Flow Flag Indicator final pass

Carter Bullard carter at qosient.com
Fri Apr 27 14:35:13 EDT 2007 

Gentle people,
I'm doing the final pass on the flags field.  We went through this  
pretty well
in December, and got the man page and the implementation to agree.
Right now I'm going through and getting the functionality down.  If  
anyone
has an opinion about this field, please send some email, so we can get
it "right" for the release!!!!!

The last issue that needs to be discussed, IMHO,  is the sub-IP  
encapsulation
reporting.  Argus now parses a large number of sub-IP encapsulations to
try to find the IP flow information, if it exists.  If there is no IP  
flow, we will
formulate the flow using the last encapsulation that we parsed.  In many
cases, there can be a large number of encapsulations in the flow  
report, such
as multiple MPLS labels, multiple VLAN tags, ethernet headers, PPP, GRE,
ISL and possibly AH, IP and IPv6 encapsulations.  There maybe others
that we could also parse, and if we're missing one of your favorites,  
please
send some email!!!!

The goal of the Flags field is to provide a simple indication of  
specific
issues that may occur in the flow, but in as concise a way as possible.
The idea is to indicate states that would be of interest, such as  
ICMP mapping,
loss, flow control status, options, fragmentation.  The type of  
encapsulation
needs to be available, so that we can know that there is some additional
data that maybe of interest, such as an MPLS label, in the flow record.

To try to get to that goal, we have reserved the second character in  
the flags
field to indicate sub-IP encapsulations.

We currently support reporting on these types of sub-IP encapsulations:

              m       -  MPLS encapsulated flow
              e       -  Ethernet encapsulated flow
              l       -  LLC encapsulated flow
              v       -  802.11Q encapsulations/tags
              p       -  PPP over Enternet encapsulated flow
              i       -  ISL encapsulated flow
              G       -  GRE enscapsulation
              A       -  AH enscapsulation
              P       -  IP tunnel encapsulation
              6       -  IPv6 tunnel encapsulation

The question is what is the best way of reporting them in the
default mode, especially when there are multiple encaps
being used at the same time.

This is what was/is supported in argus-2.x:

              m       -  MPLS encapsulated flow
              q       -  802.1Q encapsulated flow
              p       -  PPP over Enternet encapsulated flow
              E       -  Multiple encapsulations/tags

So we're doing a bit better, but we're also now in a position
where most of the flows will have multiple encapsulations
to report.

In many installations, all packets are ethernet encapsulated,
and then possibly there will be vlans, and maybe GRE tunnels.
In some MPLS networks, you will have MPLS, and Ethernet,
and VLANS, and GRE and then possibly AH and IPnIP.
So what is the best way to indicate that there are a lot of
encapsulations going on?

I have two basic possibilities already implemented.  The first
is that we just put the letter if its the only encapsulation, and
a 'E' as we used in argus-2.x.  The second is we go through
the list of encapsulations and just use the letter of the highest
encapsulation we see, using the explicit order above, which is
in a reasonable hierarchical order.

Both are valid, but neither is as informative as it could be.
Any suggestions?

Carter

More information about the argus mailing list