Flow-tools support
Carter Bullard
carter at qosient.com
Fri Dec 17 11:40:48 EST 2010
Well, I suspect that there is a bug in parsing the wire data formats.
I'll look at this this weekend, and try to figure it out.
Carter
On Dec 17, 2010, at 11:25 AM, Rafael Barbosa wrote:
> Indeed it reports some data, but the output is not what I expected.
> For instance if I try:
> % ra -C 561 -r teste.cflowd - host 0.0.0.2
> No flows are reported, while in the original file the following flow is present:
>
> % ra -C 561 -r teste.cflowd -nn | head
> 18:01:41.760000 Ne 17 0.0.0.0.0 -> 255.255.0.0.65280 1 1 INT
> 18:01:41.762000 Ne 255 0.0.0.1 -> 255.255.0.1 130817 0 INT
> 18:01:41.763000 Ne 17 0.0.0.3.3 -> 255.255.0.3.65283 4 4 INT
> 18:01:41.765000 Ne 255 0.0.0.4 -> 255.255.0.4 327428 0 INT
>
>
> % flow-print < test | head
> srcIP dstIP prot srcPort dstPort octets packets
> 0.0.0.0 255.255.0.0 17 0 65280 1 1
> 0.0.0.1 255.255.0.1 17 1 65281 2 2
> 0.0.0.2 255.255.0.2 17 2 65282 3 3
> 0.0.0.3 255.255.0.3 17 3 65283 4 4
>
> In addition all flows in the original file are udp, while reading the
> cflowd version, half of the flows are reported as ip proto 255.
> As I said, I do not know much about flow-tools to explain what is going on.
>
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
>
>
>
> On Fri, Dec 17, 2010 at 3:42 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Rafael,
>> I was able to read your "test" file converting to wire format "f4" and writing that
>> to a file, and read using ra.
>>
>> % flow-export -f4 < test > test.cflowd
>> % ra -C 561 -r test.cflowd
>>
>> Does this work for you?
>> Carter
>>
>> On Dec 17, 2010, at 5:59 AM, Rafael Barbosa wrote:
>>
>>> Hi Carter,
>>> I do not understand well how flow-tools works (one of the reasons I
>>> wanted to use argus to analyze the data), but I went on doing some
>>> tests.
>>> Instead of trying to save the output from flow-gen and read it with ra(), I did:
>>>
>>> % ra -C 127.0.0.1:9898
>>> % flow-gen -V5 | flow-send 0/127.0.0.1/9898 (in another terminal)
>>>
>>> The output of ra() is now what I expected:
>>> 18:01:41.760000 Ne 17 0.0.0.0.0 -> 255.255.0.0.65280 1 1 INT
>>> 18:01:41.761000 Ne 17 0.0.0.1.1 -> 255.255.0.1.65281 2 2 INT
>>> 18:01:41.762000 Ne 17 0.0.0.2.2 -> 255.255.0.2.65282 3 3 INT
>>> 18:01:41.763000 Ne 17 0.0.0.3.3 -> 255.255.0.3.65283 4 4 INT
>>> 18:01:41.764000 Ne 17 0.0.0.4.4 -> 255.255.0.4.65284 5 5 INT
>>> ...
>>>
>>> Exactly the same as saving the output from flow-gen (flow-gen -V5 >
>>> test) and then reading it with flow-print (flow-print < test).
>>> srcIP dstIP prot srcPort dstPort octets packets
>>> 0.0.0.0 255.255.0.0 17 0 65280 1 1
>>> 0.0.0.1 255.255.0.1 17 1 65281 2 2
>>> 0.0.0.2 255.255.0.2 17 2 65282 3 3
>>> 0.0.0.3 255.255.0.3 17 3 65283 4 4
>>> ...
>>>
>>> Unfortunately I cannot read the saved "test" file with ra(), and when
>>> reading the output from flow-export, the "test.cflowd" from my
>>> previous attempt, I get a different output. As a workaround I can
>>> replay all my stored data with flow-send and capture it with ra(), but
>>> it doesn't seem like an optimal solution.
>>>
>>> Again, thanks for the prompt replies.
>>>
>>> Rafael Barbosa
>>> http://www.vf.utwente.nl/~barbosarr/
>>>
>>>
>>>
>>> On Thu, Dec 16, 2010 at 9:12 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> Hey Rafael,
>>>> With argus-clients-3.0.3.20, if you read the cflowd file that you generated with flow-export,
>>>> ra* can read them. Looks like a mix of udp and igmp flows.
>>>>
>>>> % flow-cat teste | flow-export -f4 > teste.cflowd
>>>> % ra -r cisco:teste.cflowd
>>>>
>>>> But the packet counts don't seem quite right, so there may be a bug. Give it a try on your
>>>> system, to see if it does what you think it should do.
>>>>
>>>> With 3.0.2, you need to state that the input file is in cisco format, however the option for
>>>> cisco ('C') requires a parameter, as it expects to be reading them off the wire. By giving
>>>> it any port number, it will work:
>>>>
>>>>
>>>> % ra -C 561 -r teste.cflowd
>>>>
>>>> Not sure that reading the original flow-tools format would be a goal, but I'll look into it.
>>>>
>>>> Carter
>>>>
>>>> On Dec 16, 2010, at 2:52 PM, Carter Bullard wrote:
>>>>
>>>>> Hey Rafael,
>>>>> I've gone back through all versions of ra, including some 1.x versions, and
>>>>> none can read the file, so not sure what format 'teste' is in. I'll take a look at
>>>>> some of the flow-tools to see what they think the format is.
>>>>>
>>>>> Carter
>>>>>
>>>>> On Dec 16, 2010, at 2:40 PM, Rafael Barbosa wrote:
>>>>>
>>>>>> Sorry, I forgot to attach the file.
>>>>>>
>>>>>> Rafael Barbosa
>>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Dec 16, 2010 at 8:17 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>>>>>> On Thu, Dec 16, 2010 at 5:59 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>> Hey Rafael,
>>>>>>>> flow-tools data should be just netflow data in a file, and we should be
>>>>>>>> able to read the data no problem. What error messages are you getting?
>>>>>>>
>>>>>>> I do not get any error message, ra() simply returns nothing. I
>>>>>>> actually do not remember getting any file error from ra(), even if I
>>>>>>> run it with a nonexistent file.
>>>>>>>
>>>>>>>> What version(s) are you using?
>>>>>>>
>>>>>>> argus clients: 3.0.2
>>>>>>> flow-tools: 0.68
>>>>>>> I am not sure with which versions the netflow files were generated though.
>>>>>>>
>>>>>>>> And of course, as usual, send a sample of the data that generates the
>>>>>>>> error, and I'll see what I can do.
>>>>>>>
>>>>>>> Unfortunately this time I am not allowed to share the data. However, as
>>>>>>> I said, I cannot even read files generated with 'flow-gen'. I tried
>>>>>>> these commands for example:
>>>>>>>
>>>>>>> $>flow-gen -V5 > teste
>>>>>>> $>ra -r teste (nothing is printed)
>>>>>>> $>flow-cat teste | flow-print (1000 flows printed)
>>>>>>> $>flow-cat teste | flow-export -f4 > teste.cflowd
>>>>>>> $>ra -r teste.cflowd (nothing is printed)
>>>>>>> $>flow-cat teste | flow-export -f0 > teste.wire
>>>>>>> $>ra -r teste.wire (nothing is printed)
>>>>>>>
>>>>>>> I also tried to pipe the output from different flow-tool applications
>>>>>>> without luck.
>>>>>>> Attached I send the "teste" flow file, if it helps.
>>>>>>>
>>>>>>> --
>>>>>>> Rafael
>>>>>>>
>>>>>>>> Carter
>>>>>>>>
>>>>>>>> On Dec 16, 2010, at 10:36 AM, Rafael Barbosa wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I just got access to a netflow data repository stored in flow-tools
>>>>>>>>> format and I wanted to use argus clients to analyze it. However I am
>>>>>>>>> not able to read the files. I also generated a test file with
>>>>>>>>> "flow-gen" (included in flow-tools package) and read it with argus,
>>>>>>>>> but no luck. I tried digging in the mailing list history, but could
>>>>>>>>> not find a solution.
>>>>>>>>>
>>>>>>>>> What is the recommended way to read flow-tools data? Is it necessary
>>>>>>>>> to use flow-export to convert to a specific format?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Rafael Barbosa
>>>>>>>>> http://www.vf.utwente.nl/~barbosarr/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> <teste>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
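The discrepancy Rafael describes (flows dropped and UDP records surfacing as ip proto 255 with garbled counters after flow-export -f4) can be checked mechanically by comparing flow-print output against ra -nn output for the same file. The following script is an added example, not code from the thread, argus or flow-tools; the two sample outputs are constructed from the lines quoted above, and the ra field order (StartTime Flgs Proto SrcAddr Dir DstAddr TotPkts TotBytes State) is assumed from that quoted output.

```python
# Constructed samples, copied from the outputs quoted in the thread.
FLOW_PRINT = """\
srcIP dstIP prot srcPort dstPort octets packets
0.0.0.0 255.255.0.0 17 0 65280 1 1
0.0.0.1 255.255.0.1 17 1 65281 2 2
0.0.0.2 255.255.0.2 17 2 65282 3 3
0.0.0.3 255.255.0.3 17 3 65283 4 4
"""

# Mail clients wrap ra lines after "->"; the parser re-joins them.
RA_NN = """\
18:01:41.760000 Ne 17 0.0.0.0.0 ->
255.255.0.0.65280 1 1 INT
18:01:41.762000 Ne 255 0.0.0.1 -> 255.255.0.1 130817 0 INT
18:01:41.763000 Ne 17 0.0.0.3.3 -> 255.255.0.3.65283 4 4 INT
"""

def parse_flow_print(text):
    """Map (src, dst, proto, sport, dport) -> (packets, octets) from flow-print."""
    flows = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        src, dst, proto, sport, dport, octets, packets = line.split()
        flows[(src, dst, int(proto), int(sport), int(dport))] = (int(packets), int(octets))
    return flows

def split_addr(field, proto):
    """ra -nn prints a.b.c.d.port for TCP/UDP and a bare a.b.c.d otherwise."""
    parts = field.split(".")
    if proto in (6, 17) and len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return field, 0

def parse_ra(text):
    """Map the same key -> (TotPkts, TotBytes) from ra -nn default output."""
    flows = {}
    for line in text.replace("->\n", "-> ").strip().splitlines():
        f = line.split()
        proto = int(f[2])
        src, sport = split_addr(f[3], proto)
        dst, dport = split_addr(f[5], proto)
        flows[(src, dst, proto, sport, dport)] = (int(f[6]), int(f[7]))
    return flows

def compare(reference, converted):
    """Flows lost in conversion, flows that appeared from nowhere, and counter mismatches."""
    missing = sorted(k for k in reference if k not in converted)
    unexpected = sorted(k for k in converted if k not in reference)
    mismatched = sorted(k for k in reference if k in converted and reference[k] != converted[k])
    return missing, unexpected, mismatched
```

On the quoted data this reports two UDP flows missing (0.0.0.1 and 0.0.0.2) and one unexpected proto-255 record, which is exactly the symptom of the wire-format parsing bug Carter suspects.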