Netflow question
Carter Bullard
carter at qosient.com
Fri Jan 18 16:22:18 EST 2008
Hey Peter,

So ratop() will match the records by default, racluster() will not, so I suspect that I should make them consistent. I'll modify racluster() to "correct" records by default. For now, though, give the racluster.conf workaround a try.

Carter
On Jan 18, 2008, at 3:55 PM, Carter Bullard wrote:
> Hey Peter,
>
> The aggregators, racluster(), rabins() or ratop() should match them up.
> The RACLUSTER_AUTO_CORRECTION variable in the racluster.conf file
> controls it, and I thought it was on by default. It may have been
> flipped. Could you test this with racluster -f racluster.conf, with this
> in the file?
>
> RACLUSTER_AUTO_CORRECTION=yes
>
> Carter
>
>
> On Jan 18, 2008, at 12:27 PM, Peter Van Epp wrote:
>
>> What netflow field does argus use to decide that two flows are part
>> of the same flow (as this one should be)?
>>
>> 08-01-11 11:38:58 e tcp 142.58.101.50.25 ?> 71.90.234.102.1254 7 1035
>> 08-01-11 11:38:59 e tcp 71.90.234.102.1254 ?> 142.58.101.50.25 9 682
>>
>> Neither ra nor racluster will combine these flows as they should. I
>> expect that means the netflow implementation on our switches (Enterasys)
>> isn't including some field that argus needs to decide this is the same
>> flow. If I know what field is needed I can see about getting it added to
>> the firmware in the switch.
>>
>> If I can figure out how (or possibly if :-)) wireshark filtering works
>> I can probably get an example of the netflow that created this (the
>> entire file is several hundred megs, unfortunately).
>>
>> Peter Van Epp / Operations and Technical Support
>> Simon Fraser University, Burnaby, B.C. Canada
>>
>
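The thread above is about an aggregator matching two unidirectional NetFlow records (client to server and server to client) into one bidirectional flow. The script below is an added illustration of that idea, not argus code and not a description of how racluster's RACLUSTER_AUTO_CORRECTION is implemented: it parses lines in the shape of the two records Peter posted, builds a direction-insensitive key from the protocol and the two address/port endpoints, and merges records that share that key into one flow with separate source and destination counters. The field layout (date, time, flags, proto, src, direction, dst, packets, bytes) is assumed from the posted lines; the third sample line, with the 10.0.0.7 endpoint, is constructed to show that unrelated records stay separate.

```python
"""Match unidirectional flow records into bidirectional flows.

Added example; the record format is assumed from the two lines posted in
the thread (date time flags proto src dir dst pkts bytes).  The third
sample line is constructed.
"""
from collections import OrderedDict

# Sample input: the two records from the thread plus one constructed
# record that must not be merged with them.
SAMPLE = """\
08-01-11 11:38:58 e tcp 142.58.101.50.25 ?> 71.90.234.102.1254 7 1035
08-01-11 11:38:59 e tcp 71.90.234.102.1254 ?> 142.58.101.50.25 9 682
08-01-11 11:40:02 e udp 142.58.101.50.53 -> 10.0.0.7.40123 1 120
"""


def parse_record(line):
    """Split one ra-style line into its fields; 'a.b.c.d.port' -> (ip, port)."""
    date, time, flags, proto, src, direction, dst, pkts, nbytes = line.split()
    sip, sport = src.rsplit(".", 1)
    dip, dport = dst.rsplit(".", 1)
    return {
        "ts": f"{date} {time}",
        "flags": flags,
        "proto": proto,
        "dir": direction,
        "src": (sip, int(sport)),
        "dst": (dip, int(dport)),
        "pkts": int(pkts),
        "bytes": int(nbytes),
    }


def flow_key(rec, match_reverse=True):
    """Key that is identical for a record and for its reverse-direction twin.

    With match_reverse=False the key keeps src/dst order, so the two halves
    of a conversation land in different clusters (the behaviour Peter saw).
    """
    a, b = rec["src"], rec["dst"]
    if match_reverse and b < a:
        a, b = b, a
    return (rec["proto"], a, b)


def cluster(text, match_reverse=True):
    """Merge records sharing a flow key; return flows in first-seen order."""
    flows = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = flow_key(rec, match_reverse)
        flow = flows.get(key)
        if flow is None:
            # First record defines which endpoint is "source" for the flow.
            flows[key] = {
                "proto": rec["proto"], "src": rec["src"], "dst": rec["dst"],
                "first": rec["ts"], "last": rec["ts"],
                "spkts": rec["pkts"], "sbytes": rec["bytes"],
                "dpkts": 0, "dbytes": 0,
            }
            continue
        # Later record: add its counters to the matching direction.
        if rec["src"] == flow["src"]:
            flow["spkts"] += rec["pkts"]
            flow["sbytes"] += rec["bytes"]
        else:
            flow["dpkts"] += rec["pkts"]
            flow["dbytes"] += rec["bytes"]
        flow["first"] = min(flow["first"], rec["ts"])
        flow["last"] = max(flow["last"], rec["ts"])
    return list(flows.values())


def format_flow(flow):
    """Render a merged flow as one line with per-direction counters."""
    s, d = flow["src"], flow["dst"]
    arrow = "<->" if flow["dpkts"] else "->"
    return (f"{flow['first']} {flow['proto']} {s[0]}.{s[1]} {arrow} "
            f"{d[0]}.{d[1]} {flow['spkts']} {flow['dpkts']} "
            f"{flow['sbytes']} {flow['dbytes']}")


if __name__ == "__main__":
    for f in cluster(SAMPLE):
        print(format_flow(f))
    print("--- without reverse matching ---")
    for f in cluster(SAMPLE, match_reverse=False):
        print(format_flow(f))
```

Run with `match_reverse=True` the two TCP records collapse into one flow carrying 7/9 packets and 1035/682 bytes in the two directions; with `match_reverse=False` they stay apart, which is the symptom described in the thread.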