Hi Chris, Good pointer. From a brief scan of the Aguri homepage, please feel free to correct whether i'm wrong, i see many similarities between pmacct and Aguri.
Aguri is slightly more limited in the fact it has only a set of (4?) traffic aggregation profiles whereas pmacct offers a wider range of primitives. But I guess the point you wanted to make was the dynamic variation of the sampling rate under increased traffic load (ie. DDoS). pmacct actually does have such feature only available to the SQL plugins: it's part of the SQL preprocess infrastructure (look for 'sql_preprocess' in the CONFIG-KEYS document or the wiki) and is called 'fsrc' (Flow Sampling under Resource Constraints). It is an implementation i did years ago loosely based on a paper coming from AT&T Labs. It aims at offering to the SQL database a sort of stream-lined number of aggregates; aggregates are weighted, ranked and sampled based on probability (which gives the dynamic/adaptive part of the approach); the resource constraint is expressed via the number of flows you want to end in the database (which is in turn seen as the constrained resource here). Let me add: years ago i found it working for me, but perhaps it lacks of thorough testing; anybody reading this email actually using this feature (or did in the past) and is able to provide feedback? Thoughts? Cheers, Paolo On Fri, Jun 12, 2009 at 09:42:22AM +0300, Chris Wilson wrote: > Hi all, > > Has anyone heard of Aguri? > > "Aguri is an aggregation-based traffic profiler targeted for near > real-time, long-term, and wide-area traffic monitoring. Aguri adapts > itself to spatial traffic distribution by aggregating small volume flows > into aggregates, and achieves temporal aggregation by creating a summary > of summaries applying the same algorithm to its outputs. A set of scripts > are used for archiving and visualizing summaries in different time scales. > Aguri does not need a predefined rule set and is capable of detecting an > unexpected increase of unknown protocols or DoS attacks, which > considerably simplifies the task of network monitoring." > > [http://www.sonycsl.co.jp/person/kjc/kjc/software.html] > > I think I remember something like this being posted to the list a while > back, so I'm sorry if this is a duplicate. > > Has anyone considered implementing anything like this flexible aggregation > in pmacct? Could the code be taken from Aguri under BSD license? > > Cheers, Chris. > -- > Aptivate | http://www.aptivate.org | Phone: +44 1223 760887 > The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES > > Aptivate is a not-for-profit company registered in England and Wales > with company number 04980791. > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
