argus and Netflow

Chas DiFatta chas at difatta.org
Mon Nov 26 19:14:16 EST 2012


Hey Riccardo,

Simple question.  What's the problem you're having with auditing 3x 10Gb/s links and using Argus?

You could generate Argus records directly from a host with some fast packet capture cards.  

Thoughts?

Best,

	...cd

On Nov 26, 2012, at 1:45 PM, Riccardo Veraldi wrote:

> 
> dear Carter,
> thanks for your reply.
> 
> The problem is that we have 3x 10Gbps links and it's kind of impossible to monitor that huge amount of traffic
> with argus directly.
> So we are doing it with netflow and netflow analyzer.
> But in this way I am unable to run my custom perl scripts which analyze argus data, and tell me if someone is probably
> doing peer to peer or other nasty things.
> Can I collect netflow data, save it in argus format and analyze it with my scripts?
> 
> thank you
> 
> Riccardo
> 
> 
> On 11/18/12 3:29 PM, Carter Bullard wrote:
>> Hey Riccardo,
>> Sorry for the delayed response.  Yes, you use argus-client programs to collect the Netflow data, just as you collect argus data.
>> There is a page on the web site that talks about this, which may be a good start:
>> 
>>    http://www.qosient.com/argus/argusnetflow.shtml
>> 
>> The syntax for the support has changed but this should work for you:
>>        ra -S cisco://any:9996
>> 
>> Should collect whatever netflow data there is on the wire, going to port 9996, which is the default.
>> Can you describe a bit more why argus isn't working for you?  Not sure that netflow data is
>> going to be a good replacement, if you've used argus data in the past.
>> 
>> Hope all is most excellent,
>> Carter
>> 
>> Sent from my iPad
>> 
>> On Nov 16, 2012, at 4:11 AM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>> 
>>> Hello,
>>> I would like to use argus to analyze netflow traffic format, but it is not very clear to me how to do it.
>>> Do I still need the argus daemon and to redirect netflow traffic to the machine where the daemon is running,
>>> or can I simply run the argus client on the target netflow machine?
>>> Should the Netflow traffic be rewritten in argus format on disk?
>>> I am sorry, but I did not understand very well how to do it.
>>> I have been using argus to monitor network traffic on a mirror port for many years, but the uplink speed
>>> grew to 10Gbps and this solution is no longer efficient and scalable, and I must use Netflow.
>>> To tell the truth I am using Netflow Analyzer now, but it is not as flexible as argus.
>>> With argus I can use my own perl scripts to search for specific traffic patterns...
>>> 
>>> thank you
>>> 
>>> Riccardo
>>> 
>>> 
>>> 
> 
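The analysis step the thread asks about, as an added example that is not code from the thread or from the argus project: a small stand-in for the custom perl scripts, reading argus records that were collected from Netflow with `ra -S cisco://any:9996 -w netflow.argus` and then exported as comma-separated text with `ra -r netflow.argus -c , -s saddr,sport,daddr,dport,proto,pkts,bytes` (both command lines, the field list and the 10.0.0.0/8 local prefix are assumptions; the sample records are constructed).

```python
"""Flag local hosts that talk to many distinct peers over
ephemeral-to-ephemeral ports, a common peer-to-peer signature.
Input is assumed to be ra's CSV export of Netflow-derived records:
  ra -r netflow.argus -c , -s saddr,sport,daddr,dport,proto,pkts,bytes
"""
import csv
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed ra export format (header line first).
SAMPLE = """\
saddr,sport,daddr,dport,proto,pkts,bytes
10.0.0.5,51234,203.0.113.9,6881,tcp,40,30000
10.0.0.5,51235,198.51.100.7,6882,tcp,12,9000
10.0.0.5,51236,192.0.2.44,51413,udp,8,4000
10.0.0.5,51237,203.0.113.77,6881,tcp,30,25000
10.0.0.5,51238,198.51.100.120,6889,tcp,5,3000
10.0.0.8,44321,203.0.113.9,443,tcp,100,80000
10.0.0.8,44322,203.0.113.10,443,tcp,50,40000
"""

LOCAL = ipaddress.ip_network("10.0.0.0/8")  # assumed local address space


def suspected_p2p(text, min_peers=3, ephemeral=1024):
    """Return {local_host: distinct_peer_count} for hosts whose count of
    distinct remote peers on high-port-to-high-port flows >= min_peers."""
    peers = defaultdict(set)
    for row in csv.DictReader(text.splitlines()):
        try:
            src = ipaddress.ip_address(row["saddr"])
            dst = ipaddress.ip_address(row["daddr"])
            sport, dport = int(row["sport"]), int(row["dport"])
        except (KeyError, ValueError):
            continue  # skip malformed rows and records without numeric ports
        if src in LOCAL and sport > ephemeral and dport > ephemeral:
            peers[str(src)].add(str(dst))
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, count in suspected_p2p(SAMPLE).items():
        print(f"{host}: {count} distinct high-port peers")
```

Thresholds here are illustrative; on a real 10Gbps link they would be tuned against a baseline of the site's own traffic.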