I work on a team developing a web statistics analysis tool based on flow-tools. We run a distributed perl backend, which collects statistics to a centralized database, and we have a web frontend to query statistic reports. We are planning a beta release in a few weeks; the system will be GPL licensed. I will try to put up an online demonstration for users to test whether the tool will suit their needs, but have to clear a few political issues regarding how detailed the reports made available to the public should be.

Right now I am writing a short user manual, and have to document all values we present in the reports. In the summary report we pretty much pass through the fields from flow-stat, and I could not find good documentation on all the fields in that report. Therefore I need some help on understanding some fields, especially:
- "Total Time (1/1000 secs) (flows): "
- "Duration of data (realtime) : "
- "Duration of data (1/1000 secs) : "


I am also not 100% sure on the difference between flow and real values on all the average fields, for example flows/sec (real) and (flow).

Currently I have the following documentation on the summary fields, and would really appreciate tips on topics I could have misunderstood, and help understanding the fields above which I don't understand. (The docs below are taken from the middle of a manual, so a few things seem to be taken out of the air; for example we divide measured octets and packets by the sample rate, but we don't with flows, so we have to explain the accuracy of the respective fields in the manual.)

<itemizedlist>

<listitem><para><emphasis>Total flows</emphasis>:
This shows the total number of flows in the time period.</para>

<para>When the source is sampled netflow, the data is not multiplied, in contrast to packets and octets. Thus for sampled data the number of flows is not an estimate of the real value, but rather the measured number of flows itself, which only includes discovered flows.</para></listitem>


<listitem><para><emphasis>Total octets</emphasis>
This shows the estimated total octets in the time period. The traffic is measured by the size of the whole IP packets, including both headers and payload.</para>

<para>When the source is sampled, octets are estimated by division by the sample rate, which introduces inaccuracy.</para></listitem>


<listitem><para><emphasis>Total packets</emphasis>
This shows the total number of packets in the selected time period. This data is still accurate if the source is sampled.
</para></listitem>


<listitem><para><emphasis>Total time</emphasis>
This shows the time of each flow added together, i.e. the duration all flows would have if they were run in serial. In practice a lot of flows are active simultaneously in the router, so this total value will normally be much greater than the actual time period from which the data is collected.
</para>
<para>When the data is sampled, this value is based on the measured number of flows, which is much lower than the actual value, because not all flows are discovered.</para>
</listitem>


<listitem><para><emphasis>Data duration</emphasis>
This shows the duration of the period from the <emphasis role="strong">start</emphasis> of the first flow represented in the period until the <emphasis role="strong">end</emphasis> of the last flow.</para>


<para>The reason why the data duration is slightly different from the selected time period is that netflow data for a flow is not exported from the router before the end of the flow. Therefore, a flow which spans the border from the previous to the current time period will be included in the report. </para>

<note><title>Note on inaccuracy due to late exported flow data</title>
<para>The fact that flow data from a previous time period can be included in the statistics for this time period will obviously cause some inaccuracy relative to the real traffic for that period. However, there will <emphasis>not</emphasis> be a general over- or underestimation of the flow data, because on average an equal number of flows will be lost at the end of the time period as the extra ones counted at the beginning of the period. The delayed flow exports will give the effect of a time delay on the time series, and long flows will affect the data as a time-averaging filter (for those who know signal theory).</para>
</note>
</listitem>


<listitem><para><emphasis>Data duration [real]</emphasis>

</para></listitem>

<listitem><para><emphasis>Average flow time [ms]</emphasis>
The average flow time is an average over the flow time for each of the measured flows.</para>

<para>When sampling is enabled, flow start and end are not as accurate as when it is not. The reason is that <literal>SYN</literal>
and <literal>FIN</literal> packets may not be discovered, and in periods of the flow with a small amount of traffic, the flow could wrongly be estimated to have ended; when the flow is discovered again it will count as a new flow.
</para></listitem>


<listitem><para><emphasis>Average packet size</emphasis>
This shows the average size of a packet, which is computed from the estimated number of octets divided by the number of packets. The average packet size is the IP packet size including both headers and payload.
</para></listitem>


<listitem><para><emphasis>Average flow size</emphasis>
This shows the average size of the flows, from the measured
</para></listitem>

<listitem><para><emphasis>Average packets per flow</emphasis>
</para></listitem>

<listitem><para><emphasis>Average flows per second (flow)</emphasis>
</para></listitem>

<listitem><para><emphasis>Average flows per second (real)</emphasis>
</para></listitem>

<listitem><para><emphasis>Average bits per second (flow)</emphasis>
</para></listitem>

<listitem><para><emphasis>Average bits per second (real)</emphasis>
</para></listitem>


</itemizedlist>



Kind regards,
Andreas


-- 
Andreas Åkre Solberg, Brattørgata 3B, 7010 Trondheim, Norway
[EMAIL PROTECTED] - <http://solweb.no>

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
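The summary fields the manual draft above defines (total time as the sum of every flow's own duration, data duration as first start to last end, totals scaled by the sample rate for octets and packets but not for flows, and the derived averages) are easiest to pin down by computing them from a handful of flow records. The following is an added example, not code from the flow-tools project or from the tool described in the message; the flow records are constructed, and the mapping of the "(real)" rate variants onto the length of the selected time period (versus the "(flow)" variants onto the flow-derived data duration) is an assumption made here, not something the message confirms.

```python
"""Summary-report fields computed from NetFlow-style flow records.

Added example (not flow-tools code). Timestamps are in milliseconds,
matching the 1/1000 secs units used in the flow-stat summary.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    first_ms: int    # start of the flow (1/1000 secs)
    last_ms: int     # end of the flow (1/1000 secs)
    packets: int     # packets counted by the exporter
    octets: int      # octets counted by the exporter (IP header + payload)


def summarize(flows, period_ms, sample_rate=1.0):
    """Return the summary fields for one reporting period.

    period_ms   -- length of the selected time period; ASSUMPTION: the
                   '(real)' rate fields are taken relative to this
    sample_rate -- fraction of packets the exporter inspected (1.0 = no
                   sampling, 0.01 = 1 in 100). Octets and packets are
                   divided by it to estimate the unsampled totals; the flow
                   count is deliberately left unscaled, as the draft states.
    """
    if not flows:
        raise ValueError("no flows in period")
    n_flows = len(flows)                                  # never scaled
    est_packets = sum(f.packets for f in flows) / sample_rate
    est_octets = sum(f.octets for f in flows) / sample_rate
    # Total time: every flow's own duration added together, i.e. the time
    # the flows would take if they ran one after another.
    total_time_ms = sum(f.last_ms - f.first_ms for f in flows)
    # Data duration: first start to last end, so overlapping flows count
    # only once. It can differ from period_ms because a flow is exported
    # only when it ends, so a flow that began before the period shows up.
    duration_ms = max(f.last_ms for f in flows) - min(f.first_ms for f in flows)
    duration_s = duration_ms / 1000
    period_s = period_ms / 1000
    return {
        "total_flows": n_flows,
        "total_octets": est_octets,
        "total_packets": est_packets,
        "total_time_ms": total_time_ms,
        "duration_ms": duration_ms,
        "avg_flow_time_ms": total_time_ms / n_flows,
        "avg_packet_size": est_octets / est_packets,
        "avg_flow_size": est_octets / n_flows,
        "avg_packets_per_flow": est_packets / n_flows,
        "flows_per_sec_flow": n_flows / duration_s,   # relative to data duration
        "flows_per_sec_real": n_flows / period_s,     # relative to the period (assumption)
        "bits_per_sec_flow": est_octets * 8 / duration_s,
        "bits_per_sec_real": est_octets * 8 / period_s,
    }


# Constructed sample: a 60 s period. Three flows overlap in time, and the
# first one started 5 s before the period began but was exported inside it.
SAMPLE_FLOWS = [
    Flow(first_ms=-5_000, last_ms=10_000, packets=100, octets=100_000),
    Flow(first_ms=2_000, last_ms=40_000, packets=300, octets=300_000),
    Flow(first_ms=5_000, last_ms=45_000, packets=50, octets=50_000),
    Flow(first_ms=30_000, last_ms=50_000, packets=40, octets=40_000),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FLOWS, period_ms=60_000).items():
        print(f"{key:22s}: {value}")
    # With 1-in-100 sampling the octet and packet totals grow 100x while
    # the flow count stays at the measured value.
    sampled = summarize(SAMPLE_FLOWS, period_ms=60_000, sample_rate=0.01)
    print("sampled total_octets  :", sampled["total_octets"])
    print("sampled total_flows   :", sampled["total_flows"])
```

With the sample records the total time (113 000 ms) exceeds the data duration (55 000 ms) because the flows overlap, which is the point the "Total time" entry makes; the data duration in turn is shorter than the 60 s period here only because no flow happened to run to the period's end, and it can just as well be longer when a flow that started in the previous period is exported in this one.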
