Re: [sip-clf] draft-salgueiro-sipclf-indexed-ascii /draft-niccolini-sipclf-ipfix Tuning for Implementation

Peter Musgrave <peter.musgrave@magorcorp.com> Sun, 17 October 2010 15:01 UTC

Date: Sun, 17 Oct 2010 10:54:30 -0400
Message-ID: <AANLkTimW+RNgTonsURmgALMHnCJ=GFMnL7T9kmPtPF2b@mail.gmail.com>
From: Peter Musgrave <peter.musgrave@magorcorp.com>
To: List SIP-CLF Mailing <sip-clf@ietf.org>
Subject: Re: [sip-clf] draft-salgueiro-sipclf-indexed-ascii /draft-niccolini-sipclf-ipfix Tuning for Implementation
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>

Hi all,

I have ipfix and indexed ascii logging running for 1000's of messages.

Before I start to measure and summarize I want to make sure I have tuned
each properly.

ASCII
=====

I have made some assumptions about indexed ASCII (and I may have exceeded
the group's intent here):
- the length fields will be dropped. Pointers only
- src/dest do not have protocol
- to/from and to_tag/from_tag

I would suggest we re-add protocol in the sent/received flags field. How
about u, t, l for received udp, tcp, tls and U, T, L for sent?

In looking at the output I think it would aid manual examination to put the
response code immediately after the CSeq. This makes it very easy to see
which lines are requests/responses (especially for those who crush out the
pointer line and want the more "apache-like" view of the info).

It might be worth discussing whether a user who nukes every pointer line
can still make sense enough of the activity...I think they might need a few
of the fields in the Flags. Could this be moved to the next "line"?

IPFIX
=====

The recommended templates provided have IPv4 addresses. I'll assume this is
ok for comparison purposes (as my sample logs are all IP4).

I will double-check my output against Hadriel's wireshark plugin. He did
find that I can't count bytes - but I think I have corrected the output.

Are there any other changes I should include?

Cheers,

Peter Musgrave
(as individual)
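The two tweaks proposed in the message above, modelled as an added example (not code from the post, the drafts or any implementation discussed on the list): a one-character flag that carries transport and direction (u/t/l received over udp/tcp/tls, U/T/L sent), and the response code placed immediately after the CSeq so that a reader which drops the pointer line can still tell requests from responses. The tab-separated field layout, the field names and the sample messages are assumptions made for illustration only; the drafts define their own layout.

```python
"""Toy encoder/reader for the flag and field-order ideas discussed above.

Added example, not part of the original post or of any SIP CLF draft.
Record layout, field names and sample messages are ASSUMED for illustration.
"""
import re

# Proposed flag letters (the only thing taken from the message):
# lowercase = received, uppercase = sent.
_RECV = {"udp": "u", "tcp": "t", "tls": "l"}

# ASSUMED tab-separated record layout: status sits right after cseq.
FIELDS = ("timestamp", "flag", "cseq", "status", "request_uri", "src", "dst",
          "to", "from", "to_tag", "from_tag", "call_id")

# A SIP status code is three digits, first digit 1-6.
_STATUS_RE = re.compile(r"^[1-6]\d\d$")


def transport_flag(transport: str, sent: bool) -> str:
    """Single-character transport/direction flag: u/t/l received, U/T/L sent."""
    try:
        c = _RECV[transport.lower()]
    except KeyError:
        raise ValueError(f"unknown transport: {transport!r}") from None
    return c.upper() if sent else c


def decode_flag(flag: str):
    """Inverse of transport_flag(): returns (transport, sent)."""
    for name, c in _RECV.items():
        if flag == c:
            return name, False
        if flag == c.upper():
            return name, True
    raise ValueError(f"unknown flag: {flag!r}")


def format_record(msg: dict) -> str:
    """Render one SIP message (a dict with the FIELDS keys) as a record line.

    Requests carry no status code, so the status field is written as '-'.
    """
    row = dict(msg)
    row["flag"] = transport_flag(msg["transport"], msg["sent"])
    row["status"] = "-" if msg.get("status") is None else str(msg["status"])
    return "\t".join(str(row[f]) for f in FIELDS)


def parse_record(line: str) -> dict:
    """Parse a record line back into a dict, classifying request/response.

    The classification needs only the field after the CSeq, which is the
    point of placing the status code there: the pointer line is not needed.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["transport"], rec["sent"] = decode_flag(rec["flag"])
    rec["is_response"] = _STATUS_RE.match(rec["status"]) is not None
    return rec


def summarize(lines) -> dict:
    """Count requests and responses in a list of record lines."""
    recs = [parse_record(l) for l in lines]
    n_resp = sum(r["is_response"] for r in recs)
    return {"requests": len(recs) - n_resp, "responses": n_resp}


# Constructed sample dialog fragment (not captured traffic): INVITE received
# over UDP, 100 Trying sent over UDP, 200 OK sent over TLS.
_COMMON = {"src": "192.0.2.10:5060", "dst": "192.0.2.20:5060",
           "to": "sip:bob@example.com", "from": "sip:alice@example.com",
           "from_tag": "a1b2", "call_id": "c1@example.com"}
SAMPLE_MESSAGES = [
    {**_COMMON, "timestamp": "1287327270.688", "transport": "udp", "sent": False,
     "cseq": "1 INVITE", "status": None,
     "request_uri": "sip:bob@example.com", "to_tag": "-"},
    {**_COMMON, "timestamp": "1287327270.690", "transport": "udp", "sent": True,
     "cseq": "1 INVITE", "status": 100, "request_uri": "-", "to_tag": "-"},
    {**_COMMON, "timestamp": "1287327271.012", "transport": "tls", "sent": True,
     "cseq": "1 INVITE", "status": 200, "request_uri": "-", "to_tag": "z9"},
]

if __name__ == "__main__":
    lines = [format_record(m) for m in SAMPLE_MESSAGES]
    for line in lines:
        print(line)
    print(summarize(lines))
```

Running the block prints the three constructed records followed by a request/response count; any record whose fourth field is a three-digit status code is a response, everything else is a request.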