Design of a Stream-Based IP Flow Record Query Language

  • Vladislav Marinov
  • Jürgen Schönwälder
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5841)


Analyzing Internet traffic has become an important and challenging task. NetFlow/IPFIX flow records are widely used to provide a summary of the Internet traffic carried on a link or forwarded by a router. Several tools exist to filter or to search for specific flows in a collection of flow records; however, the filtering or query languages that these tools use have limited capabilities when it comes to describing more complex network activity. This paper proposes a framework and a new stream-based flow record query language, which allows certain types of traffic patterns to be defined and matched in a collection of flow records. The usage of the proposed new language is exemplified by constructing a query that identifies the Blaster.A worm.


Keywords: Network measurement, NetFlow, IPFIX



Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Vladislav Marinov, Computer Science, Jacobs University Bremen, Germany
  • Jürgen Schönwälder, Computer Science, Jacobs University Bremen, Germany
