[ovs-discuss] OVS NetFlow export - is there passive timeout?
blp at nicira.com
Thu Nov 6 16:18:05 UTC 2014
On Thu, Nov 06, 2014 at 11:04:35AM +0100, Martin Vizvary wrote:
> On 11/05/2014 05:16 PM, Ben Pfaff wrote:
> > On Wed, Nov 05, 2014 at 04:59:30PM +0100, Martin Vizvary wrote:
> >> does anybody know if and how passive timeout is implemented for flow
> >> expiration?
> >> I was playing around with it, but you can configure only active timeout.
> >> (passive timeout is approximately 1s - I guess it is connected with
> >> the next_timeout cycle only...)
> > The passive timeout triggers at the same time that OVS removes a flow
> > from the datapath. That is managed internally to OVS mainly to ensure a
> > good balance between performance, CPU usage, and memory usage. It's
> > probably not a good idea to try to adjust it just to change the NetFlow
> > passive timeout.
> Thank you for the fast response. Well, I know it will have an impact on OVS
> performance, however it is not a good idea to use network flows with a 1s
> timeout (current netflow probes use 30s/60s). Every request that takes
> longer than 2s will be divided into two flow records. Every service with
> a keep-alive longer than the 1-2s timeout will be divided into several flow
> records, etc.
> It will end with a huge number of network flows in real networks. Also
> divided flows will be useless for current Intrusion Detection Systems...
> Did you measure the impact of longer timeouts on OVS performance?
Currently the passive timeout is tied to the datapath flow expiration
interval. It's not a good idea to adjust the timeout interval just to
change the NetFlow passive timeout. You could experiment with
implementing a NetFlow-specific cache to hold records for a while.
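The NetFlow-specific cache suggested above, sketched here as an added example (not OVS code and not from anyone in the thread): a collector-side merge cache that re-joins records for the same 5-tuple when the idle gap between them is below a passive timeout and the merged record stays within an active timeout, so flows split at the ~1s datapath expiry come out looking like the 30s/60s records of ordinary probes. The record layout, the 30s/60s defaults and the sample records are constructed for the demonstration.

```python
from dataclasses import dataclass, replace


@dataclass
class FlowRecord:
    """One exported record (constructed layout): key is the 5-tuple
    (src, dst, sport, dport, proto); times are in seconds."""
    key: tuple
    first: float
    last: float
    packets: int
    bytes: int


class MergeCache:
    """Re-joins fragments of one flow that OVS exported because its datapath
    entry idled out (~1 s), until a real passive/active timeout elapses."""

    def __init__(self, passive=30.0, active=60.0):
        self.passive, self.active = passive, active
        self.pending = {}   # key -> merged record still open
        self.emitted = []   # records released downstream

    def add(self, rec):
        cur = self.pending.get(rec.key)
        if cur is not None:
            gap = rec.first - cur.last
            if gap <= self.passive and rec.last - cur.first <= self.active:
                cur.last = max(cur.last, rec.last)   # still the same flow
                cur.packets += rec.packets
                cur.bytes += rec.bytes
                return
            self.emitted.append(cur)   # idle gap too long or active limit hit
        self.pending[rec.key] = replace(rec)   # copy; caller's record stays intact

    def expire(self, now):
        """Release open flows idle past the passive or older than the active timeout."""
        for k, rec in list(self.pending.items()):
            if now - rec.last > self.passive or now - rec.first > self.active:
                self.emitted.append(self.pending.pop(k))
        return self.emitted


def demo():
    """Constructed sample: one keep-alive HTTP connection exported as four
    1 s-idle fragments, plus one unrelated HTTPS record."""
    c = MergeCache()
    http = ("10.0.0.5", "10.0.0.9", 40000, 80, 6)
    for first, last, pk, by in [(0.0, 0.4, 5, 600), (2.0, 2.3, 3, 300),
                                (7.5, 8.0, 4, 900), (45.0, 45.5, 2, 200)]:
        c.add(FlowRecord(http, first, last, pk, by))
    c.add(FlowRecord(("10.0.0.5", "10.0.0.9", 40001, 443, 6), 0.0, 0.2, 1, 60))
    return c.expire(now=80.0)  # fragments 1-3 merge; fragment 4 starts 37 s later
```

With the sample input, the three fragments within the 30 s idle window become a single 12-packet record, while the fourth fragment is released separately because it starts 37 s after the previous one.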