Abstract
Analyzing Internet traffic has become an important and challenging task. NetFlow/IPFIX flow records are widely used to summarize the Internet traffic carried on a link or forwarded by a router. Several tools exist to filter or search for specific flows in a collection of flow records; however, the filtering or query languages these tools use have limited capabilities when it comes to describing more complex network activity. This paper proposes a framework and a new stream-based flow record query language that allows certain types of traffic patterns to be defined and matched in a collection of flow records. The use of the proposed language is illustrated by constructing a query that identifies the Blaster.A worm.
© 2009 IFIP International Federation for Information Processing
Marinov, V., Schönwälder, J. (2009). Design of a Stream-Based IP Flow Record Query Language. In: Bartolini, C., Gaspary, L.P. (eds) Integrated Management of Systems, Services, Processes and People in IT. DSOM 2009. Lecture Notes in Computer Science, vol 5841. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04989-7_2
DOI: https://doi.org/10.1007/978-3-642-04989-7_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04988-0
Online ISBN: 978-3-642-04989-7