Hello Amos,
The Purpose of implementing IPFIX in Squid would be a logging
mechanism similar to using syslog to collect log data on remote
machines.
I think that the way you are seeing IPFIX is presented in a way that
looks like it is limited to Layer4 data. The reason for this is that
IPFIX has evolved from Cisco's NetFlow which was limited to layer 4
data.
IPFIX is a protocol that allows any type of data to be packaged and
sent to a collector. A template is sent along side the packaged data
that tells the collector what to do with it.
For instance, a very basic data export template out of squid would
+-----------------+-----------+----------------+------------------------------+
|source addr | bytes | code + HTTP URL |
+-----------------+-----------+-----------------+-----------------------------+
Each IPFIX packet can contain about 25 "flow" records as opposed to
Syslog's limit of 1 per packet.
The template system has big advantage over syslog because any IPFIX
compliant collector should be able to collect, properly parse and
store this data immediately for reporting purposes. This completely
eliminates the need to parse a logfile to generate reports.
There are several vendors that are implementing IPFIX to export.
-One such product is nProbe http://www.ntop.org/nProbe.html . As you
can see, this product generates records and export things like VOIP,
SMTP, latency, jitter and (soon) HTTP information.
-A major firewall vendor we are working with will also be implementing
the export of this higher level data via IPFIX.
Anything that can be logged by squid can be exported as IPFIX data and
in turn be available for reporting in near realtime. This seems to be
a real advantage over how reporting needs to occur now.
I hope I have explained this properly. Please let me know if you have
any questions about IPFIX.
Warm regards,
Mike Krygeris