the delays stay about the same value for ping packets of size up to 2952; at 2953, the packet gets fragmented into three pieces, and the delay times will double.)
Now one quirk of the implementation is that it only takes bandwidth utilization by the previous packets into account, not the current one. So when you're only sending packets every second, like here, the first one essentially gets a free ride. I had thought about taking the current packet into account, but with sustained traffic this will tend to overcount bandwidth utilization and delay packets too much.
Some people haven't been happy with this quirk, so it is now a configuration option. If you look at the Config file in the top-level NIST Net directory, it indicates three possible ways of doing bandwidth delay. Check the comments there for more details.
This one seems to be a fairly common problem, especially affecting people who are not in a position to fix their DNS servers. So, in the latest versions, I have added a timeout around the DNS lookups. If they don't succeed within a fairly short period of time, they are aborted. The code sets this time period to 5 seconds; this should usually be fine, but if your DNS server is extraordinarily slow, this may be too short. If so, fix the alarm() calls in nistnet/lib/alarmingdns.c to use a longer period.
1. First of all, I finally unified all the disparate measurement units into one list:
| Quantity | Units |
| Delay times | milliseconds (floating point) |
| Bandwidth | bytes/second (integer) |
| Drop/dup probabilities | percentage of packets (i.e. 100xfraction) dropped or duplicated (floating point) |
2. The random delay stuff was done in a way to make it quick to implement, though a little clumsy to explain. I use a random number to do a lookup in a distribution table, generating a "number of standard deviations" value (multiplied by a scaling factor of 8192 to make it integral). The delay value is then:
specified (mean) delay + (# of std dev)*(size of std dev)/scaleThis gives random values which have the specified mean and standard deviation, and which match the specified distribution. It's perhaps a slightly cheesy method, but seems good enough for this purpose.
Of course, there's more to a distribution than just its shape. Successive delays, drops and so on tend to be strongly correlated with each other. For this reason, the new version of NIST Net allows specifying a (linear) correlation factor for these events. This is a number between -1 and 1, where -1 indicates complete anticorrelation; 0 indicates no correlation; and +1 indicates complete correlation. (Realistic values tend to be around .1 to .8.) The actual delay applied will then be
(1-correlation)* (calculated delay) + (correlation)*(previous delay)Now here I will have to admit I am oversimplifying. If you want to understand better what NIST Net is really doing here, check the README files in the math directory that comes with the NIST Net distribution.
3. One other slightly confusing note is that while I specify all times in microseconds, internally, they're rounded off to the nearest "minijiffy" (minor timer tick), which by default is set to 1/7600 sec, around 131 microseconds. (The weird value is because it needs to be an integral divisor of the frequency of the 8253 timer chip. Otherwise, the machine's clock will start drifting off due to roundoff errors. Here at NIST we have to have precise clocks!)
4. Along the same lines, internally all parameters are integers, so the percentages get converted to fractions of 2^16. What I do is generate a random number between 0 and 2^16. If it's less than x, the packet is dropped or duplicated.
5. The DRD parameters are the minimum and maximum queue lengths for the DRD algorithm. More precisely, if the number of packets queued is less than the minimum specified, DRD won't drop any packets. When the minimum is reached, DRD starts randomly dropping 10% of the incoming packets. This percentage ramps up with an increase in queue length, reaching 95% when the maximum is reached. (You can actually have more packets queued than the "maximum," but with 95% of all new packets being dropped, you tend not to get very much above the maximum.)
6. The ECN (explicit congestion notification) parameter must be a value between the minimum and maximum queue lengths (or 0, which means congestion notification will not be used for this connection). When this is set, if a packet arrives which is marked with the ECN_CAPABLE bit (currently bit 1) and the queue length is between the minimum and ECN parameter, then NIST Net will mark the packet with the ECN_NOTED bit (currently bit 0) rather than drop it. Not all packets will be so marked, but only those that would otherwise have been (randomly) dropped. If the queue length rises above the ECN parameter, then NIST Net will drop a packet whether or not it is marked as ECN_CAPABLE.
My reading of the ECN proposals is that the DRD ECN parameter should be set equal to the DRD maximum. An ECN-capable router should only drop ECN-enabled packets when it is in a condition of "distress," which is what exceeding the DRD maximum should mean. Of course, if you want to experiment with ECN, you can set the values however you wish!
