[netsa-tools-discuss] Desc conditions in which records / packets column be same (rwtotal)

Mark Thomas mthomas at cert.org
Tue Sep 29 10:40:44 EDT 2015


If you have not done so yet, I would suggest you look at the
Analyst's Handbook.  Chapter 2 describes the concept of a flow
record.
http://tools.netsa.cert.org/silk/analysis-handbook.pdf

A flow record is usually comprised of multiple packets.
Unfortunately the NetFlow v9 templates used by some ASA routers do
not include an information element that contains the packets value,
so SiLK puts a value of 1 into the packets field for these flow
records.

-Mark
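A small check for the situation Mark describes, added here as an example and not part of the thread or of the SiLK tools: it parses rwtotal output (the sample is constructed to mirror the numbers quoted below) and flags when Packets equals Records for every protocol, the sign that SiLK filled in the packets field because the exporter did not send it.

```python
# Added example, not from the thread: parse "rwtotal --proto" output and flag the
# Packets == Records artifact Mark describes (exporter omitted the packet count,
# SiLK stored 1 packet per record). Both samples below are constructed; the first
# mirrors the numbers quoted in the thread.
RWTOTAL_SAMPLE = """\
protocol|   Records|        Bytes|   Packets|
       1|    373755|     28135559|    373755|
       6|   1480123|  79176833964|   1480123|
      17|    329373|   2177196804|    329373|
      47|         6|        12011|         6|
      89|        22|       359200|        22|
"""
# Healthy output where the exporter sent real packet counts (multi-packet flows).
HEALTHY_SAMPLE = """\
protocol|   Records|        Bytes|   Packets|
       6|      1000|      4200000|     35000|
      17|       500|       250000|      2000|
"""

def parse_rwtotal(text):
    """Parse pipe-delimited rwtotal output into {proto: {records, bytes, packets}}."""
    rows = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|") if f.strip()]
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # header, blank, or unexpected line
        proto, records, nbytes, packets = (int(f) for f in fields)
        rows[proto] = {"records": records, "bytes": nbytes, "packets": packets}
    return rows

def one_packet_protocols(rows):
    """Protocols where Packets == Records. For TCP (6) that is implausible for real
    traffic and is the tell-tale sign that no packet count was exported."""
    return sorted(p for p, r in rows.items() if r["packets"] == r["records"])

def bytes_per_packet(rows):
    """Average bytes per packet. With packets filled as 1 this is really bytes per
    flow and exceeds any sane MTU, a second tell (and a misleading metric)."""
    return {p: r["bytes"] / r["packets"] for p, r in rows.items() if r["packets"]}

def packet_counts_missing(rows):
    """True when every protocol shows Packets == Records: do not trust the packets
    field for this data set; analyse on Records and Bytes instead."""
    return bool(rows) and one_packet_protocols(rows) == sorted(rows)

if __name__ == "__main__":
    for name, sample in (("asa", RWTOTAL_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        rows = parse_rwtotal(sample)
        print(name, packet_counts_missing(rows), one_packet_protocols(rows))
```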


-----Original Message-----
From: asad <a.alii85 at gmail.com>
Date: Tue, 29 Sep 2015 14:24:18 +0500
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Desc conditions in which records / packets column be same (rwtotal)

Hi,

For cmd

" rwtotal --proto --skip-zero int2int-S0_20150914.06"

I see following

protocol|   Records|        Bytes|   Packets|
       1|    373755|     28135559|    373755|
       6|   1480123|  79176833964|   1480123|
      17|    329373|   2177196804|    329373|
      47|         6|        12011|         6|
      89|        22|       359200|        22|

Usually the records and packets columns are not the same (but in my case
I'm getting flows from Cisco ASA, which follows an event-driven model
for flow exporting).

This also begs a question for which I want some help from the community:
what is the difference between "records", "packets" and "flows"? For me
it works like the following analogy; please correct me if I'm wrong.

"records" -> big box
"packets" -> mini-boxes
"flows"-> envelopes

Also, between pkts and flows, e.g. how many packets are needed to
contain a single flow? Thanks
