netflow on clients.63?

Carter Bullard carter at qosient.com
Sat Nov 17 09:12:01 EST 2007 

We made some changes in the netflow stuff, so I probably messed something up.  I'll look at this today when I get back to NYC.
Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: Peter Van Epp <vanepp at sfu.ca>

Date: Fri, 16 Nov 2007 12:49:58 
To:argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] netflow on clients.63?


	I'm trying (so far without success :-)) to get V 5 netflow data in to
a rc.63 clients ra with this (by the way .threads is on by default in the 
clients, is it supposed to be?):

 # ra3 -C -S 192.75.244.195:1025 -n -D8
ra3[24189]: 07-11-16 12:39:37 main: reading files completed
ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 16) returning 0x101f5180
ra3[24189]: 07-11-16 12:39:37 ArgusNewQueue () returning 0x101f5180
ra3[24189]: 07-11-16 12:39:37 Binding AF_ANY:1025 Expecting Netflow records
ra3[24189]: 07-11-16 12:39:37 ArgusGetServerSocket (0xf7f48008) returning 3
ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 1048576) returning 0xf7e47008
ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 2048) returning 0x101f5638
ra3[24189]: 07-11-16 12:39:37 ArgusCalloc (1, 2048) returning 0x101f5e40
ra3[24189]: 07-11-16 12:39:37 ArgusParseInit(0xf7faf008 0xf7f48008
ra3[24189]: 07-11-16 12:39:37 ArgusReadConnection(0xf7f48008, 2) reading cisco wire format
ra3[24189]: 07-11-16 12:39:37 ArgusReadConnection(0xf7f48008, 2) returning 0
ra3[24189]: 07-11-16 12:39:37 ArgusFree (0x101f5180)
ra3[24189]: 07-11-16 12:39:37 ArgusDeleteQueue (0x101f5180) returning
ra3[24189]: 07-11-16 12:39:37 ArgusReadStream(0xf7faf008) starting
ra3[24189]: 07-11-16 12:39:38 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:39 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:40 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:41 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:42 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:43 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:44 ArgusClientTimeout()
ra3[24189]: 07-11-16 12:39:45 ArgusClientTimeout()

"ra3[24189]: 07-11-16 12:39:37 Binding AF_ANY:1025 Expecting Netflow records"

is a bit worrying because there are something like 5 interfaces on this machine
and the correct one is eth4 for the netflow data but the source IP seems to 
have been lost somewhere. Netflow data is appearing on the eth4 interface:

12:06:18.501690 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.512062 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.519183 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.527801 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.535299 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.543919 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.551789 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.560409 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.566281 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.574275 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464
12:06:18.582771 IP 192.75.244.195.65535 > 142.58.101.253.1025: UDP, length 1464

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list