AutoFocus is a new traffic analysis and visualization tool that produces automatic traffic reports revealing the composition of the traffic mix. We tested AutoFocus directly on traffic traces from the uplinks of two networks with tens of thousands of active computers. The traffic reports helped us identify the structure of the normal traffic mix (regular backups, large web and Squid proxy servers, networks with many web clients, frequent ftp transfers between a pair of networks, etc.) and led to very informative time series plots. These automatic reports also provided an insightful analysis of unusual events that generate significant traffic: we observed a routing change and the outbreak of the Sapphire/SQL Slammer worm. For Sapphire, the report not only pointed out the port the worm was using but also gave the IP addresses of the computers on the campus network generating high volumes of worm traffic. The presentation will contain further details and case studies.
Given packet header traces or NetFlow data for the traffic on a link, AutoFocus produces compact traffic reports that reveal all traffic aggregates above a chosen threshold (we currently use 20%, 5% and 1% of the total traffic). Two important characteristics of our automated reports are that they describe the traffic at the right level of granularity and that they describe aggregates defined over multiple fields. For example, individual addresses whose traffic is above the threshold appear in the report directly, whereas for less active portions of the address space the report gives the traffic of prefixes of the appropriate length.
By using five important fields in the packet header (source and destination IP address, source and destination port, and protocol number), our reports can capture a wide variety of aggregates: busy servers, prefixes that heavily use certain applications, pairs of prefixes exchanging much traffic, individual IP addresses or prefixes subject to high-volume denial of service attacks, worms generating large amounts of traffic to normally quiescent ports, etc. Our report describes *all* traffic aggregates above the threshold, but we use "compression" to eliminate redundant information from the report: for example, if a /24 is reported, the /23, /22, etc. that contain it are also above the threshold, yet we do not report them explicitly unless their traffic is significantly larger than that of the /24 we reported. AutoFocus also produces time series plots of the traffic similar to those of Dave Plonka's FlowScan; one advantage of our plots is that they can capture aggregates defined on more than one field.
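The report construction described in the two paragraphs above (a threshold as a fraction of total traffic, prefixes of the appropriate length for less active address space, and compression of enclosing prefixes), as an added example restricted to the source-address hierarchy. This is illustration code written for this page, not AutoFocus's own implementation, and the flow records are constructed. It assumes that "significantly larger" means the enclosing prefix's traffic not already accounted for by reported sub-prefixes must itself reach the threshold; the real tool works over all five header fields at once.

```python
"""Single-hierarchy (source address) version of an AutoFocus-style report.
Example code for this page, not from the AutoFocus tool or paper."""
import ipaddress
from collections import defaultdict

# Constructed sample flows (source IP, bytes); the total is 1000 bytes.
FLOWS = [
    ("10.1.1.5", 400),                    # one very busy host
    ("10.1.1.6", 40), ("10.1.1.7", 40),   # two neighbours, each below 5%
    ("10.1.2.9", 300),                    # a second busy host
    # eight hosts spread over 10.2.0.0/24, 12 bytes each (96 in total)
    *[(f"10.2.0.{i * 32}", 12) for i in range(8)],
    ("192.168.5.1", 124),
]


def prefix_volumes(flows):
    """Attribute each flow's bytes to every prefix (length 0..32) containing its source."""
    vol = defaultdict(int)
    for ip, nbytes in flows:
        addr = int(ipaddress.IPv4Address(ip))
        for plen in range(33):
            mask = ((1 << plen) - 1) << (32 - plen)
            vol[(addr & mask, plen)] += nbytes
    return vol


def autofocus_report(flows, percent):
    """Return ({prefix: bytes}, threshold): prefixes whose traffic, after subtracting
    the traffic of already reported sub-prefixes, is at least percent% of the total."""
    total = sum(nbytes for _, nbytes in flows)
    threshold = total * percent // 100
    vol = prefix_volumes(flows)
    report = {}

    def visit(net, plen):
        # Bottom-up walk of the binary prefix trie. Returns how much of this
        # prefix's traffic is already explained by reported prefixes inside it.
        v = vol.get((net, plen))
        if v is None:            # no traffic under this prefix
            return 0
        explained = 0
        if plen < 32:
            explained += visit(net, plen + 1)                       # next bit 0
            explained += visit(net | (1 << (31 - plen)), plen + 1)  # next bit 1
        if v - explained >= threshold:
            # Compression rule (assumed reading of "significantly larger"): report
            # this prefix only if the traffic its reported descendants do not
            # account for reaches the threshold; list its full volume when it does.
            report[f"{ipaddress.IPv4Address(net)}/{plen}"] = v
            return v
        return explained

    visit(0, 0)
    return report, threshold


if __name__ == "__main__":
    for pct in (20, 5):
        report, thr = autofocus_report(FLOWS, pct)
        print(f"--- threshold {pct}% ({thr} bytes) ---")
        for prefix, nbytes in sorted(report.items(), key=lambda kv: -kv[1]):
            print(f"{prefix:>18}  {nbytes:5d}")
```

At 5% the two 40-byte neighbours are reported once as 10.1.1.6/31, the eight small hosts collapse into 10.2.0.0/24, and 10.1.1.0/24, 10.1.0.0/16 and 10.0.0.0/8 are suppressed because their reported sub-prefixes already explain their traffic. At 20% only the two busy hosts qualify, and 0.0.0.0/0 appears as well: the 300 bytes that no reported prefix covers are themselves above the threshold, so the root cluster is the appropriate aggregate for them. Extending the walk to a second field (destination port, say) turns the trie into a lattice where each node has parents in each dimension, which is the part of AutoFocus this single-hierarchy sketch leaves out.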
AutoFocus is in the final stages of development and will be available for download. The research paper describing it is at http://www.cs.ucsd.edu/users/cestan/papers/p0403-estan.pdf.
PDF presentation
RealVideo stream