Re: Flow Record Data - Beginning and Ending of Flows + Direction?

From: Marc Lavine <mlavine@foundrynet.com>
Date: 03/25/05
Message-ID: <1b5101c5311f$05af2a00$013c3c3c@ds.foundrynet.com>

Hello Clarke,

You are correct that the sFlow version 5 specification does not explicitly
describe a way to provide information to sFlow collectors about when flows
begin and end. As you noted, the sFlow v5 protocol is extensible, which
allows the types of data which can be exported to evolve easily. This
applies both for standard extensions and for ones which are specific to a
given implementation.

Given this, an implementation which was capable of tracking when flows begin
and end could certainly export that information in some form as part of the
sFlow data stream. I would expect that having a device track the lifetimes
of flows would be more resource intensive than not doing so, but that is a
tradeoff that could be made versus getting more detailed information about
flow lifetimes.

Regards,
Marc Lavine

----- Original Message -----
From: "Clarke Morledge" <chmorl@wm.edu>
To: <sflow@sflow.org>
Sent: Tuesday, March 22, 2005 1:23 PM
Subject: [sFlow] Flow Record Data - Beginning and Ending of Flows + Direction?

> In particular, I need a method to track exactly when a flow is started,
> when a flow ends, and in what direction the flow is moving; i.e. which
> side is the client and which is the server. This is essential for doing
> forensic analysis of network-based intrusions.
>
> The sFlow flow sampling philosophy, while it has definite use in many
> applications, is not entirely helpful in what I want to do. However, my
> understanding is that version 5 might allow an implementor to give me this
> type of functionality and still be compliant with the sFlow specification.
>
> Unfortunately, I am having trouble locating this functionality in the
> version 5 spec document. Have I missed this somehow, or does it require
> an implementation specific extension to the spec?
>
> The approach I am suggesting does require the resources for keeping track
> of a current flow table with timers, etc. So I am not sure if this fits in
> with the low-cost, low-resource implementation that sFlow was designed
> around.
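One way to realise the flow table with timers that Clarke describes, added here as an illustration (it is not from the sFlow specification or from any vendor implementation): sampled TCP headers are keyed on the unordered endpoint pair so both directions land in one record, an idle timeout marks a flow's end, and a bare SYN fixes which side is the client. The sample headers are constructed, and the 60 s idle timeout and the "lower port is the server" fallback are assumptions.

```python
from dataclasses import dataclass
SYN, ACK = 0x02, 0x10  # TCP flag bits used to infer which side opened the flow

@dataclass
class Flow:
    client: tuple  # (ip, port) of the side that opened the flow
    server: tuple
    start: float   # timestamp of the first sample seen for this endpoint pair
    end: float     # timestamp of the last sample before the flow idled out
    direction_known: bool  # True if a bare SYN fixed the direction, False if guessed

class FlowTable:
    """Bidirectional flow table with an idle timeout; expired flows become records."""
    def __init__(self, idle_timeout):
        self.idle_timeout, self.active, self.exported = idle_timeout, {}, []

    def observe(self, ts, src, sport, dst, dport, flags):
        # Retire flows that have been silent longer than the idle timeout.
        for key, flow in list(self.active.items()):
            if ts - flow.end > self.idle_timeout:
                self.exported.append(self.active.pop(key))
        key = frozenset({(src, sport), (dst, dport)})  # same key for both directions
        flow = self.active.get(key)
        if flow is None:
            # A bare SYN names the client unambiguously; for a flow first seen
            # mid-stream, fall back to treating the lower port as the server (assumption).
            syn_only = (flags & (SYN | ACK)) == SYN
            if syn_only or sport > dport:
                flow = Flow((src, sport), (dst, dport), ts, ts, syn_only)
            else:
                flow = Flow((dst, dport), (src, sport), ts, ts, syn_only)
            self.active[key] = flow
        flow.end = ts

    def flush(self):
        # End of capture: export every still-active flow and return all records.
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported

SAMPLES = [  # constructed (ts, src, sport, dst, dport, flags) headers, not a real capture
    (100.0, "10.0.0.5", 51234, "192.0.2.10", 22, SYN),
    (100.1, "192.0.2.10", 22, "10.0.0.5", 51234, SYN | ACK),
    (103.0, "198.51.100.7", 443, "10.0.0.9", 40000, ACK),  # first seen mid-flow, no SYN
    (104.0, "10.0.0.9", 40000, "198.51.100.7", 443, ACK),
    (500.0, "10.0.0.5", 51234, "192.0.2.10", 22, SYN),     # same pair again after idling out
]
def run(samples=SAMPLES, idle_timeout=60.0):
    table = FlowTable(idle_timeout)
    for sample in samples: table.observe(*sample)
    return table.flush()
```

The third record shows the cost Marc alludes to: the same endpoint pair reappearing after the idle gap is a new flow with its own start, so the table must hold state and timers for every live pair, not just emit samples.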
Received on Fri Mar 25 01:51:20 2005

This archive was generated by hypermail 2.1.8 : 03/25/05 PST