Hi James,
Thanks for your thoughts. Yes - this is not yet available, but should become an
option to select another channel as a
source for profiling. This has some internal implications and
need some work on nfprofile as well as on nfsen itself.
As a "poor man's channel profiling" you may add the source channel filter in
the profile
filter box as:
@include /data/profile-stat/myprofile/mychannel/filter.txt
this simply inserts the channel filter as part of the whole channel filter.
It's a standard filter item of nfdump.
Hope, this helps as a work around till it's implemented.
Cheers
- Peter
On 14/11/12 1:34 AM, James Stahr wrote:
>
> I know this isn't possible today, but are there plans to make nfsen
> capable of using something other a nfcapd processes data for profiles?
> I'm still getting used to nfsen and the use of profiles, but it seems to
> me that it would be nice to be able to use a profiles as a channel
> source for other profiles, rather than parsing the same 'live' data each
> time. This is coming not just from the extra/duplicate processing
> overhead, but also to simplify the complexity of the filters when you
> have lots of data sources with the same filters in each case.
>
> For example, a simple use case would be profiles which capture and store
> transit and wan flows based upon (router ip and if number). Then I
> could see wanting to further filter out and graph data for a few of my
> top transit ASes. Pretty simple to do if you only have a couple of
> transit links, but it becomes increasingly more difficult the more links
> and routers you have, and increasingly more flow data as well. It would
> be nice to simply be able to select the transit flow files as the
> channel rather than the live data and then just adding the "and AS xyz"
> to the filter.
>
> Another reason I'd like to do this is to eliminate "duplicate" flow
> data. Like lots of folks, I'm collecting flows on multiple interfaces
> and if I simply track all port traffic, I see the same flows if the
> traffic traverses my wan rather than arriving and leaving via the
> "nearest" interface. So I want to only keeping the "live" raw flows to a
> minimum and keeping just "transit" and "wan" real profiles for a much
> longer period of time. Ideally then, I'd have port tracker examine
> these profiles rather than the 'live' data, but that's a secondary concern.
>
> Now, at this point I haven't looked into the code yet to see if this
> would be difficult to implement or not. It would seem that one would
> need to establish two work queues so all 'live' channel processing would
> happen first, then process profiles which rely on profile-channel data
> (the queue would have to be orderly processed as well or some other
> restrictions applied to avoid nesting cases) . Is something like this
> on the development roadmap? If it is not, do you have any
> recommendations on how one would implement this or is this an unwise idea?
>
> The other aspect I could see this being useful would be in an attempt to
> separate nfdump management from nfsen. I'm attracted to this idea
> because we already have flow-tools and plan to move to nfdump. That
> move is pretty simple and straightforward. But every hour, we copy the
> flow files to a central location for processing, which is also fine for
> nfdump. But if we want to use nfsen as well, then what (I believe) we'd
> have to do is to instead relay/replay the flows to a central host - or
> is there a feature of nfsen that I've missed which allows for using flow
> files managed outside of nfsen?
>
> -James
>
> ------------------------------------------------------------------------------
> Monitor your physical, virtual and cloud infrastructure from a single
> web console. Get in-depth insight into apps, servers, databases, vmware,
> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> Pricing starts from $795 for 25 servers or applications!
> http://p.sf.net/sfu/zoho_dev2dev_nov
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)
------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
