argus and flow-tools

Peter Van Epp vanepp at sfu.ca
Thu Jul 8 17:46:36 EDT 2010


On Thu, Jul 08, 2010 at 04:06:50PM +0200, Riccardo Veraldi wrote:
> thank you.
> Ok so let me understand better. If I Want to collect netflow data
> for later ra* analysis
> can I use radium as collector and send the Netflow data from the
> router to the
> machine where radium is running as a collector ?
> 
> because if I use directly ra* tools with -S cisco://host:port option
> anyway I can see
> netflow "on the wire" but I cannot have an offline analysis on
> historical data.
> 
> Rather I might use ra* tools later on the Netflow data collected by
> radium, is this correct ?
> 
> I have always been accustomed to use argus and ra* clients on a
> switch mirror port,
> but now 10Gbps is too much for this model analysis.
> 
> thanks
> 

	I'll just note that assuming you have the money for DAG cards, it is 
possible (just not anything like cheap :-)) to run argus at 10 gigs. The
pluses are you get full argus metrics (as Mark noted, netflow typically gets
much less and is statistical rather than full capture in all the routers I'm
familiar with at 10 gigs so you will miss some things). Assuming you run 
optical taps your capture cannot affect your production network (either span
ports or netflow take router resources I always prefer to leave to do routing
:-)). I've had accidents with span ports affect the production network before.
	That said argus used to (some versions since I've tried it though) 
be able to accept netflow input and write standard argus data files from them.

Peter Van Epp


