[ovs-discuss] OVS NetFlow export - is there passive timeout?
peter.phaal at inmon.com
Thu Nov 6 15:32:08 UTC 2014
One way to understand the difference between sFlow and NetFlow monitoring is to view them as different stages in the measurement pipeline. With NetFlow the flow cache exists on the switch and with sFlow the flow cache is external.
With an external flow cache, you can choose your own flow expiration settings and flow keys; you are not limited by the options implemented by the on-switch flow cache:
> On Nov 6, 2014, at 2:26 AM, Motonori Shindo <motonori at shin.do> wrote:
> NetFlow on OVS can potentially generate more flow records than usual router/switch-based exporters because of a relatively short “inactive” timeout (1.5s in my understanding). Depending on the collector of your choice, it may be worth considering to use sFlow instead because it can give information beyond L4 header so more context it can give to the IDS.
> Motonori Shindo
> On 2014/11/06 19:04, Martin Vizvary <vizvary at ics.muni.cz> wrote:
>> On 11/05/2014 05:16 PM, Ben Pfaff wrote:
>>> On Wed, Nov 05, 2014 at 04:59:30PM +0100, Martin Vizvary wrote:
>>>> does anybody know if and how is implemented passive timeout for flow
>>>> I was playing around with it, but you can configure only active timeout.
>>>> (passive timeout is approximately 1s - I guess it is connected with the
>>>> next_timeout cycle only...)
>>> The passive timeout triggers at the same time that OVS removes a flow
>>> from the datapath. That is managed internally to OVS mainly to ensure a
>>> good balance between performance, CPU usage, and memory usage. It's
>>> probably not a good idea to try to adjust it just to change the NetFlow
>>> passive timeout.
>> Thank you for fast response. Well, I know it will have impact on OVS
>> performance, however it is not a good idea to use network flows with 1s
>> timeout (current netflow probes use 30s/60s). Every request that takes
>> longer than 2s will be divided into two flow records. Every service with
>> keep-alive longer than 1-2s timeout will be divided into several flow
>> records, etc.
>> It will end with a huge amount of network flows in real networks. Also,
>> divided flows will be useless for current Intrusion Detection Systems...
>> Did you measure the impact of longer timeouts on OVS performance?
>> Mgr. Martin Vizvary vizvary at ics.muni.cz
>> Security Department, CSIRT-MU group http://csirt.muni.cz
>> Institute of Computer Science, Masaryk University, Brno, Czech Republic
>> PGP Key ID: 0xF2D9925F
>> discuss mailing list
>> discuss at openvswitch.org
>> http://openvswitch.org/mailman/listinfo/discuss
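As an added illustration of the two points made in this thread (Peter's: an external flow cache lets the collector choose its own keys and expiration; Martin's: a ~1.5s inactive timeout splits a keep-alive session into many records), the toy flow cache below is example code written for this page, not code from OVS, sFlow or any of the posters. The 5-tuple key, packet sizes and timings are constructed sample input.

```python
from dataclasses import dataclass


@dataclass
class FlowRecord:
    key: tuple          # (src, dst, proto, sport, dport) chosen by the collector
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """External flow cache: the collector, not the switch, picks the timeouts."""

    def __init__(self, active_timeout: float, inactive_timeout: float):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.active: dict[tuple, FlowRecord] = {}
        self.exported: list[FlowRecord] = []

    def expire(self, now: float) -> None:
        # Export a record when it has been idle too long (inactive timeout)
        # or has been open too long (active timeout, keeps long flows visible).
        for key, rec in list(self.active.items()):
            if (now - rec.last_seen >= self.inactive_timeout
                    or now - rec.first_seen >= self.active_timeout):
                self.exported.append(self.active.pop(key))

    def observe(self, ts: float, key: tuple, octets: int) -> None:
        self.expire(ts)  # an idle-expired record is exported before a new one starts
        rec = self.active.get(key)
        if rec is None:
            rec = self.active[key] = FlowRecord(key, ts, ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += octets

    def flush(self) -> list[FlowRecord]:
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def record_count(inactive_timeout: float, active_timeout: float = 60.0,
                 gap: float = 2.0, n_packets: int = 10) -> int:
    """Constructed keep-alive session: one 512-byte packet every `gap` seconds."""
    key = ("10.0.0.1", "10.0.0.2", 6, 40512, 80)  # constructed sample 5-tuple
    cache = FlowCache(active_timeout, inactive_timeout)
    for i in range(n_packets):
        cache.observe(i * gap, key, 512)
    return len(cache.flush())
```

With a 1.5s inactive timeout the session is exported as one record per packet; with 30s it is a single record, so the collector's own choice of expiration decides what an IDS downstream gets to see.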