The traffic reports are computed automatically. They describe the traffic mix by giving the traffic of selected traffic clusters (aggregates) defined using the source and destination IP address, source and destination ports and protocol field. There are separate reports that measure the traffic in bytes, packets and flows.
Using traffic clusters, one can divide the traffic into meaningful categories. AutoFocus uses RRDtool to produce time series plots of the traffic mix with each category in a different color. AutoFocus produces reports and plots for various time periods ranging from weeks to half-hour intervals. Also, the user can drill down into separate pages for each category. The filter in the user interface allows drilling down in arbitrary directions. AutoFocus accepts two types of input: packet header traces and NetFlow data. Both types of input can be sampled, but AutoFocus only compensates for the sampling in the reports that measure the traffic in bytes and packets, and not in those measuring the traffic in flows (to avoid giving biased estimates).
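The following is an added illustration, not AutoFocus code and not the clustering algorithm from the paper: it totals sampled flow records per traffic cluster and scales only the byte and packet counts by the sampling rate, leaving the flow count as observed. The cluster definitions, the sample flows and the 1-in-100 sampling rate are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto bytes packets")

# Constructed sample of sampled flow records (not real traffic).
FLOWS = [
    Flow("10.1.1.5", "192.0.2.10", 51000, 80, 6, 1500, 3),
    Flow("10.1.1.9", "192.0.2.10", 51001, 80, 6, 3000, 4),
    Flow("10.1.2.7", "192.0.2.20", 40000, 53, 17, 120, 1),
    Flow("10.2.0.3", "198.51.100.4", 52000, 443, 6, 9000, 9),
    Flow("172.16.0.8", "192.0.2.10", 53000, 80, 6, 600, 2),
]

# Hypothetical cluster definitions; any field left out is a wildcard.
CLUSTERS = {
    "web from 10.1.0.0/16": {"src": "10.1.0.0/16", "dport": 80, "proto": 6},
    "all TCP": {"proto": 6},
    "DNS": {"dport": 53, "proto": 17},
    "to 192.0.2.0/24": {"dst": "192.0.2.0/24"},
}

def in_cluster(flow, spec):
    """True if the flow matches every field the cluster specifies."""
    for field, want in spec.items():
        have = getattr(flow, field)
        if field in ("src", "dst"):
            # Address fields are matched by prefix membership.
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True

def traffic_report(flows, clusters, sampling_rate):
    """Per-cluster totals from 1-in-N sampled input."""
    report = {}
    for name, spec in clusters.items():
        hits = [f for f in flows if in_cluster(f, spec)]
        report[name] = {
            "bytes": sum(f.bytes for f in hits) * sampling_rate,      # scaled
            "packets": sum(f.packets for f in hits) * sampling_rate,  # scaled
            "flows": len(hits),  # observed count only, not scaled
        }
    return report

if __name__ == "__main__":
    for name, row in traffic_report(FLOWS, CLUSTERS, 100).items():
        print(f"{name:24} {row}")
```

Clusters may overlap, so the per-cluster totals are not expected to sum to the overall traffic.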
The beta version of AutoFocus is available for download.
The paper below describes the formal research that AutoFocus builds on.
Automatically Inferring Patterns of Resource Consumption in Network Traffic
Cristian Estan, Stefan Savage and George Varghese
My presentation at NANOG 29 was more about AutoFocus than about the research behind it. It is available in PDF and PowerPoint.
For more details, contact Cristian Estan.
AutoFocus is available for commercial use under copyright license from The Regents of the University of California. For information please contact firstname.lastname@example.org referencing invention SD2004-806.