Playing With the DB
tracefile -- just some metadata about the originating trace (capture) file.
packets -- just what you'd expect: gobs of packets with everything you'd want to know about them, with foreign keys to tracefile and sockets.
sockets -- really a partial rollup of the packets table, capturing information about the set of packets exchanged between a single client socket and a single server socket (one conversation).
Let's start by having a look at some sockets first:
mysql> select * from sockets limit 30;
Of note: the starttime column is only populated if we find a SYN (signifying the start of a conversation); otherwise it defaults to -1. A socket with starttime = -1 was either already in progress when the capture began or its SYN was missed, so don't treat -1 as the beginning of the conversation when computing durations.
Choose the idsock of one of the sockets (18 is used in the example) and we'll use it to pull the equivalent of "follow socket conversation" (Ethereal's "Follow TCP Stream") from a tool like Ethereal:
mysql> select idpack, srcip, dstip, srcport, dstport, packetsize,
ttl, winsz, flags, seqnum, acknum,
from_unixtime(timestamp), idtrace, idsocket
from packets
where idsocket = 18
order by timestamp, idpack;
Ooooh.... ahhh, huh?
So, just with the rollups in sockets, you can answer all kinds of questions: What sockets ran longer than N seconds? What sockets passed very little data? What sockets passed data over a certain threshold, and to what host? What conversations were carried on to a certain host?
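Here is one way to ask each of those questions, written as an added example rather than queries from the original page. It uses only the columns shown above (idsocket, idsock, starttime, srcip, dstip, dstport, packetsize, timestamp) and computes durations and byte counts directly from the packets table, so it doesn't depend on whatever other rollup columns the sockets table may have. The thresholds (60 seconds, 200 bytes, 10 MB) and the host 10.0.0.5 are assumed placeholders; timestamp is assumed to be in seconds since the epoch, as from_unixtime() above implies.

```sql
-- Added example, not from the original page. Assumes packets.idsocket
-- references sockets.idsock, that timestamp is seconds since the epoch,
-- and that packetsize is the per-packet byte count. Thresholds and the
-- host 10.0.0.5 are placeholders; adjust to taste.

-- 1. Which sockets ran longer than N (here 60) seconds?
--    Only sockets whose SYN we actually saw (starttime <> -1) are
--    trustworthy here, since otherwise the first packet we have is
--    not the real start of the conversation.
SELECT p.idsocket,
       from_unixtime(MIN(p.timestamp))       AS first_seen,
       from_unixtime(MAX(p.timestamp))       AS last_seen,
       MAX(p.timestamp) - MIN(p.timestamp)   AS duration_s
FROM packets p
JOIN sockets s ON s.idsock = p.idsocket
WHERE s.starttime <> -1
GROUP BY p.idsocket
HAVING duration_s > 60
ORDER BY duration_s DESC;

-- 2. Which sockets passed very little data (under 200 bytes total)?
--    Handshake-only or reset conversations show up here; a burst of
--    them against many ports on one host is what a scan looks like.
SELECT idsocket,
       COUNT(*)        AS pkts,
       SUM(packetsize) AS bytes
FROM packets
GROUP BY idsocket
HAVING bytes < 200
ORDER BY bytes ASC;

-- 3. Which sockets passed more than 10 MB, and to what host?
--    Grouping by dstip/dstport as well splits each conversation into
--    its two directions, so you can see which side received the bulk.
SELECT idsocket,
       dstip,
       dstport,
       SUM(packetsize) AS bytes_to_dst
FROM packets
GROUP BY idsocket, dstip, dstport
HAVING bytes_to_dst > 10 * 1024 * 1024
ORDER BY bytes_to_dst DESC;

-- 4. Which conversations were carried on with a certain host?
--    Match either direction so that traffic back from the host is
--    counted in the same conversation.
SELECT idsocket,
       MIN(srcip)       AS a_side,
       MIN(dstip)       AS b_side,
       COUNT(*)         AS pkts,
       SUM(packetsize)  AS bytes,
       from_unixtime(MIN(timestamp)) AS first_seen
FROM packets
WHERE srcip = '10.0.0.5' OR dstip = '10.0.0.5'
GROUP BY idsocket
ORDER BY first_seen;
```

Queries 1 and 2 are the ones worth running first on an unfamiliar capture: long-lived sockets that moved little data are the usual signature of a beaconing client or an idle reverse shell, and a pile of sub-200-byte sockets from one source is usually a port scan.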