Analysis of Ethernet Traffic Patterns on NTP Servers at CSIR NPL

Network Time Protocol (NTP) servers are specialized timekeeping devices that provide synchronized and accurate time information to networked devices, ensuring precise coordination and reliability in various critical applications. CSIR-NPL is the National Metrology Institute of India which has the responsibility of time dissemination to the nation. Network time dissemination is one of the services which provide the time synchronization facility over the network via NTP servers. These NTP servers are designated as stratum 1 NTP servers in the network hierarchy as they are taking time from the authoritative atomic clock. NTP servers at CSIR-NPL are available in public domain for time dissemination. Many critical stakeholders such as internet service providers, data centres, various government organizations are the primary customers of CSIR-NPL for time services over the network. Hence, to understand the traffic dynamics coming towards the NTP servers is essential. This study aims to analyze Ethernet traffic patterns directed towards NTP servers at CSIR NPL using open-source monitoring software, i.e., Zabbix and Grafana. The study captures Ethernet traffic throughput in bits per second (bps) coming on NTP servers located at CSIR-NPL. These NTP servers are part of stacks of NTP servers responsible for disseminating Indian Standard Time over the internet. The study involves an investigation of Ethernet throughput to understand the NTP requests (packets per second) arriving for time synchronization and the pattern of incoming NTP request traffic on these servers. To evaluate NTP requests from Ethernet throughput, the conversion of Ethernet traffic from bps to packets per second (pps) is done and validation of the captured Ethernet throughput with actual traffic values obtained from the OEM software is accomplished. The investigation further explores incoming NTP traffic patterns and identifies regions where traffic reaches maximum and minimum loads, as well as its respective peaks and troughs, utilizing 5-day Ethernet datasets. The Savitzky–Golay filter is employed for data smoothing, and the gradient of the smoothed data is calculated to determine distinct regions of the traffic pattern. The results provide a comprehensive understanding of the traffic behaviour directed towards NTP servers for time synchronization, enabling the monitoring of anomalies associated with cybersecurity and contributing to the optimization of network resource allocation.