Gigascope: High Performance Network Monitoring with an. SQL Interface

• network monitoring 2
• streaming database 2

1 page acm copy

monitoring ranging from long-term (e.g., monitoring link utilizations, computing traffic matrices) to ad-hoc (e.g., detecting network intrusions, debugging performance problems). many … are complex (e.g., reconstruct TCP/IP sessions), operate over huge volumes of data, and have real-time reporting requirement (e.g., to raise performance or intrusion alert)

• use TCPdump to monitor a network port and an user-level application program to process data: flexible, but not fast enough to handle
• network monitoring devices: high-speed monitoring, but inflexible
• lack query interface: the data from the monitors are dumped to a file or piped through a file stream without an association to the semantics of the data. The burden of managing and interpreting the data is left to the analyst. Due to the volume and complexity of the data, the burden can be sever.

Gigascope takes a different approach, provides an SQL interface to the network monitoring system, greatly simplifying the task of managing and interpreting a stream of data.

Gigascope architecture: stream manager + registry

modeling network packets as data streams, crucial to aggressive optimizations such as executing part or all of a query in the NIC.