[ovs-discuss] OVS NetFlow export - is there passive timeout?

Martin Vizvary vizvary at ics.muni.cz
Thu Nov 6 10:04:35 UTC 2014

On 11/05/2014 05:16 PM, Ben Pfaff wrote:
> On Wed, Nov 05, 2014 at 04:59:30PM +0100, Martin Vizvary wrote:
>> does anybody know if and how a passive timeout for flow expiration is
>> implemented?
>> I was playing around with it, but you can configure only the active timeout
>> (the passive timeout is approximately 1s - I guess it is connected with
>> the next_timeout cycle only...).
> The passive timeout triggers at the same time that OVS removes a flow
> from the datapath.  That is managed internally to OVS mainly to ensure a
> good balance between performance, CPU usage, and memory usage.  It's
> probably not a good idea to try to adjust it just to change the NetFlow
> passive timeout.

Thank you for the fast response. Well, I know it will have an impact on OVS
performance; however, it is not a good idea to use network flows with a 1s
timeout (current NetFlow probes use 30s/60s). Every request that takes
longer than 2s will be divided into two flow records. Every service with
a keep-alive longer than the 1-2s timeout will be divided into several flow
records, etc.

It will end with a huge amount of network flows in real networks. Also,
divided flows will be useless for current Intrusion Detection Systems...

Did you measure the impact of longer timeouts on OVS performance?


Mgr. Martin Vizvary                                 vizvary at ics.muni.cz
Security Department, CSIRT-MU group                http://csirt.muni.cz
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0xF2D9925F
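
Added example, not part of the original message and not OVS code: a small Python model of the record splitting described above, plus a collector-side merge that rejoins the pieces using a 30s idle window. The record layout, function names and sample packets are constructed for illustration; active timeout and TCP FIN/RST handling are left out.

```python
from collections import namedtuple

# Flow record: 5-tuple key, first/last packet time (seconds), packet and byte counts.
Flow = namedtuple("Flow", "key first last packets bytes")

def export_flows(packets, idle_timeout):
    """Model an exporter cache: a record is closed once its flow has been idle
    for longer than idle_timeout. packets: iterable of (time, key, size)."""
    open_flows, exported = {}, []
    for ts, key, size in sorted(packets):
        cur = open_flows.get(key)
        if cur and ts - cur.last > idle_timeout:
            exported.append(cur)          # passive (idle) expiry
            cur = None
        if cur is None:
            open_flows[key] = Flow(key, ts, ts, 1, size)
        else:
            open_flows[key] = cur._replace(
                last=ts, packets=cur.packets + 1, bytes=cur.bytes + size)
    exported.extend(open_flows.values())  # flush what is still cached
    return sorted(exported, key=lambda f: (f.first, f.key))

def stitch(records, idle_timeout):
    """Collector-side merge: join records with the same key when the gap between
    one record's last packet and the next record's first is within idle_timeout."""
    merged, tail = [], {}
    for rec in sorted(records, key=lambda f: f.first):
        idx = tail.get(rec.key)
        if idx is not None and rec.first - merged[idx].last <= idle_timeout:
            prev = merged[idx]
            merged[idx] = prev._replace(
                last=max(prev.last, rec.last),
                packets=prev.packets + rec.packets,
                bytes=prev.bytes + rec.bytes)
        else:
            tail[rec.key] = len(merged)
            merged.append(rec)
    return merged

# Constructed sample: one keep-alive HTTP connection sending a request every 5 s
# for 20 s, plus a single DNS lookup.
HTTP = ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp")
DNS = ("10.0.0.5", 53000, "192.0.2.53", 53, "udp")
PACKETS = [(t, HTTP, 600) for t in (0.0, 5.0, 10.0, 15.0, 20.0)] + [(1.0, DNS, 80)]

if __name__ == "__main__":
    for timeout in (1, 30):
        print(f"idle timeout {timeout:>2}s -> {len(export_flows(PACKETS, timeout))} records")
    for rec in stitch(export_flows(PACKETS, 1), 30):
        print(rec)
```

Stitching restores duration and counters for an IDS, but it also merges unrelated connections that reuse the same 5-tuple inside the window, so the window should match the idle timeout the detection rules were written for.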
