Re: draft-morrow-filter-caps-00 comments
I'm sorry if I missed this being there already, but I'd like to see a
survey of statistics/logging with respect to filters in operational
practice. Clearly, too fine-grained a level of filtering (e.g., with
static ACL logging), with a high traffic volume, will overwhelm most
processors. Some means of reducing this load is probably going to be
needed in any production system.

And what are these means? Certainly there's a spectrum. I'd put
"diversion" at the top of the list -- rerouting problematic traffic
to a sinkhole where detailed analysis can be done.

At whatever point the filtering/inspection/whatever is done, there
is a range of levels of detail that can be taken, such as:

  Complete packet capture with decode [1]
  Complete packet capture [1]
  Header capture [1]
  Exact counts of packets matching complex expression [2]
  Exact counts of packets matching simple expression (e.g., source)
  Sampling counts of packets matching complex expressions [3]
  Sampling counts of packets meeting expressions of lesser complexity [3]

[1] Almost certainly means diversion to a sinkhole
[2] Complex expression meaning enough to define a flow: at least IP
    source and destination, preferably protocol number, source
    and destination port numbers or ICMP code, etc.
[3] The recording is turned on only for a certain number of packets
    or for a period of time.
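The counting levels listed above, as an added illustration that is not part of the original message: a "complex expression" keyed on the flow fields of footnote [2], a "simple expression" keyed on source only, and a sampled count that, per footnote [3], records only the first N packets and scales up the result. The packet records are constructed sample values, not a real capture.

```python
from collections import Counter

# Constructed packet headers (not captured traffic); protocol 1 is ICMP.
PACKETS = [
    {"src": "10.0.0.1", "dst": "192.0.2.8", "proto": 6, "sport": 40001, "dport": 80},
    {"src": "10.0.0.1", "dst": "192.0.2.8", "proto": 6, "sport": 40001, "dport": 80},
    {"src": "10.0.0.1", "dst": "192.0.2.8", "proto": 6, "sport": 40002, "dport": 80},
    {"src": "10.0.0.2", "dst": "192.0.2.8", "proto": 17, "sport": 5353, "dport": 53},
    {"src": "10.0.0.3", "dst": "192.0.2.8", "proto": 1, "type": 8, "code": 0},
    {"src": "10.0.0.1", "dst": "192.0.2.9", "proto": 6, "sport": 40003, "dport": 443},
]


def flow_key(pkt):
    """Complex expression per footnote [2]: enough fields to define a flow.
    ICMP carries no ports, so its type and code stand in for them."""
    if pkt["proto"] == 1:
        return (pkt["src"], pkt["dst"], 1, pkt["type"], pkt["code"])
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def source_key(pkt):
    """Simple expression: the source address alone."""
    return pkt["src"]


def exact_counts(packets, keyfn):
    """Exact counts: every packet is inspected and keyed, which is the
    per-packet load that overwhelms a processor at high volume."""
    return Counter(keyfn(p) for p in packets)


def sampled_counts(packets, keyfn, window):
    """Sampling counts per footnote [3]: recording is on only for the first
    `window` packets; later packets are never keyed. Returns the raw counts
    and the scale factor (total/observed) needed to estimate full totals."""
    observed = packets[:window]
    scale = len(packets) / len(observed) if observed else 0.0
    return Counter(keyfn(p) for p in observed), scale


def estimate_totals(counts, scale):
    """Scale sampled counts up to an estimate of the unsampled totals.
    The estimate is only as good as the window is representative."""
    return {key: round(n * scale) for key, n in counts.items()}


if __name__ == "__main__":
    print(exact_counts(PACKETS, flow_key))
    counts, scale = sampled_counts(PACKETS, source_key, 3)
    print(estimate_totals(counts, scale))
```

With a window of 3 the sampled estimate credits 10.0.0.1 with 6 packets where the exact count is 4, which is the precision traded away for the lighter load.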