[netsa-tools-discuss] Understanding LOADMETHOD=4
Mark Thomas
mthomas at cert.org
Mon Oct 5 10:07:15 EDT 2015
Asad-

There is no concept of an "inactive flow" record in SiLK. Each flow
that exists is an "active" flow record. Alternatively, one could
say a flow record is active from its start-time to its end-time.

In rwcount, a flow is said to be "active" during a bin when the time
window of the bin overlaps with at least part of the flow record's
duration. Mathematically, a flow record is active in a bin when
both of these are true:

    flow.start_time < bin.end_time
    flow.end_time >= bin.start_time

Does that help?

-Mark

On Mon, 5 Oct 2015 13:06:01 +0500, asad wrote:
> Mark,
> I'm glad I'm of any help to this wonderful community.
>
> At the end, you mentioned about the time a long flow spends in return
> you are referring to "active flows" I believe but where these values
> are defined/calc in the first place.
>
> regards
> Asad
>
>
> On 10/1/15, Mark Thomas <mthomas at cert.org> wrote:
>> Aha! No wonder you are confused. My math is wrong.
>>
>> A flow that begins at 12:03:50 and ends at 12:06:20 has a duration
>> of 150 seconds, not 210 seconds.
>>
>> If I keep the 60 bytes/second average flow rate, then the overall
>> number of bytes in the flow is 9000, not 12600.
>>
>> The updated table reads:
>>
>> BIN                12:03:00  12:04:00  12:05:00  12:06:00
>>
>> time-proportional       600      3800      3600      1200
>> bin-uniform            2250      2450      2250      2250
>> start-spike            9000       200         0         0
>> middle-spike              0       200      9000         0
>> end-spike                 0       200         0      9000
>> maximum-volume         9000      9200      9000      9000
>> minimum-volume            0       200         0         0
>>
>>
>> The long flow spends 10 seconds in the first bin, 60 seconds in the
>> middle two bins, and 20 seconds in the final bin.
>>
>> Thank you for pointing out this error.
>>
>> -Mark
>>
>>
>> On Thu, 1 Oct 2015 22:14:00 +0500, asad wrote:
>>
>>> Sorry,
>>>
>>> Last line would be
>>>
>>> 12,600/210= 60.
>>>
>>>
>>>
>>> On Thu, Oct 1, 2015 at 10:04 PM, asad <a.alii85 at gmail.com> wrote:
>>>
>>>> Thanks Mark for step by step explanation, can using flows/second I can
>>>> fill in the table as needed.
>>>>
>>>> The only thing I'm still confused is for "time-proportional" or
>>>> "--load-scheme=4" how are "active flows" calculated,
>>>>
>>>> Like (bytes/second )* active flows=
>>>>
>>>> In the example mentioned in the link here
>>>> http://tools.netsa.cert.org/silk/rwcount.html
>>>>
>>>> Time proportional columns (first is ) 600
>>>>
>>>> Now
>>>> (60 bytes/210 seconds)=60 should I consider active flows as 10 seconds
>>>>
>>>> Thanks.
>>>>
>>>> On Thu, Oct 1, 2015 at 8:08 PM, Mark Thomas <mthomas at cert.org> wrote:
>>>>
>>>>> For a record that spans multiple bins, divide the flow by its
>>>>> duration to get values for
>>>>>
>>>>> flows/second
>>>>> bytes/second
>>>>> packets/second
>>>>>
>>>>> The example flow has 3000 bytes and 300 packets across 60 seconds,
>>>>> and the values are:
>>>>>
>>>>> flows/second = 1/60
>>>>> bytes/second = 50
>>>>> packets/second = 5
>>>>>
>>>>> To find the amount of volume to add to each bin, multiply the
>>>>> per-second values by the time spent in the bin.
>>>>>
>>>>> For the first bin, the number of seconds in the bin is
>>>>>
>>>>> bin_end_time - flow_start_time
>>>>>
>>>>> For the final bin, the number of seconds is
>>>>>
>>>>> flow_end_time - bin_start_time
>>>>>
>>>>> For the middle bin(s), the number of seconds is the bin_size.
>>>>>
>>>>> I think that example may have been more clear if the flow spent 10
>>>>> seconds in the first bin and 20 seconds in the final bin.
>>>>>
>>>>> There is another example in the rwcount manual page.
>>>>> http://tools.netsa.cert.org/silk/rwcount.html
>>>>>
>>>>> See also the discussion (and picture) in section 3.4.4 of the
>>>>> Analyst's Handbook.
>>>>> http://tools.netsa.cert.org/silk/analysis-handbook.pdf
>>>>>
>>>>> -Mark
>>>>>
>>>>>
>>>>> On Thu, 1 Oct 2015 14:56:43 +0500, asad wrote:
>>>>>
>>>>> > Hello,
>>>>> >
>>>>> > I'm following the excellent write-up here,
>>>>> >
>>>>> > https://tools.netsa.cert.org/confluence/display/tt/Using+--load-scheme+to+Allocate+Flows+to+Bins+in+rwcount
>>>>> >
>>>>> > I'm only stuck at last example for LOADMETHOD=4 here is the chart
>>>>> > given
>>>>> >
>>>>> > The first bin 1 in bytes rows is given value of "750", If Each bin
>>>>> > is allocated a percentage of the flow's record, packets and bytes
>>>>> > proportional to the amount of the flow's active time that spans the
>>>>> > bin what is the backend mathematical formula used? Thanks.
>>>>> >
>>>>> > regards.
>>>>> > Asad
>>>>>
>>>>
>>>>
>>
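
Added example (not part of the original thread, and not SiLK's own code): a Python sketch of the time-proportional allocation and the "active in a bin" test described in the messages above, run on the long flow from the updated table. The start and end times of the 200-byte flow, the handling of zero-duration flows, and all function names are assumptions of this example.

```python
from datetime import datetime, timedelta

def active_in_bin(flow_start, flow_end, bin_start, bin_size):
    """Predicate from the thread: the flow overlaps the bin's time window."""
    return flow_start < bin_start + bin_size and flow_end >= bin_start

def time_proportional(flow_start, flow_end, volume, bin_start, bin_size):
    """Share of `volume` (bytes, packets or flows) allocated to one bin."""
    duration = (flow_end - flow_start).total_seconds()
    bin_end = bin_start + bin_size
    if duration == 0:
        # Assumption of this example: a zero-length flow lands whole in
        # the bin holding its start time (avoids dividing by zero).
        return float(volume) if bin_start <= flow_start < bin_end else 0.0
    # Seconds the flow spends inside this bin; negative means no overlap.
    overlap = (min(flow_end, bin_end) - max(flow_start, bin_start)).total_seconds()
    return volume / duration * max(overlap, 0.0)

def bin_table(flows, first_bin, bin_size, nbins):
    """Return (bin label, active flow count, allocated volume) per bin."""
    rows = []
    for i in range(nbins):
        b = first_bin + i * bin_size
        active = sum(active_in_bin(s, e, b, bin_size) for s, e, _ in flows)
        total = sum(time_proportional(s, e, v, b, bin_size) for s, e, v in flows)
        rows.append((b.strftime("%H:%M:%S"), active, round(total)))
    return rows

def t(hms):
    """Parse HH:MM:SS on a fixed (constructed) date."""
    return datetime.strptime("2015-10-01 " + hms, "%Y-%m-%d %H:%M:%S")

FLOWS = [
    (t("12:03:50"), t("12:06:20"), 9000),  # long flow from the thread
    (t("12:04:10"), t("12:04:30"), 200),   # constructed times; 200 bytes in the 12:04 bin
]
TABLE = bin_table(FLOWS, t("12:03:00"), timedelta(seconds=60), 4)

if __name__ == "__main__":
    for row in TABLE:
        print(row)
```

A flow that ends exactly on a bin boundary satisfies the "active" predicate for the following bin but spends zero seconds there, so it adds nothing to that bin under time-proportional allocation.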