FlowScan w/argus?
Dave Plonka
plonka at doit.wisc.edu
Wed Jan 9 11:38:08 EST 2002
Carter, et al.
I've been playing with argus for a few hours, and I'm somewhat
enthusiastic about the possibility of getting FlowScan working with
it. It might not be much work, which is always a bonus.
Current FlowScan users all use cflowd, lfapd, or flow-tools as their
flow collector. BTW, FlowScan is here for those that don't know:
http://net.doit.wisc.edu/~plonka/FlowScan/
and sample output is here:
http://wwwstats.net.wisc.edu/
Basically, FlowScan would have two primary requirements of argus as the
"collector":
1) The collector must produce time-stamped raw flow files at five
minute intervals. I've got that bit working.
2) My Cflow perl module needs to be able to read the "raw flow files"
produced by the collector, i.e. the same files that argus' ra(1)
reads. Cflow is here:
http://net.doit.wisc.edu/~plonka/Cflow/
So, I have a few probing questions at this point:
* Has anyone already written a perl API to access records in argus'
output files, like ra(1)? (The perl stuff in the argus-2.0.4
distribution doesn't seem to do that, unless I'm mistaken.)
* If not, is anyone really familiar with the Argus API and interested
in using FlowScan w/argus? I thought I'd ask in case someone wants
to help writing or review/test a patch to Cflow.
I've poked around in argus source a bit...
It looks like most of what I want is in "common/argus_parse.c".
This looks like the important bit for reading from files:
    if (((ArgusReadConnection (addr, addr->filename)) >= 0)) {
        ArgusRemoteFDs[0] = addr;
        ArgusReadStream();
        close(addr->fd);
    }
The Cflow perl API calls a perl function as the read-loop visits
each flow in the file. Maybe I can just call ArgusReadStream
directly (from the perl code) and have each of the
"process_whatever" callbacks callout to my perl subroutine.
* What kind of throughput can argus typically handle? Like on a
500MHz or 1GHz PIII? Tens, hundreds of megabits/flows/pkts per
second?
* What happens when argus tries to produce flows for DoS floods that
use forged IP addresses or random port numbers? We sometimes see
these at rates of 5,000-20,000 packets per second. (I'm not
expecting it necessarily to handle this gracefully (other flow
systems don't); I could just use some info from real experience to
set expectations.)
So, I'm evaluating whether or not I should do the work to make FlowScan
compatible with argus. It certainly would be a boon to FlowScan since
no router flow-export features would be required. Also, it would increase
the user base since there are a lot of SAs out there who don't do the
router stuff, but like colorful graphs.
Thanks for any info,
Dave
--
plonka at doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI