Flows

A flow is a complete exchange of information between a sender and a recipient, as seen from the user's point of view. Examples of flows include sending a mail message, or downloading a web page.

A flow is defined by:

• The interface used

• The source and destination IP addresses

• The IP protocol (TCP, UDP or other)

• The source and destination ports (TCP and UDP)

• The IP type of service (TOS) value

• The URL

Since the TOS value can change during the lifetime of a flow, a flow can move from one class to another. However, this is not recommended, as packet ordering can be compromised.

Information about all current flows is stored in a cache. When a packet arrives, its flow characteristics are compared with the cache information to see whether it is part of an existing flow or whether a new flow has started. The cache record includes the flow identification information and the following statistics:

• The number of packets sent

• The number of octets sent

• The system uptime when the first packet arrived

• The system uptime when the last packet arrived

A flow is terminated 60 seconds after the last packet in the flow was detected. This is not configurable.

Monitoring flows rather than classes gives a more accurate picture of network usage, at finer granularity. This enables you to predict future network needs more accurately, and gives you information that can be used in accounting.

You can use batool to view flow statistics. See Chapter 8, Statistics. You can also use any billing or accounting package that is compatible with version 5 of the CISCO NetFlow protocol.