Live Traffic Monitoring with Tstat: Capabilities and Experiences

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6074)


Network monitoring has always played a key role in understanding telecommunication networks since the pioneering time of the Internet. Today, monitoring traffic has become a key element to characterize network usage and users’ activities, to understand how complex applications work, to identify anomalous or malicious behaviors, etc. In this paper we present our experience in engineering and deploying Tstat, a passive monitoring tool that has been developed in the past ten years. Started as a scalable tool to continuously monitor packets that flow on a link, Tstat has evolved into a complex application that gives to network researchers and operators the possibility to derive extended and complex measurements. Tstat offers the capability to track traffic flows, it integrates advanced behavioral classifiers that identify the application that has generated a flow, and automatically derives performance indexes that allow to easily characterize both network usage and users’ activity. After describing Tstat capabilities and internal design, in this paper we present some examples of measurements collected deploying Tstat at the edge of our campus network for the past years.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Kapoor, R., Chen, L.-J., Lao, L., Gerla, M., Sanadidi, M.Y.: CapProbe: A Simple and Accurate Capacity Estimation Technique. In: ACM SIGCOMM’04, Portland, USA (2004)Google Scholar
  2. 2.
    Downey, A.B.: Using pathchar to estimate Internet link characteristics. ACM SIGCOMM Computer Communication Review (1999)Google Scholar
  3. 3.
    Rizzo, L.: Dummynet: a simple approach to the evaluation of network protocols. ACM Computer Communication Review (January 1997)Google Scholar
  4. 4.
    Wireshark Homepage,
  5. 5.
    Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: 13th USENIX LISA Conference (1999)Google Scholar
  6. 6.
    Moore, D., Keys, K., Koga, R., Lagache, E., Claffy, K.: The CoralReef Software Suite as a Tool for System and Network Administrators. In: 15th USENIX Conference on System Administration, San Diego, CA (December 2001)Google Scholar
  7. 7.
  8. 8.
    TCPTrace Homepage,
  9. 9.
    Mellia, M., Meo, M., Muscariello, L., Rossi, D.: Passive analysis of TCP anomalies. Elsevier Computer Networks 52(14) (October 2008)Google Scholar
  10. 10.
    Rossi, D., Casetti, C., Mellia, M.: User Patience and the Web: a Hands-on Investigation. In: IEEE Globecom’03, San Francisco, CA, USA (December 2003)Google Scholar
  11. 11.
    IPP2P Homepage,
  12. 12.
    Bonfiglio, D., Mellia, M., Meo, M., Rossi, D., Tofanelli, P.: Revealing Skype Traffic: When Randomness Plays with You. ACM SIGCOMM Computer Communication Review 37(4), 37–48 (2007)CrossRefGoogle Scholar
  13. 13.
    Rossi, D., Mellia, M.: Real-Time TCP/IP Analysis with Common Hardware. In: IEEE International Conference of Communication (ICC’06), Istanbul, Turkey (June 2006)Google Scholar
  14. 14.
    Rossi, D., Valenti, S., Veglia, P., Bonfiglio, D., Mellia, M., Meo, M.: Pictures from the Skype. ACM Performance Evaluation Review (PER) 36(2), 83–86 (2008)CrossRefGoogle Scholar
  15. 15.
    Endace Homepage,
  16. 16.
    AITIA Homepage,
  17. 17.
  18. 18.
    TSTAT RRD Web interface,
  19. 19.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.Politecnico di Torino 
  2. 2.TELECOM ParisTech 

Personalised recommendations