argus-clients-3.0.7.1 with full netflow v.9 support

Carter Bullard carter at qosient.com
Fri Aug 3 16:43:04 EDT 2012


Gentle people,
I've uploaded argus-clients-3.0.7.1.tar.gz to the developers site.  This
code has the completed netflow v9 support, all in.

   http://qosient.com/argus/dev/argus-clients-3.0.7.1.tar.gz

Remember, the Cisco-specific " -C [host:]port " option has been deprecated, and
the preferred method for reading Cisco wire line data streams is:

   ra -S cisco://host:port

The host:port values are the address and port that the Cisco netflow source
is writing to.  So in my test environment, I had pmacctd write netflow v9 datagrams
to 127.0.0.1 and port 12345, so I would run ra, ratop, whatever as:

   ra -S cisco://localhost:12345
   ra -S cisco://127.0.0.1:12345

Now, the ra* clients cannot decode the netflow v9 stream until they receive template
descriptions, which, on some of my test systems, took up to 60 seconds to get, so you may
have to wait a bit before anything comes out.  If you want to see some debug information,
you can run "-D 5" and get some of the template management debug information and new
flow recognition.

Please give this new feature a run.  If you have any problems at all, consider
doing a packet capture of the netflow v9 stream that we're trying to decode, so I
can debug.


Carter
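
The template dependency described in the message above, as an added example that is not part of the original post and is not Argus code: a small NetFlow v9 reader (layout per RFC 3954) that can only count data flowsets as undecodable until the matching template flowset has arrived. The class name `V9Decoder`, the exporter addresses and the sample bytes are constructed for illustration; templates are kept per exporter address and source ID.

```python
import struct
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT", 11: "L4_DST_PORT"}  # RFC 3954 subset
HDR = HEADER.pack(9, 1, 0, 0, 0, 1)  # constructed sample: v9 header, one record, source_id 1
# constructed: template flowset defining template 256 = src port/2, dst port/2, proto/1, bytes/4
TEMPLATE = struct.pack("!HHHH8H", 0, 24, 256, 4, 7, 2, 11, 2, 4, 1, 1, 4)
DATA = struct.pack("!HHHHBIxxx", 256, 16, 51000, 443, 6, 1500)  # 9-byte record + 3 pad bytes

class V9Decoder:
    def __init__(self):
        self.templates, self.undecodable = {}, 0  # key: (exporter, source_id, template_id)

    def feed(self, exporter, datagram):
        version, *_, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError("not a NetFlow v9 datagram")
        flows, off = [], HEADER.size
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
            if fs_len < 4 or off + fs_len > len(datagram):
                raise ValueError("flowset length runs outside the datagram")
            body, key = datagram[off + 4:off + fs_len], (exporter, source_id, fs_id)
            if fs_id == 0:                      # template flowset
                self._learn(exporter, source_id, body)
            elif fs_id >= 256 and key in self.templates:
                flows += self._records(self.templates[key], body)
            elif fs_id >= 256:                  # data before template: record layout unknown
                self.undecodable += 1
            off += fs_len
        return flows

    def _learn(self, exporter, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, n = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * n > len(body):
                break                           # padding or a truncated template record
            fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            if any(length for _, length in fields):   # ignore zero-size record layouts
                self.templates[(exporter, source_id, tid)] = fields
            pos += 4 + 4 * n

    def _records(self, fields, body):
        size = sum(length for _, length in fields)
        for base in range(0, len(body) - size + 1, size):  # leftover bytes are padding
            rec, pos = {}, base
            for ftype, length in fields:
                rec[NAMES.get(ftype, ftype)] = int.from_bytes(body[pos:pos + length], "big")
                pos += length
            yield rec
```

Feeding `HDR + DATA` before `HDR + TEMPLATE` yields no flows and increments `undecodable`; the same data datagram decodes once the template has been learned.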
