using flow-tools for ad hoc flow reports (was "Re: toptalkers over a longer timespan")

Mark Fullmer maf at splintered.net
Sun Feb 23 20:40:44 EST 2003


cflowd format is records with the following format

  32 bit field indicating which fields follow
  The fields

The fields are included below.  flow-tools -> cflowd -> argus will be
a lossy conversion because cflowd does not support sub-second timestamps.

One other option to get flow-tools files into argus would be to use
flow-send which will encode the data back into the Cisco NetFlow protocol
format on a UDP socket.

I'm not sure if argus can support this, but flow-export -f4 is the 'wire'
NetFlow format (like flow-send, but on stdout).

#define CF_ROUTERMASK         0x00000001
#define CF_SRCIPADDRMASK      0x00000002
#define CF_DSTIPADDRMASK      0x00000004
#define CF_INPUTIFINDEXMASK   0x00000008
#define CF_OUTPUTIFINDEXMASK  0x00000010
#define CF_SRCPORTMASK        0x00000020
#define CF_DSTPORTMASK        0x00000040
#define CF_PKTSMASK           0x00000080
#define CF_BYTESMASK          0x00000100
#define CF_IPNEXTHOPMASK      0x00000200
#define CF_STARTTIMEMASK      0x00000400
#define CF_ENDTIMEMASK        0x00000800
#define CF_PROTOCOLMASK       0x00001000
#define CF_TOSMASK            0x00002000
#define CF_SRCASMASK          0x00004000
#define CF_DSTASMASK          0x00008000
#define CF_SRCMASKLENMASK     0x00010000
#define CF_DSTMASKLENMASK     0x00020000
#define CF_TCPFLAGSMASK       0x00040000
#define CF_INPUTENCAPMASK     0x00080000
#define CF_OUTPUTENCAPMASK    0x00100000
#define CF_PEERNEXTHOPMASK    0x00200000
#define CF_ENGINETYPEMASK     0x00400000
#define CF_ENGINEIDMASK       0x00800000

mark

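A minimal reader for the cflowd record layout described above (32-bit mask, then only the fields whose bit is set), as an added example that is not code from flow-tools, cflowd or argus. It assumes NetFlow v5 field widths and network byte order, which the message does not state, and refuses records whose mask promises more bytes than the buffer holds or sets bits beyond the 24 defined ones.

```c
#include <stdint.h>
#include <string.h>

/* Byte width of each field, indexed by mask bit 0..23 in the order of the
 * CF_*MASK defines above (assumed NetFlow v5 widths, network byte order). */
static const uint8_t cf_width[24] = { 4, 4, 4, 2, 2, 2, 2, 4, 4, 4, 4, 4,
                                      1, 1, 2, 2, 1, 1, 1, 1, 1, 4, 1, 1 };
struct cf_flow { uint32_t mask; uint32_t field[24]; };   /* field[bit] */

static uint32_t be_read(const uint8_t *p, int width) {   /* big-endian int */
    uint32_t v = 0;
    for (int i = 0; i < width; i++) v = (v << 8) | p[i];
    return v;
}

/* Parse one record: 32-bit mask, then only the fields whose bit is set.
 * Returns bytes consumed, or -1 when the buffer is shorter than the mask
 * promises or the mask sets undefined bits (corrupt or untrusted input). */
long cf_parse(const uint8_t *buf, size_t len, struct cf_flow *out) {
    size_t off = 4;
    memset(out, 0, sizeof *out);
    if (len < 4) return -1;
    out->mask = be_read(buf, 4);
    if (out->mask >> 24) return -1;                      /* undefined bits */
    for (int bit = 0; bit < 24; bit++) {
        if (!(out->mask & (1u << bit))) continue;
        if (off + cf_width[bit] > len) return -1;        /* truncated */
        out->field[bit] = be_read(buf + off, cf_width[bit]);
        off += cf_width[bit];
    }
    return (long)off;
}

/* Constructed sample record (mask 0x000011E6: src/dst addr, src/dst port,
 * pkts, bytes, protocol). Writes it to buf and returns its length (25). */
size_t cf_sample(uint8_t *buf) {
    static const uint8_t rec[] = {
        0x00, 0x00, 0x11, 0xE6,              /* mask                       */
        192, 0, 2, 10, 198, 51, 100, 7,      /* 192.0.2.10 -> 198.51.100.7 */
        0xC3, 0x50, 0x00, 0x35,              /* sport 50000, dport 53      */
        0, 0, 0, 3, 0, 0, 0x01, 0x2C,        /* 3 packets, 300 bytes       */
        17 };                                /* protocol 17 (UDP)          */
    memcpy(buf, rec, sizeof rec);
    return sizeof rec;
}

int main(void) {                             /* exit 0 when the sample parses */
    uint8_t buf[64]; struct cf_flow f; size_t n = cf_sample(buf);
    return cf_parse(buf, n, &f) == (long)n ? 0 : 1;
}
```

Feeding the parser a buffer one byte shorter than the record returns -1 instead of reading past the end, which is the check a consumer of untrusted flow files needs.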

On Fri, Feb 21, 2003 at 02:29:59PM -0500, Carter Bullard wrote:
> Hey Alexander,
>    The ra* tools want to see Cisco binary F2 output,
> which should start with "SOURCE" as the first 6 bytes.
> This was the "official" cisco netflow file format
> a few years ago, when I did the netflow parsing code.
> 
> Any other file format is going to be new for us.  
> We can parse any netflow record format that is/was
> published, so it's a matter of understanding the file
> format.
> 
> Any ideas what cflowd wants to do?
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street
> Suite 18K
> New York, New York 10022
> 
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu 
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > Alexander Bochmann
> > Sent: Friday, February 21, 2003 12:20 PM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: Re: using flow-tools for ad hoc flow reports (was 
> > "Re: toptalkers over a longer timespan")
> > 
> > 
> > Hi,
> > 
> > ...on Fri, Feb 21, 2003 at 11:05:17AM -0500, Mark Fullmer wrote:
> > 
> >  > > Would it also be possible to convert flowtools capture 
> >  > > files to cflowd format, so that argus can understand them?
> >  > Yes.  Use flow-export -f0.
> > 
> > Hm, it seems argus doesn't understand the output:
> > 
> > flow-export -f0 < ft-v05.2003-02-21.000000+0100 | 
> > ~bochmann/src/argus-clients-2.0.6.beta.38/bin/ra -r -
> > ArgusAlert: ra[15221]: ArgusReadConnection: not Argus-2.0 data stream.
> > 
> > The ArgusAlert message is the one from line 1954 of argus_parse.c, 
> > after argus has finished its check for netflow data (added a tag 
> > to be sure).
> > 
> > flow-tools version on that machine is 0.62...
> > 
> > Alex.
> > 
> > 
> 
> 