RE: [j-nsp] cflowd sampling

From: Stephen Gill (gillsr@yahoo.com)
Date: Sat Nov 10 2001 - 02:06:52 EST


The input interface could be guessed if there is only one source, if one
server interface was dedicated per mirrored session, or perhaps using a
few other creative ideas. Since the entire packet is sent, the payload
is present for an end tool to generate the appropriate flow summaries
but certainly with the added network/processing overhead. Having a knob
on the router to just send x-bytes in a port-mirror would be interesting
if nothing else, to ease the load on the flow generator.

-- steve

> -----Original Message-----
> From: Mark Fullmer [mailto:maf@eng.oar.net]
> Sent: Friday, November 09, 2001 10:23 PM
> To: Stephen Gill
> Cc: 'Greg Ketell'; 'Robert O'Hara'; juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] cflowd sampling
>
> On Fri, Nov 09, 2001 at 06:12:28PM -0600, Stephen Gill wrote:
> >
> > If using port-mirroring to send sampled traffic out to a collector
> > server, does anyone know of any well-written efficient flow generators
> > (not flow collectors)?
>
> Slick feature.
>
> It looks like there are a few things missing to use this for flow
> generation.
> The input/output interface would need to show up in the mirrored traffic,
> and the ability to only send the IP/TCP/UDP headers or headers + n bytes
> of payload. Access to a few bytes of the payload would potentially allow
> the collector/generator to make better guesses at the application.
>
> mark
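
Added example, not part of the original messages and not code from any tool mentioned in the thread: a small flow generator that builds 5-tuple flow summaries from mirrored IPv4 packets cut to a snap length, taking byte counts from the IP total-length field so truncation does not change the totals. SNAP_LEN, build_packet and the sample packets are assumptions constructed for illustration; the input interface is not recoverable from the packet and is not modelled.

```python
import socket
import struct
from collections import defaultdict

SNAP_LEN = 64  # assumed truncation length (the hypothetical "x-bytes" knob)

def build_packet(src, dst, proto, sport, dport, payload_len):
    """Construct a sample IPv4 + TCP/UDP packet (constructed test data)."""
    l4_hdr = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    total = 20 + len(l4_hdr) + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + l4_hdr + bytes(payload_len)

def parse_headers(pkt):
    """Return (5-tuple, original IP length), or None if not parseable IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20:
        return None
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    frag_off = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport = dport = 0
    # Ports exist only in the first fragment of a TCP/UDP packet.
    if proto in (6, 17) and frag_off == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (src, dst, proto, sport, dport), total_len

def generate_flows(packets, snap_len=SNAP_LEN):
    """Aggregate (possibly truncated) mirrored packets into flow records."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        parsed = parse_headers(pkt[:snap_len])  # simulate the truncated mirror
        if parsed is None:
            continue
        key, total_len = parsed
        flows[key]["packets"] += 1
        flows[key]["bytes"] += total_len  # original size, not captured size
    return dict(flows)

SAMPLE = [  # constructed sample traffic
    build_packet("10.0.0.1", "10.0.0.2", 6, 40000, 80, 1000),
    build_packet("10.0.0.1", "10.0.0.2", 6, 40000, 80, 500),
    build_packet("10.0.0.3", "10.0.0.2", 17, 5353, 53, 30),
    b"\x00" * 10,  # runt frame, skipped
]
```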




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT