[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
In the sampling techniques draft:
6.1 Field Match Filtering
We here define a basic Filtering schemes based on the IPIFIX
flow definition. With this method a packet is selected if a
specific field in the packet equals a predefined value. Possible
filter fields are all IPFIX flow attributes specified in [IPFIX-
INFO]. Further fields can be defined by vendor specific
A packet is selected if Field=Value. Masks and ranges are only
supported to the extend to which [IPFIX-INFO] allows them e.g.
by providing explicit fields like the netmasks for source and
destination addresses. AND operations are possible by
concatenating filters. OR operations are not supported with this
basic model. More sophisticated filters (e.g. supporting
bitmasks, ranges or OR operations etc.) can be realized as
vendor specific schemes.
As it stands now, this text might give the impression that AND
operations are accomplished by composing a number of PSAMP selectors,
each being primitive and corresponding to filtering on a single field. I
don't think this is what is intended. (In any case, PSAMP can currently
only combine one filter with one sampling operation at present).
Also, "concatenation" implies that an order amongst the basic filters is
to be specified. As Matt Grossglauser has pointed out, this might be
useful if one wants to put a "quick" filter (e.g. on port number) first,
to reduce the packet rate down for a "slow" filter (e.g. on routing
state) following. So do we want to require ordering of filters within
the combination? Or would some implementors want to implement some or
all combinations as a single composite mask/match across fields, without
If order is not specified, we might want to replace
"AND operations are possible by concatenating filters"
"AND operations are possible by specifying multiple basic field match
Filters, the packet being selected if would be selected by all the
specified filters. The resulting combination is viewed as a primitive
Finally, it was suggested to me at IETF 61 that the current text in the
framework draft (it speaks of match/mask operations) should be replaced
with the text from the sampling draft. I can do this once the latter is
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.