
Re: draft-morrow-filter-caps-00 comments

On Thu, 10 Mar 2005 08:58:57 -0500, Howard C. Berkowitz
<hcb@gettcomm.com> wrote:
> I'm sorry if I missed this being there already, but I'd like to see a
> survey of statistics/logging with respect to filters in operational
> practice.

Seems like another fine candidate for the Benchmark Methodology WG.

> Clearly, too fine-grained a level of filtering (e.g., with
> static ACL logging), with a high traffic volume, will overwhelm most
> processors.  Some means of reducing this load is probably going to be
> needed in any production system.

Or at least an understanding of the potential impact (silent drop, spike
processor, increased traffic due to logging).

> And what are these means?  Certainly there's a spectrum.  I'd put
> "diversion" at the top of the list -- rerouting problematic traffic
> to a sinkhole where detailed analysis can be done.
> At whatever point the filtering/inspection/whatever is done, there
> are a range of levels of detail that can be taken, such as:
>      Complete packet capture with decode [1]
>      Complete packet capture [1]
>      Header capture [1]

Isn't that what PSAMP was doing?

>      Exact counts of packets matching complex expression [2]
>      Exact counts of packets matching simple expression (e.g., source)

Counts are good.  Accurate counts are better.  I believe these are
already addressed.

>      Sampling counts of packets matching complex expressions [3]
>      Sampling counts of packets meeting expressions of lesser complexity [3]