[Bloat] measuring "flows-in-progress" over an interval

Dave Taht dave.taht at gmail.com
Mon Jul 30 14:11:12 EDT 2018


Of mice, elephants, ants, and lemmings....

I frequently take packet captures to look at actual traffic on my
production network, then look at them in wireshark or take them apart
via tcptrace. Eyeball gives one measurement. Tcptrace gives me a
measurement of how many tcp flows were present over that interval, and
completed, but not udp. We can't easily measure udp quic traffic for
"completion", but we can look at peaks and valleys and the actual
presence of that "flow". DNS, and a zillion other sorts of
transactions (even arp), to me, count as one or two packet flows.

Is there a tool out there that can pull out active flows of all sorts
from a cap?

somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190

There was a classic one (early 90s) on self-similar behavior that I
cannot remember just now. Used to cite it....

-- 

Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
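A sketch of the kind of tool the post asks about, added here as an example and not part of the original thread or of tcptrace: a pure-Python libpcap reader that keys every frame (TCP, UDP, other IP, ARP) into a direction-independent flow and counts the flows that had at least one packet inside a chosen interval, so one- and two-packet transactions are counted alongside long TCP connections. It assumes a classic microsecond-timestamp libpcap file (not pcapng) with Ethernet framing; the capture it parses is constructed inline.

```python
import struct
from collections import defaultdict

def read_pcap(data):
    """Minimal libpcap (not pcapng) reader: yields (timestamp, frame)."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"  # writer's byte order; microsecond timestamps assumed
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):              # 16-byte record header precedes each frame
        sec, usec, incl, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl
def flow_key(frame):
    """Direction-independent key: TCP/UDP by 5-tuple, other IP by (proto, IPs), ARP by IP pair."""
    etype, = struct.unpack_from("!H", frame, 12)
    if etype == 0x0806:                       # ARP: sender IP at offset 28, target IP at 38
        return ("ARP",) + tuple(sorted((frame[28:32], frame[38:42])))
    if etype != 0x0800: return ("L2", etype)  # non-IPv4 traffic bucketed by EtherType
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = frame[26:30], frame[30:34]
    if proto in (6, 17):                      # TCP/UDP ports directly follow the IP header
        sp, dp = struct.unpack_from("!HH", frame, 14 + ihl)
        return ({6: "TCP", 17: "UDP"}[proto],) + tuple(sorted(((src, sp), (dst, dp))))
    return ("IP", proto) + tuple(sorted((src, dst)))
def flows_in_interval(pcap_bytes, t0, t1):
    """Map every flow with at least one packet in [t0, t1) to its packet count."""
    flows = defaultdict(int)
    for ts, frame in read_pcap(pcap_bytes):
        if t0 <= ts < t1:
            flows[flow_key(frame)] += 1
    return dict(flows)

# Constructed sample capture (synthetic frames, not real traffic): a TCP connection,
# a DNS query/reply, an ARP exchange inside the first second, and a later TCP connection.
def eth(etype, body): return bytes(12) + struct.pack("!H", etype) + body
def ip4(proto, src, dst, body):
    return eth(0x0800, struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0, src, dst) + body)
def tcp(src, sp, dst, dp): return ip4(6, src, dst, struct.pack("!HH", sp, dp) + bytes(16))
def udp(src, sp, dst, dp): return ip4(17, src, dst, struct.pack("!HHHH", sp, dp, 8, 0))
def arp(op, sip, tip):
    return eth(0x0806, struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, bytes(6), sip, bytes(6), tip))
A, B, C, D = (bytes([10, 0, 0, n]) for n in (1, 2, 3, 4))
FRAMES = [(0.1, tcp(A, 40000, B, 443)), (0.3, tcp(B, 443, A, 40000)),
          (0.5, udp(A, 5353, C, 53)), (0.6, udp(C, 53, A, 5353)),
          (0.7, arp(1, A, D)), (0.8, arp(2, D, A)), (2.0, tcp(A, 40001, B, 443))]
def write_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in records: out += struct.pack("<IIII", int(ts), int(round(ts % 1 * 1e6)), len(frame), len(frame)) + frame
    return out
SAMPLE_PCAP = write_pcap(FRAMES)
```

Over the interval [0, 1) the sample yields three flows (one TCP, one UDP, one ARP, two packets each); widening it to [0, 3) picks up the fourth flow that starts at t=2.0.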

