[PATCH] Re: Using the argus server as a NetFlow listener

Terry Burton tez at terryburton.co.uk
Wed Oct 24 09:18:15 EDT 2007


On 10/22/07, Carter Bullard <carter at qosient.com> wrote:
> You're not the only one asking for this function, but it's a bit
> of a head scratcher.   I think you would like argus() to realize
> that the packet it just sniffed is a netflow record, and from it
> spit out the flow records that it contains?  I have a solution for
> this in the research versions of argus-3.0, but not in the first
> release.
<...snip...>

Hi Carter,

That's very clear - understood.

> But, the closest thing in the initial argus-3.0 release to what
> you're looking for is radium().  I would run radium on the same
> machine as argus, and have it read the netflow records and
> collect from the argi, (either v2 or v3) at the same time, and provide
> access to the resulting single aggregated stream, just like argus().
> You have to know the netflow is there for radium() to read it,
> but you'll at least get the entire contents.
>
> Give radium() a run, and if you have any problems, send
> some email, so I can get your experience into the argus-3.0
> release notes (or fix some bugs ;o)

Thanks for the advice. Today I found some time to replace the Debian-packaged
binaries for the argus server and clients with the latest
3.0 RCs from the FTP site.

I have been able to successfully reproduce the previous functionality
for monitoring the SPAN-attached interfaces. This works great as it
seems more responsive and places less load on the system than with the
version 2.0 clients:

argus -d -i eth1 -w core1.arg -P 561
ratop -S localhost:561

When trying to read NetFlow sources with any ra client I found the
clients would listen on the wrong port. I have fixed this with the
attached patch.

Also, I found that radium does not daemonise when invoked as follows:

radium -X -d -C -S 1006 -P562 -w nf.arg

Other than these minor issues, so far so good. I'll keep the list
informed of progress and will eventually submit for review the
post-analysis scripts that I'm developing in the hope that they may
prove useful.


Thanks again,

Tez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus_client.c.patch
Type: text/x-patch
Size: 1391 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20071024/0105419f/attachment.bin>
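As an added illustration of the function Carter describes above (realising that a packet just sniffed off the wire is a NetFlow export, and spitting out the flow records it contains), here is a small Python example. It is not argus or radium code and is not from the patch attached to this message; it assumes NetFlow v5, the classic fixed-layout Cisco export (24-byte header, 48-byte records, at most 30 records per datagram). The sample export it parses is constructed inline, not captured traffic.

```python
"""Recognise a sniffed UDP payload as a NetFlow v5 export and unpack its
flow records.  Added example, not argus/radium code; assumes NetFlow v5."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NetFlow v5 wire layout: big-endian, no padding.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval            (24 bytes)
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2                              (48 bytes)
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int
    first_ms: int   # router sys_uptime at first packet of the flow
    last_ms: int    # router sys_uptime at last packet of the flow


def parse_netflow_v5(payload: bytes) -> Optional[Tuple[dict, List[Flow]]]:
    """Return (header, flows) if payload is a well-formed v5 export, else None.

    None means "this is an ordinary UDP packet, not NetFlow": version, record
    count and total length must all agree with the v5 layout, so unrelated
    traffic (DNS, syslog, ...) is never mis-read as flow records."""
    if len(payload) < V5_HEADER.size:
        return None
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(payload, 0)
    if version != 5 or not 1 <= count <= V5_MAX_RECORDS:
        return None
    if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        return None
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
        "unix_nsecs": nsecs, "flow_sequence": seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,  # low 14 bits hold the interval
    }
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, dpkts, doctets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(payload, off)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, dpkts, doctets, flags,
                          first, last))
    return header, flows


def build_sample_export() -> bytes:
    """Constructed v5 export carrying two flows (not captured data)."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags, first, last):
        return V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst),
            socket.inet_aton("0.0.0.0"),        # nexthop
            1, 2,                               # input / output ifIndex
            pkts, octets, first, last, sport, dport,
            0, flags, proto, 0,                 # pad1, tcp_flags, prot, tos
            0, 0, 24, 24, 0)                    # src_as, dst_as, masks, pad2
    records = (rec("10.0.0.5", "192.0.2.10", 44123, 80, 6, 12, 9800, 0x1B, 1000, 1450)
               + rec("10.0.0.7", "192.0.2.53", 51000, 53, 17, 1, 72, 0, 1200, 1200))
    header = V5_HEADER.pack(5, 2, 1500, 1193215095, 0, 42, 0, 0, 0)
    return header + records


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_export())
    print(f"seq={hdr['flow_sequence']} records={hdr['count']}")
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"pkts={f.packets} bytes={f.octets} flags=0x{f.tcp_flags:02x}")
```

The length check is the part worth keeping in mind when feeding sniffed packets to a parser like this: a datagram whose first two bytes happen to be 0x0005 is not enough to call it NetFlow, and a truncated export (or one whose count field lies) should be dropped rather than partially decoded.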