Design of an IP Flow Record Query Language

  • Vladislav Marinov
  • Jürgen Schönwälder
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5127)


Internet traffic is often summarized by collecting NetFlow/IPFIX flow records. Several tools exist to filter or to search for specific flows in a collection of flow records. However, there is a need for a framework (filter language) which allows certain types of traffic patterns to be defined and matched in a collection of flow records. The goal of this project is to research the various filter/query languages used by tools or proposed in the literature and to extract a common basis for a new orthogonal flow record query language. We present research motivation and state of the art in this paper.


Keywords: NetFlow, IPFIX, network traffic analysis, query language



Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Vladislav Marinov (1)
  • Jürgen Schönwälder (1)
  1. Computer Science, Jacobs University Bremen, Germany
