Figure 1 graphically shows a query used in characterizing IP-over-ATM traffic [7]. The analysts in this case look for ``burstiness'' in the packet arrival rates and changes in the distribution of packet lengths in order to help plan network capacity. They compare the characteristics of interest over several different time scales (ms, sec, min, hour). In order to isolate a bursty host, they group packet streams by source and destination, calculating similar aggregates over these groups.
The data set for the example is a traffic trace including Asynchronous Transfer Mode (ATM) cells from a dozen virtual circuits (VCs) multiplexed onto the monitored network link. Each trace record contains a time stamp and an ATM cell. The query takes a stream of ATM cells, discards those cells belonging to an uninteresting VC, demultiplexes the stream by virtual circuit identifier (VCI), assembles IP packets (which are fragmented across successive cells on each VC), remultiplexes the packets back into a single stream, then counts the number of ICMP packets and finds the average length of all IP packets in each 5 ms interval.
The example shows several features of the query language presented in this section. Different layers of protocol are implemented by different data types. The example uses simple filters, aggregates, demultiplexing, multiplexing and some simple windows. Each of these is described in subsections below.