First, we look at packet interarrivals as triples of (size, interarrival time, size): the size of one packet, the gap before the next packet, and the size of that next packet. By plotting these points in 3d space, we can get a feel for the kinds of consecutive packets each protocol tends to send, and what the interarrival times tend to be for each pair of sizes.
For example, two big packets with a small delay between them probably indicate some sort of bulk data transfer. Similarly, small or medium-sized packets with a longer interarrival period indicate some sort of query-response behavior, possibly involving user interaction.
Both types of behavior are visible in the graph below of HTTP, SMTP, and SSH traffic. We see that many of the HTTP packets are medium-sized or large, and are sent by the server, while SMTP tends to send data from the client to the server. SSH, on the other hand, exhibits two main behavior patterns. First, we see SSH has a higher density of small packets with longer interarrival times than the other two protocols, representing its interactive (Telnet-like) mode. We also see several blue SSH packets in the lower left area of the graph, which correspond to back-to-back big packets from the server --- these probably belong to SCP bulk data transfer sessions, or to other programs such as CVS or rsync using SSH in place of the aging rsh facility for copying files across the
Here we use heatmaps to give us an idea of what the "average" sequence of packets for each protocol looks like.
The X axis shows the time from when we observed the first packet in the session. The Y axis shows the packets' size. We use the sign bit of the size to indicate direction, so packets with size less than zero are those observed in transit from server to client. Similarly, packets sent from the client to the server have size greater than zero.
The color of each pixel indicates the "packet density" at the given time and size. Brighter areas indicate higher packet density, so the yellow areas are where we tend to see a lot of packets, and the dark areas are where we rarely, if ever, observe a packet.
Similarly, we can look at packet densities to get an idea of the kinds of individual packets a protocol tends to generate, regardless of arrival time or position in the sequence. In the following graphs, each pixel represents a certain type of packet, identified by its interarrival time (on the X axis) and its directed size (on the Y axis, as before). Bright areas indicate the kinds of packets that the given protocol tends to generate very frequently; dark areas correspond to packet types that the protocol (almost) never generates.
So, for example, a protocol which consisted only of the client repeatedly sending a large packet to the server, at intervals of about one second, would produce a very bright spot in the top middle of the graph (large positive size, one-second interarrival), and darkness everywhere else. In reality, we see that small packets (40-48 bytes) are much more common, and that their interarrival times can be quite varied.
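The three transformations described above (the size/interarrival/size triples, the directed size whose sign carries direction with time measured from the first packet of the session, and the per-packet density over interarrival time and directed size) as an added Python example; this is not code from the original page. The trace is constructed by hand to stand in for a captured SSH session, the bin widths (decades of milliseconds on the interarrival axis, 100-byte buckets on the size axis), the bulk/interactive thresholds in classify_pair, and the ASCII rendering that stands in for the colour heatmap are all assumptions made for illustration.

```python
"""Feature extraction behind the size / interarrival plots described above.

Added example, not the page's own code.  The trace below is constructed by
hand to stand in for a captured session: each record is
(timestamp_ms, direction, ip_total_length_bytes), with direction "c2s" for
client->server and "s2c" for server->client.  Timestamps are integer
milliseconds so that interarrival arithmetic is exact.
"""
from collections import Counter

# Constructed SSH-like session: a few small interactive packets separated by
# long gaps, then a burst of large back-to-back packets from the server.
TRACE = [
    (0,    "c2s", 48),    # keystroke: 40 bytes of IP+TCP header plus payload
    (120,  "s2c", 48),    # echo
    (1350, "c2s", 48),
    (1470, "s2c", 48),
    (3000, "c2s", 40),    # bare ACK
    (3010, "s2c", 1500),  # bulk transfer starts (full-MTU segments)
    (3011, "s2c", 1500),
    (3012, "s2c", 1500),
    (3013, "c2s", 40),
]

def directed_size(direction, size):
    """Fold direction into the sign: server->client packets become negative."""
    return -size if direction == "s2c" else size

def session_points(trace):
    """(ms since first packet, directed size): the points of the per-session heatmap."""
    t0 = trace[0][0]
    return [(t - t0, directed_size(d, s)) for t, d, s in trace]

def interarrivals(trace):
    """Gap in ms before each packet after the first."""
    return [trace[i][0] - trace[i - 1][0] for i in range(1, len(trace))]

def triples(trace):
    """(directed size, interarrival ms, directed size) for each consecutive pair."""
    out = []
    for i, ia in enumerate(interarrivals(trace)):
        prev = directed_size(trace[i][1], trace[i][2])
        nxt = directed_size(trace[i + 1][1], trace[i + 1][2])
        out.append((prev, ia, nxt))
    return out

def classify_pair(prev, ia_ms, nxt, big=1000, gap_ms=50):
    """Assumed heuristic for the two behaviours described in the text:
    big packets back-to-back -> bulk, small packets with a long gap -> interactive."""
    if abs(prev) >= big and abs(nxt) >= big and ia_ms < gap_ms:
        return "bulk"
    if abs(prev) < big and abs(nxt) < big and ia_ms >= gap_ms:
        return "interactive"
    return "other"

def ia_bin(ia_ms):
    """Decade of the gap (assumed binning): 0 for <10 ms, 1 for 10-99 ms, 2 for 100-999 ms, ..."""
    return len(str(ia_ms)) - 1 if ia_ms > 0 else 0

def size_bin(directed, width=100):
    """Signed 100-byte bucket (assumed), 1-based so that +48 and -48 land in different bins."""
    sign = -1 if directed < 0 else 1
    return sign * (abs(directed) // width + 1)

def density(trace):
    """Packet counts per (interarrival bin, directed-size bin): one heatmap pixel each."""
    counts = Counter()
    for _, ia, nxt in triples(trace):
        counts[(ia_bin(ia), size_bin(nxt))] += 1
    return counts

def render(counts, shades=" .:*#"):
    """ASCII stand-in for the heatmap: rows are size bins (client side on top),
    columns are interarrival decades, brighter character = more packets."""
    rows = sorted({s for _, s in counts}, reverse=True)
    cols = range(max(i for i, _ in counts) + 1)
    lines = []
    for s in rows:
        cells = "".join(shades[min(counts[(c, s)], len(shades) - 1)] for c in cols)
        lines.append(f"{s:+4d} |{cells}|")
    return "\n".join(lines)

if __name__ == "__main__":
    for prev, ia, nxt in triples(TRACE):
        print(f"{prev:6d} {ia:6d}ms {nxt:6d}  {classify_pair(prev, ia, nxt)}")
    print(render(density(TRACE)))
```

On the constructed trace the interactive keystroke/echo pairs fall into the small-size, 100 ms to 1 s region and the three full-MTU server segments pile up in the sub-10 ms, large-negative-size corner, which is the separation the text describes between SSH's interactive mode and its SCP-style bulk transfers.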