netflow question
Carter Bullard
carter at qosient.com
Thu Jan 10 07:12:26 EST 2008
Hey Peter,
There are going to be differences. The switch reports netflow records in a somewhat arbitrary way, in that it can be sampled stats for the flow, and it can hold the records for very long periods of time before flushing them. Be sure to include the "dur" for comparison. The best comparisons are the short duration TCP flows. Long duration streams seem to diverge pretty quickly, with argus reporting generally higher counts.
Regardless, they should be order of magnitude similar, which is what you're seeing, but the two records seem to have src/dst metrics swapped? There is a lot of logic to try to guess the direction for netflow, but because the timestamp precision is poor, we may not be able to tell who transmitted first, which determines the source for the bi-directional merge.
Can you share the original data for debugging?
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: Peter Van Epp <vanepp at sfu.ca>
Date: Wed, 9 Jan 2008 11:28:43
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] netflow question
So having fixed my firewall problem that was breaking netflow
processing now I'm ready to cause trouble with it :-). I have a switch that
is collecting netflow on all interfaces (and it has a lot of interfaces :-))
and a fibre tap on one quite busy interface on the switch. So I'm running
argus reading from the fibre tap and writing to a file and at the same time
using ra to capture the netflow data from the switch. Then I feed both files
through racluster as in
racluster -r infile -w outfile
with a filter that should eliminate most of the traffic that the tap won't
see. Now I'm trying to reconcile the data from both captures (to see if the
switch is failing to report all the flows via netflow). The first thing that
happens is that netflow start times are hours earlier than the capture start
(because netflow records have flow start time in them?) and when I do see
a flow that matches, the counts look to be very different which may suggest
that I don't know what I'm doing or that what I'm trying to do can't be
done :-):
netflow output:
08-01-09 09:30:29 e tcp 142.58.xx.yy.1213 ?> 142.58.aaa.bb.445 33343 40263352
argus output for what seems to be the same flow:
08-01-09 09:30:27 e * tcp 142.58.aaa.bb.445 <?> 142.58.xx.yy.1213 122282 96039533 CON
Should I not be expecting to see the same (or similar anyway) data from
both netflow and argus?
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
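The comparison Peter describes, with the direction problem Carter points out, can be done mechanically once both sources are keyed on a direction-independent 5-tuple. The following script is an added example, not code from this thread or from the argus project: it parses ra-style text records in the column layout the two quoted lines show (date, time, flags, optional "*", proto, src.port, direction, dst.port, pkts, bytes, optional state), canonicalises each record so a swapped src/dst still matches, and reports flows present in one capture but not the other plus the byte and packet ratios for matched flows. The column layout, the 10x "order of magnitude" tolerance band, and the three extra sample records are assumptions constructed for the example.

```python
# Added example (not from the thread or the argus project): reconcile argus and
# netflow text records by canonical 5-tuple so a swapped src/dst cannot hide a match.
# Column layout assumed from the two records quoted in the thread:
#   date time flags [*] proto src.port dir dst.port pkts bytes [state]
from dataclasses import dataclass


@dataclass
class Flow:
    stime: str      # "YY-MM-DD HH:MM:SS" as printed by ra
    proto: str
    src: str        # "addr.port" exactly as printed
    dst: str
    direction: str  # e.g. "?>", "<?>", "->"
    pkts: int
    nbytes: int


def parse_line(line: str) -> Flow:
    """Parse one ra-style text record into a Flow (assumed layout above)."""
    tok = line.split()
    # The direction token is the only one containing '<' or '>'; everything
    # else is located relative to it, so the optional "*" flag and trailing
    # state column do not matter.
    di = next(i for i, t in enumerate(tok) if "<" in t or ">" in t)
    return Flow(
        stime=f"{tok[0]} {tok[1]}",
        proto=tok[di - 2],
        src=tok[di - 1],
        dst=tok[di + 1],
        direction=tok[di],
        pkts=int(tok[di + 2]),
        nbytes=int(tok[di + 3]),
    )


def canonical_key(f: Flow) -> tuple:
    """Direction-independent key: proto plus the two endpoints in sorted order."""
    a, b = sorted((f.src, f.dst))
    return (f.proto, a, b)


def reconcile(netflow_lines, argus_lines, tolerance=10.0):
    """Match records from both sources and compare their counters.

    tolerance is the accepted byte-ratio band (1/tolerance .. tolerance); the
    thread expects order-of-magnitude agreement, so 10.0 is the default.
    """
    nf = {canonical_key(f): f for f in map(parse_line, netflow_lines)}
    ar = {canonical_key(f): f for f in map(parse_line, argus_lines)}
    report = {"matched": {}, "missing_from_netflow": [], "missing_from_argus": []}
    for key, a in ar.items():
        n = nf.get(key)
        if n is None:
            report["missing_from_netflow"].append(key)   # switch never reported it
            continue
        byte_ratio = a.nbytes / n.nbytes if n.nbytes else float("inf")
        pkt_ratio = a.pkts / n.pkts if n.pkts else float("inf")
        report["matched"][key] = {
            "swapped": a.src != n.src,   # the two sources guessed direction differently
            "byte_ratio": byte_ratio,    # argus / netflow
            "pkt_ratio": pkt_ratio,
            "within_tolerance": 1 / tolerance <= byte_ratio <= tolerance,
        }
    report["missing_from_argus"] = [k for k in nf if k not in ar]
    return report


# Constructed sample: the two records quoted in the thread plus three made-up
# ones (one matching pair, one argus-only flow, one netflow-only flow).
SAMPLE_NETFLOW = [
    "08-01-09 09:30:29 e tcp 142.58.xx.yy.1213 ?> 142.58.aaa.bb.445 33343 40263352",
    "08-01-09 09:31:02 e tcp 10.0.0.5.51000 -> 10.0.0.9.80 12 1800",
    "08-01-09 09:32:00 e tcp 10.0.0.11.40000 ?> 10.0.0.12.22 5 500",
]
SAMPLE_ARGUS = [
    "08-01-09 09:30:27 e * tcp 142.58.aaa.bb.445 <?> 142.58.xx.yy.1213 122282 96039533 CON",
    "08-01-09 09:31:01 e * tcp 10.0.0.5.51000 -> 10.0.0.9.80 14 1960 FIN",
    "08-01-09 09:31:10 e * udp 10.0.0.7.53000 -> 10.0.0.53.53 2 240 CON",
]


def run_sample():
    return reconcile(SAMPLE_NETFLOW, SAMPLE_ARGUS)


if __name__ == "__main__":
    rep = run_sample()
    for key, m in rep["matched"].items():
        print(key, "swapped" if m["swapped"] else "same-dir",
              f"bytes x{m['byte_ratio']:.2f} pkts x{m['pkt_ratio']:.2f}",
              "OK" if m["within_tolerance"] else "DIVERGED")
    print("not reported by netflow:", rep["missing_from_netflow"])
    print("not seen by argus:", rep["missing_from_argus"])
```

On the two records from the thread this flags the pair as matched but swapped, with argus reporting about 2.4x the bytes and 3.7x the packets, inside the order-of-magnitude band Carter describes. In practice the "dur" column should be carried through as well and the comparison restricted to short-duration TCP flows, since long-lived streams diverge as the switch holds and samples them.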