NetFlow (ra -C)

Carter Bullard carter at qosient.com
Thu Feb 20 09:22:43 EST 2003 

Hey Scott,
   The syntax is:

      ra -CP 9999

All the ra clients understand the Cisco netflow file format,
just run "ra -r filename" against one of these files and
it should run fine.  I belive that cflowd uses the same
format, but if you have any problems, just send mail.

Carter


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Scott A.McIntyre
> Sent: Thursday, February 20, 2003 9:14 AM
> To: Yann Berthier
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: NetFlow (ra -C)
> 
> 
> Hi,
> 
> 
> >    Do you try to get data from a Cisco NetFlow _and_ an 
> argus source at
> >    the same time ? If yes I don't think this is possible as 
> stated by
> >    the error message you get (please correct me if i'm wrong)
> >
> >    The way to get netflow and argus data are mutually 
> exclusive: with
> >    neflow source you bind on a udp local port waiting for 
> udp datagrams
> >    sent by you netflow source, with argus source you connect to the
> >    remote tcp socket of the argus server (kind of push vs 
> pull, well 
> > not
> >    really but you get the point)
> 
> Ah, this may indeed explain what it is I'm not seeing that I 
> thought I 
> could see.
> 
> What I was hoping for was one of two things:
> 
> 1)  I am using cflowd from caida; so the ability to use the ra-client 
> to attach to the cflowdmux via tcp and run in a similar 
> fashion as "ra 
> -S argushost" and use various other ra-tools to get at the cflow 
> exported data from our routers.  This would be handy for ratop, and 
> other live-analysis tools where it's not possible to run a real 
> argus(8).
> 
> 2)  The ability to use the ra-tools to parse a cflowd created 
> file and 
> use the plethora of other ra-based scripts and front ends I have to 
> parse the flow files.   This is probably more of a job for argus(8) 
> than ra anyway.  Perahps the ability for argus(8) to connect to the 
> cflowd itself rather than interfaces would be useful; but, 
> yes, I know 
> there are a number of tools already out there for doing this (I just 
> love argus).
> 
> I tried killing off the cflowdmux and attaching to my system on port 
> 9999, which is where the netflow data is being sent with "ra -C 
> localhost:9999" but nothing seemed to arrive; but that does 
> indeed seem 
> to get me further than before.
> 
> Thanks,
> 
> Scott
> 
>

More information about the argus mailing list