ra clients Netflow

Carter Bullard carter at qosient.com
Mon Oct 15 14:36:29 EDT 2007 

Hey Jean Michel,
Thanks for the comments!!!

OK back to our problem.  I have an fprobe running on my local  
machiine that
is writing v5 netflow records to localhost:9090, and I'm running the  
newest
ra() from the server with debug set to 9, and here is what I get.

isis:/home/carter/argus/clients/clients carter$ ../bin/ra -D9 -CS 9090
ra[10555]: 2007/10/15.14:33:03.960126 ArgusCalloc (1, 394576)  
returning 0x479000
ra[10555]: 2007/10/15.14:33:03.960281 ArgusAddHostList (0x299000,  
9090, 16) returning 1
ra[10555]: 2007/10/15.14:33:03.960349 main: reading files completed
ra[10555]: 2007/10/15.14:33:03.960381 ArgusCalloc (1, 16) returning  
0x11002b0
ra[10555]: 2007/10/15.14:33:03.960550 ArgusNewQueue () returning  
0x11002b0
ra[10555]: 2007/10/15.14:33:03.960726 Binding AF_ANY:9090 Expecting  
Netflow records
ra[10555]: 2007/10/15.14:33:03.961839 ArgusGetServerSocket (0x479000)  
returning 4
ra[10555]: 2007/10/15.14:33:03.962646 ArgusCalloc (1, 1048576)  
returning 0x605000
ra[10555]: 2007/10/15.14:33:03.962742 ArgusCalloc (1, 2048) returning  
0x2804000
ra[10555]: 2007/10/15.14:33:03.962777 ArgusCalloc (1, 2048) returning  
0x2804800
ra[10555]: 2007/10/15.14:33:04.342682 ArgusParseInit(0x299000 0x479000
ra[10555]: 2007/10/15.14:33:04.342749 ArgusReadConnection(0x479000,  
2) reading cisco wire format
ra[10555]: 2007/10/15.14:33:04.342765 ArgusReadConnection(0x479000,  
2) returning 0
ra[10555]: 2007/10/15.14:33:04.342796 ArgusFree (0x11002b0)
ra[10555]: 2007/10/15.14:33:04.342814 ArgusDeleteQueue (0x11002b0)  
returning
ra[10555]: 2007/10/15.14:33:04.342850 ArgusReadStream(0x299000) starting
ra[10555]: 2007/10/15.14:33:05.393215 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:06.393748 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:07.394220 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:08.394729 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:09.395268 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:10.395754 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:11.396230 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:12.396754 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:13.397243 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:14.397800 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:15.398254 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:16.398865 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:17.399519 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:18.400047 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:19.400806 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:20.401408 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:21.401882 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:22.402488 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:23.403022 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:24.403422 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:25.403769 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:25.999850 ArgusReadCiscoDatagramSocket  
(0x479000) starting
ra[10555]: 2007/10/15.14:33:25.999919 ArgusReadCiscoDatagramSocket  
(0x479000) read 72 bytes, capacity 72
ra[10555]: 2007/10/15.14:33:26.000013 ArgusParseCiscoRecordV5  
(0x2804048) returning 0x1dd420
                  StartTime      Flgs  Proto            SrcAddr   
Sport   Dir            DstAddr  Dport  SrcPkts  DstPkts      
SrcBytes     DstBytes State
2007/10/15.14:30:12.474000  e           tcp        
192.168.0.66.57704     ?>     216.92.197.167.imap          8         
0          416            0   FIN
ra[10555]: 2007/10/15.14:33:26.000611 RaScheduleRecord (0x299000,  
0x479234) schedule 0x0
ra[10555]: 2007/10/15.14:33:26.000627 ArgusHandleDatum (0x1dd420,  
0x2a9704) returning 0
ra[10555]: 2007/10/15.14:33:26.000666 ArgusReadCiscoDatagramSocket  
(0x479000) returning 0
ra[10555]: 2007/10/15.14:33:26.450805 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:27.451142 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:28.451573 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:29.454030 ArgusClientTimeout()
ra[10555]: 2007/10/15.14:33:30.454519 ArgusClientTimeout()

Do you get anything that looks like this?

Carter


On Oct 15, 2007, at 2:14 PM, Jean Michel RIZZARDI wrote:

> Hi Carter,
>
> still no luck in capturing (with strace on linux ra keeps on doing  
> this:
>
> gettimeofday({1192471704, 823268}, NULL) = 0
> select(4, [3], NULL, NULL, {0, 50000})  = 0 (Timeout)
>
> I read your post about the doc; I can tell that having the tool up  
> and running
> is pretty straight forward, but analysis is a little bit more  
> complicated.
> I love your tool because you can do "current" reporting and go  
> deeper if
> something happens.
> Some subjects of interests are "basic" reports: top 10  
> applications, top
> talkers, rtt variation. A lot of things are in the man pages I  
> know ...
> Also dealing with large amount of data, advices on how to split  / 
> archive would
> be welcome.
> I guess for you it's basic but for someone just coming to Argus  
> this may help.
>
> Again, thanks a lot for this tremendous work.
>
> Jean Michel
>
>
>
>        
> ______________________________________________________________________ 
> _______
> Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers  
> Yahoo! Mail
>

More information about the argus mailing list