flow-based accounting
similar to packet header sniffing
turns packet headers into 'flows', which are summaries of traffic for a given unique tuple
flows are usually based (at least) on a 5 tuple: protocol, source IP address, source port (if UDP or TCP), destination IP address, destination port (if UDP or TCP)
flow created when new unique tuple is seen in traffic, terminated via timeout or flow-termination indicator in flow (TCP FIN, for example)