Argus - Cisco Netflow

Carter Bullard carter at qosient.com
Tue Mar 13 15:07:57 EDT 2007


Gentle people,
OK, so I changed the syntax just a bit to make this a bit more grokable.
The man page is correct as it stands.  This is the working syntax now.
The -C flag simply indicates to the clients that they should expect Cisco
Netflow records, the version is discovered on the fly.  The -S flag works
as documented, and the syntax is:
    -S host[:port]
    -S port

Both forms work when the -C flag is used.  The host address, however,
must be a local interface address.  If another address is used it will
generate an error.  If the host address is not provided (second form), the
default "0.0.0.0" address is used, which means that UDP packets on port
"port" on any interface will be read.

So for CS Lee, these forms will work:
    ra -CS 1.2.3.4:9995
    ra -CS 9995

For future reference, argus's design supports transporting records over any
transport strategy, TCP, UDP, named sockets, whatever.  So, as an example,
we could transport argus records to a multicast address using UDP.  But these
features are not turned on for argus-3.0.  When we turn these features on,
the ra* programs will be extended to support this type of syntax:

    -S "host:proto:portnum"

where the strategy is derived from the proto field.  Supported protos will be
'tcp', 'udp', 'pipe', whatever.  Right now it is implied.

Carter


On Mar 13, 2007, at 1:43 PM, Carter Bullard wrote:

> Hey CS Lee,
>
> I think the actual syntax is/should be:
>    ra -CS 9995
>
> you would think that the host address would be needed, but because it's
> a receive-only UDP datagram socket, there is no address.  I can make it
> so that if you feed it an address:port pair, which is the standard syntax
> for the '-S' option, it will handle it fine.
>
> You are using the 'P' option to eat the "1.2.3.4" string.  Other than that,
> it has no effect in this case.
>
> Carter
>
>
>
>
> On Mar 13, 2007, at 1:29 PM, CS Lee wrote:
>
>> Carter,
>>
>> After some testing, I have Cisco netflow version 5 imported properly. The
>> correct syntax to import Cisco Netflow v5 (I haven't tested on other
>> versions of netflow) should be this -
>>
>> ra -CP 1.2.3.4 -S 9995
>>
>> Provided that you are exporting your netflow data to 1.2.3.4 and dst port
>> 9995, you just need to run this. I haven't tried it on other argus clients,
>> but since most of the ra options are supported, I think it may work, but I
>> will do further testing to see how it goes. But when I try to check the man
>> page and ra -h, I haven't found anything about -P, but rather a confusing
>> result -
>>
>> -C                    specify Cisco Netflow source
>> -S <host[:port]>      specify remote argus and optional port number
>>             <port>             specify Cisco datagram port number.
>>
>> Trying ra -C 1.2.3.4 -S 9995 won't work, so I think -P should be added so
>> that people can get it right easily. Cheers :)
>>
>> About time for me to test radium, later all.
>>
>>
>> Cheers.
>>
>> -- 
>> Best Regards,
>>
>> CS Lee<geekooL[at]gmail.com>
>
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
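
Added example (not part of the original message and not argus source code): a Python sketch of the two `-S` forms described above and of the receive-only UDP bind, showing why a non-local host address produces an error while the bare-port form listens on every interface. The function names are hypothetical and the addresses in the demo are constructed; argus's own parsing may differ.

```python
import errno
import socket

DEFAULT_HOST = "0.0.0.0"  # wildcard: datagrams arriving on any interface are read


def parse_source(spec):
    """Split a -S argument ('host[:port]' or 'port') into (host, port or None)."""
    if spec.isdigit():                        # second form: bare port
        host, port = DEFAULT_HOST, int(spec)
    elif ":" in spec:                         # first form with a port
        host, _, port_text = spec.rpartition(":")
        host = host or DEFAULT_HOST           # assumption: ':9995' means wildcard
        if not port_text.isdigit():
            raise ValueError(f"bad port in {spec!r}")
        port = int(port_text)
    else:                                     # first form, host only
        host, port = spec, None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in {spec!r}")
    return host, port


def open_listener(spec):
    """Bind a receive-only UDP socket for the parsed source."""
    host, port = parse_source(spec)
    if port is None:
        raise ValueError("this sketch needs an explicit datagram port")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))               # the kernel rejects non-local addresses
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRNOTAVAIL:
            raise ValueError(f"{host} is not a local interface address") from exc
        raise
    return sock


if __name__ == "__main__":
    # Constructed inputs: wildcard, loopback, and a documentation-range address.
    for spec in ("9995", "127.0.0.1:9995", "192.0.2.1:9995"):
        try:
            with open_listener(spec) as s:
                print(spec, "-> listening on", s.getsockname())
        except (ValueError, OSError) as exc:
            print(spec, "-> error:", exc)
```

NetFlow datagrams carry no authentication, so binding to one specific local address instead of the wildcard limits which interface will accept them.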

