== Retrieving Labeled Flows ==

Since labels aggregate the flows that belong to a specific attack, a label can be used to retrieve the full flow information from the ''[wiki:PartitioningFlowsTable#PartitioningtheFlowsTable FLOWS]'' table. This is useful for retrieving all of the flows that were created by an attack, either to use them for synthetic attacks or to get statistical information about the attack at the flow level.

To see the short version of the labeled flows (not the full flow information), use the ''[wiki:DPUserFunctions#LabelingAnomalies get_labeled_flows(label_id) and get_all_labeled_flows()]'' methods.

{{{
irb> get_labeled_flows(1).each {|interval,flow_id| puts "#{interval} #{flow_id}"}
2005-02-01 00:00:00 1000
2005-02-01 00:00:00 1001
2005-02-01 00:05:00 0
2005-02-01 00:05:00 1
2005-02-01 00:05:00 2
}}}

To get the flow information for a specific label, use the [wiki:DPUserFunctions#LabelingAnomalies get_full_labeled_flows(label_id)] method. It returns all of the full flow records from the ''[wiki:PartitioningFlowsTable#FLOWS FLOWS]'' table. To save space, the example prints only some fields of each flow record and shows only some of the flows:

{{{
irb> get_full_labeled_flows(1).each {|_,stime,_,protocol,src_ip,dst_ip| \
irb*   puts "#{stime} #{protocol} #{src_ip} #{dst_ip}"}
2005-01-31 23:55:01 6 134747 1677473964
2005-01-31 23:54:50 6 182482 2526992
2005-01-31 23:59:50 6 -536215261 181849
2005-01-31 23:59:50 17 186393 -2045680705
}}}

The [wiki:DPUserFunctions#LabelingAnomalies get_all_full_labeled_flows()] method can be used to get all labeled flows in the entire database. Each flow record it returns is prepended with the ''label_id'' of the label it is associated with.
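
For the flow-level statistics mentioned above, the following added example (not part of the original page or the project's own code) summarizes full flow records per protocol. It assumes the row layout implied by the block parameters used on this page, that addresses are IPv4 values stored as signed 32-bit integers, and that ''stime'' is a string; `int_to_ipv4`, `summarize_flows`, `PROTO_NAMES` and `SAMPLE_ROWS` are hypothetical names.

```ruby
require 'set'

# Constructed sample rows mirroring the output shown above. Assumed layout,
# taken from the block parameters used on this page:
# [_, stime, _, protocol, src_ip, dst_ip]; fields 0 and 2 are unknown (nil).
SAMPLE_ROWS = [
  [nil, '2005-01-31 23:55:01', nil, 6,  134747,     1677473964],
  [nil, '2005-01-31 23:54:50', nil, 6,  182482,     2526992],
  [nil, '2005-01-31 23:59:50', nil, 6,  -536215261, 181849],
  [nil, '2005-01-31 23:59:50', nil, 17, 186393,     -2045680705]
].freeze

PROTO_NAMES = { 1 => 'icmp', 6 => 'tcp', 17 => 'udp' }.freeze

# Assumption: addresses are IPv4 values stored as signed 32-bit integers,
# so a negative value is the same 32 bits read as unsigned.
def int_to_ipv4(value)
  [value & 0xFFFFFFFF].pack('N').unpack('C4').join('.')
end

# Per-protocol flow count, distinct endpoints and first/last start time.
# Assumes stime is a "YYYY-MM-DD HH:MM:SS" string, which sorts chronologically.
def summarize_flows(rows)
  summary = Hash.new do |h, proto|
    h[proto] = { flows: 0, sources: Set.new, destinations: Set.new,
                 first: nil, last: nil }
  end
  rows.each do |_, stime, _, protocol, src_ip, dst_ip|
    entry = summary[PROTO_NAMES.fetch(protocol, protocol.to_s)]
    entry[:flows] += 1
    entry[:sources] << int_to_ipv4(src_ip)
    entry[:destinations] << int_to_ipv4(dst_ip)
    entry[:first] = [entry[:first], stime].compact.min
    entry[:last]  = [entry[:last], stime].compact.max
  end
  summary
end

summarize_flows(SAMPLE_ROWS).each do |proto, e|
  puts "#{proto}: #{e[:flows]} flows, #{e[:sources].size} sources, " \
       "#{e[:destinations].size} destinations, #{e[:first]} .. #{e[:last]}"
end
```

Against a live database, the records returned by `get_full_labeled_flows(label_id)` can be passed in place of `SAMPLE_ROWS`, provided they match the assumed layout.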