Hi all,

I'm currently working on traffic analysis for detecting various security
events on a network and finding flow paths throughout the network. Part
of this work includes tracking/visualizing network flows on a
per-host/per-port basis.

For this I'm currently working with OVS since it supports OpenFlow (used
to orchestrate the network), sFlow, and IPFIX, which is working wonderfully.

One caveat however is that, while IPFIX supports useful features such as
caching flows and limiting the amount of packet parsing I have to do, it
does not include the in/out port the flow was seen on.

On the other hand sFlow *does* include that information (and even the
OpenFlow port!), but doesn't have the caching feature and requires
parsing headers at the collector.
Since we're also experimenting with high sampling rates, I feel it would
be best if we could avoid that.

So my question is, is there a specific reason that the IPFIX
implementation does not include e.g. ingressInterface and
egressInterface? Could this be added?
And are there any plans to augment the default IPFIX template, or
perhaps even allow the user to select from e.g. various detail levels?

Ben de Graaff
