Tristan RHODES wrote:

> Will using a database backend to store flowdata help improve query
> times? Has anyone experimented with this?
Not to discourage you, but there are a lot of papers available that have experimented with this, and I've yet to find a case where netflow is stored in SQL on a 1:1 ratio with great performance without powerful hardware. (See [1].) There are folks that still do this; however, in some instances they say running a query might take 3 or 4 hours. Depends on how much data you collect and store, I suppose.

If you're not doing so already, you might try using a SQL backend to store the results of numerous periodic analyses on the netflow data, and then run further analysis on larger time series via the SQL data. The R language can be helpful in building statistical profiles. You'll still have the data in binary format if you need further details.

With regard to fast binary formats... I myself like to use the SiLK [2] suite of tools and recommend reading / attending FloCon [3] presentations. The 2008 CFP [4] is open another two days, if anyone is doing something cool with NfDump they'd like to show off. :)

[1] http://www.usenix.org/event/lisa2000/full_papers/navarro/navarro_html/index.html
[2] http://tools.netsa.cert.org/silk/
[3] http://www.cert.org/flocon/
[4] http://www.cert.org/flocon/2008/index.html

--Jason

_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
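The approach suggested above, rolling raw flow records up into periodic summaries and keeping only those in SQL, as an added example that is not part of the original thread or of NfDump/SiLK. It assumes a minimal in-memory record layout (timestamp, protocol, destination port, bytes, packets) and a constructed sample set; the bin size and table name are this example's own choices.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow records (ts, proto, dst_port, bytes, packets); not real traffic.
SAMPLE_FLOWS = [
    ("2007-11-01 10:00:05", "tcp", 80, 1500, 10),
    ("2007-11-01 10:01:10", "tcp", 443, 4000, 20),
    ("2007-11-01 10:03:59", "udp", 53, 300, 3),
    ("2007-11-01 10:05:01", "tcp", 80, 9000, 60),
    ("2007-11-01 10:07:30", "udp", 53, 120, 2),
    ("2007-11-01 10:09:59", "tcp", 22, 50000, 400),
]

BIN_SECONDS = 300  # one summary row per 5-minute interval per protocol (assumed bin size)


def to_epoch(ts):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return seconds since the epoch."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def summarize(flows, bin_seconds=BIN_SECONDS):
    """Roll raw flows up into (bin_start, proto) -> [flow_count, packets, bytes].

    Only these counters go to SQL; the raw records stay in the binary store."""
    agg = defaultdict(lambda: [0, 0, 0])
    for ts, proto, _port, nbytes, npkts in flows:
        epoch = to_epoch(ts)
        bin_start = epoch - epoch % bin_seconds
        row = agg[(bin_start, proto)]
        row[0] += 1
        row[1] += npkts
        row[2] += nbytes
    return agg


def load_summary(conn, agg):
    """Store the rollup; the primary key makes a re-run of a period idempotent."""
    conn.execute("CREATE TABLE IF NOT EXISTS flow_summary (bin_start INTEGER, proto TEXT, "
                 "flows INTEGER, packets INTEGER, bytes INTEGER, PRIMARY KEY (bin_start, proto))")
    conn.executemany("INSERT OR REPLACE INTO flow_summary VALUES (?,?,?,?,?)",
                     [(b, p, *v) for (b, p), v in agg.items()])
    conn.commit()


def bytes_per_bin(conn, proto):
    """Time series of bytes for one protocol, the kind of series you'd baseline or plot."""
    cur = conn.execute("SELECT bin_start, bytes FROM flow_summary WHERE proto=? ORDER BY bin_start",
                       (proto,))
    return cur.fetchall()


def build(flows=SAMPLE_FLOWS):
    conn = sqlite3.connect(":memory:")
    load_summary(conn, summarize(flows))
    return conn
```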
