
Using Multiplex to Combine Streams

The multiplexing primitive is a simple operator for efficiently combining Tribeca streams. It can be used in two ways. In the first usage, mux is used to combine the logical substreams produced by demux. In the second usage, mux combines unrelated streams of the same data type.

Below is an example of the first usage of the multiplex operator. The query uses demux to divide the stream by VCI and counts the packets on each VC. The ⟨VCI, count⟩ pairs are then combined into a single stream that is qualified and aggregated.

stream_demux {s1.atm.vci} p1
stream_agg {p1.atm.vci p1.count} p2
stream_mux p2 p3
stream_qual {p3.count.lt 100} p4
stream_agg {p4.count.mean} r1

Note that the mean applied after the mux operates on all ⟨VCI, count⟩ pairs with count greater than one hundred. Without the mux, the aggregate would have been applied to each virtual circuit separately.

If the stream is demultiplexed more than once, an optional argument to stream_mux allows the substreams to be partially recombined. Suppose a query demultiplexed an ATM cell stream by VCI, assembled it into IP packets (an aggregate), then demultiplexed it again by ip_type. The resulting stream is logically separated by both VCI and ip_type. Muxing by VCI would leave a stream that is logically divided only by ip_type.
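The effect of the mux on the aggregate, and the partial recombination by VCI after two demuxes, can be modelled in Python. This is an added example, not Tribeca code and not from the paper: the operator functions, the sample data and the ip_type values are constructed, and the IP reassembly step between the two demuxes is left out.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample, not data from the paper: (vci, ip_type, packet count).
SPEC = [(1, "tcp", 40), (1, "udp", 20), (2, "tcp", 80), (3, "udp", 150)]
S1 = {(): [{"vci": v, "ip_type": t} for v, t, n in SPEC for _ in range(n)]}

# A stream is modelled as {partition key: records}. The key is a tuple of
# (field, value) pairs, one per demux still in effect; () means "not demuxed".

def demux(parts, field):
    """Split each logical substream further by `field`."""
    out = defaultdict(list)
    for key, recs in parts.items():
        for r in recs:
            out[key + ((field, r[field]),)].append(r)
    return dict(out)

def mux(parts, field=None):
    """Merge substreams: all of them, or only the split made on `field`."""
    out = defaultdict(list)
    for key, recs in parts.items():
        kept = () if field is None else tuple(k for k in key if k[0] != field)
        out[kept].extend(recs)
    return dict(out)

def count(parts):
    """Aggregate: one <key fields, count> record per logical substream."""
    return {k: [dict(k, count=len(recs))] for k, recs in parts.items()}

def qual(parts, pred):
    """Qualification: keep only records satisfying `pred` in each substream."""
    return {k: [r for r in recs if pred(r)] for k, recs in parts.items()}

def mean_count(parts):
    """Aggregate: mean of `count` per substream (None if nothing qualified)."""
    return {k: mean(r["count"] for r in recs) if recs else None
            for k, recs in parts.items()}

def vc_query(s1, with_mux=True):
    """The first query above; with_mux=False skips the stream_mux step."""
    p2 = count(demux(s1, "vci"))
    p3 = mux(p2) if with_mux else p2
    return mean_count(qual(p3, lambda r: r["count"] < 100))

def partial_recombine(s1):
    """Demux by vci, then by ip_type, then mux by vci only."""
    return count(mux(demux(demux(s1, "vci"), "ip_type"), "vci"))
```

With the mux, `vc_query` yields one mean over all qualifying VCs; without it, the result stays keyed by VCI, and a VC whose count fails the qualification produces no mean at all.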

The second kind of multiplex operation, in which several streams are combined, is very common in traffic analysis. Often, several different combinations of the same high-level and low-level protocols are used in the same network. For instance, frame relay networks have many ways of transporting IP packets (routed, Ethernet bridge, FDDI bridge, etc.). The query below is a (much simplified) typical stage of frame relay analysis. It finds two types of IP packets, extracts the same interesting fields from both, and then combines them into a single stream.

stream_qual {s1.is_routed_ip} p1
stream_proj {p1.ts p1.ip_type p1.ip_len} p2
stream_qual {s1.is_bridged_ip} p3
stream_proj {p3.ts p3.ip_type p3.ip_len} p4
stream_mux {p2 p4} p5

The output stream is a triple ⟨time stamp, ip type, length⟩.

