IMC '05, 2005 Internet Measurement Conference Abstract
Pp. 267272 of the Proceedings
Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic
Stefan Kornexl, TU München; Vern Paxson, ICSI/LBNL; Holger Dreger, Anja Feldmann, and Robin Sommer, TU München
Abstract
There are times when it would be extraordinarily convenient to record the
entire contents of a high-volume network traffic stream, in order to later
``travel back in time'' and inspect activity that has only become interesting
in retrospect. Two examples are security forensics--determining just how an
attacker compromised a given machine--and network trouble-shooting, such as
inspecting the precursors to a fault after the fault. We describe
the design and implementation of a Time Machine to efficiently support
such recording and retrieval. The efficiency of our approach comes from
leveraging the heavy-tailed nature of network traffic: because the bulk of the
traffic in high-volume streams comes from just a few connections, by
constructing a filter that records only the first N bytes of each connection
we can greatly winnow down the recorded volume while still retaining
both small connections in full, and the beginnings of large connections
(which often suffices).
- View the full text of this paper in HTML and PDF.
The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
|