argus-clients-3.0.7.4 on the server - Netflow -V9
Carter Bullard
carter at qosient.com
Thu Dec 13 10:28:03 EST 2012
Hey John,
We extract the time from the netflow v9 flow records themselves, which can be minutes ( I've seen hours ) behind. The router that generates the nfv9 records, provides the timestamps, so it must be sync'd somehow to real time. Netflow doesn't deliver records timely, so there are situations where you could get a flow record from days earlier.
Racluster doesn't modify time, it choses the min and max times for each direction, from the records its aggregating, to report the time bounding values.
Your png doesn't look bad. Looks like racluster() is sorting based on the key, saddr, daddr, so it all looks pretty ok ?
Carter
On Dec 12, 2012, at 6:07 PM, jdenton <jdenton at itcglobal.com> wrote:
> Hi Carter,
>
> We have the 3.0.7.4 "ra" client running with a V9 netflow.
> - so far so good, no seg faults.
>
> We are seeing a time differential in the stime versus server time.
>
> Server time ~ 15:00 CST is when the command "ra -S cisco://any:9996 -w netflow-ra-2012Dec12.arg"
> is issued with the racluster cmd tested 30-45 minutes after. ( 1530 ~ 1545 )
>
> Shouldn't we expect a 1500 ~ 1600 range for the StartTime from the racluster output?
>
> How is a 'timestamp' for stime or ltime defined/extracted for the V9 flow??
>
> Regards,
> Jon
>
>
>
>
> <fgecgjeg.png>
>
> On 12/7/12 9:49 AM, Carter Bullard wrote:
>> Gentle people,
>> I've uploaded the new development image of the argus clients. This fixes
>> all the issues that have been presented on the email list, that I am aware of,
>> and adds color support for ratop().
>>
>> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>> http://qosient.com/argus/dev/argus-clients-3.0.7.4.tar.gz
>>
>> This version has significant bug fixes for netflow v9. At this point, I believe that
>> ra* reading of netflow v9 is fully functional and working well. But we still need
>> more testing, use, so If you have any problems, please send email, as this
>> support is important to more than a few.
>>
>> ratop() is a complete rewrite, with more threads, better curses library support,
>> better use of editline or readline, and better functionality when neither are
>> available. AND, of course, COLOR !!!! The ./support/Config/rarc has all the
>> variables needed to use color, and there is a sample racolor.conf file provided.
>> Paths to this file is important, so when you decide to use color, play with the
>> rarc and racolor.conf, to see what works for you.
>>
>> Documentation is not complete, but as you guys point out problems, I'll fix
>> as I can. After we get the documentation developed a bit, I'll work toward
>> releasing argus[-clients]-3.0.8.
>>
>> Many, many small bug fixes, PCRE support, better readline library discovery
>> and use, so lots to digest, but like all releases, this should be completely
>> backward compatible with prior versions of argus data, etc….
>>
>> Please take a look, and send any comments, reactions, opinions and of course
>> results !!!! If your bug, or issue, has not be resolved, please send a note to
>> either me, or the list, and I'll address it.
>>
>> Hope all is most excellent,
>>
>> Carter
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121213/93059af5/attachment.html>
More information about the argus
mailing list