Flow-tools support

Carter Bullard carter at qosient.com
Thu Dec 16 15:12:18 EST 2010


Hey Rafael,
With argus-clients-3.0.3.20, if you read the cflowd file that you generated with flow-export,
ra* can read them. Looks like a mix of udp and igmp flows.

   % flow-cat teste | flow-export -f4 > teste.cflowd
   % ra -r cisco:teste.cflowd

But the packet counts don't seem quite right, so there may be a bug.  Give it a try on your
system, to see if it does what you think it should do.

With 3.0.2, you need to state that the input file is in cisco format; however, the option for
cisco ('C') requires a parameter, as it expects to be reading them off the wire.  By giving
it any port number, it will work:


   % ra -C 561 -r teste.cflowd

Not sure that reading the original flow-tools format would be a goal, but I'll look into it.

Carter

On Dec 16, 2010, at 2:52 PM, Carter Bullard wrote:

> Hey Rafael,
> I've gone back through all versions of ra, including some 1.x versions, and
> none can read the file, so not sure what format 'teste' is in.  I'll take a look at
> some of the flow-tools to see what they think the format is.
> 
> Carter
> 
> On Dec 16, 2010, at 2:40 PM, Rafael Barbosa wrote:
> 
>> Sorry, I forgot to attach the file.
>> 
>> Rafael Barbosa
>> http://www.vf.utwente.nl/~barbosarr/
>> 
>> 
>> 
>> On Thu, Dec 16, 2010 at 8:17 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>> On Thu, Dec 16, 2010 at 5:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> Hey Rafael,
>>>> flow-tools data should be just netflow data in a file, and we should be
>>>> able to read the data no problem.  What error messages are you getting?
>>> 
>>> I do not get any error message, ra() simply returns nothing. I
>>> actually do not remember getting any file error from ra(), even if I
>>> run it with a nonexistent file.
>>> 
>>>> What version(s) are you using?
>>> 
>>> argus clients: 3.0.2
>>> flow-tools: 0.68
>>> I am not sure with which versions the netflow files were generated though.
>>> 
>>>> And of course, as usual, send a sample of the data that generates the
>>>> error, and I'll see what I can do.
>>> 
>>> Unfortunately this time I am not allowed to share the data. However as
>>> I said I cannot even read files generated with 'flow-gen'. I tried
>>> these commands for example:
>>> 
>>> $>flow-gen -V5 > teste
>>> $>ra -r teste (nothing is printed)
>>> $>flow-cat teste | flow-print (1000 flows printed)
>>> $>flow-cat teste | flow-export -f4 > teste.cflowd
>>> $>ra -r teste.cflowd (nothing is printed)
>>> $>flow-cat teste | flow-export -f0 > teste.wire
>>> $>ra -r teste.wire (nothing is printed)
>>> 
>>> I also tried to pipe the output from different flow-tool applications
>>> without luck.
>>> Attached I send the "teste" flow file, if it helps.
>>> 
>>> --
>>> Rafael
>>> 
>>>> Carter
>>>> 
>>>> On Dec 16, 2010, at 10:36 AM, Rafael Barbosa wrote:
>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I just got access to a netflow data repository stored in flow-tools
>>>>> format and I wanted to use argus clients to analyze it. However I am
>>>>> not able to read the files. I also generated a test file with
>>>>> "flow-gen" (included in flow-tools package) and read it with argus,
>>>>> but no luck. I tried digging in the mailing list history, but could
>>>>> not find a solution.
>>>>> 
>>>>> What is the recommended way to read flow-tools data? Is it necessary
>>>>> to use flow-export to convert to a specific format?
>>>>> 
>>>>> Thanks,
>>>>> Rafael Barbosa
>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>> 
>>>> 
>>>> 
>>> 
>> <teste>
> 
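As an added example (not argus or flow-tools code, and not written by anyone in this thread): a small Python reader for the kind of file the `flow-export -f4 > teste.cflowd` step above produces. It assumes that file holds raw NetFlow v5 PDUs written back to back, which is what a reader such as `ra -r cisco:teste.cflowd` (or `ra -C 561 -r teste.cflowd` on 3.0.2) is parsing. Where ra 3.0.2 is reported to print nothing on a file it does not recognise, this parser raises a descriptive error when the version field, record count or remaining length do not fit a v5 stream, and it totals the per-flow packet counters by protocol so they can be compared against what `flow-print` shows. The sample PDUs (two records of udp and igmp, then one more udp record) are constructed inline and are not from any real export.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

# NetFlow v5 layout (network byte order): a 24-byte header followed by up to
# 30 fixed 48-byte records.  Field order follows the Cisco v5 export format.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


class NetFlowFormatError(ValueError):
    """Raised when the bytes do not look like a NetFlow v5 PDU stream."""


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int


def parse_v5_stream(data: bytes) -> List[Flow]:
    """Parse back-to-back NetFlow v5 PDUs into Flow records.

    Every structural problem raises NetFlowFormatError with the byte offset,
    so a file in some other format is reported instead of yielding no output.
    """
    flows: List[Flow] = []
    off = 0
    while off < len(data):
        if len(data) - off < V5_HEADER.size:
            raise NetFlowFormatError(f"truncated PDU header at offset {off}")
        version, count = V5_HEADER.unpack_from(data, off)[:2]
        if version != 5:
            raise NetFlowFormatError(
                f"expected NetFlow v5, found version {version} at offset {off}")
        if not 1 <= count <= V5_MAX_RECORDS:
            raise NetFlowFormatError(
                f"implausible record count {count} at offset {off}")
        off += V5_HEADER.size
        need = count * V5_RECORD.size
        if len(data) - off < need:
            raise NetFlowFormatError(
                f"PDU at offset {off - V5_HEADER.size} claims {count} records "
                f"({need} bytes) but only {len(data) - off} bytes remain")
        for _ in range(count):
            (src, dst, _nexthop, _inp, _outp, pkts, octets, _first, _last,
             sport, dport, _pad1, _flags, prot, _tos, _sas, _das,
             _smask, _dmask, _pad2) = V5_RECORD.unpack_from(data, off)
            flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                              sport, dport, prot, pkts, octets))
            off += V5_RECORD.size
    return flows


def packets_by_proto(flows: List[Flow]) -> Dict[str, int]:
    """Total the per-flow packet counters by IP protocol name."""
    totals: Dict[str, int] = {}
    for f in flows:
        name = PROTO_NAMES.get(f.proto, str(f.proto))
        totals[name] = totals.get(name, 0) + f.packets
    return totals


def read_v5_file(path: str) -> List[Flow]:
    """Read a whole exported file (e.g. teste.cflowd) as a v5 stream."""
    with open(path, "rb") as fh:
        return parse_v5_stream(fh.read())


# --- constructed sample data, not captured from any real export ------------
def build_v5_pdu(records, seq: int = 0) -> bytes:
    """Pack one v5 PDU from (src, dst, sport, dport, proto, packets, octets)."""
    header = V5_HEADER.pack(5, len(records), 1000, 1292530338, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2, pkts, octets, 0, 500, sport, dport, 0, 0, proto, 0,
                       0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in records)
    return header + body


SAMPLE_STREAM = (
    build_v5_pdu([("10.0.0.1", "224.0.0.251", 5353, 5353, 17, 10, 1200),
                  ("10.0.0.2", "224.0.0.1", 0, 0, 2, 4, 128)], seq=0)
    + build_v5_pdu([("10.0.0.3", "10.0.0.9", 53000, 53, 17, 5, 400)], seq=2)
)

if __name__ == "__main__":
    sample_flows = parse_v5_stream(SAMPLE_STREAM)
    for f in sample_flows:
        print(f"{PROTO_NAMES.get(f.proto, f.proto):5} {f.src}:{f.sport} -> "
              f"{f.dst}:{f.dport} pkts={f.packets} bytes={f.octets}")
    print("packets by protocol:", packets_by_proto(sample_flows))
```

Running the module prints the three constructed flows and `{'udp': 15, 'igmp': 4}`; pointing `read_v5_file` at an actual `flow-export -f4` output gives the same per-protocol packet totals that can be set beside `flow-print`'s columns. Feeding it the original flow-tools file (`teste`) raises the version error rather than returning an empty list, which is the behaviour the thread was missing from ra.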


