Rather than perform the lookup as the traffic arrives, we're interested in having 
the lookup performed at the time of purge.  In our case the purge interval is 
60 minutes, so there are fewer aggregated data (IP addresses) to perform the 
lookup on.  Also if the lookup results are cached, only the first purge will 
have a significant impact on performance.

But the reason why it's so critical for pmacct to perform it for us is our 
consumers (ex. presentation) aren't in the same network or have access to the 
same DNS servers where pmacct collected the data. To clarify, our consumer can 
try to look up the IP against its own DNS servers, but it won't find a match for 
IPs that are localized to the network (and DNS servers) that pmacct ran in.

From: pmacct-discussion on behalf of Bill Nash
Sent: Monday, December 5, 2016 3:27 PM
Cc: Steven Sheehy; Mark Ponthier
Subject: Re: [pmacct-discussion] Outputting DNS equivalent of src_host and dst_host IP addresses?

DNS lookups will effectively rate limit flow export, though, even if you're 
hitting a cache. Do it after the fact in your presentation layer with a cache, 
don't do it at the collection level, because you'll also have to store it. I 
dunno what your flow volume is, but this is generally a bad idea. You're 
increasing processing time per flow with a multi-millisecond block, and you're 
increasing storage per flow by up to 64 bytes, in more egregious cases. Per 
flow. This is a scale exercise that can get out of hand very quickly.

On Mon, Dec 5, 2016 at 9:10 AM, Hiep Huynh wrote:

When aggregating on src_host and dst_host, the outputs are IP addresses.  Is it 
possible to also get DNS equivalent? Can pmacct perform a reverse DNS lookup 
and output it along with the IP addresses?

If not, is there a workaround involving the 'networks_file' option where both 
IP address and its DNS/label are included in its output?


pmacct-discussion mailing list


- billn
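
The approach discussed in this thread (reverse lookups once per purge interval, with a cache, run where the collector's DNS servers are reachable) can be sketched as a post-processing step. This is an added example, not code from the thread's participants or from pmacct. It assumes one JSON record per line with `ip_src` and `ip_dst` keys; `src_name`, `dst_name`, `PtrCache` and `enrich_purge` are hypothetical names, and the sample records and zone are constructed.

```python
import json
import socket
import time

# Constructed sample: three aggregated records from one purge interval.
SAMPLE_PURGE = [
    '{"ip_src": "10.0.0.5", "ip_dst": "10.0.0.9", "bytes": 1200}',
    '{"ip_src": "10.0.0.5", "ip_dst": "192.0.2.7", "bytes": 300}',
    '{"ip_src": "10.0.0.9", "ip_dst": "10.0.0.5", "bytes": 800}',
]
# Constructed stand-in for the DNS view available on the collector's network.
SAMPLE_ZONE = {"10.0.0.5": "db1.corp.example", "10.0.0.9": "web1.corp.example"}

def ptr_lookup(ip):
    """Reverse-resolve one address with the local resolver; None if no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

class PtrCache:
    """Caches PTR answers, including misses, for ttl seconds."""
    def __init__(self, resolver=ptr_lookup, ttl=3600, clock=time.monotonic):
        self.resolver, self.ttl, self.clock = resolver, ttl, clock
        self.entries = {}  # ip -> (expiry, name or None)
        self.lookups = 0   # resolver calls actually made

    def name(self, ip):
        hit = self.entries.get(ip)
        if hit and hit[0] > self.clock():
            return hit[1]  # cached answer, possibly a cached miss
        self.lookups += 1
        name = self.resolver(ip)
        self.entries[ip] = (self.clock() + self.ttl, name)
        return name

def enrich_purge(lines, cache):
    """Add src_name/dst_name (assumed field names) to one purge of records."""
    records = [json.loads(line) for line in lines if line.strip()]
    for rec in records:
        rec["src_name"] = cache.name(rec["ip_src"])
        rec["dst_name"] = cache.name(rec["ip_dst"])
    return records

if __name__ == "__main__":
    cache = PtrCache(resolver=SAMPLE_ZONE.get)  # swap in ptr_lookup for real DNS
    for rec in enrich_purge(SAMPLE_PURGE, cache):
        print(json.dumps(rec))
    print("resolver calls:", cache.lookups)
```

Caching misses matters as much as caching hits here: addresses with no PTR record would otherwise cost a blocking lookup on every purge.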