NetFlow (ra -C)
Scott A.McIntyre
scott at xs4all.net
Thu Feb 20 09:13:45 EST 2003
Hi,
> Do you try to get data from a Cisco NetFlow _and_ an argus source at
> the same time ? If yes I don't think this is possible as stated by
> the error message you get (please correct me if i'm wrong)
>
> The way to get netflow and argus data are mutually exclusive: with
> netflow source you bind on a udp local port waiting for udp datagrams
> sent by your netflow source, with argus source you connect to the
> remote tcp socket of the argus server (kind of push vs pull, well not
> really but you get the point)
Ah, this may indeed explain what it is I'm not seeing that I thought I
could see.
What I was hoping for was one of two things:
1) I am using cflowd from caida; so the ability to use the ra-client
to attach to the cflowdmux via tcp and run in a similar fashion as "ra
-S argushost" and use various other ra-tools to get at the cflow
exported data from our routers. This would be handy for ratop, and
other live-analysis tools where it's not possible to run a real
argus(8).
2) The ability to use the ra-tools to parse a cflowd created file and
use the plethora of other ra-based scripts and front ends I have to
parse the flow files. This is probably more of a job for argus(8)
than ra anyway. Perhaps the ability for argus(8) to connect to the
cflowd itself rather than interfaces would be useful; but, yes, I know
there are a number of tools already out there for doing this (I just
love argus).
I tried killing off the cflowdmux and attaching to my system on port
9999, which is where the netflow data is being sent with "ra -C
localhost:9999" but nothing seemed to arrive; but that does indeed seem
to get me further than before.
Thanks,
Scott