(average) delay + (number of standard deviations)*delay sigma.This table used for "synthesizing" the distribution amounts to a scaled, translated, inverse to the cumulative distribution function.
Here's how to think about it: Let F() be the cumulative distribution function for a probability distribution X. We'll assume we've scaled things so that X has mean 0 and standard deviation 1, though that's not so important here. Then:
F(x) = P(X <= x) =where f is the probability density function.
F is monotonically increasing, so has an inverse function G, with range 0 to 1. Here, G(t) = the x such that P(X <= x) = t. (In general, G may have singularities if X has point masses, i.e., points x such that P(X = x) > 0.)
Now we create a tabular representation of G as follows: Choose some table size N, and for the ith entry, put in G(i/N). Let's call this table T.
The claim now is, I can create a (discrete) random variable Y whose distribution has the same approximate "shape" as X, simply by letting Y = T(U), where U is a discrete uniform random variable with range 1 to N. To see this, it's enough to show that Y's cumulative distribution function, (let's call it H), is a discrete approximation to F. But
H(x) = P(Y <= x)as desired.= (# of entries in T <= x) / N -- as Y chosen uniformly from T
= i/N, where i is the largest integer such that G(i/N) <= x
= i/N, where i is the largest integer such that i/N <= F(x)
-- since G and F are inverse functions (and F is increasing)
= floor(N*F(x))/N
How can we create this table in practice? In some cases, F may have a simple expression which allows evaluating its inverse directly. The pareto distribution is one example of this. In other cases, and especially for matching an experimentally observed distribution, it's easiest simply to create a table for F and "invert" it. Here, we give a concrete example, namely how the new "experimental" distribution was created. Note: starting with version 1.4, tools to do all the operations described here are provided.
To load a new distribution table, you can of course recompile the NIST Net driver. However, the driver actually supports loading new tables at runtime. Simply write the table, which must be an array of 4096 short words (8192 bytes), to the device driver:
int readfd, writefd;
char buffer[8192];
/* Assume binary.table is your previously prepared table of 4096 short ints */
readfd = open("binary.table", O_RDONLY);
read(readfd, buffer, 8192);
writefd = open("/dev/hitbox", O_WRONLY);
write(writefd, buffer, 8192);
When updating the table by this means, you must use a table size of 4096
and a table factor of 8192. (More precisely, these must be the same as
whatever table is currently loaded.)
I had previously advised just using cat to write the table to the device. This falls into the category of "things which seem like they so obviously will work that they don't require testing, and of course in practice will fail." The problem is that cat will try to break the write into pieces of 4096 bytes, which will fail. So you have to use a little program, as indicated above.
After writing the above, it occurred to me (and I actually tested it this time) that dd will do the job in writing the table. Just use this line:
dd if=binary.table of=/dev/hitbox bs=8192 count=1
Here, there's some good news and some bad news. Most likely, what you've witnessed is the lack of stability in the radix sort used for Linux timers (which I incorporated into the fast timer). This is fixed in version 2.0.8, so first try upgrading to it (or a later version).
If you're still seeing the problem, this means that it is taking longer than one timer tick to process all the packets scheduled for that tick. I can't see how this could happen, unless you're going from a much faster network to a much slower one (like, forwarding gigabit Ethernet to 10 Mbit Ethernet), and have no flow control. Of course, in that case you'd be having a few other network problems anyway...
For unrelated reasons, I added another lock to packet processing in version 2.0.10, so this problem should be gone for good now.
As a U.S. government publication, so to speak, NIST Net is not copyrighted. You can do whatever you want with it, including employing its code in whole or in part in any other package or product. You need not credit me or NIST (though not doing so would be a bit rude).
As is usual for code provided on this basis, there is absolutely no warranty of any sort. We are interested in receiving any reports of problems or requests for improvements and will try to help, but can't make any specific promises!
I had thought the above was fairly explicit, but apparently not explicit enough. What the lack of copyright means is that you have a non-exclusive right to use this code in any fashion you wish, including incorporating it into a product without any further compensation or permission required. "Non-exclusive" just means that other people can do it as well, so just because you used NIST Net in your product doesn't mean somebody else can't.
Please note these remarks only apply to the code I originated; some code (like the fast timer) is based directly on existing Linux kernel code and hence carries exactly the same copyright restrictions as Linux does.
Q. Where can I get a big/small/whatever sized NIST Net logo?
Home Page]
[Installing NIST Net]
[Using NIST Net]
[NIST Net FAQ]