Netflow and "srcid"

[Carter Bullard]

Hey Kevin,
I have implemented your suggestion, of putting the netflow originating
address into the argus record , but I really don't have a way
of testing it completely, so when I upload rc.44 clients sometime
today (probably late) if you could give it a run on your data sets,
that would be great.

Two things to watch.  The srcid for the management record will be zero
until we figure out what it should be (probably the value provided in
either the radium.conf file or some thing like a "-e addr" option) and
the order of the resulting srcid, which maybe swapped due to little
endian issues.

Hope this is helpful,

Carter


On May 3, 2007, at 7:46 PM, K K wrote:

> On 5/3/07, carter at qosient.com <carter at qosient.com> wrote:
>> Yes, that should be pretty easy, depending on how you are send the  
>> netflow records.  Are they all going to the same daddr and port?   
>> If so we'll have to get/use the src address as the srcid, or we'd  
>> have to have a translation table to look up the srcid.
>
> All the routers are configured identically, going to the same daddr
> and port, so the listener would need to extract the src address from
> each packet to use as the srcid for the flow.
>
>
>> Any suggestions how you would want to configure this?
>
> Since prior to V3 the srcid field was just zeros for Netflow records,
> and assuming the overhead to retrieve the remote address per UDP
> packet is minimal, using the packet raddr could just be the default
> for Cisco Netflow sources?
>
> Another option would be to extend the existing radium "-e" flag (to
> specify your own source  identifier), and add this flag and code to ra
> to match radium's behavior?
>
> Kevin
>