
Re: draft-morrow-filter-caps-00 comments



I'm sorry if I missed this being there already, but I'd like to see a survey of statistics/logging with respect to filters in operational practice. Clearly, too fine-grained a level of filtering (e.g., with static ACL logging), with a high traffic volume, will overwhelm most processors. Some means of reducing this load is probably going to be needed in any production system.

And what are these means? Certainly there's a spectrum. I'd put "diversion" at the top of the list -- rerouting problematic traffic to a sinkhole where detailed analysis can be done.

At whatever point the filtering/inspection/whatever is done, there are a range of levels of detail that can be taken, such as:

    Complete packet capture with decode [1]
    Complete packet capture [1]
    Header capture [1]
    Exact counts of packets matching complex expression [2]
    Exact counts of packets matching simple expression (e.g., source)
    Sampling counts of packets matching complex expressions [3]
    Sampling counts of packets meeting expressions of lesser complexity [3]


[1] Almost certainly means diversion to a sinkhole.

[2] Complex expression meaning enough to define a flow: at least IP source and destination, preferably protocol number, source and destination port numbers or ICMP code, etc.

[3] The recording is turned on only for a certain number of packets or for a period of time.
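As an added illustration of the counting levels listed above (this is example code written for this page, not part of the message, the draft or any vendor implementation), the Python below counts constructed sample traffic three ways: exact counts keyed on a flow 5-tuple (the "complex expression" of note [2]), 1-in-N sampled counts scaled back to an estimate, and counts with recording turned on only for a fixed packet budget (note [3]). The packet records, addresses and counts are constructed for the example; the `FlowCounter` class and its method names are assumptions, not anything from the draft.

```python
"""Added example: exact vs. sampled vs. budgeted flow counting.

Not from the draft or the mailing-list message; all traffic below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal header view of one packet (constructed for the example)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def by_source(p: Packet) -> Hashable:
    """'Simple expression': key on source address only."""
    return p.src


def by_flow(p: Packet) -> Hashable:
    """'Complex expression': enough fields to define a flow (5-tuple)."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


class FlowCounter:
    """Counts packets per key with a chosen level of detail.

    rate=1   -> exact counts of every packet examined.
    rate=N   -> count one packet in N (deterministic) and scale the
                estimate back up by N, so per-packet work drops by N.
    budget=M -> recording is on only for the first M packets seen;
                afterwards observe() does no work at all.
    """

    def __init__(self, keyfn: Callable[[Packet], Hashable],
                 rate: int = 1, budget: Optional[int] = None) -> None:
        if rate < 1:
            raise ValueError("rate must be >= 1")
        self.keyfn = keyfn
        self.rate = rate
        self.budget = budget
        self.seen = 0          # packets examined at all
        self.counted = 0       # packets that actually hit the hash table
        self.samples: Counter = Counter()

    def observe(self, p: Packet) -> bool:
        """Return True if this packet was counted, False if skipped."""
        if self.budget is not None and self.seen >= self.budget:
            return False                      # recording window closed
        self.seen += 1
        if self.seen % self.rate:
            return False                      # not a sampled packet
        self.samples[self.keyfn(p)] += 1
        self.counted += 1
        return True

    def estimate(self, key: Hashable) -> int:
        """Estimated packets for key (exact when rate == 1)."""
        return self.samples[key] * self.rate

    def top(self, n: int = 5):
        return [(k, c * self.rate) for k, c in self.samples.most_common(n)]


def constructed_traffic() -> list:
    """Constructed sample: 1000 TCP/80 packets from one host, then 200 UDP/53 from another."""
    a = Packet("10.0.0.1", "192.0.2.10", 6, 40000, 80)
    b = Packet("10.0.0.2", "192.0.2.10", 17, 53, 53)
    return [a] * 1000 + [b] * 200


def run(packets: Iterable[Packet], keyfn: Callable[[Packet], Hashable],
        rate: int = 1, budget: Optional[int] = None) -> FlowCounter:
    c = FlowCounter(keyfn, rate, budget)
    for p in packets:
        c.observe(p)
    return c


if __name__ == "__main__":
    pkts = constructed_traffic()
    for label, c in (("exact 5-tuple", run(pkts, by_flow)),
                     ("1-in-10 sampled", run(pkts, by_flow, rate=10)),
                     ("first 500 only", run(pkts, by_source, budget=500))):
        print(f"{label:16s} work={c.counted:4d} {c.top()}")
```

Running it shows the trade-off the message is pointing at: the sampled counter touches 120 packets instead of 1200 and still estimates both flows correctly because the traffic is steady, while the budgeted counter does a tenth of the work but never sees the second talker at all, since it started after the window closed. Deterministic 1-in-N sampling is used here only to keep the numbers checkable; in production, random sampling is preferable, because a fixed modulus can be predicted and evaded by an attacker shaping packet timing.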