[e2e] number of flows per unit time in routers
Yann Berthier
yb at bashibuzuk.net
Mon Oct 31 10:54:39 PST 2005
On Mon, 31 Oct 2005, Clark Gaylord wrote:
> Ghanwani, Anoop wrote:
>
> >I have a very basic question -
> >
> >Is there industry consensus on what constitutes a flow?
> >Theoretically, it could be some arbitrary bit mask being
> >applied to every packet. However, in practice people talk
> >about TCP flows, UDP flows, ICMP flows, etc. Just wondering
> >if there is a comprehensive list of these anywhere.
> >
> >
>
> You could read more from the ipfix group, but basically cisco got the
> definition right with netflow. This gets messy with non-TCP traffic,
> but what are you gonna do? "The five-tuple" is the usual shorthand
> (dst/src address/port + protocol). Non-port protocols either have
> something similar (a la icmp message) or ignore the port field. Note
> that a flow is uni-directional, so some have tried to define the
> bi-directional pair, but that gets dicey since there are plenty of
> applications (e.g. multicast streaming) that are inherently
> uni-directional. Of course, multicast is a bit of a special case anyway.
I would be tempted to say that uni-directional applications (which
are quite the minority for many networks) are just a special case of
bi-directional flows, with 'back' fields (number of bytes, packets
and so on) filled with zeros. Now that doesn't change the fact that
what is exported by routers is uni-directional ;), and that some
post-processing work is needed to match the in and out part of a
bi-directional flow. And i know no collector doing this job, so it
would have to be done after the flows have been stored on disk, which
seems to me rather sub optimal.
Btw, there is now a draft for a bi-directional support in IPFIX:
http://www.rfc-editor.org/internet-drafts/draft-boschi-ipfix-biflow-01.txt
Regards,
- yann
--
Flowop - collecting NetFlow related discussions
flowop at lists.csrrt.org
More information about the end2end-interest
mailing list