Netflow and "srcid"
Russell Fulton
r.fulton at auckland.ac.nz
Thu May 3 18:38:32 EDT 2007
Another possibility for getting higher byte counts than expected is that
some things count application bytes and others count everything. Argus
can do both (-A switch).
Russell
K K wrote:
> Now that my netmask question has been solved (thanks!), I've noticed
> that the numbers I'm getting are still considerably higher than the
> accounting information recorded by the firewall. I'm pretty sure this
> is because I have one 'ra' listener collecting netflows from several
> routers, including WAN and Internet routers, so some traffic is seen
> and counted twice.
>
> With native argus probes, I could use the probe id (srcid) to
> differentiate between sources, but with Netflow the field is less
> useful. Under "Ra Version 2.0.6", the field was always 0.0.0.0. Now
> that I've upgraded to "Ra Version 3.0.0.rc.43" the field is populated
> with "ra" listener's IP address, so all the data from the various
> Cisco is logged with the same srcid value.
>
> Is there a need for the "srcid" field, with Netflow, to be the
> listener IP of the "ra" instance? Would it be possible to instead
> populate this field with the source IP from the Netflow UDP packet, so
> we could have multiple Cisco routers sending to a single listener and
> yet differentiate between them in post-processing?
>
>
> Thanks,
>
> Kevin
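What Kevin asks for, tagging each record with the address the NetFlow datagram came from rather than the listener's own address, can be shown with a small collector step. The following is an added Python example, not code from the argus project or from either poster. It assumes NetFlow v5 export (the Cisco routers on the page are not identified by version, so v5 is an assumption), stores the exporter's address as `srcid`, and then reports which five-tuples were seen by more than one router, which is the double counting between WAN and Internet routers that Kevin describes. Router addresses, hosts and flows are constructed sample data.

```python
# Added example (not part of the original mailing-list thread or of argus):
# a minimal NetFlow v5 collector step that tags every flow record with the
# exporting router's address taken from the UDP datagram, so records from
# several routers feeding one listener can be told apart and double counting
# across WAN and Internet routers can be measured.
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                   # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")     # 48-byte v5 record


def parse_netflow_v5(datagram: bytes, exporter_ip: str):
    """Return one dict per flow record, each tagged with srcid = exporter_ip."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Trust the header count only after checking it fits the payload.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto) = rec[:14]
        flows.append({
            "srcid": exporter_ip,           # exporter address, not the listener's
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport,
            "pkts": pkts, "bytes": octets,
        })
    return flows


def build_datagram(flows):
    """Construct a v5 datagram for the sample below (test data, not an exporter)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                       0, 0, pkts, octets, 0, 0, sp, dp, 0, 0, proto, 0,
                       0, 0, 0, 0, 0)
        for s, d, proto, sp, dp, pkts, octets in flows)
    return header + body


def collect(datagrams):
    """datagrams: iterable of (exporter_ip, payload) as a UDP listener sees them."""
    records = []
    for exporter_ip, payload in datagrams:
        records.extend(parse_netflow_v5(payload, exporter_ip))
    return records


def bytes_per_exporter(records):
    """Byte totals keyed by srcid, so one router can be picked for accounting."""
    totals = defaultdict(int)
    for r in records:
        totals[r["srcid"]] += r["bytes"]
    return dict(totals)


def flows_seen_by_multiple_exporters(records):
    """Five-tuples reported by more than one router: the double-counted flows."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], r["dst"], r["proto"], r["sport"], r["dport"])].add(r["srcid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample: one internal host talking to one external host. Both the
# WAN router (10.0.0.1) and the Internet router (10.0.0.2) export that flow.
WAN_ROUTER, INET_ROUTER = "10.0.0.1", "10.0.0.2"
SAMPLE = [
    (WAN_ROUTER, build_datagram([
        ("192.168.1.10", "203.0.113.5", 6, 51000, 443, 12, 9000)])),
    (INET_ROUTER, build_datagram([
        ("192.168.1.10", "203.0.113.5", 6, 51000, 443, 12, 9000),
        ("192.168.2.20", "198.51.100.7", 17, 40000, 53, 1, 80)])),
]

if __name__ == "__main__":
    recs = collect(SAMPLE)
    print("bytes per exporter:", bytes_per_exporter(recs))
    print("seen by more than one router:", flows_seen_by_multiple_exporters(recs))
    print("naive total:", sum(r["bytes"] for r in recs),
          "vs Internet router only:", bytes_per_exporter(recs)[INET_ROUTER])
```

With the exporter address kept on every record, the naive sum (18080 bytes) is visibly inflated by the flow both routers reported, and filtering on one `srcid` gives a total that can be compared with the firewall's accounting.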
More information about the argus
mailing list