Hi all,

I'm currently working on traffic analysis for detecting various security events on a network and finding flow paths throughout the network. Part of this work includes tracking/visualizing network flows on a per-host/per-port basis.

For this I'm currently working with OVS since it supports OpenFlow (used to orchestrate the network), sFlow, and IPFIX, which is working wonderfully. One caveat, however, is that while IPFIX supports useful features such as caching flows and limiting the amount of packet parsing I have to do, it does not include the in/out port the flow was seen on. On the other hand, sFlow *does* include that information (and even the OpenFlow port!), but doesn't have the caching feature and requires parsing headers at the collector. Since we're also experimenting with high sampling rates, I feel it would be best if we could avoid that.

So my question is, is there a specific reason that the IPFIX implementation does not include e.g. ingressInterface and egressInterface? Could this be added? And are there any plans to augment the default IPFIX template, or perhaps even allow the user to select from e.g. various detail levels?

Regards,
Ben de Graaff
_______________________________________________
discuss mailing list
email@example.com
http://openvswitch.org/mailman/listinfo/discuss
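
A collector-side check for the gap described in this message, as an added example that is not part of the original post or of OVS: it parses the template sets of an IPFIX message and reports whether ingressInterface (IANA element 10) and egressInterface (IANA element 14) are present. The helper names, template ID 256 and the five-tuple sample template are constructed for illustration and are not OVS's actual template.

```python
import struct

# IANA IPFIX information element IDs
INGRESS_INTERFACE, EGRESS_INTERFACE = 10, 14
TEMPLATE_SET_ID = 2

def parse_templates(msg: bytes) -> dict:
    """Map template ID -> [(enterprise, element_id, length)] for one IPFIX message."""
    if len(msg) < 16:
        raise ValueError("shorter than the IPFIX message header")
    version, total = struct.unpack_from("!HH", msg, 0)
    if version != 10 or total != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, off = {}, 16
    while off + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > total:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        while set_id == TEMPLATE_SET_ID and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", msg, pos)
            if tid < 256:          # set padding, not a template record
                break
            pos, fields = pos + 4, []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated field specifier")
                ie, flen = struct.unpack_from("!HH", msg, pos)
                pos, pen = pos + 4, 0
                if ie & 0x8000:    # enterprise bit: a 4-byte enterprise number follows
                    if pos + 4 > end:
                        raise ValueError("truncated enterprise number")
                    (pen,) = struct.unpack_from("!I", msg, pos)
                    pos += 4
                fields.append((pen, ie & 0x7FFF, flen))
            templates[tid] = fields
        off += set_len
    return templates

def missing_interface_fields(fields) -> list:
    """IANA interface elements (enterprise 0) that the template lacks."""
    present = {ie for pen, ie, _ in fields if pen == 0}
    return sorted({INGRESS_INTERFACE, EGRESS_INTERFACE} - present)

def build_sample(elements) -> bytes:
    """Constructed one-template message (template ID 256) for the demo."""
    rec = struct.pack("!HH", 256, len(elements))
    rec += b"".join(struct.pack("!HH", ie, n) for ie, n in elements)
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 1) + tset

FIVE_TUPLE = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2)]  # constructed, not OVS's template
```

Run against the template sets an exporter actually sends, `missing_interface_fields` tells the collector up front whether per-port flow tracking is possible from IPFIX alone or needs another source such as sFlow.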