Design and Implementation of a Distributed Platform for Sharing IP Flow Records

  • Cristian Morariu
  • Peter Racz
  • Burkhard Stiller
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5841)


Experiments using real traffic traces are of key importance in many network management research fields, such as traffic characterization, intrusion detection, and accounting. Access to such traces is often restricted due to privacy issues; research institutions typically have to sign non-disclosure agreements before accessing such traces from a network operator. Having such restrictions, researchers rarely have more than one source of traffic traces on which to run and validate their experiments.

Therefore, this paper develops a Distributed Platform for Sharing IP Flows (DipSIF) based on NetFlow records between multiple institutions. It is assumed that NetFlow traces collected by each participant are archived on separate storage hosts within their premises and then made available to others using a server that acts as a gateway to the storage. Due to privacy reasons the platform presented here uses a prefix-preserving, cryptography-based, and consistent anonymization algorithm in order to comply to different regulations determining the exchange of traffic traces data.


Application Program Interface Internet Protocol Request Message Transport Control Protocol Internet Protocol Address 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Argus Homepage, (last access, April 2009)
  2. 2.
    Baumgardt, N.: Design and Setup of a Distributed Storage Repository for NetFlow Records; Student Thesis. CSG@IFI, University of Zürich, Switzerland (March 2008)Google Scholar
  3. 3.
    cflowd Homepage, (last access April 2009)
  4. 4.
  5. 5.
    Claise, B.(ed.): Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information. IETF RFC 5101 (January 2008)Google Scholar
  6. 6.
    DatCat, Intenet Measurement Data Catalog, (last access August 2009)
  7. 7.
    EMANICS Project Homepage, (last access May 2009)
  8. 8.
    Koukis, D., Antonatos, S., Antoniades, D., Trimintzios, P., Markatos, E.P.: A Generic Anonymization Framework for Network Traffic. In: IEEE International Conference on Communications (ICC 2006), Istanbul, Turkey (June 2006)Google Scholar
  9. 9.
    Li, Y., Slagell, A., Luo, K., Yurcik, W.: CANINE: A Combined Conversion and Anonymization Tool for Processing NetFlows for Security. In: International Conference on Telecommunication Systems, Modeling and Analysis, Dallas, Texas, USA (November 2005)Google Scholar
  10. 10.
    nfdump Homepage, (last access April 2009)
  11. 11.
    Plonka, D.: FlowScan: A Network Traffic Flow Reporting and Visualization Tool. In: 14th USENIX Conference on System Administration, New Orleans, Louisiana, USA, December 2000, pp. 305–318 (2000)Google Scholar
  12. 12.
    TCPDpriv Homepage, (last access April 2009)
  13. 13.
    Tcpdump Homepage, (last access May 2009)
  14. 14.
    Xu, J., Fan, J., Ammar, M., Moon, S.B.: On the Design and Performance of Prefix-preserving IP Traffic Trace Anonymization. In: 1st ACM SIGCOMM Workshop on Internet Measurement (IMW 2001), San Francisco, California, USA, November 2001, pp. 263–266 (2001)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Cristian Morariu
    • 1
  • Peter Racz
    • 1
  • Burkhard Stiller
    • 1
  1. 1.Department of Informatics IFIUniversity of ZurichSwitzerland

Personalised recommendations