Support for Cisco NET Flow
Carter Bullard
carter at qosient.com
Fri Nov 23 10:09:24 EST 2001
Hey Miguel,
Sorry, holiday season came up.
Try this patch, it should fix a lot of issues with the
NetFlow support. There is still one known issue, where
converting from NetFlow to Argus isn't quite right,
but I'll have a fix early next week.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
cvs diff: Diffing .
Index: argus_parse.c
===================================================================
RCS file: /usr/local/cvsroot/argus/common/argus_parse.c,v
retrieving revision 1.129.4.4.2.9
diff -r1.129.4.4.2.9 argus_parse.c
1530a1531,1533
> if (input->ArgusCiscoNetFlowParse == NULL)
> input->ArgusCiscoNetFlowParse =
> ArgusParseCiscoRecord;
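Review bot: the hunk at 1530 silently defaults `input->ArgusCiscoNetFlowParse` to `ArgusParseCiscoRecord` whenever it is NULL, which papers over whatever left the pointer unset in the first place (the dump quoted below shows `ArgusReadCiscoVersion = 5` with `ArgusCiscoNetFlowParse = 0` after `ArgusParseInit` has returned). If the parser is meant to be chosen by NetFlow version, set it where the version is decided, and make the call at 1588 return an error when the pointer is still NULL instead of jumping through it. Also, a plain-format `cvs diff` quoted in mail makes the `>` add-markers indistinguishable from reply quoting; `cvs diff -u` would give reviewers context lines and an unambiguous patch.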
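The crash in the backtrace quoted below (a call through `input->ArgusCiscoNetFlowParse` while it is 0) and the patch above both come down to a dispatch pointer that was never initialised. This added example is not Argus code: it uses hypothetical simplified names (`struct input`, `select_parser`, `read_record_checked`) to show the unguarded read step beside a guarded one, plus a version-keyed parser selection that returns NULL for an unsupported export version instead of leaving the pointer to chance.

```c
/* Added example, not from Argus: a NULL parser pointer in a record reader,
 * unguarded (as in the reported crash) and guarded. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

typedef int (*parse_fn)(const unsigned char *buf, size_t len);

struct input {
    int version;      /* NetFlow export version taken from the record header */
    parse_fn parse;   /* per-version record parser; NULL if never assigned */
};

/* Minimal NetFlow v5 check: the first 16 bits carry the version, network order. */
static int parse_v5(const unsigned char *buf, size_t len) {
    uint16_t ver;
    if (len < sizeof ver) return -1;
    memcpy(&ver, buf, sizeof ver);
    return ntohs(ver) == 5 ? 0 : -1;
}

/* Pick the parser once, at init, from the header version; NULL means unsupported. */
parse_fn select_parser(int version) {
    return version == 5 ? parse_v5 : NULL;
}

/* Unguarded read step, the shape of the crash: a NULL in->parse jumps to 0x0. */
int read_record_unchecked(struct input *in, const unsigned char *buf, size_t len) {
    return in->parse(buf, len);
}

/* Guarded read step: refuse to dispatch through NULL and report it as an error. */
int read_record_checked(struct input *in, const unsigned char *buf, size_t len) {
    if (in->parse == NULL)
        return -2;    /* distinct code so callers can log "no parser for version" */
    return in->parse(buf, len);
}

/* Constructed sample: a 4-byte v5-style header fed through a configured reader. */
int demo_v5(void) {
    const unsigned char rec[] = { 0x00, 0x05, 0x00, 0x01 };
    struct input in = { 5, select_parser(5) };
    return read_record_checked(&in, rec, sizeof rec);      /* 0 */
}

/* Constructed sample: unsupported version 9 leaves parse NULL; guarded path returns -2. */
int demo_unset(void) {
    const unsigned char rec[] = { 0x00, 0x09, 0x00, 0x01 };
    struct input in = { 9, select_parser(9) };
    return read_record_checked(&in, rec, sizeof rec);      /* -2 */
}
```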
>
> -----Original Message-----
> From: miguelangel.fernandez at es.jazztel.com
> [mailto:miguelangel.fernandez at es.jazztel.com]
> Sent: Thursday, November 22, 2001 11:22 AM
> To: carter at qosient.com
> Cc: jose.nazario at jazztel.com
> Subject: RE: Support for Cisco NET Flow
>
> Hey Carter
>
> What about our problem? Is it fixed?
> Can you give me a date?
>
> Thank you very much and Regards.
>
> Miguel
>
> "Carter Bullard" <carter at qosient.com> on 19/11/2001 20.21.35
>
> Please reply to <carter at qosient.com>
>
> Recipients: <miguelangel.fernandez at es.jazztel.com>
> CC:
>
> Subject: RE: Support for Cisco NET Flow
>
>
> Hey Miguel,
> Yes that is all that I need to begin the fix.
> The last data element, input->ArgusCiscoNetFlowParse
> is NULL, which is not a good thing.
>
> Thanks, I'll try to have a fix by tomorrow!
>
> Carter
>
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York 10022
>
> carter at qosient.com
> Phone +1 212 588-9133
> Fax +1 212 588-9134
> http://qosient.com
>
> > -----Original Message-----
> > From: miguelangel.fernandez at es.jazztel.com
> > [mailto:miguelangel.fernandez at es.jazztel.com]
> > Sent: Monday, November 19, 2001 11:33 AM
> > To: carter at qosient.com
> > Subject: RE: Support for Cisco NET Flow
> >
> > You're welcome
> >
> > Miguel
> >
> > (gdb) up
> > #1  0x804d5bb in ArgusReadCiscoStreamSocket (input=0x8149000) at ./argus_parse.c:1588
> > 1588          if (ArgusHandleDatum (input->ArgusCiscoNetFlowParse (input->ArgusReadPtr), &ArgusFilterCode))
> > (gdb) list
> > 1583             ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read record complete\n", input);
> > 1584  #endif
> > 1585          if (Cflag)
> > 1586             *((unsigned short *)input->ArgusReadPtr) = ntohs (*((unsigned short *)input->ArgusReadPtr));
> > 1587
> > 1588          if (ArgusHandleDatum (input->ArgusCiscoNetFlowParse (input->ArgusReadPtr), &ArgusFilterCode))
> > 1589             return(1);
> > 1590
> > 1591          if (!(input->ArgusReadSocketNum--)) {
> > 1592             input->ArgusReadPtr = input->ArgusReadBuffer;
> > (gdb) print input
> > $1 = (struct ARGUS_INPUT *) 0x8149000
> > (gdb) print *input
> > $2 = {nxt = 0x0, addr = 0, hostname = 0x0, filename = 0x0, pipe = 0x0, in = 0x0, out = 0x0, status = 16, portnum = 9995,
> >   ArgusInitCon = {ahdr = {type = 144 '\220', cause = 1 '\001', length = 128, status = 0, argusid = 3848370891, seqNumber = 0},
> >     ar_union = {mar = {startime = {tv_sec = 1005615945, tv_usec = 0}, now = {tv_sec = 1005615945, tv_usec = 0}, major_version = 2 '\002', minor_version = 0 '\000', interfaceType = 0 '\000', interfaceStatus = 0 '\000', reportInterval = 0, argusMrInterval = 0, argusid = 0, localnet = 0, netmask = 0, nextMrSequenceNum = 0, pktsRcvd = 0, bytesRcvd = 0, pktsDrop = 0, flows = 0, flowsClosed = 0, actIPcons = 0, cloIPcons = 0, actICMPcons = 0, cloICMPcons = 0, actIGMPcons = 0, cloIGMPcons = 0, actFRAGcons = 0, cloFRAGcons = 0, actSECcons = 0, cloSECcons = 0, record_len = -1},
> >       far = {type = 73 'I', length = 123 '{', status = 15344, ArgusTransRefNum = 0, time = {start = {tv_sec = 1005615945, tv_usec = 0}, last = {tv_sec = 2, tv_usec = 0}},
> >         flow = {flow_union = {ip = {ip_src = 0, ip_dst = 0, ip_p = 0 '\000', tp_p = 0 '\000', sport = 0, dport = 0, ip_id = 0}, icmp = {ip_src = 0, ip_dst = 0, ip_p = 0 '\000', tp_p = 0 '\000', type = 0 '\000', code = 0 '\000', id = 0, ip_id = 0}, mac = {ehdr = {ether_dhost = "\000\000\000\000\000", ether_shost = "\000\000\000\000\000", ether_type = 0}, dsap = 0 '\000', ssap = 0 '\000'}, arp = {arp_spa = 0, arp_tpa = 0, etheraddr = "\000\000\000\000\000", pad = 0}, rarp = {arp_tpa = 0, srceaddr = "\000\000\000\000\000", tareaddr = "\000\000\000\000\000"}, esp = {ip_src = 0, ip_dst = 0, ip_p = 0 '\000', tp_p = 0 '\000', pad = 0, spi = 0}}},
> >         attr = {attr_union = {ip = {soptions = 0, doptions = 0, sttl = 0 '\000', dttl = 0 '\000', stos = 0 '\000', dtos = 0 '\000'}, arp = {response = "\000\000\000\000\000\000\000"}}},
> >         src = {count = 0, bytes = 0, appbytes = 0}, dst = {count = 0, bytes = 0, appbytes = 0}}}},
> >   ArgusManStart = {ahdr = {type = 0 '\000', cause = 0 '\000', length = 0, status = 0, argusid = 0, seqNumber = 0},
> >     ar_union = {mar = {startime = {tv_sec = 0, tv_usec = 0}, now = {tv_sec = 0, tv_usec = 0}, major_version = 0 '\000', minor_version = 0 '\000', interfaceType = 0 '\000', interfaceStatus = 0 '\000', reportInterval = 0, argusMrInterval = 0, argusid = 0, localnet = 0, netmask = 0, nextMrSequenceNum = 0, pktsRcvd = 0, bytesRcvd = 0, pktsDrop = 0, flows = 0, flowsClosed = 0, actIPcons = 0, cloIPcons = 0, actICMPcons = 0, cloICMPcons = 0, actIGMPcons = 0, cloIGMPcons = 0, actFRAGcons = 0, cloFRAGcons = 0, actSECcons = 0, cloSECcons = 0, record_len = 0},
> >       far = {type = 0 '\000', length = 0 '\000', status = 0, ArgusTransRefNum = 0, time = {start = {tv_sec = 0, tv_usec = 0}, last = {tv_sec = 0, tv_usec = 0}},
> >         flow = {flow_union = {ip = {ip_src = 0, ip_dst = 0, ip_p = 0 '\000', tp_p = 0 '\000', sport = 0, dport = 0, ip_id = 0}, icmp = {ip_src = 0, ip_dst = 0, ip_p = 0 '\000', tp_p = 0 '\000', type = 0 '\000', code = 0 '\000', id = 0, ip_id = 0}, mac = {ehdr = {ether_dhost = "\000\000\000\000\000", ether_shost = "\000\000\000\000\000", ether_type = 0}, dsap = 0 '\000', ssap = 0 '\000'}, arp = {arp_spa = 0, arp_tpa = 0, etheraddr = "\000\000\000\000\000", pad = 0}, rarp = {arp_tpa = 0, srceaddr = "\000\000\000\000\000", tareaddr = "\000\000\000\000\000"}, esp = {ip_src = 0, ip_dst = 0, ip_p = 0 '\000', tp_p = 0 '\000', pad = 0, spi = 0}}},
> >         attr = {attr_union = {ip = {soptions = 0, doptions = 0, sttl = 0 '\000', dttl = 0 '\000', stos = 0 '\000', dtos = 0 '\000'}, arp = {response = "\000\000\000\000\000\000\000"}}},
> >         src = {count = 0, bytes = 0, appbytes = 0}, dst = {count = 0, bytes = 0, appbytes = 0}}}},
> >   fd = 5, m = 0, major_version = 2, minor_version = 0, ArgusLocalNet = 917514, ArgusNetMask = 3238002687,
> >   ArgusReadBuffer = 0x815c000 "", ArgusConvBuffer = 0x815d000 "", ArgusReadPtr = 0x815c004 "\005", ArgusConvPtr = 0x815d000 "", ArgusReadBlockPtr = 0x815c004 "\005",
> >   ArgusReadSocketCnt = 4, ArgusReadSocketSize = 4, ArgusReadSocketState = 4, ArgusReadCiscoVersion = 5, ArgusReadSocketNum = 5, ArgusReadSize = 4,
> >   ArgusCiscoNetFlowParse = 0}
> >
> > "Carter Bullard" <carter at qosient.com> on 19/11/2001 16.44.17
> >
> > Please reply to <carter at qosient.com>
> >
> > Recipients: <miguelangel.fernandez at es.jazztel.com>
> > CC:
> >
> > Subject: RE: Support for Cisco NET Flow
> >
> >
> > Hey Miguel,
> > Oops, we are a subroutine too low.
> > If you could do this after you start gdb?
> >
> > (gdb) up
> >
> > This should take you to a routine that has
> > source code listings and variables.
> >
> > (gdb) list
> > (gdb) print input
> > (gdb) print *input
> >
> > This should print out the values of the input
> > pointer at or near line 1591. The "up" will
> > cause gdb to move up the calling stack to the
> > call at 1591 and then the variable scope should
> > allow you to print the local variables in that
> > routine.
> >
> > Thanks!!!!!!!!
> >
> > Carter
> >
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York 10022
> >
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax +1 212 588-9134
> > http://qosient.com
> >
> > > -----Original Message-----
> > > From: miguelangel.fernandez at es.jazztel.com
> > > [mailto:miguelangel.fernandez at es.jazztel.com]
> > > Sent: Monday, November 19, 2001 9:13 AM
> > > To: carter at qosient.com
> > > Subject: RE: Support for Cisco NET Flow
> > >
> > > I hope it will be useful to you. Here you are.
> > >
> > > Thank you and Regards
> > >
> > > Miguel
> > >
> > > collector-2# gdb ./ra ./ra.core
> > > GNU gdb 4.18
> > > Copyright 1998 Free Software Foundation, Inc.
> > > GDB is free software, covered by the GNU General Public License, and you are
> > > welcome to change it and/or distribute copies of it under certain conditions.
> > > Type "show copying" to see the conditions.
> > > There is absolutely no warranty for GDB.  Type "show warranty" for details.
> > > This GDB was configured as "i386-unknown-freebsd"...
> > > Core was generated by `ra'.
> > > Program terminated with signal 11, Segmentation fault.
> > > Reading symbols from /usr/lib/libc_r.so.4...done.
> > > Reading symbols from /usr/libexec/ld-elf.so.1...done.
> > > #0  0x0 in ?? ()
> > > (gdb) where
> > > #0  0x0 in ?? ()
> > > #1  0x804d5bb in ArgusReadCiscoStreamSocket (input=0x8149000) at ./argus_parse.c:1588
> > > #2  0x804d859 in ArgusReadStream () at ./argus_parse.c:1678
> > > #3  0x804bb47 in main (argc=4, argv=0xbfbffc34) at ./argus_parse.c:520
> > > #4  0x80496fd in _start ()
> > > (gdb) list
> > > 213
> > > 214 char *RaResourceEnvStr [] = {
> > > 215 "HOME",
> > > 216 "ARGUSHOME",
> > > 217 };
> > > 218
> > > 219
> > > 220 int
> > > 221 main (int argc, char **argv)
> > > 222 {
> > >
> > > "Carter Bullard" <carter at qosient.com> on 19/11/2001 13.51.16
> > >
> > > Please reply to <carter at qosient.com>
> > >
> > > Recipients: <miguelangel.fernandez at es.jazztel.com>
> > > CC:
> > >
> > > Subject: RE: Support for Cisco NET Flow
> > >
> > >
> > > Hey Miguel,
> > > There is one more thing that you can do to
> > > help in solving this problem. Because the program
> > > is exiting due to a fatal error, if we could
> > > debug the corefile, that would help a great deal.
> > >
> > > This is what we would need after the Segmentation
> > > fault (core dumped):
> > >
> > > % gdb ./ra core
> > > (gdb) where
> > > (gdb) list
> > >
> > > If you could send a copy of the output of these
> > > commands that would be great!!
> > >
> > > Thanks and sorry for the inconvenience,
> > >
> > > Carter
> > >
> > > Carter Bullard
> > > QoSient, LLC
> > > 300 E. 56th Street, Suite 18K
> > > New York, New York 10022
> > >
> > > carter at qosient.com
> > > Phone +1 212 588-9133
> > > Fax +1 212 588-9134
> > > http://qosient.com
> > >
> > > > -----Original Message-----
> > > > From: miguelangel.fernandez at es.jazztel.com
> > > > [mailto:miguelangel.fernandez at es.jazztel.com]
> > > > Sent: Monday, November 19, 2001 5:10 AM
> > > > To: carter at qosient.com
> > > > Subject: RE: Support for Cisco NET Flow
> > > >
> > > > This is the output of the command ra after doing what you told me.
> > > >
> > > > collector-2# ./ra -C -D 5
> > > > ra: Binding port 9995 Expecting Netflow records
> > > > ra: receiving
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusGetServerSocket (0x8149000) returning 5
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusReadConnection(0x8149000) reading from Cisco Router.
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusParseInit (0x8149000) returning
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusReadConnection() returning 5
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusReadStream() starting
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusReadCiscoStreamSocket (0x8149000) returning 0
> > > > ra[9259]: 12 Nov 01 21:44:24 ArgusReadCiscoStreamSocket (0x8149000) returning 0
> > > > Segmentation fault (core dumped)
> > > >
> > > > We have a router Cisco 2621 with Net Flow Version 5.
> > > >
> > > > Thank you and Regards.
> > > >
> > > > Miguel
> > > >
> > > > "Carter Bullard" <carter at qosient.com> on 15/11/2001 14.21.53
> > > >
> > > > Please reply to <carter at qosient.com>
> > > >
> > > > Recipients: <miguelangel.fernandez at es.jazztel.com>
> > > > CC:
> > > >
> > > > Subject: RE: Support for Cisco NET Flow
> > > >
> > > >
> > > > Hey Miguel,
> > > > Argus is up to 2.0.3, and we are currently testing 2.0.4.beta.3, so
> > > > please download the newer code as it does fix some important bugs.
> > > >
> > > > http://qosient.com/argus/downloads.htm
> > > >
> > > > How do you have Netflow configured? What version
> > > > of records are being generated and to what port?
> > > > How are you running ra()?
> > > >
> > > > To debug ra(), rebuild the release after creating
> > > > a ".debug" and a ".devel" file in the argus root directory.
> > > >
> > > > % make clobber
> > > > % touch .devel .debug
> > > > % ./configure
> > > > % make
> > > >
> > > > With the new ra(), run it with the "-D 5" option to
> > > > see whether records are being received and processed.
> > > >
> > > > That should get you started. Please do send mail if
> > > > you continue to have problems.
> > > >
> > > > Carter
> > > >
> > > > Carter Bullard
> > > > QoSient, LLC
> > > > 300 E. 56th Street, Suite 18K
> > > > New York, New York 10022
> > > >
> > > > carter at qosient.com
> > > > Phone +1 212 588-9133
> > > > Fax +1 212 588-9134
> > > > http://qosient.com
> > > >
> > > > > -----Original Message-----
> > > > > From: miguelangel.fernandez at es.jazztel.com
> > > > > [mailto:miguelangel.fernandez at es.jazztel.com]
> > > > > Sent: Thursday, November 15, 2001 5:27 AM
> > > > > To: carter at qosient.com
> > > > > Subject: Support for Cisco NET Flow
> > > > >
> > > > > Hello, my name is Miguel Angel Fernandez and I work for Jazz Telecom
> > > > > in Spain.
> > > > >
> > > > > I'm using Argus 2.0.1 on FreeBSD release 4.3.
> > > > >
> > > > > I can't get the instruction "ra -C" to read NET-FLOW records. Can you send
> > > > > me documentation about this trouble?
> > > > >
> > > > > Thank you very much and Regards
> > > > >
> > > > >
> > > > > Miguel Angel Fernandez Sanchez
> > > > > tf:34-912917580
> > > > > Jazz Telecom
> > > > >