[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

more is more (ideas from NSPs)

To: opsec@ops.ietf.org
Subject: more is more (ideas from NSPs)
From: George Jones <gmj@pobox.com>
Date: Thu, 21 Aug 2003 13:11:30 -0400 (EDT)
Reply-to: gmj@pobox.com

I poked NSP incident response people about what they need on a
day-to-day basis and got the following input:

  > > > sho ip cache flow | incl freetext
  > > > sho ip cache verbose flow

Which got me thinking about IPFIX, but

  > > how important is local (on-the-box) analysis ("flow | grep foo")
  > > vs. getting the same data after export to a collection device ?

  > Sometimes one is away from the fancy systems and one has to ssh into the
  > rtr from some airport and determine what is going on.  on-the-box is very
  > important for immediate mitigation.

Which leads to reqs for

  - interactive login+CLI (dropped earlier/morphed into scripting requirement)
  - display of flow data locally (but what data ?)
  - ability to search flow data on the box ("support grep" ?)

  > > MRTG|RRD graphs

  - Which implies ability to collect data (what data, how collected).

---George

Prev by Date: Re: Less is more
Next by Date: Citing ANSI docs
Previous by thread: Less is more
Next by thread: vendor incompetence
Index(es):
- Date
- Thread