On Thu, Jan 21, 2016 at 11:00:46PM +0900, Randy Bush wrote:
We know the GPS coordinates for each BGP next-hop in the network, and traffic is sampled on ingress at the edge of the network and reported to pmacct (*flow), which also receives a RR-style BGP feed for correlation.
We can know where (geographically) a packet enters the network, where it leaves the network and to what address family it belongs.
i have only seen pmacct used for aggregated flow/traffic. you actually know where each packet enters and leaves?
No, not each individual packet. That's too much data. (Taking into consideration that anything reported through flow-based telemetry to the pmacct instances is heavily sampled.)

You can configure pmacct to specify on which properties of the received flow data it should aggregate its output data. One could configure pmacct to store data using the following primitives:

    ($timeperiod, $entrypoint_router_id, $bgp_nexthop, $packet_count)

Where $timeperiod is something like 5 minute ranges, and the post processing software calculates the distance between the entrypoint router and where the flow would leave the network ($bgp_nexthop).

See 'aggregate' on http://wiki.pmacct.net/OfficialConfigKeys

In short: you configure pmacct to throw away everything you don't need (maybe after some light pre-processing), and hope that what remains is small enough to fit in your cluster and at the same time offers enough insight to answer the question you set out to resolve.

Kind regards,

Job
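The post-processing step described in the message above, sketched as an added example that is not part of the original thread and is not pmacct code. The record layout follows the four primitives named in the message; the addresses, coordinates, sample records and function names are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed lookup table: router ID / BGP next-hop -> (latitude, longitude).
# Addresses are documentation prefixes; coordinates are approximate city locations.
COORDS = {
    "192.0.2.1": (52.37, 4.90),    # Amsterdam
    "192.0.2.2": (51.51, -0.13),   # London
    "192.0.2.3": (40.71, -74.01),  # New York
}

# Constructed aggregated records in the shape described in the message:
# (timeperiod, entrypoint_router_id, bgp_nexthop, packet_count)
RECORDS = [
    ("2016-01-21T14:00", "192.0.2.1", "192.0.2.2", 1200),
    ("2016-01-21T14:00", "192.0.2.1", "192.0.2.3", 300),
    ("2016-01-21T14:00", "192.0.2.2", "192.0.2.2", 500),
    ("2016-01-21T14:05", "192.0.2.3", "192.0.2.1", 800),
    ("2016-01-21T14:05", "192.0.2.1", "198.51.100.9", 50),  # next-hop with no coordinates
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def distance_per_period(records, coords):
    """Return {timeperiod: (packet-weighted mean km, packets counted, packets skipped)}."""
    acc = defaultdict(lambda: [0.0, 0, 0])  # [sum of km*packets, packets, skipped]
    for period, entry, nexthop, packets in records:
        slot = acc[period]
        if entry not in coords or nexthop not in coords:
            slot[2] += packets  # unknown location: count it separately, do not guess
            continue
        slot[0] += haversine_km(coords[entry], coords[nexthop]) * packets
        slot[1] += packets
    return {p: (km / n if n else 0.0, n, skipped) for p, (km, n, skipped) in acc.items()}

if __name__ == "__main__":
    for period, (mean_km, n, skipped) in sorted(distance_per_period(RECORDS, COORDS).items()):
        print(f"{period}: {mean_km:.0f} km mean over {n} sampled packets, {skipped} unlocated")
```

Because the input is sampled, the packet counts are weights rather than absolute totals, and the skipped count shows how much of each period could not be placed geographically.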