Agurim


About Agurim

Agurim is a network traffic monitor based on flexible multi-dimensional flow aggregation in order to identify significant aggregate flows in traffic. A user can dynamically switch views based on traffic volume or packet counts, address or protocol attributes, with different temporal and spacial granularities. The supported data sources are pcap, sFlow, and netFlow.


How to Use


main view

The main view provides dual plots, a volume-based plot on the left and a packet-based plot on the right. Each plot presents 7 significant aggregate flows by default. The legend label shows each aggregate flow with the main attribute and its share against the total traffic, along with the sub-attributes and their shares within the aggregate flow. In the address view, the main attribute is source and destination addresses and the sub-attributes are protocols. In the protocol view, the main attribute is protocol and the sub-attributes are addresses. Addresses are presented with thier prefix length when aggregated. '*' is a wildcard (e.g., 0.0.0.0/0 for IPv4 address) but '*::' is used for IPv6 address. Protocols are presented by proto:sport:dport (e.g., '6:80:1234' for proto=TCP, sport=80, dport=1234).

basic operations: Use the navigation buttons on the bottom to zoom in, zoom out, forward and backward. The pulldown menus on the top right allow you to switch datasets (when there are multiple datasets), and address/protocol views. Click one of the plots (or use the gear button at the bottom) to move to the detail view. Click the home button to go back to the default settings.


detail view

The detail view allows further control. Selecting an area in the plot zooms into the specified time period. Clicking a legend label further decomposes the corresponding flow by applying the main attrbute as a flow filter. You can change the aggregation parameters in the browser's address bar, or clicking the gear button at the bottom for the input form. The following parameters can be specified.

Click the home button to go back to the main view.


Source code

The source code is available from github.


Sample dataset

This sample dataset is an effort to promote measurement data sharing and provide broader access to backbone traffic for the benefit of the networking community. You should follow research ethics to use the data. In particular, actions that trespass upon users' privacy are prohibited.

The data is taken from the transit link of the WIDE network (AS2500) in Japan since February 2013. IP addresses appearing in the dataset are anonymized using a prefix-preserving method. More information about the dataset is available from the MAWI working group traffic archive.


Acknowledgments

This work is conducted as research activities within the WIDE Project and the NECOMA Project.

This research has been partly supported by the Strategic International Collaborative R&D Promotion Project of the Ministry of Internal Affairs and Communication, Japan, and by the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement No. 608533 (NECOMA).


References

  1. Midori Kato, Kenjiro Cho, Michio Honda, Hideyuki Tokuda.
    Monitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation.
    OSDI2012 MAD Workshop. Hollywood, CA. October 2012. (pdf).

contact info: Kenjiro Cho, WIDE Project (kjc at wide.ad.jp)