Stream Query Repository: Network Traffic Management

Schema

Introduction

This page provides schema and query specifications from the network traffic management domain, which involves monitoring network packet header information and network performance measurements across a set of network elements such as routers and switches. The schema and queries were provided by members of the STREAM project.

Schema

The schema consists of a single stream of network packet traces.

Packets: Stream of network packet traces.

Packets(srcIP     /* source host IP address */, 
        srcPort   /* port number on source host */, 
        destIP    /* destination host IP address */, 
        destProt  /* port number on destination host */, 
        len       /* length of the packet */,
        flags     /* bitmap containing flags used by the TCP protocol */
        id        /* (almost) unique packet identifier. E.g., hash of fields that 
                   *  remain unchanged over the packet's route */, 
        colID     /* unique ID of the packet trace collector that recorded
                   *  this packet header */, 
        timestamp /* time when packet was collected */);

Queries

Queries in English
Queries in CQL. The latest information on CQL is available here.
Queries in ATLaS

Queries in English

Top-k Traffic Query: Monitor the source-destination pairs in the top 5 percentile in terms of total traffic in the past 20 minutes over a backbone link B.
Customer Monitoring Query: Maintain the fraction of packets on a particular backbone link B generated by a particular customer network C in the past hour.
Protocol Analysis Query: For each source IP address and each 5 minute interval, count the number of bytes and number of packets resulting from HTTP requests.
Source Monitoring Query: Monitor the 10-minute exponentially decaying average of the number of packets from each source host on a per-minute basis.
Misbehaving Host Query: Identify TCP SYN packets for which a SYNACK was sent, but no ACK was received within a specified maximum bound of 2 minutes on the TCP handshake completion latency.
Flow Information Query: Generate the flows in the packet stream. A flow is defined as a sequence of packets from the same source to the same destination arriving "close together" in time. For simplicity assume that "close together" means less than 2 minutes apart, i.e., a flow ends when no packets arrive on the flow over a 2 minute interval. For each flow, output the source and destination addresses, the number of packets constituting the flow, and the length of the flow.

Last modified: Dec 2 2002. Please send comments and questions to shivnath@stanford.edu