Traffic measurement is an applied networking research methodology aimed at understanding packet traffic on the Internet. From its humble beginnings in LAN-based measurement of network applications and protocols, network measurement research has grown in scope and magnitude, and has helped providing insight to fundamental properties of the Internet, its protocols, and its users. For example, Internet traffic measurement and monitoring serves as the basis for a wide range of IP network operations, management, engineering tasks such as trouble shooting, accounting and usage profiling, routing weight configuration, load balancing, capacity planning, and so forth.

The lack of automatic tools able to produce statistical data from network packet traces was a major motivation to develop Tstat, a tool which, starting from standard software libraries, offers to network managers and researchers audit important information about classic and novel performance indexes and statistical data about Internet traffic. Started as evolution of TCPtrace, Tstat analyzes either real-time captured packet traces, using either common PC hardware or more sophisticated ad-hoc cards such as the DAG cards. Beside live capture, Tstat can analyze previously recorded packet-level traces, supporting various dump formats, such as the one supported by the libpcap library, and many more.

Assuming that both forward and backward stream of packets, so that it can correlate them to infer advanced measurement indexes. For example, if both TCP data and ACK segments can be analyzed, Tstat rebuilds each TCP connection status looking at the TCP header in the forward and backward packet flows. The bi-directionality of the TCP flow analysis allows the derivation of novel statistics (such as, for example, the congestion window size, out-of-sequence segments, duplicated segments, etc.) which are collected distinguishing both between clients and servers, (i.e., hosts that actively open a connection and hosts that reply to the connection request) and also identifying internal and external hosts (i.e., hosts located inside or outside the measurement point). This methodology has been applied to infer traffic characteristics at the transport layer, and in particular to the TCP and RTP/RTCP protocols. A detailed list of all the monitored performance indexes is available here .

Tstat builds histogram of measured indexes, dumping the collected distribution periodically (every five minutes by defaults), rather than dumping each single measured datum. The data produced by the on-line statistical analysis is ready to be visualized, for example, as either time plots or aggregated plots over different time spans: the old web interface, now unmaintained¹, features a total of more than 80 histogram types that can be inspected. A complete flow-level log, which is useful for post-processing purposes, tracks all analyzed transport layer flows by including all the performance indexes for later post-processing: many of the results presented in publications section have been gathered in this way. Finally, the latest version of Tstat has been integrated with RRDtool: the whole measurement indexes can now be stored as a round robin database. Since RRD database has fixed size, this allows ever-lasting live-capture without compromising the statistical relevance of the data, as you can gather by browsing the new web interface.