[Flow-tools] Newbie doubt
Dave Plonka
plonka at doit.wisc.edu
Tue Sep 25 09:56:50 EDT 2007
On Mon, Sep 24, 2007 at 04:38:04PM -0300, Caio Brentano wrote:
> Please, someone answer this stupid doubt.
>
> Any report has 3 basic values: packets, octets and flows. If I want to know
> the traffic between 2 IP addresses, I must analyse the OCTETS value, right?
If you want to estimate a traffic rate, in bits per second, yes.
Packets per second and flows per second are also interesting, especially
for applications such as detecting anomalies such as denial-of-service
attacks that are often invisible if you only consider bits per second.
> This is the "amount of data" in each flow collect, right?
Yes, at the IP level. So remember to account for layer-2 headers
and such when considering link capacity.
> What do I have to calculate to get this data in Mbytes?
Apart from the octet bit that has already been followed-up...
Remember that we measure bandwidth/utilization in bits per second,
and that while 1KByte = 1024 bytes, and 1MByte = 1024*1024 bytes,
1Kbit = 1000 bits, and 1Mbit = 1000*1000 bits.
So, bits per second is calculated by totaling up byte values from
flow records and multiplying by 8, then converting to a rate by
dividing by the collection interval in seconds (i.e. 300 = 5 mins).
(We also multiply by the sample rate if packet sampling is used
for the specific flow export implementation you're using.)
To get the appropriate metric prefix for the magnitude, I use a perl
subroutine called "scale" based on Tobi Oetiker's code to convert to
"M", "k", or whatever prefix is appropriate. Search for "sub scale"
in here:
http://net.doit.wisc.edu/~plonka/FlowScan/new/CampusIO.pm
I'll admit some early versions of my code had a problem with using
1024 rather than 1000, as I incorrectly thought bits were measured
like bytes (with power of 2 multipliers).
Dave
As an aside, "Networks: A Systems Approach" by Larry Peterson and Bruce
Davie is a good book with side-bars about this and other such topics.
--
plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka/ Madison, WI
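
The rate calculation described in the reply above, as an added example that is not part of the original post and is not FlowScan's code. The record layout, function names and all sample values are assumptions constructed for illustration; `scale` here is an independent sketch, not the Perl subroutine in CampusIO.pm.

```python
# Added example: bits/s, packets/s and flows/s from one collection interval.
# All records below are constructed sample data (documentation address ranges).
from collections import namedtuple

Flow = namedtuple("Flow", "src dst packets octets")

def between(flows, a, b):
    """Select flows exchanged between two IP addresses, in either direction."""
    return [f for f in flows if {f.src, f.dst} == {a, b}]

def rates(flows, interval=300, sample_rate=1):
    """Return (bits/s, packets/s, flows/s) for one collection interval.

    Octets are IP-level bytes, so layer-2 overhead is not included.
    sample_rate is N for 1-in-N packet sampling (1 = unsampled); the flow
    count is left unscaled because sampling does not miss flows uniformly.
    """
    flows = list(flows)
    bps = sum(f.octets for f in flows) * sample_rate * 8 / interval
    pps = sum(f.packets for f in flows) * sample_rate / interval
    fps = len(flows) / interval
    return bps, pps, fps

def scale(value, unit="b/s"):
    """Format with a decimal (power-of-1000) metric prefix, as bit rates use."""
    for prefix in ("", "k", "M", "G", "T"):
        if abs(value) < 1000 or prefix == "T":
            return f"{value:.2f} {prefix}{unit}"
        value /= 1000

# Constructed sample: one bulk transfer between two hosts ...
bulk = [Flow("192.0.2.10", "192.0.2.20", 25000, 37_500_000)]
# ... and a flood of 30000 single-packet, 40-octet flows at the same target.
flood = [Flow(f"198.51.100.{i % 254 + 1}", "192.0.2.10", 1, 40)
         for i in range(30000)]

if __name__ == "__main__":
    pair = between(bulk + flood, "192.0.2.10", "192.0.2.20")
    for name, flows in (("host pair", pair), ("flood", flood)):
        bps, pps, fps = rates(flows)
        print(f"{name:9s} {scale(bps):>12s} {pps:8.2f} pkt/s {fps:8.2f} flows/s")
```

On this sample the flood carries about 3% of the bulk transfer's bit rate but a higher packet rate and 30000 times the flow rate, which is why bits per second alone can hide it.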