[netsa-tools-discuss] Understanding LOADMETHOD=4

Mark Thomas mthomas at cert.org
Mon Oct 5 10:07:15 EDT 2015


Asad-

There is no concept of an "inactive flow" record in SiLK.  Each flow
that exists is an "active" flow record.  Alternatively, one could
say a flow record is active from its start-time to its end-time.

In rwcount, a flow is said to be "active" during a bin when the time
window of the bin overlaps with at least part of the flow record's
duration.  Mathematically, a flow record is active in a bin when
both of these are true:

  flow.start_time < bin.end_time

  flow.end_time >= bin.start_time

Does that help?

-Mark


On Mon, 5 Oct 2015 13:06:01 +0500, asad wrote:

> Mark,
> I'm glad I'm of any help to this wonderful community.
>
> At the end, you mentioned about the time a long flow spends in return
> you are referring to "active flows" I believe but where these values
> are defined/calc in the first place.
>
> regards
> Asad
>
>
> On 10/1/15, Mark Thomas <mthomas at cert.org> wrote:
>> Aha!  No wonder you are confused.  My math is wrong.
>>
>> A flow that begins at 12:03:50 and ends at 12:06:20 has a duration
>> of 150 seconds, not 210 seconds.
>>
>> If I keep the 60 bytes/second average flow rate, then the overall
>> number of bytes in the flow is 9000, not 12600.
>>
>> The updated table reads:
>>
>>  BIN                 12:03:00    12:04:00    12:05:00    12:06:00
>>
>>  time-proportional        600        3800        3600        1200
>>  bin-uniform             2250        2450        2250        2250
>>  start-spike             9000         200           0           0
>>  middle-spike               0         200        9000           0
>>  end-spike                  0         200           0        9000
>>  maximum-volume          9000        9200        9000        9000
>>  minimum-volume             0         200           0           0
>>
>>
>> The long flow spends 10 seconds in the first bin, 60 seconds in the
>> middle two bins, and 20 seconds in the final bin.
>>
>> Thank you for pointing out this error.
>>
>> -Mark
>>
>>
>> On Thu, 1 Oct 2015 22:14:00 +0500, asad wrote:
>>
>>> Sorry,
>>>
>>> Last line would be
>>>
>>> 12,600/210= 60.
>>>
>>>
>>>
>>> On Thu, Oct 1, 2015 at 10:04 PM, asad <a.alii85 at gmail.com> wrote:
>>>
>>>> Thanks Mark for step by step explanation, using flows/second I can
>>>> fill in the table as needed.
>>>>
>>>> The only thing I'm still confused is for "time-proportional" or
>>>> "--load-scheme=4" how are "active flows" calculated,
>>>>
>>>> Like   (bytes/second  )* active flows=
>>>>
>>>> In the example mentioned in the link here
>>>> http://tools.netsa.cert.org/silk/rwcount.html
>>>>
>>>> Time proportional columns (first is ) 600
>>>>
>>>> Now
>>>> (60 bytes/210 seconds)=60 should I consider active flows as 10 seconds
>>>>
>>>> Thanks.
>>>>
>>>> On Thu, Oct 1, 2015 at 8:08 PM, Mark Thomas <mthomas at cert.org> wrote:
>>>>
>>>>> For a record that spans multiple bins, divide the flow by its
>>>>> duration to get values for
>>>>>
>>>>>   flows/second
>>>>>   bytes/second
>>>>>   packets/second
>>>>>
>>>>> The example flow has 3000 bytes and 300 packets across 60 seconds,
>>>>> and the values are:
>>>>>
>>>>>   flows/second   =    1/60
>>>>>   bytes/second   =   50
>>>>>   packets/second =    5
>>>>>
>>>>> To find the amount of volume to add to each bin, multiply the
>>>>> per-second values by the time spent in the bin.
>>>>>
>>>>> For the first bin, the number of seconds in the bin is
>>>>>
>>>>>   bin_end_time - flow_start_time
>>>>>
>>>>> For the final bin, the number of seconds is
>>>>>
>>>>>   flow_end_time - bin_start_time
>>>>>
>>>>> For the middle bin(s), the number of seconds is the bin_size.
>>>>>
>>>>> I think that example may have been more clear if the flow spent 10
>>>>> seconds in the first bin and 20 seconds in the final bin.
>>>>>
>>>>> There is another example in the rwcount manual page.
>>>>> http://tools.netsa.cert.org/silk/rwcount.html
>>>>>
>>>>> See also the discussion (and picture) in section 3.4.4 of the
>>>>> Analyst's Handbook.
>>>>> http://tools.netsa.cert.org/silk/analysis-handbook.pdf
>>>>>
>>>>> -Mark
>>>>>
>>>>>
>>>>> On Thu, 1 Oct 2015 14:56:43 +0500, asad wrote:
>>>>>
>>>>> > Hello,
>>>>> >
>>>>> > I'm following the excellent write-up here,
>>>>> >
>>>>> >
>>>>> https://tools.netsa.cert.org/confluence/display/tt/Using+--load-scheme+to+Allocate+Flows+to+Bins+in+rwcount
>>>>> >
>>>>> > I'm only stuck at last example for LOADMETHOD=4 here is the chart
>>>>> > given
>>>>> >
>>>>> > The first bin 1 in bytes rows is given value of "750", If  Each bin
>>>>> > is
>>>>> > allocated a percentage of the flow's record, packets and bytes
>>>>> > proportional to the amount of the flow's active time that spans the
>>>>> > bin what is the backend mathematical formula used? Thanks.
>>>>> >
>>>>> > regards.
>>>>> > Asad
>>>>>
>>>>
>>>>
>>
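
The time-proportional allocation discussed in this thread, as an added example that is not part of the original messages or of SiLK's own code: it applies the bytes/second rule and the "active in a bin" test to the corrected 9000-byte flow. The date, the helper names, the zero-length-flow handling and the 200-byte short flow's times are constructed assumptions (the table only shows 200 bytes in the 12:04:00 bin).

```python
from datetime import datetime, timedelta

BIN = timedelta(seconds=60)  # bin size used in the thread's table

def at(hms):
    """Timestamp on a constructed date (the thread gives only times of day)."""
    return datetime.strptime("2015-10-01 " + hms, "%Y-%m-%d %H:%M:%S")

def is_active(flow_start, flow_end, bin_start, bin_end):
    """Both conditions from the thread must hold for the flow to be active."""
    return flow_start < bin_end and flow_end >= bin_start

def time_proportional(flows, first_bin, n_bins, bin_size=BIN):
    """Per-bin byte totals; flows is a list of (start, end, bytes)."""
    totals = [0.0] * n_bins
    for start, end, nbytes in flows:
        duration = (end - start).total_seconds()
        for i in range(n_bins):
            b_start = first_bin + i * bin_size
            b_end = b_start + bin_size
            if not is_active(start, end, b_start, b_end):
                continue
            if duration == 0:
                # Assumption of this example: a zero-length flow has no rate,
                # so its whole volume goes to the one bin holding its time.
                totals[i] += nbytes
                continue
            # Seconds in this bin: bin_end - flow_start for the first bin,
            # flow_end - bin_start for the final bin, bin_size in between.
            seconds = (min(end, b_end) - max(start, b_start)).total_seconds()
            totals[i] += nbytes / duration * seconds
    return totals

def thread_example():
    flows = [
        (at("12:03:50"), at("12:06:20"), 9000),  # long flow from the thread
        (at("12:04:10"), at("12:04:30"), 200),   # constructed short flow
    ]
    return time_proportional(flows, at("12:03:00"), 4)

if __name__ == "__main__":
    for i, total in enumerate(thread_example()):
        print((at("12:03:00") + i * BIN).strftime("%H:%M:%S"), total)
```

The four totals match the time-proportional row of the updated table, and the per-bin seconds (10, 60, 60, 20) are the ones stated for the long flow.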

