[netsa-tools-discuss] Desc conditions in which records / packets column be same (rwtotal)

Timur D. Snoke tdsnoke at cert.org
Tue Sep 29 09:56:52 EDT 2015


Hello Asad,

I would think of flows and records interchangeably as they are two names for 
the same thing.

I would create a hierarchy like this...

Flows/records -> conversation from Source to Destination(s) on a topic
Packets -> sentences in the conversation on a topic
Bytes -> data volume in the words or word fragments in the sentence on a topic

I know it is kind of clunky but I think it gets the main idea across.

There is no set size for packets per flow but there are hard limits for the 
size of a packet that can be transmitted across certain interfaces. In most 
cases a flow is broken down into the largest packet size that can traverse the 
communications path from end to end. This is the MTU (Message Transmission 
Unit) negotiation and can potentially provide for a larger packet size for 
traffic staying on the LAN as opposed to traffic going out to the internet.

I hope this helps,

Timur Snoke

> -----Original Message-----
> From: netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org
> [mailto:netsa-tools-discuss-bounces+tdsnoke=cert.org at cert.org] On Behalf
> Of asad
> Sent: Tuesday, September 29, 2015 5:24 AM
> To: netsa-tools-discuss at cert.org
> Subject: [netsa-tools-discuss] Desc conditions in which records / packets
> column be same (rwtotal)
>
> Hi,
>
> For cmd
>
> " rwtotal --proto --skip-zero int2int-S0_20150914.06"
>
> I see the following
>
> protocol|        Records|               Bytes|        Packets|
>        1|         373755|            28135559|         373755|
>        6|        1480123|         79176833964|        1480123|
>       17|         329373|          2177196804|         329373|
>       47|              6|               12011|              6|
>       89|             22|              359200|             22|
>
> Usually the records and packets columns are not the same (but in my case I'm
> getting flows from a Cisco ASA, which follows an event-driven model for
> exporting flows).
>
> This also begs a question for which I want some help from the community: what
> is the difference between "records" and "packets" and "flows"? For me it works
> like the following analogy; please correct me if I'm wrong.
>
> "records" -> big box
> "packets" -> mini-boxes
> "flows"-> envelopes
>
> Also, between pkts and flows, e.g. how many packets are needed to
> contain a single flow? Thanks
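
Added example, not part of either message and not SiLK code: Python that parses the rwtotal table quoted above and computes packets per record and average bytes per packet for each protocol. The 1500-byte MTU is an assumed typical Ethernet value, not a figure from the thread; an average above it means the Packets column cannot be a true packet count, since packet size is bounded as the reply describes.

```python
# Figures copied from the rwtotal output quoted in this thread.
RWTOTAL_OUTPUT = """\
protocol|        Records|               Bytes|        Packets|
       1|         373755|            28135559|         373755|
       6|        1480123|         79176833964|        1480123|
      17|         329373|          2177196804|         329373|
      47|              6|               12011|              6|
      89|             22|              359200|             22|
"""

ASSUMED_MTU = 1500  # assumption: typical Ethernet MTU, not a value from the thread


def parse_rwtotal(text):
    """Parse pipe-delimited rwtotal output into dicts keyed by column title."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    titles = [t.strip().lower() for t in lines[0].rstrip("|").split("|")]
    rows = []
    for ln in lines[1:]:
        values = [int(v) for v in ln.rstrip("|").split("|")]
        if len(values) != len(titles):
            raise ValueError(f"column count mismatch: {ln!r}")
        rows.append(dict(zip(titles, values)))
    return rows


def audit(rows, mtu=ASSUMED_MTU):
    """Return per-protocol ratios and two flags about the packet counter."""
    report = []
    for r in rows:
        if r["records"] == 0 or r["packets"] == 0:
            continue  # empty bins carry no ratio; avoid dividing by zero
        bytes_per_pkt = r["bytes"] / r["packets"]
        report.append({
            "protocol": r["protocol"],
            "pkts_per_record": r["packets"] / r["records"],
            "bytes_per_pkt": bytes_per_pkt,
            # Aggregate packet count equal to the record count.
            "one_pkt_per_record": r["packets"] == r["records"],
            # Average "packet" larger than the assumed link MTU.
            "exceeds_mtu": bytes_per_pkt > mtu,
        })
    return report


if __name__ == "__main__":
    for row in audit(parse_rwtotal(RWTOTAL_OUTPUT)):
        print("proto {protocol:>3}  pkts/rec {pkts_per_record:.2f}  "
              "bytes/pkt {bytes_per_pkt:>10.1f}  "
              "1pkt/rec={one_pkt_per_record}  >MTU={exceeds_mtu}".format(**row))
```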
