netflow on clients.63?

Peter Van Epp vanepp at sfu.ca
Fri Dec 14 17:03:05 EST 2007 

On Thu, Dec 13, 2007 at 03:50:37PM -0500, Carter Bullard wrote:
> Hey Peter,
> Sorry for the delayed response, I've had a death in the family which  
> has really
> impacted by ability to get to argus issues, but now I'm back.
> 
> So with regard to your netflow problem, maybe we're binding to the
> wrong port?  (there are some little endian things you have to do)
> Can you do a "netstat -na" to see what port we're really binding to?
> On my machines it seems fine.
> 
> Carter
> 
> 

	Not a problem, I haven't had any time to do anything on argus in months
for the same reason. However I just installed rc.65 and it works even less :-):

records coming in:

tcpdump -i eth4 -n port 1025
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
13:58:17.311966 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1128
13:58:17.351942 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
13:58:17.459253 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
13:58:17.636526 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
13:58:17.650016 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
13:58:17.678499 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464

and the default route is eth4:

sniffer1:/home/vanepp # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3
142.58.101.0    0.0.0.0         255.255.255.0   U         0 0          0 eth4
206.12.24.0     0.0.0.0         255.255.252.0   U         0 0          0 eth5
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         142.58.101.254  0.0.0.0         UG        0 0          0 eth4

but argus doesn't like us:

sniffer1:/home/vanepp # ra3 -C -S 192.75.244.195:1025 -n -D18
ra3[4394.f7fa9000]: 07-12-14 14:00:37 main: reading files completed
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusCalloc (1, 40) returning 0x101f6250
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusNewQueue () returning 0x101f6250
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6108) returning 0xf7f48008
ra3[4394]: 07-12-14 14:00:37 Binding AF_ANY:1025 Expecting Netflow records
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusGetServerSocket (0xf7f48008) returning 3
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusCalloc (1, 1048576) returning 0xf7e47008
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusCalloc (1, 2048) returning 0x101f6708
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusCalloc (1, 2048) returning 0x101f6f10
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusParseInit(0xf7faf008 0xf7f48008
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusReadConnection(0xf7f48008, 2) reading cisco wire format
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusReadConnection(0xf7f48008, 2) returning 0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusAddToQueue (0x101f6138, 0xf7f48008) returning 1
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6108) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6250) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6250) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusFree (0x101f6250)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusDeleteQueue (0x101f6250) returning
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusShutDown (0)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6108) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusFree (0x101f6108)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusDeleteQueue (0x101f6108) returning
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6138) returning 0xf7f48008
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusFree (0xf7f48008)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6138) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x101f6138) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusFree (0x101f6138)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusDeleteQueue (0x101f6138) returning
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusWindowClose () returning
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusPopQueue (0x0) returning 0x0
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusFree (0x101f6028)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusDeleteList (0x101f6028, 4) returning
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusFree (0x101f6098)
ra3[4394.f7fa9000]: 07-12-14 14:00:37 ArgusDeleteList (0x101f6098, 4) returning

	except now instead of timing out it terminates. I'll try recompiling 
without threads and run gdb and see if I can figure out whats happening 
(assuming I haven't got the command line wrong which is also possible).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list