On Mon, Sep 24, 2007 at 04:38:04PM -0300, Caio Brentano wrote: > Please, someone answer this stupid doubt. > > Any report have 3 basic values: packets, octets and flows. If I want to know > the traffic between 2 IP address, I must analyse the OCTETS value, right?
If you want to estimate a traffic rate, in bits per second, yes. Packets per second and flows per second are also interesting, especially for appliation such as detecting anomalies such as denial-of-service attacks that are often invisible if you only consider bits per second. > This is the "amount of data" in each flow collect, right? Yes, at the IP level. So remember to account for layer-2 headers and such when considering link capacity. > What I have to calculate to get this data in Mbytes ? Apart from the octet bit that has already been followed-up... Remember that we measure bandwidth/utilization in bits/per second. and that while 1KByte = 1024 bytes, and 1MByte = 1024*1024 bytes, 1Kbit = 1000 bits, and 1Mbit = 1000*1000 bits. So, bits per second is calculated by totaling up byte values from flow records and multiplying by 8, then converting to a rate by dividing by the collection interval in seconds (ie. 300 = 5 mins). (We also multiple by the sample rate if packet sampling is used for the specific flow export implementation you're using.) To get the appropriate metrix prefix for the magnitude, I use a perl subroutine called "scale" based on Tobi Oetiker's code to convert to "M", "k", or whatever prefix is appropriate. Search for "sub scale" in here: http://net.doit.wisc.edu/~plonka/FlowScan/new/CampusIO.pm I'll admit some early versions of my code had a problem with using 1024 rather than 1000, as I incorrectly thought bits were measured like bytes (with power of 2 multipliers). Dave As an aside, "Networks: A Systems Approach" by Larry Peterson and Bruce Davie is a good book with side-bars about this and other such topics. -- [EMAIL PROTECTED] http://net.doit.wisc.edu/~plonka/ Madison, WI _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
