Check out the new USENIX Web site.

USENIX Home . About USENIX . Events . membership . Publications . Students
IMC '05, 2005 Internet Measurement Conference — Abstract

Pp. 267–272 of the Proceedings

Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic

Stefan Kornexl, TU München; Vern Paxson, ICSI/LBNL; Holger Dreger, Anja Feldmann, and Robin Sommer, TU München

Abstract

There are times when it would be extraordinarily convenient to record the entire contents of a high-volume network traffic stream, in order to later ``travel back in time'' and inspect activity that has only become interesting in retrospect. Two examples are security forensics--determining just how an attacker compromised a given machine--and network trouble-shooting, such as inspecting the precursors to a fault after the fault. We describe the design and implementation of a Time Machine to efficiently support such recording and retrieval. The efficiency of our approach comes from leveraging the heavy-tailed nature of network traffic: because the bulk of the traffic in high-volume streams comes from just a few connections, by constructing a filter that records only the first N bytes of each connection we can greatly winnow down the recorded volume while still retaining both small connections in full, and the beginnings of large connections (which often suffices).
  • View the full text of this paper in HTML and PDF.
    The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.

?Need help? Use our Contacts page.

Last changed: 24 Oct. 2005 rc
IMC '05 Tech Sessions
IMC '05 Home
USENIX home