Passive Measurement of One-Way and Two-Way Flow Lifetimes
Source: University of Auckland
Flow-based analysis has been considered a simple and effective approach in network analysis. 5-tuple (unidirectional) flows are used in many network traffic analyses; however, these analyses often require bidirectional packet matching to observe the interactions. Separating the flows into two categories, one-way flows (packets in one direction only) and two-way flows (packets in both directions), can yield further insight. The authors have examined traces of Auckland traffic for 2000, 2003 and 2006, and analyzed their one-way and two-way flows. They observed several behaviors and the changes in flow sizes and their lifetimes over time. In the authors' traces, they observe that one-way flows are mostly malicious or re-transmissions, and that some are long-lived.
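The one-way/two-way split described above can be sketched as follows. This is an added example, not code from the paper: the packet records are constructed, the function names are hypothetical, and it assumes a flow spans the whole trace with no idle timeout, since the abstract does not state the authors' timeout.

```python
from collections import defaultdict

# Constructed sample packets: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto)
PACKETS = [
    (0.00, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    (0.05, "192.0.2.10", 80, "10.0.0.5", 51000, "tcp"),
    (1.20, "10.0.0.5", 51000, "192.0.2.10", 80, "tcp"),
    (2.00, "198.51.100.7", 40000, "10.0.0.9", 23, "tcp"),  # never answered
    (5.00, "198.51.100.7", 40000, "10.0.0.9", 23, "tcp"),  # retransmission
    (3.00, "10.0.0.5", 5353, "192.0.2.53", 53, "udp"),
    (3.01, "192.0.2.53", 53, "10.0.0.5", 5353, "udp"),
]

def canonical_key(src, sport, dst, dport, proto):
    """Order the two endpoints so both directions of a 5-tuple share one key."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def classify_flows(packets):
    """Match packets bidirectionally; return kind, lifetime and size per flow."""
    flows = defaultdict(lambda: {"dirs": set(), "first": None, "last": None, "packets": 0})
    for ts, src, sport, dst, dport, proto in sorted(packets):
        f = flows[canonical_key(src, sport, dst, dport, proto)]
        f["dirs"].add((src, sport))  # remember which endpoint sent this packet
        if f["first"] is None:
            f["first"] = ts
        f["last"] = ts
        f["packets"] += 1
    return {
        key: {
            # Two distinct senders means traffic was seen in both directions.
            "kind": "two-way" if len(f["dirs"]) == 2 else "one-way",
            "lifetime": round(f["last"] - f["first"], 6),
            "packets": f["packets"],
        }
        for key, f in flows.items()
    }

def count_by_kind(result):
    """Summarise how many flows fall into each category."""
    counts = {"one-way": 0, "two-way": 0}
    for info in result.values():
        counts[info["kind"]] += 1
    return counts

if __name__ == "__main__":
    for key, info in classify_flows(PACKETS).items():
        print(key, info)
```

The unanswered flow in the sample stays one-way even though it lasts three seconds, which is the kind of long-lived one-way flow the abstract mentions.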