using flow-tools for ad hoc flow reports (was "Re: toptalkers over a longer timespan")

Carter Bullard carter at qosient.com
Fri Feb 21 14:29:59 EST 2003


Hey Alexander,
   The ra* tools want to see Cisco binary F2 output,
which should start with "SOURCE" as the first 6 bytes.
This was the "official" cisco netflow file format
a few years ago, when I did the netflow parsing code.

Any other file format is going to be new for us.  
We can parse any netflow record format that is/was
published, so it's a matter of understanding the file
format.

Any ideas what cflowd wants to do?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Alexander Bochmann
> Sent: Friday, February 21, 2003 12:20 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: using flow-tools for ad hoc flow reports (was 
> "Re: toptalkers over a longer timespan")
> 
> 
> Hi,
> 
> ...on Fri, Feb 21, 2003 at 11:05:17AM -0500, Mark Fullmer wrote:
> 
>  > > Would it also be possible to convert flowtools capture 
>  > > files to cflowd format, so that argus can understand them?
>  > Yes.  Use flow-export -f0.
> 
> Hm, it seems argus doesn't understand the output:
> 
> flow-export -f0 < ft-v05.2003-02-21.000000+0100 | 
> ~bochmann/src/argus-clients-2.0.6.beta.38/bin/ra -r -
> ArgusAlert: ra[15221]: ArgusReadConnection: not Argus-2.0 data stream.
> 
> The ArgusAlert message is the one from line 1954 of argus_parse.c, 
> after argus has finished its check for netflow data (added a tag 
> to be sure).
> 
> flow-tools version on that machine is 0.62...
> 
> Alex.
> 
> 
