Argus-info Digest, Vol 19, Issue 14

CS Lee geek00l at gmail.com
Tue Mar 13 22:14:15 EDT 2007


Hey Carter,

I think the host is not necessary, since it is socket-wise for the netflow data
to be exported to; even if I need to collect different netflow sources from
different network interfaces, the most important thing is to export them to
different ports. Hopefully my idea is right, because currently what I'm doing is
exporting Cisco netflow to different UDP ports, for example 9995, 9996 and so
forth, and separating it by using the argus client to write the netflow data to
different directories.

However there's one thing -

ra -CS 9995 works

but

ra -CS 1.2.3.4:9995 won't work

Since I got the right idea about it, I think the host IP is not necessary, but
I just mention it here as it is not working for me; how about the others?

Cheers.


On 3/14/07, argus-info-request at lists.andrew.cmu.edu <
argus-info-request at lists.andrew.cmu.edu> wrote:
>
>
> Today's Topics:
>
>    1.  Argus - Cisco Netflow (CS Lee)
>    2. Re:  Argus - Cisco Netflow (Carter Bullard)
>    3. Re:  Argus - Cisco Netflow (Carter Bullard)
>    4.  Packet Inter-Arrival Times (IATs) (Bjoern Weiland)
>    5. Re:  rc41 and sasl (Christoph Badura)
>    6. Re:  Argus - Cisco Netflow (Christoph Badura)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 14 Mar 2007 01:29:30 +0800
> From: "CS Lee" <geek00l at gmail.com>
> Subject: [ARGUS] Argus - Cisco Netflow
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID:
>         <1bb5dd90703131029p1e00130btf4fb111a0440f673 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Carter,
>
> After some testing, I have Cisco netflow version 5 imported properly, the
> correct syntax to import Cisco Netflow v5 ( I haven't tested on other
> version of netflow ) should be this -
>
> ra -CP 1.2.3.4 -S 9995
>
> Provided that you are exporting your netflow data to 1.2.3.4 and dst port
> 9995, you just need to run this, I haven't tried it on other argus clients
> but since most of ra options are supported, I may think it work but I will
> do further testing to see how it goes. But when I try to check on man
> page,
> and the ra -h, I haven't found anything about -P, but rather confusing
> result -
>
> -C                    specify Cisco Netflow source
> -S <host[:port]>      specify remote argus and optional port number
>             <port>             specify Cisco datagram port number.
>
> Trying ra -C 1.2.3.4 -S 9995 won't work, so I think -P should be added so
> that people can get it right easily. Cheers :)
>
> About time for me to test radium, later all.
>
>
> Cheers.
>
> --
>
> Best Regards,
>
> CS Lee<geekooL[at]gmail.com>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 13 Mar 2007 13:43:06 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus - Cisco Netflow
> To: "CS Lee" <geek00l at gmail.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <1C8985BF-6483-44CD-B1C3-B18D9EF28C22 at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hey CS Lee,
>
> I think the actual syntax is/should be:
>     ra -CS 9995
>
> you would think that the host address would be needed, but because it's
> a receive-only UDP datagram socket, there is no address.  I can make it
> so that if you feed it an address:port pair, which is the standard syntax
> for the '-S' option, it will handle it fine.
>
> You are using the 'P' option to eat the "1.2.3.4" string.  Other than
> that, it has no effect in this case.
>
> Carter
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 13 Mar 2007 15:07:57 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus - Cisco Netflow
> To: Carter Bullard <carter at qosient.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>, CS Lee
>         <geek00l at gmail.com>
> Message-ID: <7BBA1CE6-E461-4B21-8427-09EB4974209A at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Gentle people,
> OK, so I changed the syntax just a bit to make this a bit more grokable.
> The man page is correct as it stands.  This is the working syntax now.
> The -C flag simply indicates to the clients that they should expect Cisco
> Netflow records; the version is discovered on the fly.   The -S flag works
> as documented, and the syntax is:
>     -S host[:port]
>     -S port
>
> both forms work when the -C flag is used.  The host address, however,
> must be a local interface address.  If another address is used it will
> generate an error.  If the host address is not provided (second form), the
> default "0.0.0.0" address is used, which means that UDP packets on port
> "port" on any interface will be read.
>
> So for CS Lee, these forms will work:
>     ra -CS 1.2.3.4:9995
>     ra -CS 9995
>
> For future reference, argus's design supports transporting records over
> any transport strategy: TCP, UDP, named sockets, whatever.  So, as an
> example, we could transport argus records to a multicast address using
> UDP.  But these features are not turned on for argus-3.0.  When we turn
> these features on, the ra* programs will be extended to support this
> type of syntax:
>
>     -S "host:proto:portnum"
>
> where the strategy is derived from the proto field.  Supported protos
> will be 'tcp', 'udp', 'pipe', whatever.  Right now it is implied.
>
> Carter
>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 13 Mar 2007 20:53:58 +0100
> From: Bjoern Weiland <bjoern.weiland at web.de>
> Subject: [ARGUS] Packet Inter-Arrival Times (IATs)
> To: argus-info <argus-info at lists.andrew.cmu.edu>
> Message-ID: <45F70156.1080900 at web.de>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi, I am new to argus and looking for a way to analyze packet inter-arrival
> times from a given pcap capture file for investigating traffic.
> Anyone with a hint on that?
>
>
> -best regards, bjoern
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 13 Mar 2007 21:33:31 +0100
> From: Christoph Badura <bad at bsd.de>
> Subject: Re: [ARGUS] rc41 and sasl
> To: argus-info at lists.andrew.cmu.edu
> Message-ID: <20070313203331.GZ5432 at irregular-apocalypse.k.bsd.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hey Michael,
>
> On Tue, Mar 13, 2007 at 09:25:23AM -0700, Michael Hornung wrote:
> > and they put headers in /usr/include/sasl/ and the library is
> > libsasl2.a.  The rc41 client and server configuration does not allow one
> > to specify "/usr/include/sasl/" as the includedir since it appends
> > "include" to whatever you supply with "--with-sasl".  And the test for
> > libsasl does not look for -lsasl2!
>
> my understanding is that argus expects to build against SASL1, not SASL2.
> You would need to convert it to the SASL2 conventions.  Losing SASL1
> support along the way shouldn't hurt much. I get the impression that
> nobody uses it these days.
>
> --chris
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 13 Mar 2007 21:37:11 +0100
> From: Christoph Badura <bad at bsd.de>
> Subject: Re: [ARGUS] Argus - Cisco Netflow
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <20070313203711.GA5432 at irregular-apocalypse.k.bsd.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hey Carter,
>
> On Tue, Mar 13, 2007 at 03:07:57PM -0400, Carter Bullard wrote:
> > the ra* programs will be extended to support this type of syntax:
> >
> >    -S "host:proto:portnum"
> >
> > where the strategy is derived from the proto field.  Supported protos
> > will be 'tcp', 'udp', 'pipe', whatever.  Right now it is implied.
>
> What do you use for host and portnum in the 'pipe' case?
>
> Putting the protocol first looks more "natural" to me. E.g.:
>
> tcp:host:portnum
> udp:host:portnum
> pipe:/path/to/pipe
> local:/path/to/socket  # or maybe unix:...
>
> --chris
>
>
> ------------------------------
>
>
> End of Argus-info Digest, Vol 19, Issue 14
> ******************************************
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
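To make the -S forms discussed in this thread concrete (a bare port binds 0.0.0.0, host:port binds one local interface address, and the NetFlow version is read from the datagram itself), here is an added example in Python. It is not Argus code and was not posted by anyone in the thread. It assumes the NetFlow v5 wire layout that Cisco documents; the function and constant names (parse_source_spec, open_collector_socket, netflow_version, parse_netflow_v5, build_sample_v5_datagram) are this example's own, and the datagram it decodes is constructed inline.

```python
"""Added example (not Argus code): a minimal Cisco NetFlow collector showing how
'-S port' and '-S host:port' map onto a receive-only UDP socket, and how the
export version is discovered from the first two bytes of each datagram."""
import ipaddress
import socket
import struct

# NetFlow v5 wire layout, big-endian, as documented by Cisco.
# Header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval              (24 bytes)
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First,
#         Last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2                                (48 bytes)
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
NETFLOW_V5_MAX_RECORDS = 30   # a v5 export carries at most 30 flow records


def parse_source_spec(spec):
    """Interpret a -S argument: 'port' means bind 0.0.0.0 (any interface),
    'host:port' means bind that specific local IPv4 address."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        host, port = "0.0.0.0", spec
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port in -S spec: %r" % spec)
    ipaddress.IPv4Address(host)   # only IPv4 literals here; hostnames would need DNS
    return host, int(port)


def open_collector_socket(host, port):
    """Receive-only UDP datagram socket.  bind() raises OSError (EADDRNOTAVAIL)
    when host is not an address of a local interface, which is the error the
    thread describes for a non-local -S host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def netflow_version(datagram):
    """Every NetFlow export version begins with a 16-bit version field, so the
    collector can discover the version on the fly instead of being told."""
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a NetFlow header")
    return struct.unpack("!H", datagram[:2])[0]


def parse_netflow_v5(datagram):
    """Decode a v5 export.  The record count and total length are validated
    before any record is indexed, so a truncated or padded datagram from an
    untrusted exporter is rejected rather than mis-parsed."""
    if netflow_version(datagram) != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < NETFLOW_V5_HEADER.size:
        raise ValueError("truncated NetFlow v5 header")
    (version, count, sysuptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = NETFLOW_V5_HEADER.unpack_from(datagram)
    expected = NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size
    if count > NETFLOW_V5_MAX_RECORDS or len(datagram) != expected:
        raise ValueError("record count %d does not match datagram length %d"
                         % (count, len(datagram)))
    header = {"version": version, "count": count, "sysuptime": sysuptime,
              "unix_secs": unix_secs, "flow_sequence": flow_seq,
              "engine_id": engine_id, "sampling_interval": sampling}
    records = []
    for i in range(count):
        offset = NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size
        f = NETFLOW_V5_RECORD.unpack_from(datagram, offset)
        records.append({"src": str(ipaddress.IPv4Address(f[0])),
                        "dst": str(ipaddress.IPv4Address(f[1])),
                        "packets": f[5], "bytes": f[6],
                        "sport": f[9], "dport": f[10],
                        "tcp_flags": f[12], "proto": f[13]})
    return header, records


def build_sample_v5_datagram():
    """Constructed sample export: one TCP flow 10.0.0.5:51234 -> 192.0.2.80:443
    (documentation addresses; not captured traffic)."""
    header = NETFLOW_V5_HEADER.pack(5, 1, 123456, 1173816000, 0, 42, 0, 0, 0)
    record = NETFLOW_V5_RECORD.pack(
        ipaddress.IPv4Address("10.0.0.5").packed,
        ipaddress.IPv4Address("192.0.2.80").packed,
        ipaddress.IPv4Address("0.0.0.0").packed,
        1, 2, 17, 2048, 120000, 123000, 51234, 443,
        0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    import sys
    host, port = parse_source_spec(sys.argv[1] if len(sys.argv) > 1 else "9995")
    sock = open_collector_socket(host, port)
    print("listening for NetFlow on %s:%d" % (host, port))
    datagram, exporter = sock.recvfrom(65535)
    print("exporter %s sent NetFlow v%d" % (exporter[0], netflow_version(datagram)))
    if netflow_version(datagram) == 5:
        _, records = parse_netflow_v5(datagram)
        for rec in records:
            print("%s:%d -> %s:%d proto=%d bytes=%d" % (rec["src"], rec["sport"],
                  rec["dst"], rec["dport"], rec["proto"], rec["bytes"]))
```

Saved as, say, collector.py (a name of this example's choosing), it is run as `python collector.py 9995` or `python collector.py 127.0.0.1:9995` and decodes the first export it receives. Binding to one interface address instead of 0.0.0.0 is the cheapest way to keep a collector from accepting exporter datagrams on every interface, and the count/length check in parse_netflow_v5 is what keeps a malformed export from being indexed past its end.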