Flow-tools support

Rafael Barbosa rrbarbosa at gmail.com
Fri Dec 17 05:59:46 EST 2010 

Hi Carter,

I do not understand well how flow-tools works (one of the reasons I
wanted to use argus to analyze the data), but I went on doing some
tests.
Instead of trying to save the output from flow-gen and read it with ra(), I did:

% ra -C 127.0.0.1:9898
% flow-gen -V5 | flow-send 0/127.0.0.1/9898 (in another terminal)

The output of ra() is now what I expected:
18:01:41.760000 Ne          17            0.0.0.0.0         ->
255.255.0.0.65280         1          1   INT
18:01:41.761000 Ne          17            0.0.0.1.1         ->
255.255.0.1.65281         2          2   INT
18:01:41.762000 Ne          17            0.0.0.2.2         ->
255.255.0.2.65282         3          3   INT
18:01:41.763000 Ne          17            0.0.0.3.3         ->
255.255.0.3.65283         4          4   INT
18:01:41.764000 Ne          17            0.0.0.4.4         ->
255.255.0.4.65284         5          5   INT
...

Exactly the same as saving the output from flow-gen (flow-gen -V5 >
test) and then reading it with flow-print (flow-print < test).
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
0.0.0.0          255.255.0.0      17    0        65280    1           1
0.0.0.1          255.255.0.1      17    1        65281    2           2
0.0.0.2          255.255.0.2      17    2        65282    3           3
0.0.0.3          255.255.0.3      17    3        65283    4           4
...

Unfortunately I cannot read the saved "test" file with ra(), and when
reading the output from flow-export, the "test.cflowd" from my
previous attempt, I get a different output. As an workaround I can
replay all my stored data with flow-send and capture it with ra(), but
it doesn't seem like an optimal solution.

Again, thanks for the promptly replies.

Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/



On Thu, Dec 16, 2010 at 9:12 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael,
> With argus-clients-3.0.3.20, if you read the cflowd file that you generated with flow-export,
> ra* can read them.   Looks like a mix of udp and igmp flows.
>
>   % flow-cat teste | flow-export -f4 > teste.cflowd
>   % ra -r cisco:teste.cflowd
>
> But the packet counts don't seem quite right, so there maybe a bug.  Give it a try on your
> system, to see if it does what you think it should do.
>
> With 3.0.2, you need to state that the input file is in cisco format, however the option for
> cisco ('C') requires a parameter, as it expects to be reading them off the wire.  By giving
> it any port number, it will work:
>
>
>   % ra -C 561 -r teste.cflowd
>
> Not sure that reading the original flow-tools format would be a goal, but I'll look into it.
>
> Carter
>
> On Dec 16, 2010, at 2:52 PM, Carter Bullard wrote:
>
>> Hey Rafael,
>> I've gone back through all versions of ra, including some 1.x versions, and
>> none can read the file, so not sure what format 'teste' is in.  I'll take a look at
>> some of the flow-tools to see what they think the format is.
>>
>> Carter
>>
>> On Dec 16, 2010, at 2:40 PM, Rafael Barbosa wrote:
>>
>>> Sorry, I forgot to attach the file.
>>>
>>> Rafael Barbosa
>>> http://www.vf.utwente.nl/~barbosarr/
>>>
>>>
>>>
>>> On Thu, Dec 16, 2010 at 8:17 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>> On Thu, Dec 16, 2010 at 5:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>> Hey Rafael,
>>>>> flow-tools data should be just netflow data in a file, and we should be
>>>>> able to read the data no problem.  What error messages are you getting?
>>>>
>>>> I do not get any error message, ra() simple does returns nothing. I
>>>> actually do not remember getting any file error from ra(), even if I
>>>> run it with an nonexistent file.
>>>>
>>>>> What version(s) are you using?
>>>>
>>>> argus clients: 3.0.2
>>>> flow-tools: 0.68
>>>> I am not sure with which versions the netflow files were generated though.
>>>>
>>>>> And of course, as usual, send a sample of the data that generates the
>>>>> error, and I'll see what I can do.
>>>>
>>>> Unfortunately this time I am not allowed to share the data. However as
>>>> I said I cannot even read files generated with 'flow-gen". I tried
>>>> these commands for example:
>>>>
>>>> $>flow-gen -V5 > teste
>>>> $>ra -r teste (nothing is printed)
>>>> $>flow-cat teste | flow-print (1000 flows printed)
>>>> $>flow-cat teste | flow-export -f4 > teste.cflowd
>>>> $>ra -r teste.cflowd (nothing is printed)
>>>> $>flow-cat teste | flow-export -f0 > teste.wire
>>>> $>ra -r teste.wire (nothing is printed)
>>>>
>>>> I also tried to pipe the output from different flow-tool applications
>>>> without luck.
>>>> Attached I send the "teste" flow file, if it helps.
>>>>
>>>> --
>>>> Rafael
>>>>
>>>>> Carter
>>>>>
>>>>> On Dec 16, 2010, at 10:36 AM, Rafael Barbosa wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I just got access to a netflow data repository stored in flow-tools
>>>>>> format and I wanted to use argus clients to analyze it. However I am
>>>>>> not able to read the files. I also generated a test file with
>>>>>> "flow-gen" (included in flow-tools package) and read it with argus,
>>>>>> but no luck. I tried digging in the mailing list history, but could
>>>>>> not find a solution.
>>>>>>
>>>>>> What is the recommended way to read flow-tools data? Is it necessary
>>>>>> to use flow-export to convert to a specific format?
>>>>>>
>>>>>> Thanks,
>>>>>> Rafael Barbosa
>>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>>>
>>>>>
>>>>>
>>>>
>>> <teste>
>>
>
>

More information about the argus mailing list