Hi Jaime,
just a brief follow-up as you brought valid and very interesting points to
the discussion:

On Thu, Oct 12, 2006 at 04:18:16PM +0200, Jaime Nebrera wrote:

>   2) Reduce the volume of data without affecting precision too much. You
> can apply sampling or even better intelligent sampling techniques in the
> collector too, not only in the probe. I think pmacct server has this 
> capability.

Right. I forgot to mention the SQL Pre-processing layer, whose importance is
often underestimated - sql_preprocess directive in CONFIG-KEYS. Specifically,
'fss' and 'fsrc' keys are those of interest here: both are based on papers
coming out of AT&T Labs about smart sampling of network data.

>   3) Aggregate even further, for example we take all connections going from
> multiple ports to a single port (typical websurfing behaviour) aggregate as
> coming from "Non privileged" to port 80. Of course this reduces a bit the
> precision, but you get 1 row instead of 5 for very similar data

Flow stitching - I think we can safely summarize the feature with this term.
It's a rather consolidated approach in the field of network security, pmacct
is still missing it, but it has a prime position in my todo list.

Cheers,
Paolo


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
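
The aggregation described in point 3 of the quoted message, as an added example (not part of the original messages and not pmacct code): flows from many high source ports to one well-known port are merged into a single row. It goes slightly beyond the quoted case by collapsing the reply direction too; the 1023 cut-off, the label and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

PRIVILEGED_MAX = 1023        # assumption: ports 0-1023 count as well-known
NONPRIV = "non-privileged"   # label that replaces a collapsed high port

# Constructed sample flows:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 40112, "192.0.2.10", 80, "tcp", 12, 9400),
    ("10.0.0.5", 40113, "192.0.2.10", 80, "tcp", 8, 5100),
    ("10.0.0.5", 40114, "192.0.2.10", 80, "tcp", 20, 18000),
    ("10.0.0.5", 40115, "192.0.2.10", 80, "tcp", 5, 700),
    ("10.0.0.5", 40116, "192.0.2.10", 80, "tcp", 9, 6200),
    ("192.0.2.10", 80, "10.0.0.5", 40112, "tcp", 15, 21000),    # reply direction
    ("10.0.0.5", 51000, "198.51.100.7", 6881, "tcp", 30, 40000),  # high-to-high
    ("10.0.0.5", 51001, "198.51.100.7", 6881, "tcp", 4, 300),     # high-to-high
]


def collapse_port(port, peer_port):
    """Replace a high port with NONPRIV only when the peer port is well-known.

    High-to-high flows keep both ports, so traffic between two unregistered
    ports is not blurred into one row and stays visible to an analyst.
    """
    if port > PRIVILEGED_MAX and peer_port <= PRIVILEGED_MAX:
        return NONPRIV
    return port


def aggregate(flows):
    """Sum packets, bytes and flow count per collapsed 5-tuple."""
    totals = defaultdict(lambda: [0, 0, 0])
    for src_ip, sport, dst_ip, dport, proto, pkts, octets in flows:
        key = (src_ip, collapse_port(sport, dport),
               dst_ip, collapse_port(dport, sport), proto)
        row = totals[key]
        row[0] += pkts
        row[1] += octets
        row[2] += 1          # keep the flow count so the lost detail is measurable
    return {key: tuple(row) for key, row in totals.items()}


if __name__ == "__main__":
    for key, (pkts, octets, count) in sorted(aggregate(SAMPLE_FLOWS).items(), key=str):
        print(key, "packets=%d bytes=%d flows=%d" % (pkts, octets, count))
```

Keeping the per-row flow count preserves one signal that the collapsed ports would otherwise hide: a sudden jump in flows per row for the same byte volume.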
