I know this isn't possible today, but are there plans to make nfsen capable of using something other a nfcapd processes data for profiles? I'm still getting used to nfsen and the use of profiles, but it seems to me that it would be nice to be able to use a profiles as a channel source for other profiles, rather than parsing the same 'live' data each time. This is coming not just from the extra/duplicate processing overhead, but also to simplify the complexity of the filters when you have lots of data sources with the same filters in each case.
For example, a simple use case would be profiles which capture and store transit and wan flows based upon (router ip and if number). Then I could see wanting to further filter out and graph data for a few of my top transit ASes. Pretty simple to do if you only have a couple of transit links, but it becomes increasingly more difficult the more links and routers you have, and increasingly more flow data as well. It would be nice to simply be able to select the transit flow files as the channel rather than the live data and then just adding the "and AS xyz" to the filter. Another reason I'd like to do this is to eliminate "duplicate" flow data. Like lots of folks, I'm collecting flows on multiple interfaces and if I simply track all port traffic, I see the same flows if the traffic traverses my wan rather than arriving and leaving via the "nearest" interface. So I want to only keeping the "live" raw flows to a minimum and keeping just "transit" and "wan" real profiles for a much longer period of time. Ideally then, I'd have port tracker examine these profiles rather than the 'live' data, but that's a secondary concern. Now, at this point I haven't looked into the code yet to see if this would be difficult to implement or not. It would seem that one would need to establish two work queues so all 'live' channel processing would happen first, then process profiles which rely on profile-channel data (the queue would have to be orderly processed as well or some other restrictions applied to avoid nesting cases) . Is something like this on the development roadmap? If it is not, do you have any recommendations on how one would implement this or is this an unwise idea? The other aspect I could see this being useful would be in an attempt to separate nfdump management from nfsen. I'm attracted to this idea because we already have flow-tools and plan to move to nfdump. That move is pretty simple and straightforward. But every hour, we copy the flow files to a central location for processing, which is also fine for nfdump. But if we want to use nfsen as well, then what (I believe) we'd have to do is to instead relay/replay the flows to a central host - or is there a feature of nfsen that I've missed which allows for using flow files managed outside of nfsen? -James ------------------------------------------------------------------------------ Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov _______________________________________________ Nfsen-discuss mailing list Nfsen-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
