Export to Netflow

el draco eldraco at gmail.com
Fri Oct 28 11:41:18 EDT 2011

Hi Carter! Sorry for the late reply, and thanks for your answer.

Let me tell you something more about what I'm doing, so you can help me.

My program needs to work along with a set of other tools, and they
should all read plain NetFlows too.
Normally we will have only NetFlows as our input, but I'm running some
experiments to verify my hypothesis that require converting my captured
pcaps to NetFlows.

When this is over, we will only have NetFlows from different sources
as the input to our programs. I cannot change that.

My program is trying to detect botnets in a network based on
behavioral features. Other programs are also being tested on this
subject. Our network setup is designed to have several routers sending
data to a collector.
We read the NetFlows from that collector.

NetFlows -> Set of programs -> NetFlows with a label

For hypothesis testing:
Pcaps from controlled experiments -> NetFlows -> Set of programs ->
NetFlows with a label

Argus is the best program to make this pcap -> NetFlow conversion, but
it is not perfect because of the flag issue I talked about previously. Other
programs 'seem' to work, but they lose too much information.

Thanks for your help!

On Fri, Oct 7, 2011 at 12:51 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey eldraco,
> Just so you'll know, this seems like you're going in the wrong direction.
> Why not convert your netflows into argus data, and use the argus tools to
> do what you want to do?
> Carter
> On Oct 6, 2011, at 10:23 AM, el draco wrote:
>> Hi guys! How are you?
>> I have a problem I hope you can help me with.
>> I'm trying to read an argus file and export it as NetFlows. Right now
>> I'm creating them by hand from the output of the ra client. Is there any
>> better way?
>> Because some information, like the flags, is not easy to convert from
>> argus to NetFlow.
>> All I want is a NetFlow-compatible output file. I need any
>> program using NetFlows to be able to read my output without problems.
>> I know that argus and NetFlows have differences, like the
>> bidirectional/directional issue. But I'm only looking for my ra client
>> output to look as much like NetFlow as possible.
>> Can you help me here?
>> Thanks in advance!
>> eldraco
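The conversion the thread keeps circling around (Argus records are bidirectional, NetFlow records are one per direction) can be scripted rather than done by hand. The script below is an added example for this archive page; it is not code from the argus project or from either participant. It assumes ra was invoked with `-u` (Unix-epoch times), `-c ','` (comma separator) and `-s saddr,sport,daddr,dport,proto,stime,ltime,spkts,dpkts,sbytes,dbytes`; that invocation and the three sample lines are constructed for the example. It splits each record into src->dst and dst->src flows (skipping the reverse direction when nothing came back) and packs them into a NetFlow v5 datagram. The thread's flag problem is left visible rather than papered over: `tcp_flags` is emitted as 0, because the per-direction OR of TCP flags is not reconstructed here.

```python
"""Convert bidirectional Argus (ra) records into unidirectional NetFlow v5.

Added example, not code from the argus project or from anyone in this thread.
Assumes ra was run roughly as
    ra -u -c ',' -s saddr,sport,daddr,dport,proto,stime,ltime,spkts,dpkts,sbytes,dbytes
so each line carries those eleven comma-separated fields with Unix-epoch times.
"""
import socket
import struct
from dataclasses import dataclass

# Constructed sample ra output (not captured traffic). The last line is an
# unanswered TCP SYN: dpkts == 0, so it yields a single NetFlow record.
SAMPLE_RA_OUTPUT = """\
10.0.0.5,51234,93.184.216.34,80,tcp,1319800000.000000,1319800001.500000,6,4,540,2900
10.0.0.5,50000,10.0.0.53,53,udp,1319800002.000000,1319800002.020000,1,1,70,130
10.0.0.5,51300,10.0.0.77,445,tcp,1319800003.000000,1319800003.000000,1,0,60,0
"""

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# NetFlow v5 wire format: 24-byte header followed by 1..30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class UniFlow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    pkts: int
    octets: int
    first: float  # epoch seconds; Argus keeps one start/last time for both directions
    last: float


def split_bidirectional(line):
    """One Argus record -> one or two unidirectional flows.

    Argus stores both directions in a single record (spkts/dpkts, sbytes/dbytes);
    the reverse flow is emitted only when the destination actually sent packets.
    """
    f = line.strip().split(",")
    if len(f) != 11:
        raise ValueError("expected 11 fields, got %d: %r" % (len(f), line))
    saddr, sport, daddr, dport, proto, stime, ltime, spkts, dpkts, sbytes, dbytes = f
    if proto.lower() not in PROTO_NUMBERS:
        raise ValueError("unsupported protocol %r" % proto)
    pnum, first, last = PROTO_NUMBERS[proto.lower()], float(stime), float(ltime)
    flows = [UniFlow(saddr, int(sport), daddr, int(dport), pnum,
                     int(spkts), int(sbytes), first, last)]
    if int(dpkts) > 0:
        flows.append(UniFlow(daddr, int(dport), saddr, int(sport), pnum,
                             int(dpkts), int(dbytes), first, last))
    return flows


def convert(ra_text):
    """Split every non-empty ra line into unidirectional flows."""
    flows = []
    for line in ra_text.splitlines():
        if line.strip():
            flows.extend(split_bidirectional(line))
    return flows


def build_v5_packet(flows, boot_time, seq=0):
    """Pack 1..30 unidirectional flows into one NetFlow v5 export datagram.

    v5 timestamps are milliseconds of exporter uptime, so boot_time (epoch
    seconds, not later than the earliest flow start) is needed to derive them.
    tcp_flags stays 0: the per-direction OR of TCP flags is not rebuilt here,
    which is exactly the flag issue raised in the thread.
    """
    if not 1 <= len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    if boot_time > min(f.first for f in flows):
        raise ValueError("boot_time must not be later than the first flow")
    now = max(f.last for f in flows)
    header = V5_HEADER.pack(5, len(flows), int((now - boot_time) * 1000),
                            int(now), int((now % 1) * 1e9), seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",
            0, 0,                      # input/output ifIndex: unknown here
            f.pkts, f.octets,
            int((f.first - boot_time) * 1000), int((f.last - boot_time) * 1000),
            f.sport, f.dport,
            0, 0, f.proto, 0,          # pad1, tcp_flags (see docstring), prot, tos
            0, 0, 0, 0, 0)             # src_as, dst_as, src_mask, dst_mask, pad2
        for f in flows)
    return header + body


def v5_header_fields(packet):
    """Decode the v5 header, i.e. what a collector would see first."""
    version, count, uptime_ms, secs, _ns, seq, _et, _eid, _samp = V5_HEADER.unpack_from(packet)
    return {"version": version, "count": count, "uptime_ms": uptime_ms,
            "unix_secs": secs, "flow_sequence": seq}
```

Usage: `build_v5_packet(convert(ra_output), boot_time)` returns one datagram; sending it over UDP to a v5-capable collector (port 2055 is the conventional choice) gives the other tools a plain NetFlow feed. Two caveats follow from the split itself: both directions inherit the same first/last timestamps, since Argus records only one pair for the whole conversation, and a consumer that keys on TCP flags will see none until a per-direction flag mapping is added.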

More information about the argus mailing list