Retrieving Labeled Flows
Since a label is meant to aggregate the flows that make up a specific attack, the label can be used to retrieve the full flow information for those flows from the FLOWS table. This is useful for pulling out every flow an attack created, for example to build synthetic attacks from them or to compute statistics about the attack at the flow level.
To see the short version of the labeled flows (interval and flow_id only, not the full flow record), use the get_labeled_flows(label_id) and get_all_labeled_flows() methods:
irb> get_labeled_flows(1).each {|interval,flow_id| puts "#{interval} #{flow_id}"}
2005-02-01 00:00:00 1000
2005-02-01 00:00:00 1001
2005-02-01 00:05:00 0
2005-02-01 00:05:00 1
2005-02-01 00:05:00 2
To get the full flow information for a specific label, use the get_full_labeled_flows(label_id) method. It returns all of the full flow records from the FLOWS table that carry that label. To save space, the example below prints only some of the columns of each record and shows only some of the flows. Note that protocol is the IP protocol number (6 = TCP, 17 = UDP) and that the addresses come back as integers rather than dotted-quad strings:
irb> get_full_labeled_flows(1).each {|_,stime,_,protocol,src_ip,dst_ip| \
irb* puts "#{stime} #{protocol} #{src_ip} #{dst_ip}"}
2005-01-31 23:55:01 6 134747 1677473964
2005-01-31 23:54:50 6 182482 2526992
2005-01-31 23:59:50 6 -536215261 181849
2005-01-31 23:59:50 17 186393 -2045680705
The get_all_full_labeled_flows() method returns all labeled flows in the entire database, prepending each flow record with the label_id of the label it is associated with.
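As an added example (not code from the original tool), the following Ruby snippet shows the kind of flow-level statistics mentioned above, computed over rows shaped like the four-column output of get_full_labeled_flows(1) and over label-prefixed rows shaped like the output of get_all_full_labeled_flows(). It assumes rows of the form [stime, protocol, src_ip, dst_ip] (or [label_id, stime, protocol, src_ip, dst_ip]) and that addresses are stored as signed 32-bit integers, which the negative values in the output suggest. The sample rows are constructed from the output shown; the tool's own methods are not called.

```ruby
# Added example: flow-level statistics over labeled flow records.
# Assumptions (not confirmed by the tool's documentation):
#  - a flow row, reduced to the columns printed above, is [stime, protocol, src_ip, dst_ip]
#  - get_all_full_labeled_flows() rows are the same with label_id prepended
#  - IP addresses are signed 32-bit integers (hence the negative values)

# Reinterpret a signed 32-bit integer as an unsigned address and render it dotted-quad.
def ip_to_s(int_ip)
  u = int_ip & 0xFFFFFFFF
  [24, 16, 8, 0].map { |shift| (u >> shift) & 0xFF }.join('.')
end

# IANA protocol numbers for the protocols that commonly appear in flow data.
IP_PROTO_NAMES = { 1 => 'ICMP', 6 => 'TCP', 17 => 'UDP' }.freeze

# Summarize the flows of one label: count, breakdown by protocol,
# distinct endpoints and the time span covered by the flow start times.
# rows: Array of [stime, protocol, src_ip, dst_ip]
def flow_stats(rows)
  by_proto = Hash.new(0)
  rows.each { |_, proto, _, _| by_proto[IP_PROTO_NAMES.fetch(proto, proto.to_s)] += 1 }
  times = rows.map(&:first).sort # 'YYYY-MM-DD HH:MM:SS' strings sort chronologically
  {
    flows:      rows.size,
    by_proto:   by_proto,
    unique_src: rows.map { |r| ip_to_s(r[2]) }.uniq.size,
    unique_dst: rows.map { |r| ip_to_s(r[3]) }.uniq.size,
    first_seen: times.first,
    last_seen:  times.last,
  }
end

# Same statistics, one entry per label, for label-prefixed rows
# as returned by get_all_full_labeled_flows().
def stats_per_label(labeled_rows)
  labeled_rows.group_by(&:first)
              .transform_values { |rows| flow_stats(rows.map { |r| r[1..] }) }
end

# Constructed sample standing in for get_full_labeled_flows(1),
# reduced to the four columns printed in the irb session above.
LABEL_1_FLOWS = [
  ['2005-01-31 23:55:01', 6,  134747,     1677473964],
  ['2005-01-31 23:54:50', 6,  182482,     2526992],
  ['2005-01-31 23:59:50', 6,  -536215261, 181849],
  ['2005-01-31 23:59:50', 17, 186393,     -2045680705],
].freeze

if __FILE__ == $PROGRAM_NAME
  LABEL_1_FLOWS.each do |stime, proto, src, dst|
    puts "#{stime} #{IP_PROTO_NAMES.fetch(proto, proto)} #{ip_to_s(src)} -> #{ip_to_s(dst)}"
  end
  p flow_stats(LABEL_1_FLOWS)
  # Constructed label-prefixed rows, as get_all_full_labeled_flows() would return them.
  p stats_per_label(LABEL_1_FLOWS.map { |r| [1, *r] } + [[2, '2005-02-01 00:05:00', 17, 1, 2]])
end
```

In practice the constructed arrays would be replaced by the return values of get_full_labeled_flows(label_id) and get_all_full_labeled_flows(), with the destructuring adjusted to the full column order of the FLOWS table.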
