Defining Flows based on TCP Connections

The first efforts to define a packet train or traffic flow on the network focused on connections. When using the TCP protocol, all connections are handled via the SYN and FIN control mechanism. It is therefore possible to watch the traffic on a network, check for SYN and FIN packets and thereby aggregate everything with identical service number, source and destination address etc between the SYN and FIN packet into one ``flow'' [26]. The strength of this approach is that the detection of beginning and end of a TCP connection based flow is relatively easy.