Most medium to high-end routers and switches store flow data, but they don't necessarily provide a way for a human being to look at the flow data locally. Instead, to analyze flow records, you must first export the flow records from the hardware to a computer. Flow sensors export their records when the corresponding network activity is complete or when a timeout expires.

The exported record is not necessarily a complete TCP/IP session, however. For example, downloading an ISO image from an Internet site can take a very long time, and that session will probably be represented in several consecutive flow records.

Why break long-running sessions into multiple records? Suppose your router exported flow records only when each ...