Flow-tools support

Rafael Barbosa rrbarbosa at gmail.com
Fri Dec 17 11:25:30 EST 2010


Indeed it reports some data, but the output is not what I expected.
For instance if I try:
% ra -C 561 -r teste.cflowd - host 0.0.0.2
No flows are reported, while in the original file the following flow is present:

% ra -C 561 -r teste.cflowd -nn | head
   18:01:41.760000 Ne          17            0.0.0.0.0         ->
  255.255.0.0.65280         1          1   INT
   18:01:41.762000 Ne         255            0.0.0.1           ->
  255.255.0.1          130817          0   INT
   18:01:41.763000 Ne          17            0.0.0.3.3         ->
  255.255.0.3.65283         4          4   INT
   18:01:41.765000 Ne         255            0.0.0.4           ->
  255.255.0.4          327428          0   INT


% flow-print < test | head
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
0.0.0.0          255.255.0.0      17    0        65280    1           1
0.0.0.1          255.255.0.1      17    1        65281    2           2
0.0.0.2          255.255.0.2      17    2        65282    3           3
0.0.0.3          255.255.0.3      17    3        65283    4           4

In addition, all flows in the original file are udp, while reading the
cflowd version, half of the flows are reported as ip proto 255.
As I said, I do not know enough about flow-tools to explain what is going on.

Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/



On Fri, Dec 17, 2010 at 3:42 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael,
> I was able to read your "test" file converting to wire format "f4" and writing that
> to a file, and read using ra.
>
>   % flow-export -f4 < test > test.cflowd
>   % ra -C 561 -r test.cflowd
>
> Does this work for you?
> Carter
>
> On Dec 17, 2010, at 5:59 AM, Rafael Barbosa wrote:
>
>> Hi Carter,
>> I do not understand well how flow-tools works (one of the reasons I
>> wanted to use argus to analyze the data), but I went on doing some
>> tests.
>> Instead of trying to save the output from flow-gen and read it with ra(), I did:
>>
>> % ra -C 127.0.0.1:9898
>> % flow-gen -V5 | flow-send 0/127.0.0.1/9898 (in another terminal)
>>
>> The output of ra() is now what I expected:
>> 18:01:41.760000 Ne          17            0.0.0.0.0         ->
>> 255.255.0.0.65280         1          1   INT
>> 18:01:41.761000 Ne          17            0.0.0.1.1         ->
>> 255.255.0.1.65281         2          2   INT
>> 18:01:41.762000 Ne          17            0.0.0.2.2         ->
>> 255.255.0.2.65282         3          3   INT
>> 18:01:41.763000 Ne          17            0.0.0.3.3         ->
>> 255.255.0.3.65283         4          4   INT
>> 18:01:41.764000 Ne          17            0.0.0.4.4         ->
>> 255.255.0.4.65284         5          5   INT
>> ...
>>
>> Exactly the same as saving the output from flow-gen (flow-gen -V5 >
>> test) and then reading it with flow-print (flow-print < test).
>> srcIP            dstIP            prot  srcPort  dstPort  octets      packets
>> 0.0.0.0          255.255.0.0      17    0        65280    1           1
>> 0.0.0.1          255.255.0.1      17    1        65281    2           2
>> 0.0.0.2          255.255.0.2      17    2        65282    3           3
>> 0.0.0.3          255.255.0.3      17    3        65283    4           4
>> ...
>>
>> Unfortunately I cannot read the saved "test" file with ra(), and when
>> reading the output from flow-export, the "test.cflowd" from my
>> previous attempt, I get a different output. As a workaround I can
>> replay all my stored data with flow-send and capture it with ra(), but
>> it doesn't seem like an optimal solution.
>>
>> Again, thanks for the prompt replies.
>>
>> Rafael Barbosa
>> http://www.vf.utwente.nl/~barbosarr/
>>
>>
>>
>> On Thu, Dec 16, 2010 at 9:12 PM, Carter Bullard <carter at qosient.com> wrote:
>>> Hey Rafael,
>>> With argus-clients-3.0.3.20, if you read the cflowd file that you generated with flow-export,
>>> ra* can read it.   Looks like a mix of udp and igmp flows.
>>>
>>>   % flow-cat teste | flow-export -f4 > teste.cflowd
>>>   % ra -r cisco:teste.cflowd
>>>
>>> But the packet counts don't seem quite right, so there may be a bug.  Give it a try on your
>>> system, to see if it does what you think it should do.
>>>
>>> With 3.0.2, you need to state that the input file is in cisco format, however the option for
>>> cisco ('C') requires a parameter, as it expects to be reading them off the wire.  By giving
>>> it any port number, it will work:
>>>
>>>
>>>   % ra -C 561 -r teste.cflowd
>>>
>>> Not sure that reading the original flow-tools format would be a goal, but I'll look into it.
>>>
>>> Carter
>>>
>>> On Dec 16, 2010, at 2:52 PM, Carter Bullard wrote:
>>>
>>>> Hey Rafael,
>>>> I've gone back through all versions of ra, including some 1.x versions, and
>>>> none can read the file, so not sure what format 'teste' is in.  I'll take a look at
>>>> some of the flow-tools to see what they think the format is.
>>>>
>>>> Carter
>>>>
>>>> On Dec 16, 2010, at 2:40 PM, Rafael Barbosa wrote:
>>>>
>>>>> Sorry, I forgot to attach the file.
>>>>>
>>>>> Rafael Barbosa
>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Dec 16, 2010 at 8:17 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>>>> On Thu, Dec 16, 2010 at 5:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>> Hey Rafael,
>>>>>>> flow-tools data should be just netflow data in a file, and we should be
>>>>>>> able to read the data no problem.  What error messages are you getting?
>>>>>>
>>>>>> I do not get any error message, ra() simply returns nothing. I
>>>>>> actually do not remember getting any file error from ra(), even if I
>>>>>> run it with a nonexistent file.
>>>>>>
>>>>>>> What version(s) are you using?
>>>>>>
>>>>>> argus clients: 3.0.2
>>>>>> flow-tools: 0.68
>>>>>> I am not sure with which versions the netflow files were generated though.
>>>>>>
>>>>>>> And of course, as usual, send a sample of the data that generates the
>>>>>>> error, and I'll see what I can do.
>>>>>>
>>>>>> Unfortunately this time I am not allowed to share the data. However as
>>>>>> I said I cannot even read files generated with "flow-gen". I tried
>>>>>> these commands for example:
>>>>>>
>>>>>> $>flow-gen -V5 > teste
>>>>>> $>ra -r teste (nothing is printed)
>>>>>> $>flow-cat teste | flow-print (1000 flows printed)
>>>>>> $>flow-cat teste | flow-export -f4 > teste.cflowd
>>>>>> $>ra -r teste.cflowd (nothing is printed)
>>>>>> $>flow-cat teste | flow-export -f0 > teste.wire
>>>>>> $>ra -r teste.wire (nothing is printed)
>>>>>>
>>>>>> I also tried to pipe the output from different flow-tool applications
>>>>>> without luck.
>>>>>> Attached I send the "teste" flow file, if it helps.
>>>>>>
>>>>>> --
>>>>>> Rafael
>>>>>>
>>>>>>> Carter
>>>>>>>
>>>>>>> On Dec 16, 2010, at 10:36 AM, Rafael Barbosa wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I just got access to a netflow data repository stored in flow-tools
>>>>>>>> format and I wanted to use argus clients to analyze it. However I am
>>>>>>>> not able to read the files. I also generated a test file with
>>>>>>>> "flow-gen" (included in flow-tools package) and read it with argus,
>>>>>>>> but no luck. I tried digging in the mailing list history, but could
>>>>>>>> not find a solution.
>>>>>>>>
>>>>>>>> What is the recommended way to read flow-tools data? Is it necessary
>>>>>>>> to use flow-export to convert to a specific format?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rafael Barbosa
>>>>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>> <teste>
>>>>
>>>
>>>
>>
>
>

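Added example for the conversion and decoding steps discussed in this thread (not code from argus or flow-tools). It is a strict NetFlow v5 reader and writer built on Cisco's documented v5 export layout (24-byte header, up to thirty 48-byte records, big-endian). It assumes that flow-export -f4 "wire" output and the UDP payloads flow-send emits are plain back-to-back v5 PDUs in that layout; the sample flows are constructed to follow the flow-gen pattern printed above (0.0.0.i -> 255.255.0.i, UDP, ports i and 65280+i). Two things the thread asks for are built in: a reader that fails loudly on a non-v5 or truncated stream instead of printing nothing, and per-record sanity checks. The split_as_ports helper shows the arithmetic behind the odd counters in the ra output quoted above: 130817 = 1*65536 + 65281 and 327428 = 4*65536 + 65284, i.e. each mis-reported record's octet counter holds exactly the srcPort/dstPort pair that flow-print shows for that flow, which is consistent with the counter being read from where the port fields sit (an inference from the quoted numbers, not something the thread confirms).

```python
"""Added example: a strict NetFlow v5 reader/writer for the kind of data in this
thread. It is not argus or flow-tools code. The v5 layout is Cisco's documented
export format; it is assumed here that flow-export -f4 ("wire") output and the
UDP payloads flow-send emits are plain back-to-back v5 PDUs in this layout."""
import socket
import struct

# v5 header: version, count, SysUptime(ms), unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval -> 24 bytes, big-endian, no padding.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v5 record, 48 bytes. `count` of these follow the header, count <= 30.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets",
                 "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def gen_flows(n):
    """Constructed sample data following the flow-gen pattern printed above:
    0.0.0.i -> 255.255.0.i, UDP, sport i, dport 65280+i, i+1 octets/packets."""
    return [dict(src=f"0.0.0.{i}", dst=f"255.255.0.{i}", proto=17, sport=i,
                 dport=65280 + i, octets=i + 1, packets=i + 1) for i in range(n)]


def build_v5_pdu(flows, uptime_ms=1000, unix_secs=1292608901, seq=0):
    """Serialise 1..30 flows into one v5 PDU (header + records)."""
    if not 0 < len(flows) <= 30:
        raise ValueError("a v5 PDU carries 1..30 records")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                       b"\0\0\0\0", 0, 0, f["packets"], f["octets"],
                       uptime_ms, uptime_ms, f["sport"], f["dport"],
                       0, 0, f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def parse_v5_stream(data):
    """Decode back-to-back v5 PDUs. Anything that is not v5, or is truncated,
    raises instead of silently producing no output."""
    flows, off = [], 0
    while off < len(data):
        if len(data) - off < V5_HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        version, count = V5_HEADER.unpack_from(data, off)[:2]
        if version != 5 or not 0 < count <= 30:
            raise ValueError(f"not a v5 PDU at offset {off}: version={version}, count={count}")
        off += V5_HEADER.size
        need = count * V5_RECORD.size
        if len(data) - off < need:
            raise ValueError(f"PDU at offset {off} announces {count} records but data is too short")
        for i in range(count):
            rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(data, off + i * V5_RECORD.size)))
            for key in ("src", "dst", "nexthop"):
                rec[key] = socket.inet_ntoa(rec[key])
            flows.append(rec)
        off += need
    return flows


def suspicious(rec):
    """Per-record sanity checks a reader should apply. Protocol 255 is IANA-reserved,
    and a flow that moved octets but zero packets is impossible; both show up in
    the ra output quoted above and point at misdecoded fields, not real traffic."""
    reasons = []
    if rec["proto"] == 255:
        reasons.append("reserved protocol 255")
    if rec["packets"] == 0 and rec["octets"] > 0:
        reasons.append("octets without packets")
    return reasons


def split_as_ports(counter):
    """Read a 32-bit counter as two 16-bit fields: 130817 -> (1, 65281), which is
    the srcPort/dstPort pair flow-print shows for the flow ra mis-reports."""
    return divmod(counter, 1 << 16)
```

To exercise it against a real capture, feed parse_v5_stream the bytes of a -f4 output file (or the payload of a single flow-send datagram): a clean file round-trips with no suspicious() hits, while a stream read from the wrong offset by even one byte is rejected at the version check, which is the error Rafael notes ra never prints.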


More information about the argus mailing list