Secondary root server statistics

Christian Huitema edited this page May 5, 2020 · 1 revision

Once Ithitools summaries have been computed, each capture file (PCAP or CBOR) is represented by a summary file. There are multiple files per "server". When a server uses anycast to split traffic between multiple nodes, there can be one file per node and per 5-minute time slice. Secondary analysis investigates how the traffic varies with time and location. The basic process is:

  • Gather all summaries for the relevant set of locations and time slices in a folder,
  • Run the analysis script load_l_root_folders.py to obtain a CSV file, with one row per summary (time slice and location) and one column per attribute.

The CSV files can then serve as input to build graphs and perform analyses.

The analysis script load_l_root_folders.py operates on a set of input folders inside a "top" folder (first script parameter). The script creates one CSV file per input folder. The CSV files are created inside an output folder (second script parameter), and their names are derived from the name of the input folder.

The rows of the CSV files are computed using the function load_m3 of the Python module summary.py. Each row in the CSV file contains the following data:

  • address, cc, city: IP address, country code and city code of the server node.
  • date, hour, duration: time and duration of capture.
  • queries: total number of queries in the capture file.
  • nx_domain: total number of NX domain queries
  • useful: number of first non-NX-domain queries (first for a TLD and a specific client).
  • useless: number of repeated non-NX-domain queries (second or more for a TLD and a specific client).
  • dga: queries identified as "domain generation algorithm" (7 to 15 characters long, not otherwise identified)
  • jumbo: queries to TLD names at least 16 characters long
  • others: total NX domain queries, minus those already counted as DGA or Jumbo
  • local: queries for a ".local" TLD
  • localhost: queries for a ".localhost" TLD
  • rfc6761: queries for a TLD defined in the IANA registry for special names (per RFC 6761), excluding the queries already counted for ".local" and ".localhost"
  • home: queries to the ".home" TLD
  • lan: queries to the ".lan" TLD
  • internal: queries to the ".internal" TLD
  • ip: queries to the ".ip" TLD
  • localdomain: queries to the ".localdomain" TLD
  • corp: queries to the ".corp" TLD
  • mail: queries to the ".mail" TLD
  • other_names: NX-Domain queries not already counted as dga, jumbo, local, localhost, rfc6761, home, lan, internal, ip, localdomain, corp, or mail.
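
One way to use such a CSV, as an added example that is not part of Ithitools: it checks the two derived columns (others, other_names) against the definitions above and sums time slices per node to get the NX-domain ratio and each category's share of NX-domain traffic. It assumes the CSV header uses the attribute names listed above; the header order, value formats and sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# NX-domain categories named on the page; "other_names" is whatever remains.
NAMED = ["dga", "jumbo", "local", "localhost", "rfc6761", "home", "lan",
         "internal", "ip", "localdomain", "corp", "mail"]
TEXT_COLS = {"address", "cc", "city", "date"}

# Constructed sample data; the header order and value formats are assumptions.
SAMPLE = """\
address,cc,city,date,hour,duration,queries,nx_domain,useful,useless,dga,jumbo,others,local,localhost,rfc6761,home,lan,internal,ip,localdomain,corp,mail,other_names
192.0.2.1,US,lax,2020-05-01,10,300,1000,600,100,300,200,50,350,40,10,5,60,20,15,5,10,25,5,155
192.0.2.1,US,lax,2020-05-01,11,300,2000,1000,300,700,400,100,500,50,20,10,100,30,20,10,20,30,10,200
198.51.100.7,FR,cdg,2020-05-01,10,300,500,200,100,200,80,20,100,10,5,5,20,10,5,5,5,10,5,40
"""

def load_rows(text):
    """Parse CSV text into dicts, converting every counter column to int."""
    return [{k: v if k in TEXT_COLS else int(v) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def check_row(r):
    """Return the derived columns that disagree with the page's definitions."""
    bad = []
    if r["others"] != r["nx_domain"] - r["dga"] - r["jumbo"]:
        bad.append("others")
    if r["other_names"] != r["nx_domain"] - sum(r[c] for c in NAMED):
        bad.append("other_names")
    return bad

def per_node_shares(rows):
    """Sum time slices per (cc, city); report NX ratio and each category's share of NX."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        for c in ["queries", "nx_domain"] + NAMED:
            totals[(r["cc"], r["city"])][c] += r[c]
    out = {}
    for node, t in totals.items():
        nx = t["nx_domain"]
        out[node] = {"nx_ratio": nx / t["queries"] if t["queries"] else 0.0}
        out[node].update({c: (t[c] / nx if nx else 0.0) for c in NAMED})
    return out

if __name__ == "__main__":
    rows = load_rows(SAMPLE)
    for i, r in enumerate(rows):
        print(i, r["city"], check_row(r) or "consistent")
    for node, s in per_node_shares(rows).items():
        print(node, f"nx={s['nx_ratio']:.2f} dga={s['dga']:.2f} home={s['home']:.2f}")
```

The third sample row is deliberately inconsistent (other_names is 40 where the named categories leave 20), so the check flags it.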