Netflow problems with 'O'

David Brumley dbrumley at rtfm.stanford.edu
Fri Jan 12 12:00:48 EST 2001


>    ra -d8 -ncCa

There are several things to make sure of.  First, make sure that the
destination port on the machine is 9995.  Then, running ra you should
get something like:
Cdbrumley at netops-10> ./ra -ncC -P 9992
ra: Binding port 9992 Expecting Netflow records
ra: receiving
25 Apr 79 11:19:20     ip   128.218.98.66        ->     171.66.122.53
     12       0         2225         0           INT
25 Apr 79 11:25:16     ip  171.66.121.100        ->     194.205.123.3
     1        0         160          0           INT
25 Apr 79 14:52:16     ip  136.142.107.18        ->    171.66.122.148
     1        0         40           0           INT

If not, run with -d8 and check that ArgusReadCiscoStreamSocket is
returning bytes, e.g.:
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
starting
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
read 4 bytes
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
returning 0
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
starting
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
read 12 bytes
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
read record header
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
returning 0
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
starting
ra[25749]: 12 Jan 01 08:58:34 ArgusReadCiscoStreamSocket (0x11b988)
read 48 byt

If you're still having a problem, let me know what your output looks
like.

FYI, CISCO netflow formats between the router and collector are
different from the actual stored version.  I think even modestly
current software exports V1 from the router.

signed,
-djb


> > -----Original Message-----
> > From: Torbjorn.Wictorin at its.uu.se [mailto:Torbjorn.Wictorin at its.uu.se]
> > Sent: Friday, January 12, 2001 9:29 AM
> > To: Carter Bullard
> > Subject: RE: argus-2.0.0O.tar.gz
> >
> >
> > hello again,
> >
> > No, I have verified that there is UDP data coming to port 9995
> > on my host and that ra is listening on the same port.
> > Could it be the version (1) of netflow data? I understand that
> > others exist, but the IOS release is too old to produce anything else.
> >
> > /torbjörn
> >
> > On Fri, 12 Jan 2001, Carter Bullard wrote:
> >
> > > Hey Torbjorn,
> > > There could still be bugs, so I'm sure it is not
> > > an understanding issue.  So, tcpdump indicates that
> > > the netflow data is indeed going to the ra() host
> > > and port 9995?
> > >
> > > If the router is sending to a different port, then
> > > you may have to use the -P option.  Is this possibly
> > > a problem?
> > ..
> > > > perhaps it is something that I don't understand...
> > > >
> > > > I have configured a cisco router to send netflow records (type 1).
> > > > Can see with tcpdump that data arrives.
> > > > Compiled argus-2.0.0O.
> > > > ra -C -a
> > > >
> > > > bin/ra -C -a
> > > > ra: Binding port 9995 Expecting Netflow records
> > > > ra: receiving
> > > > (waited a while, ^C)
> > > > No data seen.
> > > >
> > > > netstat -a shows that ra is listening on udp port 9995 while
> > > > running ra.
> > > >
> > > > Any ideas?
> > > >
> > > > btw, tried bin/ra -C -S xxx.xxx.xxx.xxx
> > > > this tries to connect to an argus server on xxx.xxx.xxx.xxx
> > > > should perhaps be clarified...
> >
> >

-- 
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Fact: you can burn 150 calories per hour banging your head against a wall
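The thread above turns on two questions a collector operator keeps running into: is anything arriving on udp/9995 at all, and is it the NetFlow version the collector expects? The debug trace (4 bytes, then 12 bytes, then 48-byte records) matches the Cisco v1 export layout: a 16-byte header followed by 48-byte flow records. The following is an added example, not argus or ra code, written for this page: a stand-alone Python decoder for v1 export datagrams that first peeks at the version field, then validates the record count against the datagram length before decoding. The two flows in SAMPLE_DATAGRAM are constructed test input (addresses and counts borrowed from the ra output above; the ports, interface indices and timestamps are made up), and `build_v1_datagram`, `listen` and `--listen` are names chosen here, not argus options.

```python
"""Decode Cisco NetFlow v1 export datagrams (example code, not part of argus)."""
import socket
import struct
import sys
from typing import Dict, List, Optional, Tuple

# Cisco NetFlow v1 export datagram: a 16-byte header followed by `count` 48-byte records.
HEADER_FMT = "!HHIII"                 # version, count, SysUptime(ms), unix_secs, unix_nsecs
RECORD_FMT = "!4s4s4sHHIIIIHHHBBB7s"  # srcaddr, dstaddr, nexthop, input, output, dPkts,
                                      # dOctets, First, Last, srcport, dstport, pad1,
                                      # prot, tos, tcp_flags, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def export_version(datagram: bytes) -> Optional[int]:
    """Every NetFlow export version (1, 5, 7, 9) begins with a 16-bit version field,
    so the first two bytes tell you what the router is really sending."""
    if len(datagram) < 2:
        return None
    return struct.unpack_from("!H", datagram, 0)[0]


def parse_netflow_v1(datagram: bytes) -> Tuple[Dict[str, int], List[Dict[str, object]]]:
    """Return (header, records) for a v1 datagram; raise ValueError if it is not one."""
    if len(datagram) < HEADER_LEN:
        raise ValueError(f"only {len(datagram)} bytes, shorter than a NetFlow header")
    version, count, uptime, secs, nsecs = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 1:
        raise ValueError(f"version field is {version}, not 1")
    expected = HEADER_LEN + count * RECORD_LEN
    if len(datagram) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes), got {len(datagram)}")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs}
    records: List[Dict[str, object]] = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, proto, tos, flags, _pad2) = fields
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop), "input": in_if, "output": out_if,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos, "tcp_flags": flags,
        })
    return header, records


def build_v1_datagram(flows: List[Tuple[str, str, int, int, int, int, int]],
                      uptime_ms: int = 3_600_000, unix_secs: int = 979_315_114) -> bytes:
    """Build a v1 datagram from (src, dst, proto, sport, dport, packets, octets) tuples.
    Only used here to construct test input; a real router fills in the other fields."""
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                    socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                    uptime_ms - 5_000, uptime_ms - 1_000, sport, dport, 0,
                    proto, 0, 0x18 if proto == 6 else 0, b"\x00" * 7)
        for src, dst, proto, sport, dport, pkts, octets in flows)
    return struct.pack(HEADER_FMT, 1, len(flows), uptime_ms, unix_secs, 0) + body


# Constructed sample: two flows using the addresses and counts seen in the ra output;
# ports, interfaces and timestamps are invented.
SAMPLE_DATAGRAM = build_v1_datagram([
    ("128.218.98.66", "171.66.122.53", 6, 34567, 80, 12, 2225),
    ("171.66.121.100", "194.205.123.3", 17, 53, 53, 1, 160),
])


def format_record(rec: Dict[str, object]) -> str:
    return (f"proto {rec['proto']:>3} {rec['src']}:{rec['sport']} -> "
            f"{rec['dst']}:{rec['dport']} pkts={rec['packets']} bytes={rec['octets']}")


def listen(port: int = 9995, host: str = "0.0.0.0") -> None:
    """Bind the collector port and decode datagrams as they arrive (Ctrl-C to stop).
    A non-v1 datagram is reported with its version rather than silently dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        print(f"listening on udp/{port}")
        while True:
            data, (peer_host, peer_port) = sock.recvfrom(65535)
            try:
                header, records = parse_netflow_v1(data)
            except ValueError as err:
                print(f"{peer_host}:{peer_port} sent {len(data)} bytes, "
                      f"version {export_version(data)}: {err}")
                continue
            for rec in records:
                print(format_record(rec))


if __name__ == "__main__":
    hdr, recs = parse_netflow_v1(SAMPLE_DATAGRAM)
    print(f"v{hdr['version']} datagram, {hdr['count']} records")
    for r in recs:
        print(format_record(r))
    if "--listen" in sys.argv:
        listen()
```

Run without arguments to decode the constructed sample; run with `--listen` on the collector host (with ra stopped, since only one process can bind udp/9995) to see what the router is actually sending. If the version printed for a live datagram is not 1, the collector is not at fault for ignoring it; if the length check fails, the export is something other than plain v1 or is being truncated on the way.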


