[c-nsp] Netflow Operation

Simon Leinen simon at limmat.switch.ch
Wed Dec 14 03:40:29 EST 2005


Dave Temkin writes:
> That answers my question...  So basically it's up to the parser
> (whatever NF package) to represent it - whether it represents it 1
> second at a time or 1 minute or whatever duration...

Yes.  One notable difference between collectors is how they handle
flows that span multiple collector timeslices (whether a timeslice is
a second, a minute, five minutes).  Some collectors just attribute all
traffic of a received flow (accounting record) to the flow's end-time,
or the time the collector received the flow.  Other collectors
distribute the traffic counts of such long flows over timeslices,
usually assuming a constant rate for the lifetime of the flow (an
approximation that works fairly well in practice).

When there is a large amount of traffic in a single long flow (or a
few synchronized long flows), e.g. NNTP feeds, then you can easily
distinguish these two types of collectors by the shape of their
traffic curves - those that use only the end/reception time of flows
will show "combteeth" in their graphs (the distance between the teeth
being equal to the "active timeout" of the exporting router), while
those that distribute traffic over timeslices will produce smoother
graphs.
-- 
Simon.
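
Added example, not part of the original message or of any collector's code: the two binning strategies described above, applied to one long flow that the exporter cuts into records at its active timeout. The function names, the 300 s active timeout, the 60 s timeslice and the sample flow records are assumptions constructed for illustration.

```python
from collections import defaultdict

def bin_by_end_time(flows, slice_s):
    """Attribute each record's whole byte count to the slice holding its end time."""
    bins = defaultdict(float)
    for start, end, nbytes in flows:
        bins[end // slice_s * slice_s] += nbytes
    return dict(bins)

def bin_constant_rate(flows, slice_s):
    """Spread each record's bytes over the slices it overlaps, assuming a
    constant rate for the lifetime of the flow."""
    bins = defaultdict(float)
    for start, end, nbytes in flows:
        duration = end - start
        if duration <= 0:  # e.g. single-packet flow: nothing to spread
            bins[start // slice_s * slice_s] += nbytes
            continue
        rate = nbytes / duration
        t = start
        while t < end:
            slice_start = t // slice_s * slice_s
            seg_end = min(end, slice_start + slice_s)  # stop at slice or flow end
            bins[slice_start] += rate * (seg_end - t)
            t = seg_end
    return dict(bins)

def series(bins, horizon, slice_s):
    """Per-slice byte counts from time 0 up to horizon, zero-filled."""
    return [bins.get(t, 0.0) for t in range(0, horizon, slice_s)]

# Constructed sample: one long flow at 1000 bytes/s, exported as three
# records because of an assumed 300 s active timeout; 60 s timeslices.
ACTIVE_TIMEOUT = 300
SLICE = 60
FLOWS = [(s, s + ACTIVE_TIMEOUT, 300_000) for s in range(0, 900, ACTIVE_TIMEOUT)]

if __name__ == "__main__":
    # End-time binning: spikes spaced ACTIVE_TIMEOUT apart ("comb teeth").
    print("end-time     :", series(bin_by_end_time(FLOWS, SLICE), 960, SLICE))
    # Constant-rate binning: the same bytes as a flat curve.
    print("constant rate:", series(bin_constant_rate(FLOWS, SLICE), 960, SLICE))
```

Both strategies account for the same total bytes; only the per-slice shape differs, which matters when a threshold or anomaly detector is fed from the per-slice series.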


