Netflow question

[Peter Van Epp]

On Fri, Jan 18, 2008 at 03:55:23PM -0500, Carter Bullard wrote:
> Hey Peter,
> The aggregators, racluster(), rabins() or ratop() should match them
> up.  The RACLUSTER_AUTO_CORRECTION variable in the racluster.conf
> file controls it, and I thought it was on by default.  It may have been
> flipped.  Could you test this with racluster -f racluster.conf, with  
> this in
> the file?
> 
> RACLUSTER_AUTO_CORRECTION=yes
> 
> Carter
> 

	Doesn't seem to:

vanepp at sniffer1:/spare> racluster -r pobox.netflow -f racluster.conf -n host 71.90.234.102 and port 1254
 08-01-11 11:38:58  e         tcp      142.58.101.50.25        ?>      71.90.234.102.1254          7       1035
 08-01-11 11:38:59  e         tcp      71.90.234.102.1254      ?>      142.58.101.50.25            9        682
vanepp at sniffer1:/spare> cat racluster.conf
RACLUSTER_AUTO_CORRECTION=yes

this being rc.68. I think I have convinced wireshark to sort of filter the 
netflow data (its still picking up more than it should) so I should be able
to pick out a small number of frames (less than the 207 megs of the complete
capture :-)) in the tcpdump file that contain these particular records and 
send them along if you have a way of getting them in. The file above came
from ra reading the netflow data (it is around 39 megs) I can write out 
just this flow and send it if you like as well if that would help. I'm 
suspecting a netflow issue because DSCC (Qradar under the covers) is having
the same problem with recombining the flow from netflow when it works correctly
on the capture from a DAG based sensor (as does argus looking at the same flow
on the wire).
	Threads still doesn't seem to disable correctly on SUSE on rc.68 either.
I think it may be necessary to remove the -lpthreads too to make it actually
not use threads.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada