netflow on clients.63?

Carter Bullard carter at qosient.com
Thu Dec 13 15:50:37 EST 2007


Hey Peter,
Sorry for the delayed response, I've had a death in the family which has really
impacted my ability to get to argus issues, but now I'm back.

So with regard to your netflow problem, maybe we're binding to the
wrong port?  (there are some little endian things you have to do)
Can you do a "netstat -na" to see what port we're really binding to?
On my machines it seems fine.

Carter


On Nov 16, 2007, at 3:49 PM, Peter Van Epp wrote:

> 	I'm trying (so far without success :-)) to get V 5 netflow data in to
> a rc.63 clients ra with this (by the way .threads is on by default in the
> clients, is it supposed to be?):
>
> # ra3 -C -S 192.75.244.195:1025 -n -D8
> ra3[24189]: 07-11-16 12:39:37 main: reading files completed
> ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 16) returning 0x101f5180
> ra3[24189]: 07-11-16 12:39:37 ArgusNewQueue () returning 0x101f5180
> ra3[24189]: 07-11-16 12:39:37 Binding AF_ANY:1025 Expecting Netflow records
> ra3[24189]: 07-11-16 12:39:37 ArgusGetServerSocket (0xf7f48008) returning 3
> ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 1048576) returning 0xf7e47008
> ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 2048) returning 0x101f5638
> ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 2048) returning 0x101f5e40
> ra3[24189]: 07-11-16 12:39:37 ArgusParseInit(0xf7faf008 0xf7f48008
> ra3[24189]: 07-11-16 12:39:37 ArgusReadConnection(0xf7f48008, 2) reading cisco wire format
> ra3[24189]: 07-11-16 12:39:37 ArgusReadConnection(0xf7f48008, 2) returning 0
> ra3[24189]: 07-11-16 12:39:37 ArgusFree (0x101f5180)
> ra3[24189]: 07-11-16 12:39:37 ArgusDeleteQueue (0x101f5180) returning
> ra3[24189]: 07-11-16 12:39:37 ArgusReadStream(0xf7faf008) starting
> ra3[24189]: 07-11-16 12:39:38 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:39 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:40 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:41 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:42 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:43 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:44 ArgusClientTimeout()
> ra3[24189]: 07-11-16 12:39:45 ArgusClientTimeout()
>
> "ra3[24189]: 07-11-16 12:39:37 Binding AF_ANY:1025 Expecting Netflow records"
>
> is a bit worrying because there are something like 5 interfaces on this machine
> and the correct one is eth4 for the netflow data but the source IP seems to
> have been lost somewhere. Netflow data is appearing on the eth4 interface:
>
> 12:06:18.501690 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.512062 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.519183 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.527801 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.535299 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.543919 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.551789 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.560409 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.566281 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.574275 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
> 12:06:18.582771 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
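
The check suggested in the reply above, as an added example (not Argus code and not written by either poster): it binds a UDP socket the way a collector would and reads back the port the kernel actually assigned, once with `htons()` and once without. The helper names and port 40001 are assumptions made for the demo; 1025 is the collector port from the thread.

```c
/* Added example, not Argus source. Helper names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket on INADDR_ANY, storing raw_sin_port in sin_port exactly
 * as given. Returns the port the kernel reports through getsockname(), in
 * host order (what "netstat -na" would list), or -1 on any error. */
int bound_port(uint16_t raw_sin_port)
{
    struct sockaddr_in sa, got;
    socklen_t len = sizeof(got);
    int port = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = raw_sin_port;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        getsockname(fd, (struct sockaddr *)&got, &len) == 0)
        port = ntohs(got.sin_port);
    close(fd);
    return port;
}

/* Port the kernel would see if `port` were stored without htons():
 * unchanged on a big-endian host, byte-swapped on a little-endian one. */
uint16_t port_without_htons(uint16_t port)
{
    return ntohs(port);
}

int main(void)
{
    uint16_t demo = 40001; /* constructed unprivileged port for a live bind */

    printf("intended 1025, without htons() the kernel sees %u\n",
           (unsigned)port_without_htons(1025));
    printf("with htons(): bound %d, without: bound %d\n",
           bound_port(htons(demo)), bound_port(demo));
    return 0;
}
```

On a little-endian host the bind without `htons()` lands on a different port than requested, which is what `netstat -na` would reveal; on a big-endian host both results match.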


