CERT
  rwcount ... --load-scheme=LOADMETHOD

The rwcount command provides counts of records, packets and bytes by splitting the time span into equally-spaced bins whose width is given by the --bin-size argument. Because a flow can last anywhere from milliseconds up to the active timeout threshold (30 minutes), it is not uncommon for a flow to span several adjacent bins. The way a flow is split across bins can also be counter-intuitive: a 32-second flow may be spread across three 30-second bins, with only one second in each of the first and last bins.

As an illustrative example, suppose we have a 60-second flow with 300 packets and 3000 bytes that is active across three 30-second bins. Say the flow started in the 15th second of the first bin and ended at the 15th second of the third bin. The --load-scheme argument allows the user to select among several methods for allocating this flow to bins. Currently, LOADMETHOD can take values from 0 to 4; when --load-scheme is not specified, the default is LOADMETHOD=4:

LOADMETHOD=0 (equal allocation across bins)

Each bin is allocated an equal portion of the flow's record, packets, and bytes. In the example, each of the first, second and third bins would be allocated 100 packets, 1000 bytes, and 1/3 of a record.

Count type    Bin 1    Bin 2    Bin 3
Packets         100      100      100
Bytes          1000     1000     1000
Records        0.33     0.33     0.33

LOADMETHOD=1 (first bin allocation)

The bin that contains the flow's start time (sTime) is allocated all of the flow's record, packets and bytes, regardless of the flow's duration. In the example, the first bin would be allocated 300 packets, 3000 bytes and 1 record.

Count type    Bin 1    Bin 2    Bin 3
Packets         300        0        0
Bytes          3000        0        0
Records           1        0        0

LOADMETHOD=2 (last bin allocation)

The bin that contains the flow's end time (eTime) is allocated all of the flow's record, packets and bytes, regardless of the flow's duration. In the example, the third bin would be allocated 300 packets, 3000 bytes, and 1 record.

Count type    Bin 1    Bin 2    Bin 3
Packets           0        0      300
Bytes             0        0     3000
Records           0        0        1

LOADMETHOD=3 (center bin allocation)

The bin that contains the midpoint between the flow's start time (sTime) and end time (eTime) is allocated all of the flow's record, packets and bytes, regardless of the flow's duration. In the example, the center bin would be allocated 300 packets, 3000 bytes and 1 record.

Count type    Bin 1    Bin 2    Bin 3
Packets           0      300        0
Bytes             0     3000        0
Records           0        1        0

LOADMETHOD=4 (proportional allocation across active time) DEFAULT

Each bin is allocated a percentage of the flow's record, packets and bytes proportional to the amount of the flow's active time that spans the bin. In the example, both the first and third bins would be allocated 75 packets, 750 bytes, and 1/4 of a record, while the middle bin would be allocated 150 packets, 1500 bytes, and 1/2 of a record.

Count type    Bin 1    Bin 2    Bin 3
Active time      15       30       15
Packets          75      150       75
Bytes           750     1500      750
Records        0.25      0.5     0.25
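The following Python model is added here to make the five allocation rules concrete; it is an illustration written for this page, not code from SiLK or from rwcount itself. It reproduces the tables above for the page's 60-second example flow and also shows how the 32-second flow mentioned earlier is split by the default scheme. Times are integer milliseconds (the resolution SiLK stores), bin indices count from the epoch, and exact Fractions are used so that the 1/3 record of scheme 0 is not rounded. Two details the page does not specify are assumptions made here: a flow is treated as active over the half-open interval [sTime, eTime), so a flow that ends exactly on a bin boundary does not touch the next bin, and a zero-duration flow is allocated wholly to the bin containing its start time. The function names (`allocate`, `bin_totals`) and the sample flows are constructed for the example.

```python
"""Model of rwcount's --load-scheme bin allocation (added example, not SiLK code)."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Flow:
    """One flow record; times are integer milliseconds since an arbitrary epoch."""
    stime_ms: int
    etime_ms: int
    packets: int
    bytes: int


def overlap_ms(flow, b, bin_ms):
    """Milliseconds of the flow's active time [sTime, eTime) inside bin b."""
    lo = max(flow.stime_ms, b * bin_ms)
    hi = min(flow.etime_ms, (b + 1) * bin_ms)
    return max(0, hi - lo)


def allocate(flow, bin_ms, load_scheme=4):
    """Return {bin_index: (records, packets, bytes)} for one flow.

    Scheme numbers follow the page: 0 = equal split across the bins the flow
    touches, 1 = bin containing sTime, 2 = bin containing eTime, 3 = bin
    containing the midpoint, 4 = proportional to active time per bin (default).
    """
    if flow.etime_ms < flow.stime_ms:
        raise ValueError("eTime precedes sTime")
    first = flow.stime_ms // bin_ms
    # Assumption: the active interval is half-open, so a flow ending exactly on a
    # boundary stays in the earlier bin; a zero-duration flow sits in its start bin.
    last = first if flow.etime_ms == flow.stime_ms else (flow.etime_ms - 1) // bin_ms
    bins = range(first, last + 1)

    if load_scheme == 0:
        weights = {b: Fraction(1, len(bins)) for b in bins}
    elif load_scheme == 1:
        weights = {first: Fraction(1)}
    elif load_scheme == 2:
        weights = {last: Fraction(1)}
    elif load_scheme == 3:
        mid = (flow.stime_ms + flow.etime_ms) // 2
        weights = {mid // bin_ms: Fraction(1)}
    elif load_scheme == 4:
        duration = flow.etime_ms - flow.stime_ms
        if duration == 0:
            weights = {first: Fraction(1)}
        else:
            weights = {b: Fraction(overlap_ms(flow, b, bin_ms), duration) for b in bins}
    else:
        raise ValueError(f"unknown load scheme {load_scheme}")

    # Drop bins that received nothing so the result lists only the bins charged.
    return {b: (w, w * flow.packets, w * flow.bytes) for b, w in weights.items() if w}


def bin_totals(flows, bin_ms, load_scheme=4):
    """Sum the per-flow allocations, the way rwcount reports one row per bin."""
    totals = {}
    for f in flows:
        for b, (r, p, y) in allocate(f, bin_ms, load_scheme).items():
            tr, tp, ty = totals.get(b, (Fraction(0), Fraction(0), Fraction(0)))
            totals[b] = (tr + r, tp + p, ty + y)
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    BIN = 30_000  # --bin-size=30 seconds, in milliseconds
    # Constructed sample: the page's 60-second flow, starting 15 s into bin 0.
    example = Flow(15_000, 75_000, 300, 3000)
    # Constructed sample: the 32-second flow that touches three bins for 1 s, 30 s, 1 s.
    short = Flow(29_000, 61_000, 32, 320)
    for scheme in range(5):
        print(f"LOADMETHOD={scheme}:",
              {b: tuple(str(v) for v in t) for b, t in allocate(example, BIN, scheme).items()})
    print("default scheme, 32-second flow:",
          {b: tuple(str(v) for v in t) for b, t in allocate(short, BIN, 4).items()})
```

Running the script prints the five rows of the tables above for the example flow, and for the 32-second flow shows the default scheme charging 1/32 of the record to each of the outer bins and 30/32 to the middle one, which is the effect the opening paragraph warns about when a short flow straddles a boundary.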
