Adds docs/socket-analysis.md — the analysis companion to the Parquet docs, for a data/analytics team that wants to find the natural RTT bands (and other socket groupings) in the fleet statistically.

Stacked on #41 (docs/parquet-format) so the cross-links resolve. Merge order: #39 → #41 → this; each retargets to main as its base merges.

What it covers

• The RTT-band mental model — intra-DC / metro-CDN / regional / outliers / mobile — framed as hypotheses the data must confirm, that drift over time and differ per DC.
• Right signal — min_rtt (not srtt) on a log scale.
• Data prep — the critical "aggregate to one row per socket, not per poll" step (key on socket_cookie+hostname+netns), filtering (ESTABLISHED, loopback, survivorship), unit conversions, cumulative-counter handling, deriving the DC dimension.
• Finding RTT bands — GMM+BIC (recommended, adaptive/drift-aware), Jenks/KDE (simple), Snowflake NTILE/APPROX_PERCENTILE (quick win, with the quantiles≠modes caveat); labeling/validating against dest_asn/geo/port; tracking centroids per (DC, day).
• Multi-feature clustering — {log min_rtt, log throughput, retrans_rate, rel jitter, log cwnd} via K-means/GMM/HDBSCAN (recommended — finds the outlier band as noise); validation.
• Other analyses — throughput bands, loss bands, congestion-algo comparison, per-ASN/CDN, diurnal, drift/anomaly.
• Worked example — DuckDB/Snowflake feature SQL → Python GMM+BIC and HDBSCAN → Snowflake quick bands.
• Pitfalls — µs units, per-socket grain, cumulative counters, survivorship, app-limited throughput, raw-byte addresses, band drift, per-host clocks.

Notes

• Every xtcp column named in the doc was verified to exist in the schema; code snippets are illustrative/adaptable (not run in CI). Soft-wrapped to match the repo convention; links/anchors verified.
• Cross-linked from the docs hub and parquet-format.md.

🤖 Generated with Claude Code