Twitter
Facebook
LinkedIn
Google+
YouTubeusenix conference policies
You are here
Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic
Website Maintenance Alert
Due to scheduled maintenance, the USENIX website may not be available on Monday, March 17, from 10:00 am–6:00 pm Pacific Daylight Time (UTC -7). We apologize for the inconvenience and thank you for your patience.
If you would like to register for NSDI '25, SREcon25 Americas, or PEPR '25, please complete your registration before or after this time period.
There are times when it would be extraordinarily convenient to record the entire contents of a high-volume network traffic stream, in order to later ``travel back in time'' and inspect activity that has only become interesting in retrospect. Two examples are security forensics--determining just how an attacker compromised a given machine--and network trouble-shooting, such as inspecting the precursors to a fault after the fault. We describe the design and implementation of a Time Machine to efficiently support such recording and retrieval. The efficiency of our approach comes from leveraging the heavy-tailed nature of network traffic: because the bulk of the traffic in high-volume streams comes from just a few connections, by constructing a filter that records only the first N bytes of each connection we can greatly winnow down the recorded volume while still retaining both small connections in full, and the beginnings of large connections (which often suffices).
author = {Stefan Kornexl and Vern Paxson and Holger Dreger and Anja Feldmann and Robin Sommer},
title = {Building a Time Machine for Efficient Recording and Retrieval of {High-Volume} Network Traffic },
booktitle = {Internet Measurement Conference 2005 (IMC 05)},
year = {2005},
address = {Berkeley, CA},
url = {https://www.usenix.org/conference/imc-05/building-time-machine-efficient-recording-and-retrieval-high-volume-network},
publisher = {USENIX Association},
month = oct
}
connect with us