LISA '07 – Abstract
Pp. 39–47 of the Proceedings
NetADHICT: A Tool for Understanding Network Traffic
Hajime Inoue, ATC-NY, Ithaca, NY; Dana Jansens, Abdulrahman Hijazi, and Anil Somayaji, Carleton University, Ottawa, Canada
Computer and network administrators are often confused or
uncertain about the behavior of their networks. Traditional analyses
using IP ports, addresses, and protocols are insufficient to
understand modern computer networks. Here we describe NetADHICT, a
tool for better understanding the behavior of network traffic. The key
innovation of NetADHICT is that it can identify and present a
hierarchical decomposition of traffic that is based upon the learned
structure of both packet headers and payloads. In particular, it
decomposes traffic without the use of protocol dissectors or other
application-specific knowledge. Through an AJAX-based web interface,
NetADHICT allows administrators to see the high-level structure of
network traffic, monitor how traffic within that structure changes
over time, and analyze the significance of those changes. NetADHICT
allows administrators to observe global patterns of behavior and then
focus on the specific packets associated with that behavior, acting as
a bridge from higher level tools to the lower level ones. From
experiments we believe that NetADHICT can assist in the identification
of flash crowds, rapidly propagating worms, and P2P applications.
The Proceedings are published as a collective work, © 2007 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.