Conventions
===========

ts  = timestamp
ipt = inter-packet time (ipt = -1 means that it is the first packet of its session)
ps  = payload size

================================================================================
Host mode
================================================================================

- Files generated

  "hosts":        hosts information
  "hosts_ip2id":  IP <-> hostID equivalence. This file can be used as input with
                  the "-H" option, to import the Host table
  "pkts_all":     ipt and ps; related to ALL aggregate traffic
  "pkts_up":      ipt and ps; packets sent by a single host
  "pkts_dw":      ipt and ps; packets received by a single host
  "rate":         rate of some parameters*****
  "report.txt":   summary report

- Fields of each file

  "hosts"
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  hostID | time elapsed since previous host sending packets (us)* | time elapsed since previous host receiving packets (us)** | time elapsed since previous host (us) | # of packets sent | # of packets received | host status***
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  host status: 1 = host is suspect, marked packet count is over the threshold (default=5)
               0 = host is not a suspect

  "hosts_id2IP"
  ----------------
  hostID | host IP
  ----------------

  "pkts_all"
  ----------
  ipt | ps
  ----------

  "pkts_up" (packets generated by a host)
  ----------------------------
  hostID | ipt | ps | mark****
  ----------------------------

  "pkts_dw" (packets received by a host)
  ----------------------------
  hostID | ipt | ps | mark****
  ----------------------------

  rate*****
  --------------------------------------------------------------------------
  rate tick | # of packets | # of bytes | # of flows | # of tcp pure pkts
  --------------------------------------------------------------------------

  *     set to "-1" if the host has not sent any packets
  **    set to "-1" if the host has not received any packets
  ***   "host status" is printed only if "-g" option is given
  ****  "mark" is printed only if "-g" option is given
  ***** rate file is generated only if "-R" option is given

================================================================================
Flow mode
================================================================================

- Files generated

  "flows":        flows information
  "IPs":          flow 5-tuple
  "pkts_up":      ipt and ps
  "rate":         rate of some parameters*****
  "report.txt":   summary report

- Fields of each file

  flows
  ------------------------------------------------------------------------------------------------------------------------
  hostID* | flowID | time elapsed since previous flow (us) | # of packets | # of bytes | flow duration (ms) | flow status**
  ------------------------------------------------------------------------------------------------------------------------

  IPs
  ---------------------------------------------
  flowID | srcIP:srcPort dstIP:dstPort Protocol
  ---------------------------------------------

  pkts_up
  --------------------------------------
  flowID | ipt | ps | mark*** | mss****
  --------------------------------------

  rate*****
  --------------------------------------------------------------------------
  rate tick | # of packets | # of bytes | # of flows | # of tcp pure pkts
  --------------------------------------------------------------------------

  *     "hostID" is printed only if "-H" option is used. Host table is generated in Host mode.
  **    "flow status" is printed only if "-g" option is used.
  ***   "mark" is printed only if "-g" option is used.
  ****  "mss" is printed only if "-m" option is used.
  ***** rate file is generated only if "-R" option is used.

================================================================================
Conversation mode
================================================================================

- Files generated

  "conversations": conversations information
  "IPs":           client IP, server IP
  "pkts_up":       ipt and ps; upstream (client to server)
  "pkts_dw":       ipt and ps; downstream (server to client)
  "payloads":      payload strings per conversation, with direction (D/U)
  "rate":          rate of some parameters**
  "report.txt":    summary report

- Fields of each file

  conversations
  -----------------------------------------------------------------------------------------------------------------------------------------------------------------
  convID | time elapsed since previous conv (us) | # of packets to server | # of packets to client | # of bytes to server | # of bytes to client | conv duration (ms)
  -----------------------------------------------------------------------------------------------------------------------------------------------------------------

  IPs
  ---------------------------
  convID | clientIP serverIP
  ---------------------------

  pkts_up (from client to server)
  -------------------------
  convID | ipt | ps | mss*
  -------------------------

  pkts_dw (from server to client)
  -------------------------
  convID | ipt | ps | mss*
  -------------------------

  payloads
  -------------------------------
  convID | D/U | payload_string
  -------------------------------

  rate**
  ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  rate tick | # of upstream packets | # of downstream packets | # of upstream bytes | # of downstream bytes | # of sessions | # of tcp pure upstream packets | # of tcp pure downstream packets
  ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  *  "mss" is printed only if "-m" option is used.
  ** rate file is generated only if "-R" option is given
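As an added example (not part of this documentation and not the tool's own code), a small Python reader for the host-mode "pkts_up" and "hosts" files written with "-g": it re-derives each host's packet, byte, session (ipt = -1) and marked-packet counts, applies the default suspect threshold of 5, and cross-checks the result against the "hosts" file. It assumes whitespace-separated columns, which this page does not state, and the sample input is constructed.

```python
from collections import defaultdict
SUSPECT_THRESHOLD = 5  # default "host status" threshold stated above

# Constructed sample of a host-mode "pkts_up" file written with -g: hostID ipt ps mark
SAMPLE_PKTS_UP = """\
1 -1 60 0
1 120 1460 0
2 -1 40 1
2 15 40 1
2 15 40 1
2 15 40 1
2 15 40 1
2 15 40 1
2 -1 40 0
"""
# Constructed sample of the matching "hosts" file (7 columns when -g is given)
SAMPLE_HOSTS = "1 0 -1 0 2 0 0\n2 2500 -1 2500 7 0 1\n"

def parse_pkts_up(text):
    """Return (hostID, ipt, ps, mark) tuples; whitespace-separated columns are assumed."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 4 columns (hostID ipt ps mark): {line!r}")
        rows.append(tuple(int(f) for f in fields))
    return rows

def summarize_hosts(rows, threshold=SUSPECT_THRESHOLD):
    """Per-host counts plus the derived status: 1 = suspect once marked packets exceed threshold."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sessions": 0, "marked": 0})
    for host_id, ipt, ps, mark in rows:
        s = stats[host_id]
        s["packets"] += 1
        s["bytes"] += ps
        s["sessions"] += ipt == -1   # ipt = -1 is the first packet of a session
        s["marked"] += mark != 0
    for s in stats.values():
        s["status"] = 1 if s["marked"] > threshold else 0
    return dict(stats)

def check_hosts_file(text, stats):
    """hostIDs whose "# of packets sent" or "host status" in the hosts file disagree with pkts_up."""
    bad = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 7:
            s = stats.get(int(f[0]))
            if s is None or s["packets"] != int(f[4]) or s["status"] != int(f[6]):
                bad.append(int(f[0]))
    return bad
```

A non-empty list from check_hosts_file means the two output files were not produced from the same run or with the same threshold.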