Export to Netflow

Carter Bullard carter at qosient.com
Fri Oct 28 14:02:23 EDT 2011

Hey el draco,
Because I think argus is the solution to all problems, I'll still suggest that you go:

   netflow -> radium -> argus with a label
   pcap ->  argus -> radium -> argus with a label

since the argus paradigm supports labels already. Check out ralabel() and radium(),
and all the tools allow you to work with the labels, such as filter on their contents,
aggregate, etc.

The flags issue is not really a problem as argus has the binary equivalent of
what netflow tracks for flags already in the argus record.  If you looked at the binary
argus records, you could just pick out the number you want.

Just don't know why anyone would want that data, as it is so difficult to work with.
" Did the 2 packets have SYN and ACK, or SYN_ACK and ACK or SYN and SYN_ACK
  or were they both SYN_ACK? "

Understanding what is presented is really important to tracking.  Netflow is
brain dead when it comes to that kind of information.

So with the new code, use the "-M uni" option, and ra* programs will generate
unidirectional reports.  If you want the binary representation of the netflow or'd
TCP flags, and if you can find a name for it, I'll print it out, but I really want you to know that
you will have lots of problems using that crude data.  Argus's TCP state tracking
is really what you want.


On Oct 28, 2011, at 11:41 AM, el draco wrote:

> Hi Carter! Sorry for the late reply, and thanks for your answer.
> Let me tell you something more about what I'm doing, so you can help me.
> My program needs to work along with a set of other tools. And they
> should all read plain Netflows too.
> Normally we will have only Netflows as our input, but I'm running some
> experiments to verify my hypothesis that need me to convert my captured
> pcaps to netflows.
> When this is over, we will only have Netflows from different sources
> as the input to our programs. I can not change that.
> My program is trying to detect Botnets in a network based on
> behavioral features. Other programs are being tested on this
> subject too. Our network setup is designed to have several routers sending
> data to a collector.
> We read the netflows from that collector.
> Normally:
> Netflows -> Set of programs -> Netflows with a label
> For hypothesis testing:
> Pcaps from controlled experiments -> Netflows -> Set of programs ->
> Netflows with a label
> Argus is the best program to make this pcap->netflow conversion, but
> it is not perfect because of the flag issue I talked about previously. Other
> programs 'seem' to work, but they lose too much information.
> Thanks for your help!
> eldraco
> On Fri, Oct 7, 2011 at 12:51 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey eldraco,
>> Just so you'll know, this seems like you're going in the wrong direction.
>> Why not convert your netflows into argus data, and use the argus tools to
>> do what you want to do?
>> Carter
>> On Oct 6, 2011, at 10:23 AM, el draco wrote:
>>> Hi guys! how are you?
>>> I have a problem I hope you can help me with.
>>> I'm trying to read an argus file and export it as NetFlows. Right now
>>> I'm creating them by hand after the output of ra client. Is there any
>>> better way?
>>> Because some information, like the flags, is not easy to convert from
>>> argus to netflow.
>>> All I want is a NetFlow-compatible output file. I need any
>>> program using NetFlows to be able to read my output without problems.
>>> I know that argus and netflows have differences, like the
>>> bidirectional/directional issue. But I'm only looking for my ra client
>>> output to look as NetFlow as much as possible.
>>> Can you help me here?
>>> Thanks in advance!
>>> eldraco
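Carter's point about the or'd flag byte, as an added example that is not from the thread or the argus project: the four two-packet cases he lists all collapse to the same cumulative NetFlow flag value, while a per-direction view keeps them apart. The flag bit values follow the TCP header; the packet samples and the simplified state labels are my own construction.

```python
# Added illustration (not argus code): a NetFlow-style OR of TCP flags over a
# flow loses information that per-packet, per-direction tracking keeps.
from typing import Dict, List, Tuple

# TCP header flag bits (low byte of the 13th/14th header bytes)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK"}

# A packet is (direction, flags): "src" = client->server, "dst" = server->client.
Packet = Tuple[str, int]

def netflow_or_flags(pkts: List[Packet]) -> int:
    """NetFlow v5/v9 style: cumulative OR of every packet's flags, both directions."""
    v = 0
    for _, flags in pkts:
        v |= flags
    return v

def flag_names(v: int) -> str:
    """Render an or'd flag byte as SYN|ACK etc."""
    return "|".join(n for bit, n in NAMES.items() if v & bit) or "none"

def handshake_state(pkts: List[Packet]) -> str:
    """Simplified bidirectional view (constructed, not argus's state machine):
    record which side sent SYN, SYN_ACK or ACK, in packet order."""
    seen = []
    for d, f in pkts:
        if f & SYN and f & ACK:
            seen.append(f"{d}:SYN_ACK")
        elif f & SYN:
            seen.append(f"{d}:SYN")
        elif f & ACK:
            seen.append(f"{d}:ACK")
    return " ".join(seen)

# Constructed two-packet samples, exactly the cases from the message above.
CASES: Dict[str, List[Packet]] = {
    "SYN then ACK":     [("src", SYN), ("src", ACK)],
    "SYN_ACK then ACK": [("dst", SYN | ACK), ("src", ACK)],
    "SYN then SYN_ACK": [("src", SYN), ("dst", SYN | ACK)],
    "two SYN_ACK":      [("dst", SYN | ACK), ("dst", SYN | ACK)],
}

def compare() -> Dict[str, Tuple[int, str]]:
    """Return (or'd NetFlow flags, per-direction state) for each sample flow."""
    return {name: (netflow_or_flags(p), handshake_state(p)) for name, p in CASES.items()}

if __name__ == "__main__":
    for name, (orred, state) in compare().items():
        print(f"{name:18s} netflow flags={flag_names(orred):8s} state={state}")
```

Every row prints the same `SYN|ACK` NetFlow value, and only the state column tells the four flows apart.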
