netflow question

Carter Bullard carter at qosient.com
Thu Jan 10 07:12:26 EST 2008


Hey Peter,
There are going to be differences. The switch reports netflow records in a somewhat arbitrary way, in that it can be sampled stats for the flow, and it can hold the records for very long periods of time before flushing them.  Be sure and include the "dur" for comparison.  The best comparisons are the short duration TCP flows.  Long duration streams seem to diverge pretty quickly, with argus reporting generally higher counts.

Regardless, they should be order of magnitude similar, which is what you're seeing, but the two records seem to have src/dst metrics swapped?  There is a lot of logic to try to guess the direction for netflow, but because the timestamp precision is poor, we may not be able to tell who transmitted first, which determines the source for the bi-directional merge.

Can you share the original data for debugging?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: Peter Van Epp <vanepp at sfu.ca>

Date: Wed, 9 Jan 2008 11:28:43 
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] netflow question


	So having fixed my firewall problem that was breaking netflow 
processing now I'm ready to cause trouble with it :-). I have a switch that 
is collecting netflow on all interfaces (and it has a lot of interfaces :-))
and a fibre tap on one quite busy interface on the switch. So I'm running
argus reading from the fibre tap and writing to a file and at the same time
using ra to capture the netflow data from the switch. Then I feed both files
through racluster as in 

racluster -r infile -w outfile

with a filter that should eliminate most of the traffic that the tap won't
see. Now I'm trying to reconcile the data from both captures (to see if the
switch is failing to report all the flows via netflow). The first thing that
happens is that netflow start times are hours earlier than the capture start
(because netflow records have flow start time in them?) and when I do see 
a flow that matches, the counts look to be very different which may suggest 
that I don't know what I'm doing or that what I'm trying to do can't be 
done :-):

netflow output:

 08-01-09 09:30:29  e         tcp       142.58.xx.yy.1213      ?>      142.58.aaa.bb.445       33343   40263352

argus output for what seems to be the same flow:

 08-01-09 09:30:27  e *       tcp      142.58.aaa.bb.445      <?>       142.58.xx.yy.1213     122282   96039533   CON

	Should I not be expecting to see the same (or similar anyway) data from
both netflow and argus?

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
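The reconciliation Peter describes, and the direction-swap Carter points out, can be checked mechanically once both outputs are parsed. The script below is an added example written for this thread; it is not argus, ra or racluster code. It reads ra-style lines in the column layout quoted above (date, time, flag columns, proto, saddr, dir, daddr, pkts, bytes, optional state), matches records on a direction-independent key of the two endpoints plus a start-time window, and reports the skew, whether src/dst were assigned the other way round, and the packet and byte ratios. The sample lines are constructed: the addresses are documentation ranges standing in for the masked ones in the thread, the counts are the ones Peter quoted, and the extra UDP argus record is invented so the unmatched path is exercised.

```python
from datetime import datetime, timedelta

# Constructed sample records in the layout shown in the thread:
#   date time flags... proto saddr dir daddr pkts bytes [state]
# Addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24);
# the tcp counts are the ones quoted in the thread, the udp record is invented.
NETFLOW_LINES = [
    "08-01-09 09:30:29  e         tcp       192.0.2.10.1213      ?>      198.51.100.5.445       33343   40263352",
]
ARGUS_LINES = [
    "08-01-09 09:30:27  e *       tcp      198.51.100.5.445      <?>       192.0.2.10.1213     122282   96039533   CON",
    "08-01-09 09:31:02  e         udp      192.0.2.20.53        <->       198.51.100.9.40001        4        812   CON",
]

PROTOS = {"tcp", "udp", "icmp"}


def parse_line(line):
    """Parse one ra-style line into a dict.

    The number of flag columns varies between records ("e" vs "e *"), so the
    protocol token is located first and the remaining fields are taken
    relative to it.
    """
    f = line.split()
    start = datetime.strptime(f[0] + " " + f[1], "%y-%m-%d %H:%M:%S")
    i = next(k for k, tok in enumerate(f) if tok in PROTOS)
    return {
        "start": start,
        "proto": f[i],
        "saddr": f[i + 1],
        "dir": f[i + 2],
        "daddr": f[i + 3],
        "pkts": int(f[i + 4]),
        "bytes": int(f[i + 5]),
        "state": f[i + 6] if len(f) > i + 6 else "",
    }


def flow_key(rec):
    """Direction-independent key: protocol plus the two endpoints in sorted
    order, so a record whose src/dst were guessed the other way round still
    lines up with its counterpart."""
    return (rec["proto"],) + tuple(sorted((rec["saddr"], rec["daddr"])))


def reconcile(netflow_lines, argus_lines, window=timedelta(seconds=30)):
    """Match each NetFlow record to the closest-starting argus record with the
    same endpoints inside `window`, and list records left over on either side.

    Leftover argus records are the interesting ones for Peter's question: flows
    the tap saw that the switch never exported.
    """
    argus = [parse_line(line) for line in argus_lines]
    by_key = {}
    for rec in argus:
        by_key.setdefault(flow_key(rec), []).append(rec)

    matched, unmatched_netflow, used = [], [], set()
    for line in netflow_lines:
        nf = parse_line(line)
        cands = [a for a in by_key.get(flow_key(nf), [])
                 if id(a) not in used and abs(a["start"] - nf["start"]) <= window]
        if not cands:
            unmatched_netflow.append(nf)
            continue
        a = min(cands, key=lambda r: abs(r["start"] - nf["start"]))
        used.add(id(a))
        matched.append({
            "netflow": nf,
            "argus": a,
            # True when the two sources disagree on which endpoint transmitted first
            "direction_swapped": nf["saddr"] != a["saddr"],
            "start_skew_s": (a["start"] - nf["start"]).total_seconds(),
            "pkt_ratio": a["pkts"] / nf["pkts"],
            "byte_ratio": a["bytes"] / nf["bytes"],
        })

    unmatched_argus = [a for a in argus if id(a) not in used]
    return {"matched": matched,
            "unmatched_netflow": unmatched_netflow,
            "unmatched_argus": unmatched_argus}


if __name__ == "__main__":
    result = reconcile(NETFLOW_LINES, ARGUS_LINES)
    for m in result["matched"]:
        print("%s %s <-> %s  swapped=%s skew=%+.0fs pkts x%.2f bytes x%.2f" % (
            m["netflow"]["proto"], m["netflow"]["saddr"], m["netflow"]["daddr"],
            m["direction_swapped"], m["start_skew_s"],
            m["pkt_ratio"], m["byte_ratio"]))
    for a in result["unmatched_argus"]:
        print("argus only: %s %s -> %s" % (a["proto"], a["saddr"], a["daddr"]))
    for nf in result["unmatched_netflow"]:
        print("netflow only: %s %s -> %s" % (nf["proto"], nf["saddr"], nf["daddr"]))
```

The 30-second window is an assumption for these two samples; with real exports it should be widened to cover the switch's flow-flush delay, and, as Carter suggests, the duration column should be parsed and compared as well so that long-lived streams (where the counts are expected to diverge) can be excluded from the ratio comparison.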
