--On March 4, 2008 11:15:33 +0100 Vegard Vesterheim <[EMAIL PROTECTED]> wrote:
| We would like to add a new filter primitive to nfdump. Assume we have
| a mapping
| ipaddr -> org_id
| which identifies the organizational unit to which the ipaddr is
| allocated. Now, we would like to be able to do filtering and
| aggregation based on this value. Note that this is not the same as
| filtering on AS number.
|
| Our basic idea is that we do not need to alter the on-disk format, but
| we could generate this information on-the-fly upon reading the netflow
| data. Naturally this would slow down the process considerably, unless
| we have a very efficient lookup.
|
| This idea can be generalized to any mapping from ipaddr -> function(ipaddr).
I would do it as follows:
You would need a table with all the relations of org_id and IP space.
# org1
org1 192.168.1/24
org1 172.16.17/23
# org2
org2 192.168.10/24
and so on.
This information is kept in a file.
Now when running nfdump, at the time the filter is compiled and the parser finds
a filter syntax containing an org_id related filter, it will resolve that org_id
in an appropriate IP net list:
'src org_1' resolves to '(src net 192.168.1/24 or src net 172.16.17/23)'
which then will be compiled and used in nfdump. This is most likely fastest
and most efficient, however, does not allow you to aggregate org_id flows.
If aggregation is required, a new field in the master record would be required
holding the org label. An appropriate function mapping the IP address to an org
label, while filling the master record (ExpandRecord function), could be a Berkeley
DB or similar b-tree lookup with a custom lookup function allowing not only to
look up a single IP address but an IP range to org mapping. As input for this b-tree
you may use the file as described above. The filter then can be extended to this
new org label in the master record.
Hope this helps
- Peter
|
| Has anyone considered doing something similar?
|
| Any ideas on how to go about implementing this?
|
| --
| Vegard Vesterheim : Phone: +47 73 55 79 12
| UNINETT : Mobile:+47 48 11 98 98
| N-7465 Trondheim, NORWAY : Email: [EMAIL PROTECTED]
|
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by: Microsoft
| Defy all challenges. Microsoft(R) Visual Studio 2008.
| http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
| _______________________________________________
| Nfdump-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
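The two mechanisms Peter sketches above, org_id expansion into a net list at filter compile time and a per-record IP-to-org lookup for aggregation, as an added C example. This is not nfdump code and not Peter's; the function names (parse_ip, load_table, expand_org_filter, lookup_org) are made up here, the table format is assumed to be the "<org> <net/len>" layout from the mail, the sample table is constructed from the mail's entries, and a linear longest-prefix scan stands in for the Berkeley DB / b-tree lookup he suggests for large tables. One check a practitioner will want: the loader reports entries that are not aligned to their prefix length, because a line like "172.16.17/23" means 172.16.16.0/23 to any CIDR matcher.

```c
/* Added example, not nfdump code: org table loader plus the two uses in
 * Peter's mail, filter expansion and IP-to-org lookup.  Assumed table
 * format: "<org> <a.b.c[.d]/len>" per line, '#' starts a comment. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char org[32];
    uint32_t net;   /* network address, host byte order, prefix-aligned */
    uint32_t mask;  /* netmask, host byte order */
    int len;        /* prefix length */
} org_entry_t;

static org_entry_t table[64];
static int table_size;

/* Constructed sample in the format from the mail; shortened prefixes omit
 * trailing octets.  172.16.17/23 is deliberately not /23-aligned. */
static const char *sample_table =
    "# org1\n"
    "org1 192.168.1/24\n"
    "org1 172.16.17/23\n"
    "# org2\n"
    "org2 192.168.10/24\n";

/* Parse "a.b.c.d", or a shortened "a.b.c", into a host-order address. */
static int parse_ip(const char *s, uint32_t *out) {
    unsigned o[4] = {0, 0, 0, 0};
    if (sscanf(s, "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]) < 1) return -1;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255) return -1;
    *out = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return 0;
}

/* Load the org table text; returns the entry count, or -1 on a bad line.
 * Misaligned prefixes are reported and normalised to their real network. */
static int load_table(const char *text) {
    char buf[4096];
    snprintf(buf, sizeof buf, "%s", text);
    table_size = 0;
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        char org[32], cidr[64];
        if (line[0] == '#' || sscanf(line, "%31s %63s", org, cidr) != 2) continue;
        char *slash = strchr(cidr, '/');
        if (!slash || table_size == 64) return -1;
        *slash = '\0';
        int len = atoi(slash + 1);
        org_entry_t *e = &table[table_size];
        if (len < 0 || len > 32 || parse_ip(cidr, &e->net) != 0) return -1;
        e->mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
        if ((e->net & e->mask) != e->net)
            fprintf(stderr, "warning: %s %s/%d is not prefix-aligned\n", org, cidr, len);
        e->net &= e->mask;
        e->len = len;
        snprintf(e->org, sizeof e->org, "%s", org);
        table_size++;
    }
    return table_size;
}

/* Filter-compile-time expansion: ("src", "org1") becomes
 * "(src net 192.168.1.0/24 or src net 172.16.16.0/23)"; NULL if the org is
 * unknown or the expansion does not fit the buffer. */
static const char *expand_org_filter(const char *dir, const char *org) {
    static char out[512];
    size_t pos = (size_t)snprintf(out, sizeof out, "(");
    int matches = 0;
    for (int i = 0; i < table_size; i++) {
        if (strcmp(table[i].org, org) != 0) continue;
        if (pos + 64 > sizeof out) return NULL;   /* one more term would not fit */
        uint32_t n = table[i].net;
        pos += (size_t)snprintf(out + pos, sizeof out - pos, "%s%s net %u.%u.%u.%u/%d",
                                matches++ ? " or " : "", dir, n >> 24, (n >> 16) & 255,
                                (n >> 8) & 255, n & 255, table[i].len);
    }
    if (matches == 0) return NULL;
    snprintf(out + pos, sizeof out - pos, ")");
    return out;
}

/* Per-record lookup for aggregation: longest-prefix match of an address to
 * its org label, NULL if unallocated.  Linear scan standing in for the
 * Berkeley DB / b-tree range lookup suggested in the mail. */
static const char *lookup_org(const char *ip) {
    uint32_t a;
    const org_entry_t *best = NULL;
    if (parse_ip(ip, &a) != 0) return NULL;
    for (int i = 0; i < table_size; i++)
        if ((a & table[i].mask) == table[i].net && (!best || table[i].len > best->len))
            best = &table[i];
    return best ? best->org : NULL;
}

int main(void) {
    if (load_table(sample_table) < 0) return 1;
    printf("'src org1' -> '%s'\n", expand_org_filter("src", "org1"));
    const char *org = lookup_org("172.16.16.200");
    printf("172.16.16.200 -> %s\n", org ? org : "(none)");
    return 0;
}
```

In nfdump terms, expand_org_filter is what the filter parser would call when it meets an org_id token, and lookup_org is what would fill the extra master-record field while the record is expanded; the warning from load_table is the reason to validate the org file before trusting either result.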