RFC 2723 (rfc2723) - Page 3 of 22
SRL: A Language for Describing Traffic Flows and Specifying Actions for Flow Groups
Alternative Format: Original Text Document
RFC 2723 SRL: A Traffic Flow Language October 1999
traffic (PeerType == 1) PeerAddress is an IP address, TransType is
TCP(6), UDP(17), ICMP(1), etc., and TransAddress is usually an IP
port number.
An 'RTFM Traffic Flow' is simply a stream of packets observed by a
meter as they pass across a network between two end points (or
to/from a single end point). Each 'end point' of a flow is specified
by the set of values of its address attributes.
An 'RTFM Meter' is a measuring device - e.g. a program running on a
Unix or PC host - which observes passing packets and builds 'Flow
Data Records' for the flows of interest.
RTFM traffic flows have another important property - they are bi-
directional. This means that each flow data record in the meter has
two sets of counters, one for packets travelling from source to
destination, the other for returning packets. Within the RTFM
architecture such counters appear as further attributes of the flow.
An RTFM meter must be configured by the user, which means creating a
'Ruleset' so as to specify which flows are to be measured, and how
much information (i.e. which attributes) should be stored for each of
them. A ruleset is effectively a program for a minimal virtual
machine, the 'Packet Matching Engine (PME),' which is described in
detail in [RTFM-ARC]. An RTFM meter may run multiple rule sets, with
every passing packet being processed by each of the rulesets. The
rule 'actions' in this document are described as though only a single
ruleset were running.
In the past creating a ruleset has meant writing machine code for the
PME, which has proved rather difficult to do. SRL provides a high-
level language which should enable users to create effective rulesets
without having to understand the details of the PME.
The language may be useful in other applications, being suitable for
any application area which involves selecting traffic flows from a
stream of packets.
1.2 SRL Overview
An SRL program is executed from the beginning for each new packet
arriving at the meter. It has two essential goals.
(a) Decide whether the current packet is part of a flow which is of
interest and, if necessary, determine its direction (i.e. decide
which of its end-points is considered to be its source). Other
packets will be ignored.
Brownlee Informational