argus and Netflow

jdenton jdenton at itcglobal.com
Mon Nov 26 11:42:47 EST 2012


Hi Carter,

I agree, argus data beats flow data any time.
I usually use argus and ra and/or racluster to generate an Engineering-level 
report for major issues when it escalates to our level.
Basically we are trying to leverage existing reporting tools as a means 
to use argus data.

For nominal usage and trending we use Plixer's Scrutinizer.
They have a decent GUI (a couple of snapshots below) that our operational 
support uses.

Plixer does have a second tool that I am investigating that they claim 
can export 'other' data.  Following up with their white paper
and a discussion with their sales engineer to see how it may fit with 
argus data.

Here's a brief summary of the Scrutinizer screen shots below:
1.) Select a report that shows network traffic based on Network, 
Protocol, IP host or IP Range.
   - From the graphic window I can highlight a section to zoom into the 
traffic at that time period.
   - You can also select items in the table and run reports per item.
   - If I select the first line on the left (Application ipsec-nat-t, 
Destination 204.8.40.56) I can generate a new report
   showing the 'Known ports' used for this instance.  The results are in 
snapshot 2.

2.) From the 204.8.40.56 selection, I can see what ports are in use, 
their pkt/s, percent and Kb/s.
   - You can drill down deeper by selecting a time period in the graph 
or from an item in this table as well.

Regards,
Jon



1.) [Scrutinizer screenshot 1: traffic report by Network/Protocol/IP host; image not included in the archive]

2.) [Scrutinizer screenshot 2: known ports for 204.8.40.56 with pkt/s, percent and Kb/s; image not included in the archive]


On 11/26/12 9:13 AM, Carter Bullard wrote:
> Hey Jon,
> Hmmmm, so what do your other tools do that argus client tools don't do ?
> I have found that even simple racluster() calls against argus data or even
> netflow data can generate better reports than what's out there, but 
> I'm biased,
> of course.
>
> I'd like to work with those other tool developers to get them to use 
> argus data,
> not the other way around.  Can I twist the conversation that way?
>
> Carter
>
>
> On Nov 21, 2012, at 11:58 AM, jdenton <jdenton at itcglobal.com 
> <mailto:jdenton at itcglobal.com>> wrote:
>
>> Carter,
>>
>> Here's a twist, can I use argus to collect data from the network, 
>> log/archive it locally, then send that data as a netflow stream
>> to a netflow analyzer?
>>
>> We have multiple locations that we monitor with netflow tools and are 
>> looking at how to leverage that with argus data collection?
>> The netflow analyzer gives us the GUI and report generation 
>> capabilities to trend by region, networks or per customer.
>> To the flow analyzer argus would look like another flow exporter.
>>
>> The idea is to archive argus data for engineering trending but have a 
>> subset of that data available for other personnel
>> to view in a known tool that is used now.
>>
>> Regards,
>> Jon
>>
>>
>> On 11/18/12 8:29 AM, Carter Bullard wrote:
>>> Hey Ricardo,
>>> Sorry for the delayed response.  Yes, you use argus-client programs to collect the Netflow data, just as you collect argus data.
>>> There is a page on the web site that talks about this, which may be a good start:
>>>
>>>     http://www.qosient.com/argus/argusnetflow.shtml
>>>
>>> The syntax for the support has changed but this should work for you:
>>>     
>>>     ra -Scisco://any:9996
>>>
>>> Should collect whatever netflow data there is on the wire, going to port 9996, which is the default.
>>> Can you describe a bit more why argus isn't working for you?  Not sure that netflow data is
>>> going to be a good replacement, if you've used argus data in the past.
>>>
>>> Hope all is most excellent,
>>> Carter
>>>
>>> Sent from my iPad
>>>
>>> On Nov 16, 2012, at 4:11 AM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>
>>>> Hello,
>>>> I would like to use argus to analyze netflow traffic format, but it is not very clear to me how to do it.
>>>> Do I still need the argus daemon and to redirect netflow traffic to the machine where daemon is running,
>>>> or simply I can run argus client on the target netflow machine ?
>>>> Netflow traffic should be rewritten in argus format on the disk ?
>>>> I am sorry but I did not understand very much how to do it.
>>>> I have been using argus to monitor network traffic on a mirror port for many, many years, but the uplink speed
>>>> grew to 10Gbps and this solution is no longer efficient and scalable, and I must use Netflow.
>>>> To tell the truth I am using Netflow Analyzer now but it is not so flexible as argus.
>>>> With argus I can use my own perl scripts to search for specific traffic patterns...
>>>>
>>>> thank you
>>>>
>>>> Riccardo
>>>>
>>>>
>>>>
>>
>
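The thread gives two pieces of the workflow separately: Carter's `ra -Scisco://any:9996` for collecting Netflow with the argus client tools, and Jon's use of racluster to produce per-port reports of the kind the Scrutinizer table shows. The script below, added here as an example and not code from the thread or from the argus project, strings them together. The ra/racluster flag syntax is my recollection of the argus-clients man pages and is an assumption to check against the installed version; the sample rows are constructed so the report function can run without an argus installation.

```shell
#!/bin/sh
# Added example, not code from the thread or from the argus project.
# Flag syntax follows the argus-clients man pages as I recall them
# (-w write archive, -r read archive, -m aggregation key, -n no name lookups,
# -L -1 no column titles, -c field delimiter, -s field list); these are
# assumptions, so check `ra -h` and `racluster -h` before relying on them.

# Collect whatever Netflow arrives on UDP/9996 (the default export port)
# and write it to a local argus archive. Runs until interrupted.
collect_netflow() {
    ra -Scisco://any:9996 -w "${1:-netflow-archive.argus}"
}

# Aggregate an archive by destination port and emit "dport,pkts,bytes" rows.
racluster_by_dport() {
    racluster -r "$1" -m dport -n -L -1 -c , -s dport pkts bytes
}

# Turn "dport,pkts,bytes" rows (one racluster_by_dport run, or several
# concatenated) into a report: port, packets, bytes and share of total
# bytes, largest first. Malformed rows are skipped and empty input yields
# empty output instead of a divide-by-zero in the percentage.
port_summary() {
    awk -F, '
        NF == 3 && $1 ~ /^[0-9]+$/ {
            pkts[$1] += $2; bytes[$1] += $3; total += $3
        }
        END {
            if (total > 0)
                for (p in pkts)
                    printf "%s,%d,%d,%.1f\n", p, pkts[p], bytes[p], 100 * bytes[p] / total
        }' | sort -t, -k3,3nr
}

# Constructed sample rows in the shape racluster_by_dport would emit
# (not real traffic), so port_summary can be exercised offline.
SAMPLE_FLOWS='4500,1200,960000
443,300,240000
53,150,12000
4500,800,640000
22,50,8000'

# Usage with real data:
#   collect_netflow netflow-archive.argus        (leave running)
#   racluster_by_dport netflow-archive.argus | port_summary
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_FLOWS" | port_summary
```

On the sample, the first report row is `4500,2000,1600000,86.0`: the two ipsec-nat-t rows are merged and their bytes are 86% of the total, which is the same picture Jon describes drilling into from the Scrutinizer table. Because racluster already sums per key, port_summary mostly serves to merge rows from several archives or time slices and to add the percentage column.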
