[netsa-tools-discuss] Understanding LOADMETHOD=4

Mark Thomas mthomas at cert.org
Thu Oct 1 13:39:19 EDT 2015 

Aha!  No wonder you are confused.  My math is wrong.

A flow that begins at 12:03:50 and ends at 12:06:20 has a duration
of 150 seconds, not 210 seconds.

If I keep the 60 bytes/second average flow rate, then the overall
number of bytes in the flow is 9000, not 12600.

The updated table reads:

 BIN                 12:03:00    12:04:00    12:05:00    12:06:00
                    
 time-proportional        600        3800        3600        1200
 bin-uniform             2250        2450        2250        2250
 start-spike             9000         200           0           0
 middle-spike               0         200        9000           0
 end-spike                  0         200           0        9000
 maximum-volume          9000        9200        9000        9000
 minimum-volume             0         200           0           0


The long flow spends 10 seconds in the first bin, 60 seconds in the
middle two bins, and 20 seconds in the final bin.

Thank you for pointing out this error.

-Mark


On Thu, 1 Oct 2015 22:14:00 +0500, asad wrote:

> Sorry,
>
> Last line would would be
>
> 12,600/210= 60.
>
>
>
> On Thu, Oct 1, 2015 at 10:04 PM, asad <a.alii85 at gmail.com> wrote:
>
>> Thanks Marks for step by step explanation, can using flows/second I can
>> fill in the table as needed.
>>
>> The only thing I'm still confused is for "time-proportional" or
>> "--load-scheme=4" how are "active flows" calculated,
>>
>> Like   (bytes/second  )* active flows=
>>
>> In the example mentioned in the link here
>> http://tools.netsa.cert.org/silk/rwcount.html
>>
>> Time proportional columns (first is ) 600
>>
>> Now
>> (60 bytes/210 seconds)=60 should I consider active flows as 10 seconds
>>
>> Thanks.
>>
>> On Thu, Oct 1, 2015 at 8:08 PM, Mark Thomas <mthomas at cert.org> wrote:
>>
>>> For a record that spans multiple bins, divide the flow by its
>>> duration to get values for
>>>
>>>   flows/second
>>>   bytes/second
>>>   packets/second
>>>
>>> The example flow has 3000 bytes and 300 packets across 60 seconds,
>>> and the values are:
>>>
>>>   flows/second   =    1/60
>>>   bytes/second   =   50
>>>   packets/second =    5
>>>
>>> To find the amount of volume to add to each bin, multiply the
>>> per-second values by the time spent in the bin.
>>>
>>> For the first bin, the number of seconds in the bin is
>>>
>>>   bin_end_time - flow_start_time
>>>
>>> For the final bin, the number of seconds is
>>>
>>>   flow_end_time - bin_start_time
>>>
>>> For the middle bin(s), the number of seconds is the bin_size.
>>>
>>> I think that example may have been more clear if the flow spent 10
>>> seconds in the first bin and 20 seconds in the final bin.
>>>
>>> There is another example in the rwcount manual page.
>>> http://tools.netsa.cert.org/silk/rwcount.html
>>>
>>> See also the discussion (and picture) in section 3.4.4 of the
>>> Analyst's Handbook.
>>> http://tools.netsa.cert.org/silk/analysis-handbook.pdf
>>>
>>> -Mark
>>>
>>>
>>> On Thu, 1 Oct 2015 14:56:43 +0500, asad wrote:
>>>
>>> > Hello,
>>> >
>>> > I'm following the excellent write - up here,
>>> >
>>> >
>>> https://tools.netsa.cert.org/confluence/display/tt/Using+--load-scheme+to+Allocate+Flows+to+Bins+in+rwcount
>>> >
>>> > I'm only stuck at last example for LOADMETHOD=4 here is the chart given
>>> >
>>> > The first bin 1 in bytes rows is given value of "750", If  Each bin is
>>> > allocated a percentage of the flow's record, packets and bytes
>>> > proportional to the amount of the flow's active time that spans the
>>> > bin what is the backend mathematical formula used? Thanks.
>>> >
>>> > regards.
>>> > Asad
>>>
>>
>>

More information about the netsa-tools-discuss mailing list