Next: Window Filters Up: The Tribeca Query Language Previous: Using Multiplex to Combine

Windows on Streams

The Tribeca window operator groups successive records in a stream so that they can be operated on as a unit. Tribeca supports two kinds of windows. A fixed window is effectively a demultiplex operation on the stream's sort field (network traffic traces are sorted by time, so the sort field is usually a time stamp): it partitions the stream into non-overlapping groups of records. A moving window breaks the stream into successive, overlapping groups of records. Both are illustrated in the example below. Result r1 contains the number and mean length of large (>100 byte) packets in successive five ms intervals; r2 contains the inter-arrival time between successive packets:

stream_window w1 on s1 defined by {s1.ts.interval 0.005} is fixed
stream_qual {w1.length.gt 100} p1
stream_agg {p1.count p1.length.mean} r1
stream_window w2 on s1 defined by {s1.count 2} is moving
stream_agg {w2.ts.diff} r2

As the example shows, a Tribeca user-defined function delineates each window. The function may be applied either to the sort field value (a time interval) or to the record's position in the stream (a count). The window names, w1 and w2, can be used as input to other Tribeca operators in the same way as Tribeca pipes.

In traffic analysis, aggregates are almost always used in conjunction with windows. After every windowful of data, downstream aggregates produce their values and are reinitialized for the next window. Packet reassembly in ATM analysis is likewise implemented as a combination of a window and an aggregate function: the window function is a predicate that returns TRUE on the ATM cell that contains the last byte of the IP packet, and the aggregate is a function that combines the ATM cell payloads into a single IP packet.
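The following Python is an added illustration of the two window kinds from the r1/r2 example above and of the predicate-delimited window used for ATM packet reassembly; it is not Tribeca code and not part of the original paper. The packet and cell streams are constructed sample data, timestamps are integer microseconds (so that 5 ms interval boundaries are not subject to floating-point rounding), and the decision to skip empty intervals and to flag a trailing, never-terminated reassembly window is this example's choice, not something the paper specifies:

```python
from collections import deque
from typing import Callable, Deque, Iterable, Iterator, List, Optional, Tuple, TypeVar

T = TypeVar("T")

# Constructed sample stream s1 (not from the paper): (ts in microseconds, length in bytes),
# sorted by ts as a captured trace would be.
PACKETS: List[Tuple[int, int]] = [
    (0, 64), (1000, 512), (3000, 1500), (4900, 40),
    (5000, 200), (6200, 64), (9900, 1200),
    (10000, 300), (14000, 80),
    (16000, 40), (18000, 60),
]
INTERVAL_US = 5000  # s1.ts.interval 0.005 expressed in microseconds


def fixed_window(stream: Iterable[T], sort_field: Callable[[T], int],
                 interval: int) -> Iterator[List[T]]:
    """'is fixed': non-overlapping groups keyed by floor(sort_field / interval).
    Assumption: intervals containing no records are skipped, not emitted as empty windows."""
    window: List[T] = []
    current: Optional[int] = None
    for rec in stream:
        bucket = sort_field(rec) // interval
        if current is not None and bucket != current:
            yield window          # window boundary crossed: emit and reset
            window = []
        current = bucket
        window.append(rec)
    if window:
        yield window


def moving_window(stream: Iterable[T], count: int) -> Iterator[List[T]]:
    """'is moving' defined by count: overlapping groups of `count` successive records."""
    buf: Deque[T] = deque(maxlen=count)
    for rec in stream:
        buf.append(rec)
        if len(buf) == count:
            yield list(buf)


def predicate_window(stream: Iterable[T], is_last: Callable[[T], bool]) -> Iterator[List[T]]:
    """Window delimited by a user-defined predicate: records accumulate until is_last(rec) is true.
    A trailing group whose terminating record never arrived is still yielded so the caller can flag it."""
    window: List[T] = []
    for rec in stream:
        window.append(rec)
        if is_last(rec):
            yield window
            window = []
    if window:
        yield window


def r1(packets: Iterable[Tuple[int, int]] = PACKETS) -> List[Tuple[int, Optional[float]]]:
    """w1 fixed by 5 ms interval -> stream_qual length > 100 -> (count, mean length) per window.
    The aggregates are recomputed from scratch for every window; mean is None when no packet qualified."""
    out: List[Tuple[int, Optional[float]]] = []
    for w1 in fixed_window(packets, lambda p: p[0], INTERVAL_US):
        p1 = [p for p in w1 if p[1] > 100]                     # stream_qual {w1.length.gt 100}
        lengths = [p[1] for p in p1]
        out.append((len(p1), sum(lengths) / len(lengths) if lengths else None))
    return out


def r2(packets: Iterable[Tuple[int, int]] = PACKETS) -> List[int]:
    """w2 moving by count 2 -> ts.diff: inter-arrival time of successive packets (microseconds)."""
    return [w[1][0] - w[0][0] for w in moving_window(packets, 2)]


# Constructed ATM cell stream: (payload, flag set on the cell carrying the last byte of the packet).
CELLS: List[Tuple[bytes, bool]] = [
    (b"GET / HTTP/1.1\r\n", False), (b"Host: example\r\n", False), (b"\r\n", True),
    (b"HTTP/1.1 200 OK\r\n", False), (b"\r\n", True),
    (b"partial", False),            # last cell missing: reassembly must not report this as a packet
]


def reassemble(cells: Iterable[Tuple[bytes, bool]] = CELLS) -> List[Tuple[bytes, bool]]:
    """Window = predicate on the last-cell flag; aggregate = concatenation of payloads.
    Returns (packet_bytes, complete) so an unterminated trailing window is visible to the caller."""
    return [(b"".join(c[0] for c in w), w[-1][1]) for w in predicate_window(cells, lambda c: c[1])]


if __name__ == "__main__":
    print("r1:", r1())
    print("r2:", r2())
    print("reassembled:", reassemble())
```

The `complete` flag returned by `reassemble` is the check a practitioner would want: a reassembler that silently emits whatever was buffered at end of trace would present a truncated payload as a whole IP packet, and anything downstream that parses it would be reasoning about data the network never finished delivering.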
