netflow v9 implementation

Carter Bullard carter at qosient.com
Tue Jun 12 23:04:56 EDT 2012


Gentle people,
Forgot to mention that we'll need complete packet capture of the netflow v9
packet stream in order to process all the data, so, if needed, set the
tcpdump snaplen to be > 1500.

Thanks !!!!!!
Carter

On Jun 12, 2012, at 10:59 PM, Carter Bullard wrote:

> Gentle people,
> I currently have netflow v9 processing in argus, almost finished.   If you call argus with
> the " -r cisco://address:port "  or " -r cisco:/path/to/a/pcap/file " options, argus will convert
> the contents of netflow PDU's  to argus records.  This same logic will be put in ra* programs
> after we get it working.  I've found that working with pcap files is a bit easier for testing.
> 
> Now I need some netflow v9 packets for testing.  Currently I only have NAT
> reporting netflow records, which we are successfully processing.  Argus has a
> correlation DSR, where we will squirrel away the NAT address and port mappings.
> I'm very surprised that these records don't have any packet or byte metrics in them.
> 
> A pcap capture of some plain ole v9 flow records would be ideal.
> 
> If you have some pcap files that have some netflow v9 PDU's in them, including
> the templates, that you can share, that would be very helpful.  Please, upload to
> ftp.qosient.com/incoming, or email to my qosient.com email if sending to the argus
> mailing list is toooo public.
> 
> Hope all is most excellent, and thanks for all the assistance !!!!!
> 
> Carter
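
A check for the two requirements in the messages above (packets not cut by the snaplen, templates included in the capture), as an added example that is not part of the original posts or of argus. The function names and the sample capture are constructed here; it assumes a classic pcap file, untagged Ethernet/IPv4/UDP framing and the RFC 3954 NetFlow v9 layout.

```python
import struct
MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def audit_pcap(data):
    """Count snaplen-truncated packets and NetFlow v9 flowsets in a classic pcap."""
    end = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    stats = dict(packets=0, truncated=0, v9_pdus=0, templates=0, data=0)
    stats["snaplen"] = struct.unpack(end + "I", data[16:20])[0]
    off = 24
    while off + 16 <= len(data):
        incl, orig = struct.unpack(end + "II", data[off + 8:off + 16])
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        stats["packets"] += 1
        if incl < orig:
            stats["truncated"] += 1  # cut short by snaplen, flowsets unusable
        else:
            count_flowsets(pkt, stats)
    return stats

def count_flowsets(pkt, stats):
    # Untagged Ethernet II / IPv4 / UDP only; other frames are skipped.
    if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
        return
    pdu = pkt[14 + (pkt[14] & 0x0F) * 4 + 8:]
    if len(pdu) < 20 or pdu[:2] != b"\x00\x09":
        return
    stats["v9_pdus"] += 1
    pos = 20  # skip the 20-byte v9 export header
    while pos + 4 <= len(pdu):
        fs_id, fs_len = struct.unpack("!HH", pdu[pos:pos + 4])
        if fs_len < 4:
            break  # malformed flowset length
        if fs_id <= 1 or fs_id >= 256:  # 0/1: (options) template, >=256: data
            stats["templates" if fs_id <= 1 else "data"] += 1
        pos += fs_len

def sample_pcap():
    """Constructed capture: one complete v9 PDU (template + data), one truncated packet."""
    sets = struct.pack("!8H4s", 0, 12, 256, 1, 8, 4, 256, 8, bytes([192, 0, 2, 1]))
    pdu = struct.pack("!HH4I", 9, 2, 0, 0, 1, 0) + sets
    udp = struct.pack("!4H", 40000, 9995, 8 + len(pdu), 0) + pdu
    hdr = [0x45, 0, 0, 20 + len(udp), 0, 0, 0, 0, 64, 17, 0, 0, 192, 0, 2, 10, 192, 0, 2, 20]
    frame = bytes(12) + b"\x08\x00" + bytes(hdr) + udp
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)  # snaplen 96
    pcap += struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    return pcap + struct.pack("<4I", 0, 0, 96, 1500) + bytes(96)  # 1500 bytes cut to 96

print(audit_pcap(sample_pcap()))
```

A capture is usable for v9 decoding when `truncated` is 0 and `templates` is at least 1; data flowsets cannot be interpreted without the template that describes them.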



