[PATCH] Re: Using the argus server as a NetFlow listener
Carter Bullard
carter at qosient.com
Wed Oct 24 11:19:24 EDT 2007
Hey Tez,
Thanks for the patches. I'll take a look and integrate as needed.
The -d option on radium "toggles" the daemon flag, so if the
/etc/radium.conf file has the DAEMON variable set to "on", then
the -d option will turn it off, so check that.
I know you had the -X option, so I'll make sure that the
DAEMON flag setting is cleared when you use the -X option.
If you have any problems, don't hesitate to send to the list.
Carter
On Oct 24, 2007, at 9:18 AM, Terry Burton wrote:
> On 10/22/07, Carter Bullard <carter at qosient.com> wrote:
> >> You're not the only one asking for this function, but it's a bit
>> of a head scratcher. I think you would like argus() to realize
>> that the packet it just sniffed is a netflow record, and from it
>> spit out the flow records that it contains? I have a solution for
>> this in the research versions of argus-3.0, but not in the first
>> release.
> <...snip...>
>
> Hi Carter,
>
> That's very clear - understood.
>
>> But, the closest thing in the initial argus-3.0 release to what
>> you're looking for is radium(). I would run radium on the same
>> machine as argus, and have it read the netflow records and
> >> collect from the argi, (either v2 or v3) at the same time, and provide
> >> access to the resulting single aggregated stream, just like argus().
>> You have to know the netflow is there for radium() to read it,
>> but you'll at least get the entire contents.
>>
>> Give radium() a run, and if you have any problems, send
>> some email, so I can get your experience into the argus-3.0
>> release notes (or fix some bugs ;o)
>
> Thanks for the advice. Today I found some time to replace the Debian
> packaged binaries from the argus server and clients with the latest
> 3.0rc's from the FTP site.
>
> I have been able to successfully reproduce the previous functionality
> for monitoring the SPAN-attached interfaces. This works great as it
> seems more responsive and places less load on the system than with the
> version 2.0 clients:
>
> argus -d -i eth1 -w core1.arg -P 561
> ratop -S localhost:561
>
> When trying to read NetFlow sources with any ra client I found the
> clients would listen on the wrong port. I have fixed this with the
> attached patch.
>
> Also, I found that radium does not daemonise when invoked as follows:
>
> radium -X -d -C -S 1006 -P562 -w nf.arg
>
> Other than these minor issues, so far so good. I'll keep the list
> informed of progress and will eventually submit for review the
> post-analysis scripts that I'm developing in the hope that they may
> prove useful.
>
>
> Thanks again,
>
> Tez
> <argus_client.c.patch>