Re: [Nfdump-discuss] Request for comment: flow tagging
netflow collecting and processing tools
From: Peter H. <ph...@us...> - 2012-08-21 19:09:38
Hi Nino,

Thank you for your feedback.

On 21/8/12 11:00 AM, Nino Ciurleo wrote:
> Hi Peter,
> flow tags is a very good idea.
>
> On 08/20/2012 07:06 PM, Peter Haag wrote:
>>
>> How many labels and what flexibility would you want? Which
>> version would you prefer?
>
> Version 2 ok - thnx.
>>
>> Would the tagging system as described above match the
>> requirements for those planning to use tags?
>>
> Yes, for sure.
>
> Some feedback:
> You wrote: "/These string labels are stored along the flows in the
> nfdump file./"
> Is it possible to apply them at flow arrive (nfcapd)?

As of nfdump-1.6.x I do not want to run other tasks in the collector process for performance reasons. In high performance networks, collection is vital. Processing the data can be done any time later. As already mentioned, 1.7 will include a threaded collector to squeeze the CPUs better, which potentially allows such additional tasks. But there is nothing decided yet.

>
> It is very important for me changing tags rules (nfdump standard filter
> files) dynamically because flow associations could change; an example,
> for my experience, could be: subnet network address/es (conditional
> rule) <==> User Name/ID (tag)

First of all, tags are integers. As all users preferred having multiple tags per flow, this is an integer from 1..32 for 32 tags. ( 0 == untagged. It means a bitset of a 32bit integer. ) Labels are simply strings along labels for better readability. The filter file can be as dynamic as you like, in the end you assign a number to a flow record and that is stored in the file including one reference per file with the translation tag number <=> label.

	- Peter

>
> Thank you for your precious work.
> Nino Ciurleo
>> Feedback is welcomed.
>>
>> - Peter
>>

--
Be nice to your netflow data. Use NfSen and nfdump :)
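
The tag scheme described in the message above (tag numbers 1..32 kept as bits of one 32-bit integer, 0 meaning untagged, and one tag number <=> label table per file), sketched in C together with the subnet-to-user rule from the question. This is an added example, not nfdump code and not part of the original message; every name, rule and label is constructed for illustration, and storing tag n as bit n-1 is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not nfdump's API. */
#define MAX_TAGS 32

/* One rule: a flow whose source address is inside net/mask gets tag number `tag`. */
struct tag_rule { uint32_t net, mask; unsigned tag; };

/* Per-file translation table, tag number <=> label (index 0 unused: 0 == untagged). */
static const char *labels[MAX_TAGS + 1] = { [1] = "alice", [2] = "lab-net", [32] = "guest" };

/* Constructed rules, host byte order: 10.1.0.0/16, 10.1.2.0/24, 192.168.0.0/16. */
static const struct tag_rule rules[] = {
    { 0x0A010000u, 0xFFFF0000u, 2 },
    { 0x0A010200u, 0xFFFFFF00u, 1 },
    { 0xC0A80000u, 0xFFFF0000u, 32 },
};

/* Assumption: tag number n (1..32) is bit n-1; out-of-range numbers set nothing. */
static uint32_t tag_bit(unsigned tag) {
    return (tag >= 1 && tag <= MAX_TAGS) ? (uint32_t)1 << (tag - 1) : 0;
}

/* Evaluate every rule; a flow may match several and so carry several tags. */
uint32_t tag_flow(uint32_t src_ip) {
    uint32_t set = 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if ((src_ip & rules[i].mask) == rules[i].net)
            set |= tag_bit(rules[i].tag);
    return set;
}

int has_tag(uint32_t set, unsigned tag) { return (set & tag_bit(tag)) != 0; }

/* Render a tag set through the label table as "a,b"; returns out. */
char *tag_labels(uint32_t set, char *out, size_t len) {
    size_t used = 0;
    if (len) out[0] = '\0';
    for (unsigned t = 1; t <= MAX_TAGS; t++) {
        if (!has_tag(set, t)) continue;
        const char *l = labels[t] ? labels[t] : "?";   /* tag without a label */
        int n = snprintf(out + used, len - used, "%s%s", used ? "," : "", l);
        if (n < 0 || (size_t)n >= len - used) break;   /* buffer full: stop */
        used += (size_t)n;
    }
    return out;
}

int main(void) {   /* 10.1.2.3 matches two rules and carries two tags */
    char buf[64];
    puts(tag_labels(tag_flow(0x0A010203u), buf, sizeof buf));
}
```

Changing the rules only changes which bits later records receive; records already stored keep the set they were written with, so the label table stored with each file has to match the rules in force when that file was tagged.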