Netflow and "srcid"

carter at qosient.com
Thu May 3 19:36:36 EDT 2007


Yes, that should be pretty easy, depending on how you are sending the netflow records.  Are they all going to the same daddr and port?  If so we'll have to get/use the src address as the srcid, or we'd have to have a translation table to look up the srcid.

Any suggestions how you would want to configure this?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "K K" <kkadow at gmail.com>
Date: Thu, 3 May 2007 15:12:41 
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Netflow and "srcid"

Now that my netmask question has been solved (thanks!), I've noticed
that the numbers I'm getting are still considerably higher than the
accounting information recorded by the firewall.  I'm pretty sure this
is because I have one 'ra' listener collecting netflows from several
routers, including WAN and Internet routers, so some traffic is seen
and counted twice.

With native argus probes, I could use the probe id  (srcid) to
differentiate between sources, but with Netflow the field is less
useful.  Under "Ra Version 2.0.6", the field was always 0.0.0.0.  Now
that I've upgraded to "Ra Version 3.0.0.rc.43" the field is populated
with "ra" listener's IP address, so all the data from the various
Cisco routers is logged with the same srcid value.

Is there a need for the "srcid" field, with Netflow, to be the
listener IP of the "ra" instance?   Would it be possible to instead
populate this field with the source IP from the Netflow UDP packet, so
we could have multiple Cisco routers sending to a single listener and
yet differentiate between them in post-processing?


Thanks,

Kevin
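As an added illustration of the two options Carter raises (use the exporter's UDP source address as the srcid, or run it through a translation table), here is a small NetFlow v5 decoder that tags every record with the address the datagram came from and then sums bytes per srcid. This is example code written for this page, not argus or ra code. The v5 header and record layouts are the standard ones; the exporter addresses, the `SRCID_TABLE` names and the sample flows are constructed, and the table itself is a hypothetical stand-in for whatever configuration argus would use.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes

# Hypothetical translation table (assumption for this example): exporter IP -> srcid.
# Exporters not listed fall back to their own IP as the srcid.
SRCID_TABLE = {
    "192.0.2.1": "wan-rtr",
    "192.0.2.2": "inet-rtr",
}


def build_v5_datagram(flows):
    """Build a v5 datagram from (src, dst, sport, dport, proto, pkts, octets) tuples.

    Only used here to construct sample input; a real collector reads these from UDP.
    """
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in flows:
        body += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\x00" * 4, 0, 0, pkts, octets, 0, 0,
            sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    return header + body


def parse_v5(exporter_ip, datagram):
    """Decode one v5 datagram and tag each record with a srcid derived from exporter_ip.

    The count field is validated against the datagram length before any record
    is unpacked, so a truncated or malformed datagram is rejected rather than
    partially counted.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    srcid = SRCID_TABLE.get(exporter_ip, exporter_ip)  # table lookup, else raw src address
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcid": srcid,
            "exporter": exporter_ip,
            "saddr": str(ipaddress.IPv4Address(f[0])),
            "daddr": str(ipaddress.IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "pkts": f[5], "bytes": f[6],
        })
    return records


def bytes_by_srcid(records):
    """Per-exporter byte totals; with a distinct srcid per router the overlap is visible."""
    totals = defaultdict(int)
    for r in records:
        totals[r["srcid"]] += r["bytes"]
    return dict(totals)


# Constructed sample: FLOW_A crosses both the WAN and the Internet router, so both
# export it; FLOW_B is only seen by the WAN router.
FLOW_A = ("10.0.0.5", "198.51.100.7", 51000, 80, 6, 10, 8000)
FLOW_B = ("10.0.0.9", "198.51.100.8", 51001, 443, 6, 5, 3000)
DATAGRAMS = [
    ("192.0.2.1", build_v5_datagram([FLOW_A, FLOW_B])),
    ("192.0.2.2", build_v5_datagram([FLOW_A])),
]


def demo():
    """Return (per-srcid totals, naive total over everything, total for wan-rtr only)."""
    records = [r for exporter, dg in DATAGRAMS for r in parse_v5(exporter, dg)]
    naive_total = sum(r["bytes"] for r in records)
    wan_only = sum(r["bytes"] for r in records if r["srcid"] == "wan-rtr")
    return bytes_by_srcid(records), naive_total, wan_only


if __name__ == "__main__":
    per_srcid, naive, wan = demo()
    print("per srcid:", per_srcid)
    print("naive total (double counts FLOW_A):", naive)
    print("wan-rtr only:", wan)
```

With a single listener and no per-exporter srcid, the naive total counts FLOW_A twice; once every record carries the exporter-derived srcid, post-processing can restrict to one router (or pick a canonical exporter per prefix) and the numbers line up with what a single enforcement point would report.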
