Netflow question
Carter Bullard
carter at qosient.com
Fri Jan 18 15:55:23 EST 2008
Hey Peter,
The aggregators, racluster(), rabins() or ratop() should match them up. The RACLUSTER_AUTO_CORRECTION variable in the racluster.conf file controls it, and I thought it was on by default. It may have been flipped. Could you test this with racluster -f racluster.conf, with this in the file?
RACLUSTER_AUTO_CORRECTION=yes
Carter
On Jan 18, 2008, at 12:27 PM, Peter Van Epp wrote:
> What netflow field does argus use to decide that two flows are part
> of the same flow (as this one should be)?
>
> 08-01-11 11:38:58 e tcp 142.58.101.50.25 ?> 71.90.234.102.1254 7 1035
> 08-01-11 11:38:59 e tcp 71.90.234.102.1254 ?> 142.58.101.50.25 9 682
>
> Neither ra nor racluster will combine this flow as they should be. I
> expect that means the netflow implementation on our switches (Enterasys)
> isn't including some field that argus needs to decide this is the same
> flow. If I know what field is needed I can see about getting it added to
> the firmware in the switch.
> If I can figure out how (or possibly if :-)) wireshark filtering works
> I can probably get an example of the netflow that created this (the
> entire file is several hundred megs unfortunately).
>
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
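To illustrate what "matching them up" means for the two records Peter quotes, here is an added Python example (not argus code, and not a description of how racluster makes its decision) that pairs unidirectional records on protocol plus a direction-independent endpoint key. The column layout is inferred from the quoted ra output, the function names are hypothetical, and the third sample line is constructed.

```python
from collections import OrderedDict

# Lines 1-2 are the records quoted in the message above; line 3 is a
# constructed, unrelated record to show that it is left unmerged.
SAMPLE = """\
08-01-11 11:38:58 e tcp 142.58.101.50.25 ?> 71.90.234.102.1254 7 1035
08-01-11 11:38:59 e tcp 71.90.234.102.1254 ?> 142.58.101.50.25 9 682
08-01-11 11:39:02 e tcp 192.0.2.10.40000 ?> 142.58.101.50.25 3 180
"""

def split_endpoint(text):
    """Split 'a.b.c.d.port' into (address, port)."""
    addr, _, port = text.rpartition(".")
    return addr, int(port)

def parse(line):
    """Assumed columns: date time flags proto src dir dst pkts bytes."""
    date, time, _flags, proto, src, _dir, dst, pkts, nbytes = line.split()
    return {"start": f"{date} {time}", "proto": proto,
            "src": split_endpoint(src), "dst": split_endpoint(dst),
            "pkts": int(pkts), "bytes": int(nbytes)}

def merge(lines):
    """Combine unidirectional records whose endpoints mirror each other."""
    flows = OrderedDict()
    for rec in map(parse, lines):
        # Sorting the two endpoints gives the same key for both directions.
        key = (rec["proto"],) + tuple(sorted((rec["src"], rec["dst"])))
        flow = flows.get(key)
        if flow is None:
            # The first record seen fixes the src -> dst orientation.
            flows[key] = {"start": rec["start"], "proto": rec["proto"],
                          "src": rec["src"], "dst": rec["dst"],
                          "spkts": rec["pkts"], "sbytes": rec["bytes"],
                          "dpkts": 0, "dbytes": 0}
        elif rec["src"] == flow["src"]:
            flow["spkts"] += rec["pkts"]
            flow["sbytes"] += rec["bytes"]
        else:
            flow["dpkts"] += rec["pkts"]
            flow["dbytes"] += rec["bytes"]
    return list(flows.values())

if __name__ == "__main__":
    for merged in merge(SAMPLE.splitlines()):
        print(merged)
```

The key needs only protocol, addresses and ports, all of which are present in the quoted records.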