In computer networking, an elephant flow is an extremely large (in total bytes) continuous flow set up by TCP (or another protocol) and measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. It is not clear who coined "elephant flow", but the term began appearing in published Internet network research in 2001, when it was observed that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows).[1] [2] For example, researchers Mori et al. studied the traffic flows at several Japanese universities and research networks.[3] At the WIDE network they found elephant flows were only 4.7% of all flows but occupied 41.3% of all data transmitted during the time period.
The actual impact of elephant flows on Internet traffic is still an area of research and debate. Some research shows that elephant flows may be highly correlated with traffic spikes and other elephant flows (Lan & Heidemann and Mori et al.).[4] Researchers have proposed varying definitions of elephant flows, including flows that occupy greater than 1% of total traffic in a time period,[5] definitions based on the duration of the flow,[6] and flows whose size is greater than the mean plus three standard deviations of traffic during the time period.[4] One of the main goals of research into elephant flows is to develop more efficient bandwidth management tools and predictive models for the Internet. For example, researchers have focused on providing better quality of service to flows of small sizes (mice flows) by de-prioritizing elephant flows.[7]
Elephant flows can also be viewed from the perspective of a network appliance such as an Intrusion Prevention System (IPS). In this context the number of bytes on the flow is less significant than the instantaneous processing load required to service the flow, where the processing load depends on the IPS configuration (how much work it is supposed to do) and the byte rate (flow throughput). An elephant flow could thus be defined as a flow that exceeds a given total service time within a particular time interval.
For example, if just a single CPU core is used to process a flow, an elephant flow could be considered any flow for which the processing load exceeds the capacity of the CPU core. This in turn could be defined by dropped packets or an excess latency for any packet to transit the device. Obviously, lower thresholds can be applied and more cores could be used but the basic concept of required processing load relative to processing capacity holds.
To see how this differs from simply looking at the total bytes on a flow, consider two flows F1 and F2 with N1 and N2 total bytes respectively and where N2 = 1000*N1. It is possible that F1 is an elephant flow while F2 is not, if for example the required inspection of F1 is more complex than that of F2 and/or if the rate of F1 is much greater than the rate of F2.
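The F1/F2 comparison above can be worked through numerically. The following is an added example, not taken from the article or from any IPS product: it contrasts the service-time definition with the 1%-of-total-bytes definition. The per-byte inspection costs, rates and byte counts are constructed values chosen for illustration, and the model assumes one CPU core and a processing load that scales linearly with bytes inspected.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    name: str
    total_bytes: int         # N: bytes carried over the flow's lifetime
    rate_Bps: float          # throughput in bytes per second while active
    cost_ns_per_byte: float  # assumed inspection cost set by the IPS configuration

def service_time(flow, interval_s):
    """CPU seconds one core needs to service `flow` during one interval."""
    active_s = min(interval_s, flow.total_bytes / flow.rate_Bps)
    return active_s * flow.rate_Bps * flow.cost_ns_per_byte * 1e-9

def is_elephant_by_load(flow, interval_s=1.0, core_share=1.0):
    """Elephant if the required service time exceeds the core's budget.

    core_share < 1.0 applies a lower threshold than full core capacity.
    """
    return service_time(flow, interval_s) > core_share * interval_s

def is_elephant_by_bytes(flow, flows, fraction=0.01):
    """Byte-volume definition: flow carries more than `fraction` of all bytes."""
    return flow.total_bytes > fraction * sum(f.total_bytes for f in flows)

# Constructed sample flows with N2 = 1000 * N1, as in the text.
N1 = 500_000_000
F1 = Flow("F1", N1, rate_Bps=250e6, cost_ns_per_byte=5.0)        # fast, deep inspection
F2 = Flow("F2", 1000 * N1, rate_Bps=50e6, cost_ns_per_byte=1.0)  # slow, light inspection
FLOWS = [F1, F2]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.name,
              f"service={service_time(f, 1.0):.2f}s per 1s interval",
              f"by_load={is_elephant_by_load(f)}",
              f"by_bytes={is_elephant_by_bytes(f, FLOWS)}")
```

With these values F1 needs about 1.25 s of CPU per second of wall time and is an elephant by load but not by bytes, while F2 needs about 0.05 s and is an elephant only by bytes.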