Netflow question
Peter Van Epp
vanepp at sfu.ca
Fri Jan 18 12:27:25 EST 2008
What netflow field does argus use to decide that two flows are part
of the same flow (as this one should be)?
08-01-11 11:38:58 e tcp 142.58.101.50.25 ?> 71.90.234.102.1254 7 1035
08-01-11 11:38:59 e tcp 71.90.234.102.1254 ?> 142.58.101.50.25 9 682
Neither ra nor racluster will combine these flows as they should. I expect
that means the netflow implementation on our switches (Enterasys) isn't
including some field that argus needs to decide this is the same flow. If
I know what field is needed I can see about getting it added to the firmware
in the switch.
If I can figure out how (or possibly if :-)) wireshark filtering works
I can probably get an example of the netflow that created this (the entire
file is several hundred megs, unfortunately).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
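The two records in the post are the two halves of one TCP conversation: the second has source and destination swapped relative to the first. The script below is an added example, not code from the post or from argus, that parses ra's text output and pairs records whose (protocol, source endpoint, destination endpoint) match in reverse, so you can check which unidirectional netflow records would fold into one bidirectional flow before looking at what the exporter is omitting. The reverse-5-tuple rule is this example's assumed matching key; the post does not say which field argus actually uses.

```python
import re

# Two unidirectional records in ra's default text layout, copied from the
# post above and used as constructed input for this example:
#   date time flags proto src dir dst pkts bytes
RA_LINES = [
    "08-01-11 11:38:58 e tcp 142.58.101.50.25 ?> 71.90.234.102.1254 7 1035",
    "08-01-11 11:38:59 e tcp 71.90.234.102.1254 ?> 142.58.101.50.25 9 682",
]

# ra writes endpoints as "a.b.c.d.port"; the last dotted component is the port.
_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)$")


def split_endpoint(text):
    """Split ra's dotted 'addr.port' form into (addr, port)."""
    m = _ENDPOINT.match(text)
    if m is None:
        raise ValueError("not an addr.port endpoint: %r" % text)
    return m.group(1), int(m.group(2))


def parse_ra_line(line):
    """Parse one ra output line into the fields needed for matching."""
    fields = line.split()
    if len(fields) != 9:
        raise ValueError("unexpected field count in: %r" % line)
    date, time, flags, proto, src, direction, dst, pkts, nbytes = fields
    saddr, sport = split_endpoint(src)
    daddr, dport = split_endpoint(dst)
    return {
        "stime": date + " " + time,   # fixed-width, so string order == time order
        "flags": flags,
        "proto": proto,
        "saddr": saddr, "sport": sport,
        "daddr": daddr, "dport": dport,
        "dir": direction,
        "pkts": int(pkts),
        "bytes": int(nbytes),
    }


def flow_key(rec):
    """Direction-independent key (assumed matching rule for this example):
    sort the two endpoints so a record and its reverse hash to the same key."""
    a = (rec["saddr"], rec["sport"])
    b = (rec["daddr"], rec["dport"])
    low, high = sorted((a, b))
    return (rec["proto"], low, high)


def merge_flows(records):
    """Merge unidirectional records into bidirectional flows.  The first record
    seen for a key defines the 'source' side; records running the other way
    are counted as dst->src packets and bytes."""
    merged = {}
    for rec in records:
        key = flow_key(rec)
        flow = merged.get(key)
        if flow is None:
            merged[key] = {
                "proto": rec["proto"],
                "saddr": rec["saddr"], "sport": rec["sport"],
                "daddr": rec["daddr"], "dport": rec["dport"],
                "stime": rec["stime"], "ltime": rec["stime"],
                "spkts": rec["pkts"], "sbytes": rec["bytes"],
                "dpkts": 0, "dbytes": 0,
            }
            continue
        same_direction = (rec["saddr"], rec["sport"]) == (flow["saddr"], flow["sport"])
        if same_direction:
            flow["spkts"] += rec["pkts"]
            flow["sbytes"] += rec["bytes"]
        else:
            flow["dpkts"] += rec["pkts"]
            flow["dbytes"] += rec["bytes"]
        flow["stime"] = min(flow["stime"], rec["stime"])
        flow["ltime"] = max(flow["ltime"], rec["stime"])
    return list(merged.values())


def merge_ra_lines(lines):
    """Convenience wrapper: parse then merge a sequence of ra text lines."""
    return merge_flows(parse_ra_line(line) for line in lines)


if __name__ == "__main__":
    for f in merge_ra_lines(RA_LINES):
        print("%(stime)s  %(proto)s %(saddr)s.%(sport)d <-> %(daddr)s.%(dport)d  "
              "%(spkts)d pkts/%(sbytes)d bytes out, %(dpkts)d pkts/%(dbytes)d bytes back" % f)
```

Run against a larger ra dump, any key that ends up with only one record and zero reverse-direction counts is a candidate for the exporter dropping or altering a field on one side; a key with both halves is a conversation the collector could have merged.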