Background: Know: prereq - TCP connection, socket, UDP, TCP, FIN, interface, IP Type Of Service, Recognize:
A flow is a set of packets with common characteristics within a given time frame and a given direction. It is identified as a unidirectional stream of packets between a given source and destination. Hence a flow is a burst of traffic which normally corresponds to a TCP connection, but could be UDP traffic as well. Flows are identified by socket parameters, interface, type of service, and time:
A socket is used for communication between two devices on a network. A socket needs some key fields to carry out its functions:
- IP addresses of the source and destination nodes, because a socket has a bind function which associates it with a socket address structure, i.e. a port number and an IP address.
- Ports on the source and destination are needed for communication to be carried out through sockets (ICMP has no ports; its type/code is used instead).
- Protocol: the protocol field of the IP (layer 3) header, such as TCP or UDP, must be specified for the socket, as it defines the mode of communication (connection-oriented or connectionless).
The interface on the observing device (where the flow originates or terminates) can help to create a globally unique host identifier when private IP addresses are used for the packets traversing it. Take as an example a router between the UNSW EE building and the CSE building, each of which has its own private network using private addresses for its nodes. The interfaces on the router can then be used to identify whether a packet is coming from the EE or the CSE network, even though both networks may be using the same private IP addresses.
The Type of Service which a flow receives is identified by the ToS byte in the IPv4 packet header, which can specify how packets from the flow are forwarded on the basis of throughput, delay and other quality-of-service requirements.
Each active flow record is saved in a cache, which holds information about the key fields of the flow and is later used to export data to a collection device. Time is an optional parameter, which indicates when a flow expires and is removed from the cache:
- after 15 seconds of inactivity (default)
- after 30 minutes of activity (default; the underlying packet conversation remains undisturbed)
- each flow record in the cache is exported to a flow collector server periodically based on the flow timers, so that the collector becomes aware of long flows without delay
- TCP connections which have reached the end of the byte stream (FIN) or which have been reset (RST); closing the flow then indicates that the higher-layer session is closing
- if the cache holding the flows is full
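As an added example (not from these notes), a small Python model of such a flow cache: records are keyed on the fields above (socket parameters, input interface, ToS byte) and exported under each of the expiry rules listed. The packet dicts, the 4-entry cache limit and the trace in demo() are constructed.

```python
INACTIVE_TIMEOUT = 15        # seconds of silence before a flow is exported (page default)
ACTIVE_TIMEOUT = 30 * 60     # seconds a long-lived flow is held before export (page default)
CACHE_LIMIT = 4              # tiny constructed limit so the "cache full" rule is visible
TCP, UDP, TCP_FIN, TCP_RST = 6, 17, 0x01, 0x04

def flow_key(pkt):
    """Key fields from the notes: socket (addresses, ports, protocol), input interface, ToS byte."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"], pkt["ifindex"], pkt["tos"])

class FlowCache:
    def __init__(self):
        self.active = {}     # key -> {"first": t, "last": t, "packets": n, "octets": n}
        self.exported = []   # (key, record, reason) handed to the collector

    def _export(self, key, reason):
        self.exported.append((key, self.active.pop(key), reason))

    def expire(self, now):
        for key, rec in list(self.active.items()):
            if now - rec["last"] >= INACTIVE_TIMEOUT:
                self._export(key, "inactive")
            elif now - rec["first"] >= ACTIVE_TIMEOUT:
                self._export(key, "active")  # conversation continues; the next packet opens a new record

    def observe(self, pkt, now):
        self.expire(now)
        key = flow_key(pkt)
        if key not in self.active:
            if len(self.active) >= CACHE_LIMIT:  # cache full: push out the least recently seen flow
                self._export(min(self.active, key=lambda k: self.active[k]["last"]), "cache_full")
            self.active[key] = {"first": now, "last": now, "packets": 0, "octets": 0}
        rec = self.active[key]
        rec.update(last=now, packets=rec["packets"] + 1, octets=rec["octets"] + pkt["length"])
        if pkt["proto"] == TCP and pkt.get("flags", 0) & (TCP_FIN | TCP_RST):
            self._export(key, "fin_rst")  # byte stream ended or reset: the higher-layer session is closing

def demo():
    """Constructed trace that triggers every expiry rule; returns the export reasons in order."""
    base = dict(src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=80, proto=TCP, ifindex=1, tos=0, length=60)
    cache = FlowCache()
    cache.observe(base, now=0.0)
    cache.observe(dict(base, flags=TCP_FIN), now=1.0)      # FIN closes the TCP flow
    udp = dict(base, sport=5000, dport=53, proto=UDP)
    cache.observe(udp, now=2.0)
    cache.observe(dict(udp, ifindex=2), now=3.0)           # same socket seen on another interface: a distinct flow
    cache.observe(base, now=20.0)                          # both UDP flows have now been idle >= 15 s
    for port in range(1, CACHE_LIMIT + 1):                 # the last of these overfills the cache
        cache.observe(dict(base, sport=port), now=21.0)
    for t in range(22, 22 + ACTIVE_TIMEOUT + 1, 10):       # sport=1 keeps talking for 30 min
        cache.observe(dict(base, sport=1), now=float(t))
    return [reason for _, _, reason in cache.exported]
```

Each exported tuple carries the record's packet and octet counters, which is what a collector would receive and what detection logic (e.g. long idle-timeout flows to one destination) is built on.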