Netflow question

Carter Bullard carter at qosient.com
Fri Jan 18 16:28:42 EST 2008 

Hey Peter,
If you can just grab the records with "ra -r pobox.netflow -w test.out  
- host 71.90.234.102 and port 1254"
that should get me the data I need to see if I get the same behavior.

This should give you the same results?
    "ra -r pobox.netflow -w - - host 71.90.234.102 and port 1254 |  
racluster -f racluster.conf"

Carter

On Jan 18, 2008, at 4:19 PM, Peter Van Epp wrote:

> On Fri, Jan 18, 2008 at 03:55:23PM -0500, Carter Bullard wrote:
>> Hey Peter,
>> The aggregators, racluster(), rabins() or ratop() should match them
>> up.  The RACLUSTER_AUTO_CORRECTION variable in the racluster.conf
>> file controls it, and I thought it was on by default.  It may have  
>> been
>> flipped.  Could you test this with racluster -f racluster.conf, with
>> this in
>> the file?
>>
>> RACLUSTER_AUTO_CORRECTION=yes
>>
>> Carter
>>
>
> 	Doesn't seem to:
>
> vanepp at sniffer1:/spare> racluster -r pobox.netflow -f racluster.conf  
> -n host 71.90.234.102 and port 1254
> 08-01-11 11:38:58  e         tcp      142.58.101.50.25        ? 
> >      71.90.234.102.1254          7       1035
> 08-01-11 11:38:59  e         tcp      71.90.234.102.1254      ? 
> >      142.58.101.50.25            9        682
> vanepp at sniffer1:/spare> cat racluster.conf
> RACLUSTER_AUTO_CORRECTION=yes
>
> this being rc.68. I think I have convinced wireshark to sort of  
> filter the
> netflow data (its still picking up more than it should) so I should  
> be able
> to pick out a small number of frames (less than the 207 megs of the  
> complete
> capture :-)) in the tcpdump file that contain these particular  
> records and
> send them along if you have a way of getting them in. The file above  
> came
> from ra reading the netflow data (it is around 39 megs) I can write  
> out
> just this flow and send it if you like as well if that would help. I'm
> suspecting a netflow issue because DSCC (Qradar under the covers) is  
> having
> the same problem with recombining the flow from netflow when it  
> works correctly
> on the capture from a DAG based sensor (as does argus looking at the  
> same flow
> on the wire).
> 	Threads still doesn't seem to disable correctly on SUSE on rc.68  
> either.
> I think it may be necessary to remove the -lpthreads too to make it  
> actually
> not use threads.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

More information about the argus mailing list