Dear all,
As I'm currently implementing some nfdump features, I could
implement flow tags, an issue which I was asked about every now
and then.

Please comment on the following ideas, if you are interested
in this feature:

Question: What do you prefer:
1. Each flow may be assigned a unique tag/label. The number of
   tags is limited to 16 or 32 bits. Least storage requirement.
2. Each flow may be assigned multiple tags/labels. The number of
   total tags is limited to 32 or 64. More storage, more flexible.
Using a 32bit value could take either version.

How many labels and what flexibility would you want? Which
version would you prefer?

o tags are numerical ids with optional string labels. These
  string labels are stored along the flows in the nfdump file.
o The nfdump filter language is extended, such that each valid
  nfdump filter expression can assign or filter a tag:
  set tag <nr>[(label)] if <expr> for example:
  # numerical assignment:
  set tag 10 if dst port 80
  # numerical and string assignment:
  set tag 20(http) if dst port 80
o matching tags in the filter language:
  tag <nr>
  tag <label>
o printing tags in output with %tag
o instead of a new tag file, tag assignment can be specified in
  a standard nfdump filter file such as:

# tags to be assigned:
set tag 10(http) if ( src port 80 ) or

# comment your tags/labels
set tag 11(https) if ( dst port 443) or
...

which can be given to nfdump as an argument -f <filter>

Would the tagging system as described above match the
requirements for those planning to use tags?

Feedback is welcomed.

        - Peter

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
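
The two storage options from the message, side by side in one 32-bit field, as an added example that is not part of the original mail and not nfdump code. It parses only `set tag <nr>[(label)] if <src|dst> port <n>`, a subset of the proposed syntax; "first match wins" for option 1 and "tag n sets bit n" for option 2 are assumptions, and the rules and flow record are constructed.

```python
import re

# Subset of the proposed syntax: set tag <nr>[(label)] if <src|dst> port <n>
RULE = re.compile(r"set tag (\d+)(?:\((\w+)\))? if (src|dst) port (\d+)$")

def parse_rules(text):
    """Return (rules, labels) from a filter file; '#' lines are comments."""
    rules, labels = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        nr, label, side, port = int(m[1]), m[2], m[3], int(m[4])
        if label:
            labels[nr] = label  # optional string label for the numeric id
        rules.append((nr, side + "_port", port))
    return rules, labels

def tag_unique(flow, rules):
    """Option 1: one numeric tag per flow. Assumed: first match wins, 0 = untagged."""
    for nr, field, port in rules:
        if flow[field] == port:
            return nr
    return 0

def tag_multi(flow, rules):
    """Option 2: bitmask. Assumed: tag n sets bit n, so only tags 0..31 exist."""
    mask = 0
    for nr, field, port in rules:
        if flow[field] == port:
            if nr > 31:
                raise ValueError("only 32 distinct tags fit in a 32-bit mask")
            mask |= 1 << nr
    return mask

def tags_in(mask):
    return [n for n in range(32) if mask >> n & 1]

# Constructed rules and flow record for illustration.
RULES_TEXT = """
# tags to be assigned:
set tag 10(http) if dst port 80
set tag 11(https) if dst port 443
set tag 12 if src port 50000
"""
FLOW = {"src_port": 50000, "dst_port": 80}
```

With the same 32 bits, option 1 keeps a single id per flow out of a large id space, while option 2 keeps every matching tag but caps the total number of tags at 32.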
