[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

psamp filtering

In the sampling techniques draft: 

	6.1 Field Match Filtering 
    	We here define a basic Filtering schemes based on the IPIFIX 
    	flow definition. With this method a packet is selected if a 
    	specific field in the packet equals a predefined value. Possible

    	filter fields are all IPFIX flow attributes specified in [IPFIX-
    	INFO]. Further fields can be defined by vendor specific 
    	A packet is selected if Field=Value. Masks and ranges are only 
    	supported to the extend to which [IPFIX-INFO] allows them e.g. 
    	by providing explicit fields like the netmasks for source and 
    	destination addresses. AND operations are possible by 
    	concatenating filters. OR operations are not supported with this

    	basic model. More sophisticated filters (e.g. supporting 
    	bitmasks, ranges or OR operations etc.) can be realized as 
    	vendor specific schemes.

As it stands now, this text might give the impression that AND
operations are accomplished by composing a number of PSAMP selectors,
each being primitive and corresponding to filtering on a single field. I
don't think this is what is intended. (In any case, PSAMP can currently
only combine one filter with one sampling operation at present). 

Also, "concatenation" implies that an order amongst the basic filters is
to be specified. As Matt Grossglauser has pointed out, this might be
useful if one wants to put a "quick" filter (e.g. on port number) first,
to reduce the packet rate down for a "slow" filter (e.g. on routing
state) following. So do we want to require ordering of filters within
the combination? Or would some implementors want to implement some or
all combinations as a single composite mask/match across fields, without

If order is not specified, we might want to replace

"AND operations are possible by concatenating filters" 


"AND operations are possible by specifying multiple basic field match
Filters, the packet being selected if would be selected by all the
specified filters. The resulting combination is viewed as a primitive
PSAMP Selector."

Finally, it was suggested to me at IETF 61 that the current text in the
framework draft (it speaks of match/mask operations) should be replaced
with the text from the sampling draft. I can do this once the latter is



to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>