RE: [j-nsp] cflowd sampling

From: Przemyslaw Karwasiecki (karwas@ifxcorp.com)
Date: Tue Nov 13 2001 - 15:00:51 EST


Steve,

If you need to "guess" _only_ destination interface,
you pretty much need to perform lookup in a copy of FIB.

Isn't it, what is proven to be complex enough,
to build routers for? :-)

If you add an extra requirement to guess the (unguessable IMHO)
input interface, then you will probably need n*100ms per packet
per single clairvoyant :-).

Just my $.001

Przemek

PS. Nevertheless, this port mirroring is a slick feature, IMHO.

-----Original Message-----
From: Stephen Gill [mailto:gillsr@yahoo.com]
Sent: Saturday, November 10, 2001 2:07 AM
To: 'Mark Fullmer'
Cc: 'Greg Ketell'; 'Robert O'Hara'; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] cflowd sampling

The input interface could be guessed if there is only one source, if one
server interface was dedicated per mirrored session, or perhaps using a
few other creative ideas. Since the entire packet is sent, the payload
is present for an end tool to generate the appropriate flow summaries
but certainly with the added network/processing overhead. Having a knob
on the router to just send x-bytes in a port-mirror would be interesting
if nothing else, to ease the load on the flow generator.

-- steve

> -----Original Message-----
> From: Mark Fullmer [mailto:maf@eng.oar.net]
> Sent: Friday, November 09, 2001 10:23 PM
> To: Stephen Gill
> Cc: 'Greg Ketell'; 'Robert O'Hara'; juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] cflowd sampling
>
> On Fri, Nov 09, 2001 at 06:12:28PM -0600, Stephen Gill wrote:
> >
> > If using port-mirroring to send sampled traffic out to a collector
> > server, does anyone know of any well-written efficient flow
> > generators (not flow collectors)?
>
> Slick feature.
>
> It looks like there are a few things missing to use this for flow
> generation.
> The input/output interface would need to show up in the mirrored
> traffic, and the ability to only send the IP/TCP/UDP headers or
> headers + n bytes of payload. Access to a few bytes of the payload
> would potentially allow the collector/generator to make better
> guesses at the application.
>
> mark
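
The approach discussed in this thread, as an added example that is not code from any of the posters: a minimal flow generator that aggregates mirrored IPv4 packets by 5-tuple, infers the output interface by longest-prefix match against a copy of the FIB, and leaves the input interface as 0 (unknown). The FIB prefixes, ifIndex values, helper names and sample packets are all constructed assumptions; byte counts come from the IP total-length field, so copies truncated to headers + n bytes still count correctly.

```python
import ipaddress
import struct

# Constructed copy of a FIB (assumed prefixes and ifIndex values), longest prefix first.
FIB = sorted(((ipaddress.ip_network(p), i) for p, i in
              {"0.0.0.0/0": 1, "192.0.2.0/24": 2, "192.0.2.128/25": 3}.items()),
             key=lambda e: e[0].prefixlen, reverse=True)

def lookup_output_if(dst):
    """Longest-prefix match of dst against the FIB copy; 0 means no route."""
    addr = ipaddress.ip_address(dst)
    return next((ifx for net, ifx in FIB if addr in net), 0)

def parse_headers(pkt):
    """Return (src, dst, proto, sport, dport, ip_total_len), or None if not usable IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    sport = dport = 0
    # Ports exist only for TCP/UDP, only in the first fragment, and only if mirrored.
    if proto in (6, 17) and frag & 0x1FFF == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport, total_len

def generate_flows(packets):
    """Aggregate raw mirrored packets into flow records keyed by 5-tuple."""
    flows = {}
    for pkt in packets:
        parsed = parse_headers(pkt)
        if parsed is None:
            continue  # non-IPv4 or too short to classify
        *key, length = parsed
        rec = flows.setdefault(tuple(key), {
            "packets": 0, "bytes": 0,
            "input_if": 0,  # unknown: not carried in the mirrored copy
            "output_if": lookup_output_if(key[1])})
        rec["packets"] += 1
        rec["bytes"] += length  # original size, even if the copy was truncated
    return flows

def make_pkt(src, dst, proto, sport, dport, payload=b""):
    """Build a constructed IPv4 packet (header checksum left zero) for sample input."""
    l4 = struct.pack("!HH", sport, dport) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + l4
```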




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT