**5. Estimation of simulation parameters of measured network traffic**

The main problem of measured packet network traffic modeling is to estimate the parameter, which is needed for modeling measured network traffic in simulation tools. It has already been mentioned that the parameters of data source traffic processes are needed. We already described that transformation from packet network traffic Z*p*[*n*] to data source

Modeling and Simulating the Self-Similar Network Traffic in Simulation Tool 367

carried out by finding and summing fragmented packets' sequences without an in-depth analysis of packets. Fragmented sequence is defined as a sequence of *lMTU* sized packets associated with the same source and destination addresses and terminated by packet

In real networks, we have captured packets of different network traffic through a Wireshark sniffer. The two different types of measured traffic are used for analysis, modeling and

simulation purposes. These two test traffics are shown in Figure 10.

Fig. 10. Measured test traffic 1 and 2 captured by Wireshark sniffer.

parameter is estimated using different methods for both test traffics.

bit rate (kb/s)

test traffic 1 24.02 108.90 0.630 0.723 0.843

test traffic 2 35.612 114.51 0.592 0.580 0.477

Table 1. The main properties of captured traffics. On the right side of the table the Hurst

For each of test traffics, the Hurst parameter has been estimated through different methods. The Hurst parameters for both cases are bigger than 0.5, so we can classify these test traffics

variance method

R/S method periodogram method

packet rate (p/s)

shorter than *lMTU*.

measured test traffics

**6. Simulation results** 

network traffic Z*d*[*n*] is needed (section 2.6) [45]. There are many possibilities to make a transformation from Z*p*[*n*] to Z*d*[*n*], which allows estimation of parameters of data source network traffic processes. We investigated two algorithms [28]:


The main differences between them are complexity and the needed execution time. The first algorithm mimics a complete decapsulation process, and defragmentation in higher layers of the communication model. Any sniffers are able to extract this data from the IP header. Knowing them, it is then simple to calculate a length of IP PDU (Protocol Data Unit) which also contains a header of higher layer protocols. Through the use of an in-depth header analysis, it is possible, in the similar way as the IP header, to calculate the lengths of all these headers. Each packed IP header has four the so-called fragmentation fields that contain information about data fragmentation, which is shown on Figure 9.


Fig. 9. IP header. Shadowed fields are used in the defragmentation process. Legend: V: protocol version; IHL: Internet Header Length; ToS: Type of Service; TL: Total Length; ID: Identification Data; F: Flags; FO: Fragment Offset; TTL: Time to Live.

Extensive research and investigation about traffic sources in contemporary networks show that this approach requires an in-depth analysis of packets (where need specialized, very powerful and consequently, expensive instruments), which in case of encrypted packets and non-standard application protocols, is not completely possible. In such cases, it is also necessary to capture the entire packets, which can be problematic in the high-speed networks. For these reasons, a simple algorithm has been developed, where only information of packets sizes, packet time stamps and IP addresses are needed.

The second algorithm skips decapsulation by considering the average lengths of packet headers and then uses only packet lengths and inter-arrival times. In the second case, the algorithm offers the estimation of data source network traffic, not the exact reconstructed data source traffic. The second algorithm represents the main part of method by mimic defragmentation process, which is described in detail in [45]. The main idea of mimic defragmentation process method is to compose data from the captured packet traffic, which is previously fragmented at the transmitter. The data source traffic estimation is carried out by finding and summing fragmented packets' sequences without an in-depth analysis of packets. Fragmented sequence is defined as a sequence of *lMTU* sized packets associated with the same source and destination addresses and terminated by packet shorter than *lMTU*.
