Re: [sip-clf] draft-salgueiro-sipclf-indexed-ascii /draft-niccolini-sipclf-ipfix Tuning for Implementation
Peter Musgrave <peter.musgrave@magorcorp.com> Wed, 20 October 2010 10:58 UTC
Return-Path: <peter.musgrave@magorcorp.com>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B353D3A63C9 for <sip-clf@core3.amsl.com>; Wed, 20 Oct 2010 03:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.864
X-Spam-Level:
X-Spam-Status: No, score=-102.864 tagged_above=-999 required=5 tests=[AWL=1.112, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2FBbtAO-1WWo for <sip-clf@core3.amsl.com>; Wed, 20 Oct 2010 03:58:56 -0700 (PDT)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id BFAD33A63D3 for <sip-clf@ietf.org>; Wed, 20 Oct 2010 03:58:55 -0700 (PDT)
Received: by qyk36 with SMTP id 36so1472269qyk.10 for <sip-clf@ietf.org>; Wed, 20 Oct 2010 04:00:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.217.149 with SMTP id hm21mr6317780qcb.121.1287572427990; Wed, 20 Oct 2010 04:00:27 -0700 (PDT)
Received: by 10.229.42.196 with HTTP; Wed, 20 Oct 2010 04:00:27 -0700 (PDT)
In-Reply-To: <4CBC5A66.3090802@bell-labs.com>
References: <AANLkTimW+RNgTonsURmgALMHnCJ=GFMnL7T9kmPtPF2b@mail.gmail.com> <4CBC5A66.3090802@bell-labs.com>
Date: Wed, 20 Oct 2010 07:00:27 -0400
Message-ID: <AANLkTik5MOt7o8Otzhk6hVnbfptr2-3t9F_P7tKds7wL@mail.gmail.com>
From: Peter Musgrave <peter.musgrave@magorcorp.com>
To: "Vijay K. Gurbani" <vkg@bell-labs.com>
Content-Type: multipart/alternative; boundary="00163628455e31687804930a510d"
Cc: sip-clf@ietf.org
Subject: Re: [sip-clf] draft-salgueiro-sipclf-indexed-ascii /draft-niccolini-sipclf-ipfix Tuning for Implementation
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Oct 2010 10:58:57 -0000
Hi Vijay, I will log a simple example (INV, OK, ACK, BYE, OK) through a B2BUA and then provide that as an example in indexed ascii/IPFIX. I can also include the 'large' data set I ran through. I'm not keen to add it to the mailing list as an attachment - so I'll set up something on the WG WIki page. I'll include the Java source for those who are interested. Should be be up by the end of the week. Regards, Peter Musgrave (as individual) On Mon, Oct 18, 2010 at 10:32 AM, Vijay K. Gurbani <vkg@bell-labs.com>wrote: > On 10/17/2010 09:54 AM, Peter Musgrave wrote: > >> Hi all, >> >> I have running ipfix and indexed ascii logging for 1000's of >> messages. >> >> Before I start to measure and summarize I want to make sure I have >> tuned each properly. >> > > Peter: Thanks for your initiative. More inline. > > > ASCII ===== >> >> I have made some assumptions about indexed ASCII (and I may have >> exceeded the groups intent here): - the length fields will be >> dropped. Pointers only - src/dest do not have protocol - to/from and >> to_tag/from_tag >> > > OK. > > > I would suggest we re-add protocol in the sent/received flags field. >> How about u, t, l for received udp, tcp, tls and U, T, L for sent? >> > > I am not sure I follow (but that is due to loosing context on the above; > I need to catch up on what we decided on the list.) In any case, I note > that Gonzalo Salgueiro responded in the affirmative to this, so I will > defer to his recollection. Although, given that TLS can ride on top > of UDP or TCP, we may want to think of a second letter added to "L" to > denote TLS-over-TCP and TLS-over-UDP (I doubt any implementations are > using TLS-over-UDP for signaling only, but given that SCTP is starting > to appear in kernels, maybe our flags ought to be "u, t, s, lu, lt, ls, > U, T, S, LU, LT, LS"). > > > In looking at the output I think it would aid manual examination to >> put the response code immediately after the CSeq. This makes it very >> easy to see which lines are requests responses (especially for those >> who crush out the pointer line and want the more "apache-like" view >> of the info. >> > > Interesting ... is it possible to share your indexed-ASCII corpus to > see how these fields line up? This may help determine an answer to your > next question: > > > It might be worth discussing whether a user which nukes every pointer >> line can still make sense enough of the activity...I think they might >> need a few of the fields in the Flags. Could this be moved to the >> next "line" ? >> > > Thanks, > > - vijay > -- > Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent > 1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA) > Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org} > Web: http://ect.bell-labs.com/who/vkg/ > > _______________________________________________ > sip-clf mailing list > sip-clf@ietf.org > https://www.ietf.org/mailman/listinfo/sip-clf >
- Re: [sip-clf] draft-salgueiro-sipclf-indexed-asci… Peter Musgrave
- Re: [sip-clf] draft-salgueiro-sipclf-indexed-asci… Gonzalo Salgueiro
- Re: [sip-clf] draft-salgueiro-sipclf-indexed-asci… Vijay K. Gurbani
- Re: [sip-clf] draft-salgueiro-sipclf-indexed-asci… Peter Musgrave