Flow-tools support
Carter Bullard
carter at qosient.com
Fri Dec 17 09:42:36 EST 2010
Hey Rafael,
I was able to read your "test" file converting to wire format "f4" and writing that
to a file, and read using ra.
% flow-export -f4 < test > test.cflowd
% ra -C 561 -r test.cflowd
Does this work for you?
Carter
On Dec 17, 2010, at 5:59 AM, Rafael Barbosa wrote:
> Hi Carter,
> I do not understand well how flow-tools works (one of the reasons I
> wanted to use argus to analyze the data), but I went on doing some
> tests.
> Instead of trying to save the output from flow-gen and read it with ra(), I did:
>
> % ra -C 127.0.0.1:9898
> % flow-gen -V5 | flow-send 0/127.0.0.1/9898 (in another terminal)
>
> The output of ra() is now what I expected:
> 18:01:41.760000 Ne 17 0.0.0.0.0 ->
> 255.255.0.0.65280 1 1 INT
> 18:01:41.761000 Ne 17 0.0.0.1.1 ->
> 255.255.0.1.65281 2 2 INT
> 18:01:41.762000 Ne 17 0.0.0.2.2 ->
> 255.255.0.2.65282 3 3 INT
> 18:01:41.763000 Ne 17 0.0.0.3.3 ->
> 255.255.0.3.65283 4 4 INT
> 18:01:41.764000 Ne 17 0.0.0.4.4 ->
> 255.255.0.4.65284 5 5 INT
> ...
>
> Exactly the same as saving the output from flow-gen (flow-gen -V5 >
> test) and then reading it with flow-print (flow-print < test).
> srcIP dstIP prot srcPort dstPort octets packets
> 0.0.0.0 255.255.0.0 17 0 65280 1 1
> 0.0.0.1 255.255.0.1 17 1 65281 2 2
> 0.0.0.2 255.255.0.2 17 2 65282 3 3
> 0.0.0.3 255.255.0.3 17 3 65283 4 4
> ...
>
> Unfortunately I cannot read the saved "test" file with ra(), and when
> reading the output from flow-export, the "test.cflowd" from my
> previous attempt, I get a different output. As an workaround I can
> replay all my stored data with flow-send and capture it with ra(), but
> it doesn't seem like an optimal solution.
>
> Again, thanks for the promptly replies.
>
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
>
>
>
> On Thu, Dec 16, 2010 at 9:12 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Rafael,
>> With argus-clients-3.0.3.20, if you read the cflowd file that you generated with flow-export,
>> ra* can read them. Looks like a mix of udp and igmp flows.
>>
>> % flow-cat teste | flow-export -f4 > teste.cflowd
>> % ra -r cisco:teste.cflowd
>>
>> But the packet counts don't seem quite right, so there maybe a bug. Give it a try on your
>> system, to see if it does what you think it should do.
>>
>> With 3.0.2, you need to state that the input file is in cisco format, however the option for
>> cisco ('C') requires a parameter, as it expects to be reading them off the wire. By giving
>> it any port number, it will work:
>>
>>
>> % ra -C 561 -r teste.cflowd
>>
>> Not sure that reading the original flow-tools format would be a goal, but I'll look into it.
>>
>> Carter
>>
>> On Dec 16, 2010, at 2:52 PM, Carter Bullard wrote:
>>
>>> Hey Rafael,
>>> I've gone back through all versions of ra, including some 1.x versions, and
>>> none can read the file, so not sure what format 'teste' is in. I'll take a look at
>>> some of the flow-tools to see what they think the format is.
>>>
>>> Carter
>>>
>>> On Dec 16, 2010, at 2:40 PM, Rafael Barbosa wrote:
>>>
>>>> Sorry, I forgot to attach the file.
>>>>
>>>> Rafael Barbosa
>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>
>>>>
>>>>
>>>> On Thu, Dec 16, 2010 at 8:17 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>>> On Thu, Dec 16, 2010 at 5:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>> Hey Rafael,
>>>>>> flow-tools data should be just netflow data in a file, and we should be
>>>>>> able to read the data no problem. What error messages are you getting?
>>>>>
>>>>> I do not get any error message, ra() simple does returns nothing. I
>>>>> actually do not remember getting any file error from ra(), even if I
>>>>> run it with an nonexistent file.
>>>>>
>>>>>> What version(s) are you using?
>>>>>
>>>>> argus clients: 3.0.2
>>>>> flow-tools: 0.68
>>>>> I am not sure with which versions the netflow files were generated though.
>>>>>
>>>>>> And of course, as usual, send a sample of the data that generates the
>>>>>> error, and I'll see what I can do.
>>>>>
>>>>> Unfortunately this time I am not allowed to share the data. However as
>>>>> I said I cannot even read files generated with 'flow-gen". I tried
>>>>> these commands for example:
>>>>>
>>>>> $>flow-gen -V5 > teste
>>>>> $>ra -r teste (nothing is printed)
>>>>> $>flow-cat teste | flow-print (1000 flows printed)
>>>>> $>flow-cat teste | flow-export -f4 > teste.cflowd
>>>>> $>ra -r teste.cflowd (nothing is printed)
>>>>> $>flow-cat teste | flow-export -f0 > teste.wire
>>>>> $>ra -r teste.wire (nothing is printed)
>>>>>
>>>>> I also tried to pipe the output from different flow-tool applications
>>>>> without luck.
>>>>> Attached I send the "teste" flow file, if it helps.
>>>>>
>>>>> --
>>>>> Rafael
>>>>>
>>>>>> Carter
>>>>>>
>>>>>> On Dec 16, 2010, at 10:36 AM, Rafael Barbosa wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I just got access to a netflow data repository stored in flow-tools
>>>>>>> format and I wanted to use argus clients to analyze it. However I am
>>>>>>> not able to read the files. I also generated a test file with
>>>>>>> "flow-gen" (included in flow-tools package) and read it with argus,
>>>>>>> but no luck. I tried digging in the mailing list history, but could
>>>>>>> not find a solution.
>>>>>>>
>>>>>>> What is the recommended way to read flow-tools data? Is it necessary
>>>>>>> to use flow-export to convert to a specific format?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rafael Barbosa
>>>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>> <teste>
>>>
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3681 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101217/b3034d07/attachment.bin>
More information about the argus
mailing list