new Cisco Netflow conversion capabilities

Carter Bullard carter at qosient.com
Mon May 16 12:02:38 EDT 2011


Gentle people,
One of the goals of argus-3.0.6 is to have more/better Cisco Netflow record support.

Toward that goal, I have implemented Cisco Netflow packet parsing in argus().
The idea is for argus to generate argus records from the contents of Netflow packets that it sees in packet capture files.
This is fundamentally different from ra* programs reading Netflow from socket interfaces.

In argus-3.0.5.3 (which I'll upload this week), we've extended the "-r file" option, so that you can say:

   argus -r cisco:filename -w - | ra
   argus -r pcap:cisco:filename -w - | ra
   argus -r cisco:filename -w - - udp and port 9996  | ra

This sez that you expect the pcap based file, filename, to contain packets that contain cisco Netflow records.
The assumption is that the packet file has complete packet capture (snaplen > 1500).  Argus should be able to handle
truncated packets, but we'll need more testing to know that this is the complete truth.

Argus will track the IP flows that contain the Netflow records and report on those flows, and it will export the Netflow based
flows that it parses out of the packets as argus records.   As a result, you'll get two populations of flow records, with
differing "srcid"s, and the Netflow based records will be distinguished as Netflow based argus records ('N').

This feature is intended to work off packet capture files that contain only Netflow packets, but there is no reason that
it couldn't run off of any traffic mix.  argus will assume that if there is data above the transport header, it should attempt to
parse it as cisco records; if it doesn't conform to the format, it should "move along nicely", but I'll have to do a lot
of testing on that one.

We've extended Netflow packet type coverage to Netflow 1, 5, 6, 7 and 8; however, 8 hasn't been tested quite as much
as 1, 5, 6 and 7.
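As an added illustration of what "conforms to the format" means for one of the supported versions, here is a small Python parser for NetFlow v5 export datagrams; it is not argus code and not from this post. It returns None when the UDP payload is not a well-formed v5 export (wrong version, impossible record count, or a datagram cut short by a small snaplen), and the packet builder and sample flows are constructed for the example.

```python
import struct
import ipaddress
from typing import Optional

# NetFlow v5 export datagram: 24-byte header, then up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def parse_netflow_v5(payload: bytes) -> Optional[list]:
    """Return the flows in a well-formed NetFlow v5 export, or None if it does not conform.

    None is the "move along" case: the payload is not a v5 export (or the capture was
    truncated), so only the carrier UDP flow would be reported, never its contents.
    """
    if len(payload) < V5_HEADER.size:
        return None
    version, count = V5_HEADER.unpack_from(payload)[:2]
    if version != 5 or not 1 <= count <= V5_MAX_RECORDS:
        return None
    if len(payload) < V5_HEADER.size + count * V5_RECORD.size:
        return None  # short snaplen: the header promises more records than were captured
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "saddr": str(ipaddress.IPv4Address(r[0])),
            "daddr": str(ipaddress.IPv4Address(r[1])),
            "pkts": r[5], "bytes": r[6],      # dPkts, dOctets
            "sport": r[9], "dport": r[10],
            "proto": r[13],
        })
    return flows


def build_v5_packet(flows: list) -> bytes:
    """Constructed sample export (test data only): pack the given flows into a v5 datagram."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1305561758, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(f["saddr"]).packed,
                       ipaddress.IPv4Address(f["daddr"]).packed,
                       b"\0\0\0\0", 1, 2, f["pkts"], f["bytes"], 100, 200,
                       f["sport"], f["dport"], 0, 0x18, f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body
```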

Next milestone will be Netflow v9 import; if someone has some packets or flow files that I can test with, that will make the
Netflow v9 port go a lot faster.

Hope all is most excellent,

Carter