[netsa-tools-discuss] Desc conditions in which records / packets column be same (rwtotal)

asad a.alii85 at gmail.com
Thu Oct 1 05:57:49 EDT 2015


Thanks, Mark. I'm definitely going to read the book you mentioned. It
looks very useful.

On 9/29/15, Mark Thomas <mthomas at cert.org> wrote:
> If you have not done so yet, I would suggest you look at the
> Analyst's Handbook.  Chapter 2 describes the concept of a flow
> record.
> http://tools.netsa.cert.org/silk/analysis-handbook.pdf
>
> A flow record is usually comprised of multiple packets.
> Unfortunately the NetFlow v9 templates used by some ASA routers do
> not include an information element that contains the packets value,
> so SiLK puts a value of 1 into the packets field for these flow
> records.
>
> -Mark
>
>
> -----Original Message-----
> From: asad <a.alii85 at gmail.com>
> Date: Tue, 29 Sep 2015 14:24:18 +0500
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] Desc conditions in which records / packets column be same (rwtotal)
>
> Hi,
>
> For cmd
>
> " rwtotal --proto --skip-zero int2int-S0_20150914.06"
>
> I see following
>
> protocol|   Records|        Bytes|  Packets|
>        1|    373755|     28135559|   373755|
>        6|   1480123|  79176833964|  1480123|
>       17|    329373|   2177196804|   329373|
>       47|         6|        12011|        6|
>       89|        22|       359200|       22|
>
> Usually the records and packets columns are not the same (but in my case
> I'm getting flows from a Cisco ASA, which follows an event-driven model
> for flow exporting).
>
> This also begs a question for which I want some help from the community:
> what is the difference between "records", "packets" and "flows"? For me
> it works like the following analogy; please correct me if I'm wrong:
>
> "records" -> big box
> "packets" -> mini-boxes
> "flows" -> envelopes
>
> Also, between pkts and flows, e.g. how many packets are needed to
> contain a single flow? Thanks
>
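As an added example (not code from the thread or from SiLK itself), a small Python check over the rwtotal output quoted above that flags protocols whose packet counts look like the fill-in value of 1 Mark describes for ASA NetFlow v9 exports. The 1500-byte average-packet-size threshold and the 100-record minimum are assumptions chosen for the sample.

```python
from dataclasses import dataclass

# Constructed sample: the rwtotal --proto --skip-zero output quoted in the thread.
SAMPLE_RWTOTAL = """\
protocol|   Records|        Bytes|  Packets|
       1|    373755|     28135559|   373755|
       6|   1480123|  79176833964|  1480123|
      17|    329373|   2177196804|   329373|
      47|         6|        12011|        6|
      89|        22|       359200|       22|
"""

# Assumption: the sensor sits on an Ethernet-MTU path, so a per-protocol average
# above 1500 bytes per packet means the packet counter cannot be right.
MAX_SANE_BYTES_PER_PACKET = 1500

@dataclass
class ProtoTotal:
    protocol: int
    records: int
    bytes: int
    packets: int

def parse_rwtotal(text):
    """Parse rwtotal's pipe-delimited table into ProtoTotal rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|") if f.strip()]  # drops the empty trailing field
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # header or blank line
        rows.append(ProtoTotal(*map(int, fields)))
    return rows

def audit(text, min_records=100):
    """Return {protocol: [flags]} for rows whose packet counts look unexported.
    A flow record normally spans several packets, so packets == records over many
    records means the exporter (the thread's ASA NetFlow v9 case) sent no packet
    count and SiLK filled in 1; bytes/packets then becomes impossibly large.
    min_records keeps a handful of genuinely single-packet flows from being flagged.
    """
    flagged = {}
    for t in parse_rwtotal(text):
        flags = []
        if t.records >= min_records and t.packets == t.records:
            flags.append("packets==records")
        if t.bytes / t.packets > MAX_SANE_BYTES_PER_PACKET:
            flags.append("bytes/packet>1500")
        if flags:
            flagged[t.protocol] = flags
    return flagged
```

Run against a sensor that does export packet counts, the first flag should disappear for every busy protocol; if it persists, per-packet statistics from that sensor (average packet size, packets per flow) are not meaningful.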

