flowy/examples/3http-download.flw

splitter S {}

filter www_req {
	dstport = 80
}

filter www_res {
	srcport = 80
}

filter www_res1 {
	srcport = 80
}

grouper g_www_req {
   module g1 {
      srcip = srcip
      dstip = dstip
      etime < stime delta 1s
   }
   aggregate srcip, dstip, sum(bytes) as bytes, count(rec_id) as n,
   bitOR(tcp_flags) as flags, union(srcport) as srcports
}

grouper g_www_res {
   module g1 {
      srcip = srcip
      dstip = dstip
      etime < stime delta 1s
   }
   aggregate srcip, dstip, sum(bytes) as bytes, count(rec_id) as n,
   bitOR(tcp_flags) as flags, union(dstport) as dstports
}

grouper g_www_res1 {
   module g1 {
      srcip = srcip
      dstip = dstip
      etime < stime delta 5s
   }
   aggregate srcip, dstip, sum(bytes) as bytes, count(rec_id) as n,
   bitOR(tcp_flags) as flags, union(dstport) as dstports
}

groupfilter ggf {
  bitAND(flags, 0x13) = 0x13
}

merger M {
   module m1 {
	branches C, B, A
	A.srcip = B.dstip 
	A.srcip = C.dstip
	A.srcports = B.dstports 
	A.srcports = C.dstports
	A.bytes < B.bytes
	A.bytes < C.bytes
	B oi A OR B d A
	C o B
	C m A
	
   }
   export m1
}

ungrouper U {}

"./netflow-trace.h5" -> S
S branch A -> www_req -> g_www_req -> ggf -> M
S branch B -> www_res -> g_www_res -> ggf -> M
S branch C -> www_res1 -> g_www_res1 -> ggf -> M
M->U->"./ungroped.h5"