IETF Logo Mail Archive

Re: [IPFIX] Export of long lived flow information

John Court <johnwcrt@au1.ibm.com> Tue, 23 October 2012 22:00 UTC

Return-Path: <johnwcrt@au1.ibm.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BE6011E8115 for <ipfix@ietfa.amsl.com>; Tue, 23 Oct 2012 15:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oAlaTFXI1-4l for <ipfix@ietfa.amsl.com>; Tue, 23 Oct 2012 15:00:42 -0700 (PDT)
Received: from e23smtp07.au.ibm.com (e23smtp07.au.ibm.com [202.81.31.140]) by ietfa.amsl.com (Postfix) with ESMTP id 15C5E11E8114 for <ipfix@ietf.org>; Tue, 23 Oct 2012 15:00:41 -0700 (PDT)
Received: from /spool/local by e23smtp07.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <ipfix@ietf.org> from <johnwcrt@au1.ibm.com>; Wed, 24 Oct 2012 07:57:16 +1000
Received: from d23relay04.au.ibm.com (202.81.31.246) by e23smtp07.au.ibm.com (202.81.31.204) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 24 Oct 2012 07:57:05 +1000
Received: from d23av03.au.ibm.com (d23av03.au.ibm.com [9.190.234.97]) by d23relay04.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q9NLoOXe51642528 for <ipfix@ietf.org>; Wed, 24 Oct 2012 08:50:25 +1100
Received: from d23av03.au.ibm.com (loopback [127.0.0.1]) by d23av03.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q9NM0LUQ020147 for <ipfix@ietf.org>; Wed, 24 Oct 2012 09:00:21 +1100
Received: from d23mlc03.au.ibm.com (d23mlc03.au.ibm.com [9.190.26.210]) by d23av03.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q9NM0L09020144 for <ipfix@ietf.org>; Wed, 24 Oct 2012 09:00:21 +1100
To: ipfix@ietf.org
MIME-Version: 1.0
X-KeepSent: 96D061AA:F7F6CDD4-CA257AA0:00772818; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3 September 15, 2011
Message-ID: <OF96D061AA.F7F6CDD4-ONCA257AA0.00772818-4A257AA0.0078DF60@au1.ibm.com>
From: John Court <johnwcrt@au1.ibm.com>
Date: Wed, 24 Oct 2012 07:59:32 +1000
X-MIMETrack: Serialize by Router on d23mlc03/23/M/IBM(Release 8.5.3FP2HF29 | July 24, 2012) at 24/10/2012 08:59:38, Serialize complete at 24/10/2012 08:59:38
Content-Type: multipart/alternative; boundary="=_alternative 0078DF5E4A257AA0_="
x-cbid: 12102321-0260-0000-0000-00000205EAF7
Subject: Re: [IPFIX] Export of long lived flow information
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 22:00:43 -0000

Thanks for the interest in resolving this,

Andrew, I understand your persistent cache argument.  The reason I don't 
personally use "Total" and DO use "Delta"  is more around what the 
collector does should it not see some of the updates and suddenly gets one 
that shows large counter values.  This could mistakenly result in showing 
huge traffic over a short period incorrectly.  This is particularly true 
if you do as Brian suggested and are setting the flowStartTime based only 
on the current record view.

Brian, thanks for your detailed explanation.  Everything with the 
exception of flowStartTime was as I am currently doing.  I had perhaps 
mistakenly taken the approach that keeping the flowStartTime as the 
"conceptual" start rather than for this reporting period would make it 
easier for the collector to understand what was happening.  Not actually 
sure how I will co-ordinate reseting that time on export yet :-)

I would suggest that this sort of situation and Brians explanation be 
added as an example perhaps in 5101 or even 5472 as it would help with 
Collector interoperability I am sure :-)

Thanks again.


John Court
Software Engineer
IBM Security Systems Division
IBM Australia Development Laboratory
Office:  +61 7 5552 4014
Mobile: +61 430 841328

v2.23.0 | Report a Bug | By Email