argus and Netflow

Dave Edelman dedelman at iname.com
Fri Nov 16 20:51:29 EST 2012


I think the easiest way to do this would be to run radium (one of the
argus-client programs) configured to receive netflow traffic from the
current source (routers or switches.)

The radium instance can do several things with the data and if you already
have a set of tools that you use to process the argus records, you might
want to have radium emulate argus by creating files that can be processed
using your scripts. If your current tools collect their input directly from
argus, then they can do the same from radium. 

You can tailor /etc/radium.config to meet your requirements, you can use
command line options, or a combination of the two. A very simple example of
radium running as a daemon reading netflow data that is sent to port 9996
from any source(s) and writing it to /var/log/argus.argus.out giving the
records a srcid of the radium host would be:
  radium -d -e `hostname`  -C 9996 -w /var/log/argus/argus.out 

You could use a script of your own or  argusarchive (found in the argus
distribution in support/Archive) to process the argus.out file.

If you add an option to the command you can also have any of the argus
clients (or several at the same time) read and process argus records
directly from radium over port 561.
  radium -d -e `hostname`  -C 9996 -P 561 -w /var/log/argus/argus.out
  racluster -m saddr sport daddr dport proto -S localhost:561 -w
/var/log/argus/clusteroutput
  ratop -S localhost:561

If you use rastream along with the sample rastream.sh in the client
distribution's support/Config directory you can drop the -w to
/var/log/argus/argus.out from the radium options and not bother with
argusarchive  and end up with something like this doing the work. You can
still have argus clients reading records from port 561 while this is going
on

  radium -d -e `hostname`  -C 9996 -P 561 
  rastream -S localhost:561 \
        -f  ~/rastream.sh \
        -M time 1h \
        -B 15 \
        -w /archive/%Y/%m/%d/radium.%Y.%m.%d.%H
  ratop -S localhost:561

There is no requirement for the clients to be on the same host as radium. If
the clients are remote, replace -S  localhost with -S hostname or address of
the host running radium and be sure that you don't have a firewall blocking
the port.

There is much more that you can do, but this should get you going.

--Dave



> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> On Behalf Of Riccardo Veraldi
> Sent: Friday, November 16, 2012 4:11 AM
> To: argus-info
> Subject: [ARGUS] argus and Netflow
> 
> Hello,
> I would like to use argus to analyze netflow traffic format, but it is not
very 
> clear to me how to do it.
> Do I still need the argus daemon and to redirect netflow traffic to the
> machine where daemon is running, or simply I can run argus client on the
> target netflow machine ?
> Netflow traffic should be rewritten in argus format on the disk ?
> I Am sorry but I did not understand very much how to do.
> I have been using argus to monitor network traffic on mirror port since
many
> many years, but  the uplink speed grew to 10Gbps and this solution is no
> more efficent and scalable, and I must use Netflow.
> To tell the truth I am using Netflow Analyzer now but it is not so
flexible as
> argus.
> With argus I can use my own perl scripts to search for specific traffic
> patterns...
> 
> thank you
> 
> Riccardo
> 





More information about the argus mailing list