Hi,
I currently face a horrible problem, since I have to stop using an immature NetFlow exporter probe on Linux because of core dumps and
high memory usage (ipcad + flow-tools).
My network traffic is divided into *2 major bands*: the Metropolitan Band, which is a high-speed band, and the External Band, which is the rest of the traffic
that is not Metropolitan, obviously running at a lower speed.
*I need to differentiate the two bands for each host* (62+ hosts being forwarded through the gateway). The Metropolitan segment is composed of dozens of IP classes (no need to go further with subnetting and so on ... the base 256-IP class taken as a whole). flow-tools permitted me a less complicated setup (tagging) by a simple algorithm:

OTHER_SRC (internet)
OTHER_DST (internet)
METRO_SRC (metro classes)
METRO_DST (metro classes)
(
detailed tag example:
...
match XXX/24 set-destination/set-source 0x00a/0x00b
match XXY/24 set-destination/set source 0x00a/0x00b
match XXZ/24 set-destination/set source 0x00a/0x00b
match XYY/24 set-destination/set source 0x00a/0x00b
...
)
IP_SRC (individual hosts being tagged)
IP_DST (individual hosts being tagged)

At the end ... I was able to aggregate traffic for each host into the destinations/sources listed above, e.g. an IP's traffic to/from the internet; to/from the Metropolitan segment. Now... considering pmacctd, I've seriously taken some large doses of caffeine while solving this in a pmacctd/libpcap way.

So, does anyone have some comments on this? How should I "treat" this disease?
*Does pmacctd parse the tag definition file recursively*? Here is the only thing that I did, and it works, but I don't know
how it will look when it comes to memory management:

1 = incoming, 2 = outgoing; composed tags with IP
id=2216   filter='dst host XXX.XXX.XXX.216 and src net YYY.YYY.148.0/24'
id=2216   filter='dst host XXX.XXX.XXX.216 and src net YYY.YYY.149.0/24'
id=2216   filter='dst host XXX.XXX.XXX.216 and src net YYY.YYY.136.0/24'
id=2216   filter='dst host XXX.XXX.XXX.216 and src net YYY.YYY.121.0/24'
....
id=1216   filter='src host XXX.XXX.XXX.216 and dst net YYY.YYY.148.0/24'
id=1216   filter='src host XXX.XXX.XXX.216 and dst net YYY.YYY.149.0/24'
.... and so on
... it will look "awesome": N (src/dst) known classes taken 62 times (hosts), twice

Thanks in advance for your patience,
I will be forever indebted to whoever might throw a hint.

mr
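
An added example, not part of the original post: a small generator for the map lines shown above, so the list is produced from two inputs instead of being maintained by hand. It assumes IPv4, the post's tag scheme (leading digit plus the host's last octet), and constructed sample addresses from the documentation ranges; the function names are made up for illustration.

```python
import ipaddress

# Constructed sample input (documentation ranges; not addresses from the post).
HOSTS = ["192.0.2.216", "192.0.2.17"]
METRO_NETS = ["198.51.100.0/24", "203.0.113.0/24"]


def tag_id(prefix, host):
    """Compose a tag as in the post: leading digit followed by the host's last octet."""
    return prefix * 1000 + (int(ipaddress.IPv4Address(host)) & 0xFF)


def build_map(hosts, metro_nets):
    """Return map lines, one per (host, metro net) pair and per leading digit."""
    # ip_network() is strict: a prefix with host bits set raises ValueError.
    nets = sorted({ipaddress.ip_network(n) for n in metro_nets})
    owner = {}  # last octet -> host, to catch two hosts that would share a tag
    lines = []
    for host in hosts:
        addr = ipaddress.IPv4Address(host)
        octet = tag_id(0, host)
        prev = owner.get(octet)
        if prev == addr:
            continue  # same host listed twice: emit its lines only once
        if prev is not None:
            raise ValueError(f"{addr} and {prev} would share tags x{octet:03d}")
        owner[octet] = addr
        # Same pairing as the post's lines: 2xxx = 'dst host', 1xxx = 'src host'.
        for prefix, h_dir, n_dir in ((2, "dst", "src"), (1, "src", "dst")):
            for net in nets:
                lines.append(
                    f"id={tag_id(prefix, host)}   "
                    f"filter='{h_dir} host {addr} and {n_dir} net {net}'"
                )
    return lines


if __name__ == "__main__":
    print("\n".join(build_map(HOSTS, METRO_NETS)))
```

The output has hosts x networks x 2 lines, which is the growth the post describes; the collision check matters because two gateway hosts with the same last octet would otherwise be accounted under one tag.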