Radium and Netflow Can the traffic flow through

Carter Bullard carter at qosient.com
Thu Mar 22 11:05:03 EDT 2012


Hey Dave,
Radium doesn't transmit flow records using the Netflow® transport protocol
so the argus-clients aren't going to do it for you.

You can have as many listeners on these ports as you would like, so you
don't need a tee to get two threads on a single machine to read the same
netflow data.  The ra* programs don't open those ports for exclusive read
so ra* and other netflow programs should be able to co-exist.

If you want to transport the raw stream to multiple machines, or machines
across the world, then there are a number of things you could do.

As a networking guy, I would suggest that you get your router to multicast
the netflow stream and then use the router's own multicast distribution
mechanisms to distribute the netflow traffic to where you want it to go.

But if you want to just have a tee-like capability, maybe tcpdump is a possibility?
I haven't done this, but doesn't tcpdump have a remote capture capability, and
also the ability to write packets back onto a wire?

Carter


On Mar 21, 2012, at 10:06 PM, Dave Edelman wrote:

> Carter,
> 
> I guess that my paradigm is libpcap in that it sees and captures the network
> traffic but the traffic still manages to arrive at its intended destination
> (or not and that's why you're doing packet captures :) )
> 
> I deal almost exclusively with Netflow data and I feed it to a set of hungry
> radium each listening to different ports and creating appropriate output
> files for subsequent processing by the various clients. I would love to
> maintain that behavior but also allow unaltered Netflow data to continue to
> a non-Argus/Radium consumer. I've thought about some sort of tee-like
> arrangement where the Netflow arrives at a designated port and is
> immediately forwarded to two ports on the same host each with the
> appropriate listener in place. The one reference that I found didn't quite
> fit the bill. I looked at IP Tables and that might work but the man page is
> as coherent as a warped Ouija board so I am looking for a bit of guidance.
> 
> Am I missing something obvious in the toolset or available on the Web?
> 
> --Dave
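
The tee-like arrangement described in the quoted message (flow export arrives at one designated port and is forwarded unaltered to two listeners on the same host), as an added example that is not part of the original thread and is not argus or radium code. The port numbers and the names `relay` and `export_version` are assumptions; dropping datagrams without a known export version is a design choice made here.

```python
import socket
import struct

# Version field values carried in the first two bytes of an export packet:
# NetFlow v5, NetFlow v9, and IPFIX (10).
EXPORT_VERSIONS = {5, 9, 10}


def export_version(datagram):
    """Return the 16-bit big-endian version field, or None if too short."""
    if len(datagram) < 4:
        return None
    return struct.unpack("!H", datagram[:2])[0]


def relay(listen_sock, targets, max_packets=None):
    """Copy each received datagram, byte for byte, to every target.

    Returns (forwarded, dropped). Datagrams whose version field is not a
    known export version are dropped so the relay does not act as a
    generic UDP forwarder.
    """
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    forwarded = dropped = 0
    try:
        while max_packets is None or forwarded + dropped < max_packets:
            data, _exporter = listen_sock.recvfrom(65535)
            if export_version(data) not in EXPORT_VERSIONS:
                dropped += 1
                continue
            for target in targets:
                out.sendto(data, target)
            forwarded += 1
    finally:
        out.close()
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed ports: the exporter sends to 2055, consumers listen on 9995/9996.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 2055))
    relay(sock, [("127.0.0.1", 9995), ("127.0.0.1", 9996)])
```

Because the relay re-sends each datagram from its own socket, the consumers see the relay's address as the source rather than the router's, so a collector that identifies exporters by source IP has to account for that.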
