Next: Aggregating the results
Up: Advanced interface
Previous: Advanced interface
First, we look at how to specify a flow in the advanced interface.
- The specification of the flow in the advanced interface is almost identical to that in the basic interface, but it makes available some additional fields. These fields include the number of packets in the flow, negation of the source IP, a source IP additional to the node IP, and the option of whether the destination is within or outside of PlanetLab. These fields are explained below.
- Source IP, negate source IP. Usually, the source IP address of the traffic coming out of the node is the same as the IP address of the node. This pair of options caters to the two exceptions: when a node is multi-homed, or when a slice spoofs packets. Spoofed packets can be found by specifying the node IP address to be the source IP address, and by selecting the negate option.
- Number of packets in the flow. The number of packets in the flow is often useful in characterizing flows to differentiate successful transactions, scans and data transfers. A flow with a large number of packets may correspond to a file transfer, while a flow with a small number of packets may correspond to a failed communication or a scan attempt.
- Destination in/out of PlanetLab. Selecting whether the flow involves interaction only with PlanetLab nodes or with nodes outside can help limit the results further. If unusual traffic is confined mostly to PlanetLab nodes, then it is less serious than when it involves a large number of external nodes.
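The following added example (not code from the tool itself) shows how these fields combine as filters over flow records. The record layout, the `select` function, its parameter names and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed record layout: field names are assumptions, not the tool's schema.
@dataclass(frozen=True)
class Flow:
    node_ip: str   # address of the PlanetLab node that emitted the flow
    src_ip: str    # source address carried in the packets
    dst_ip: str
    packets: int

PLANETLAB_NODES = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}  # constructed

FLOWS = [  # constructed sample flows
    Flow("192.0.2.10", "192.0.2.10", "192.0.2.11", 4200),  # large, internal
    Flow("192.0.2.10", "198.51.100.7", "203.0.113.5", 1),  # source is not the node IP
    Flow("192.0.2.11", "192.0.2.11", "203.0.113.9", 1),    # single packet, external
    Flow("192.0.2.11", "192.0.2.11", "203.0.113.10", 1),
    Flow("192.0.2.12", "192.0.2.12", "203.0.113.5", 350),
]

def select(flows, node_ip=None, src_ip=None, negate_src=False,
           min_packets=None, max_packets=None, dest=None):
    """Return flows matching every supplied field; dest is 'in', 'out' or None."""
    matched = []
    for f in flows:
        if node_ip is not None and f.node_ip != node_ip:
            continue
        # With negate_src set, keep only flows whose source differs from src_ip.
        if src_ip is not None and (f.src_ip == src_ip) == negate_src:
            continue
        if min_packets is not None and f.packets < min_packets:
            continue
        if max_packets is not None and f.packets > max_packets:
            continue
        if dest is not None and (f.dst_ip in PLANETLAB_NODES) != (dest == "in"):
            continue
        matched.append(f)
    return matched

def spoofed(flows, node_ip):
    """Source IP set to the node IP with negate selected."""
    return select(flows, node_ip=node_ip, src_ip=node_ip, negate_src=True)

def external_small_flows(flows, max_packets=2):
    """Small flows leaving PlanetLab: candidate scans or failed communications."""
    return select(flows, max_packets=max_packets, dest="out")
```

The negated query also returns traffic from a multi-homed node's second address, so compare its results against the node's known addresses before treating them as spoofed.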
2008-09-23