netflow question

[Peter Van Epp]

	So having fixed my firewall problem that was breaking netflow 
processing now I'm ready to cause trouble with it :-). I have a switch that 
is collecting netflow on all interfaces (and it has a lot of interfaces :-))
and a fibre tap on one quite busy interface on the switch. So I'm running
argus reading from the fibre tap and writing to a file and at the same time
using ra to capture the netflow data from the switch. Then I feed both files
through racluster as in 

racluster -r infile -w outfile

with a filter that should eliminate most of the traffic that the tap won't
see. Now I'm trying to reconcile the data from both captures (to see if the
switch is failing to report all the flows via netflow). The first thing that
happens is that netflow start times are hours earlier than the capture start
(because netflow records have flow start time in them?) and when I do see 
a flow that matches, the counts look to be very different which may suggest 
that I don't know what I'm doing or that what I'm trying to do can't be 
done :-):

netflow output:

 08-01-09 09:30:29  e         tcp       142.58.xx.yy.1213      ?>      142.58.aaa.bb.445       33343   40263352

argus output for what seems to be the same flow:

 08-01-09 09:30:27  e *       tcp      142.58.aaa.bb.445      <?>       142.58.xx.yy.1213     122282   96039533   CON

	Should I not be expecting to see the same (or similar anyway) data from
both netflow and argus?

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada