
What features/statistics of network traffic uniquely identify a specific flow?

My initial thoughts were unique identifiers such as all packets going from eth_src to eth_dst and in and out of the same ports.

I have been using the Ryu Traffic Monitor to try and get my head around flows; it seems to use the in_port and eth_dst:

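    # `body` holds the flow-stats entries from the switch's reply.
    # Only priority-1 entries are listed, ordered by the match fields
    # (in_port, eth_dst).
    for stat in sorted([flow for flow in body if flow.priority == 1],
                       key=lambda flow: (flow.match['in_port'],
                                         flow.match['eth_dst'])):
        # Columns: datapath id, in_port, eth_dst, out port, packets, bytes
        self.logger.info('%016x %8x %17s %8x %8d %8d',
                         ev.msg.datapath.id,
                         stat.match['in_port'], stat.match['eth_dst'],
                         stat.instructions[0].actions[0].port,
                         stat.packet_count, stat.byte_count)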
HCF3301

1 Answer


Further investigation has helped me understand this more:

A network traffic flow is a flow of traffic from a source to a destination.

The answer to my specific question (which is in relation to transport protocols) is that a network flow is defined as a 5-tuple consisting of a source IP address/port number, destination IP address/port number and the protocol in use. Ethernet addresses may also be added in here.

https://www.techopedia.com/definition/28190/5-tuple

edit: Thanks to Ron for mentioning that this is only valid for transport protocols that use ports

HCF3301
  • "a flow can be uniquely identified as traffic being sent from a eth_src + port number to an eth_dst + port number." That is only valid for transport protocols that use ports, e.g. TCP and UDP. Other transport protocols may use other types of addressing, or no addressing at all. – Ron Maupin Jan 02 '19 at 17:22
  • Another way, for IPv6, would be to use the Flow Label in the IPv6 header. That is what it is for, although it hasn't seen much use so far. The idea is that it simplifies identifying a flow. You do not need to look in the IPv6 payload to identify the transport protocol and decipher its header to get a port number, too. – Ron Maupin Jan 08 '19 at 16:37
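
The identifiers discussed in the answer and comments above, as an added example that is not part of the original posts: a flow-key function that returns the 5-tuple for TCP/UDP, falls back to (source, destination, protocol) when there are no ports to read, and uses the IPv6 Flow Label when it is set. The names `flow_key`, `ipv4` and `ipv6` and the sample packets are constructed for illustration; IPv6 extension headers are not walked.

```python
import ipaddress
import struct

TCP, UDP = 6, 17  # IANA protocol numbers of the port-based transports

def flow_key(pkt: bytes) -> tuple:
    """Return a flow identifier for a raw IP packet (starting at the IP header)."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
        proto = pkt[9]
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
        l4 = pkt[ihl:] if frag_offset == 0 else b""    # later fragments carry no L4 header
    elif version == 6:
        flow_label = struct.unpack("!I", pkt[0:4])[0] & 0xFFFFF
        proto = pkt[6]                                 # Next Header field
        src = str(ipaddress.IPv6Address(pkt[8:24]))
        dst = str(ipaddress.IPv6Address(pkt[24:40]))
        if flow_label:                                 # label set: payload need not be parsed
            return ("flow-label", src, dst, flow_label)
        l4 = pkt[40:]
    else:
        raise ValueError(f"not an IP packet (version {version})")
    if proto in (TCP, UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("5-tuple", src, sport, dst, dport, proto)
    return ("3-tuple", src, dst, proto)                # e.g. ICMP: no port numbers

# Constructed sample packets (documentation addresses, checksums left at zero).
def ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.7"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6(next_hdr, payload, label=0, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB16s16s", (6 << 28) | label, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

TCP_PKT = ipv4(TCP, struct.pack("!HH", 49152, 443) + bytes(16))
ICMP_PKT = ipv4(1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))    # echo request
V6_LABELLED = ipv6(UDP, struct.pack("!HHHH", 5353, 5353, 8, 0), label=0xABCDE)
V6_PLAIN = ipv6(UDP, struct.pack("!HHHH", 5353, 53, 8, 0))

if __name__ == "__main__":
    for p in (TCP_PKT, ICMP_PKT, V6_LABELLED, V6_PLAIN):
        print(flow_key(p))
```

A monitor that groups counters by this key keeps ICMP and non-first IPv4 fragments in a coarser (source, destination, protocol) bucket instead of misreading payload bytes as port numbers.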