Netflow and "srcid"

K K kkadow at gmail.com
Thu May 3 16:12:41 EDT 2007


Now that my netmask question has been solved (thanks!), I've noticed
that the numbers I'm getting are still considerably higher than the
accounting information recorded by the firewall.  I'm pretty sure this
is because I have one 'ra' listener collecting netflows from several
routers, including WAN and Internet routers, so some traffic is seen
and counted twice.

With native argus probes, I could use the probe id (srcid) to
differentiate between sources, but with Netflow the field is less
useful.  Under "Ra Version 2.0.6", the field was always 0.0.0.0.  Now
that I've upgraded to "Ra Version 3.0.0.rc.43" the field is populated
with the "ra" listener's IP address, so all the data from the various
Cisco routers is logged with the same srcid value.

Is there a need for the "srcid" field, with Netflow, to be the
listener IP of the "ra" instance?   Would it be possible to instead
populate this field with the source IP from the Netflow UDP packet, so
we could have multiple Cisco routers sending to a single listener and
yet differentiate between them in post-processing?


Thanks,

Kevin


