argus and Netflow

Carter Bullard carter at qosient.com
Thu Nov 29 14:03:50 EST 2012


Hey Riccardo,
Argus runs on a number of dedicated sensors, that do the 10G thing,
without mirroring.  Platforms such as Bivio are popular, and some on the
list are using them successfully.  Others use optical taps to deliver packets
to their own 10Gbps probes,  built using Endace, Intel, Myricom or Napatech
packet capture cards.  There are a number of vendors in the US that will
build argus probes for you to do the 10G thing, like nPulse.

So, we're all about reading whatever there is, so hopefully you will use
argus-clients to read the netflow data.  

Carter


On Nov 29, 2012, at 1:36 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:

> 
> frankly mirroring on multiple 10Gbit ports at full speed is not scalable...
> internet2 is monitored with netflow and LHCONE too, but argus tools are very good
> for this. I was looking for a solution to reuse my argus client filters over netflow data.
> 
> 
> cheers
> 
> Riccardo
> 
> 
> On 11/28/12 9:19 PM, Peter Van Epp wrote:
>> 	In addition you need to consider that it used to be (and I expect still
>> is) that netflow at 10 gigs was statistical rather than all flows (or at least
>> all flows the hardware can process :-)) with argus. This may or may not affect
>> your output. At my former employer we were running Enterasys's DSCC product
>> (which is based on argus like qradar data). When we fed it netflow data from
>> flow based (i.e. argus like) switches it was happy, when we fed it netflow
>> from our 10 gig router (statistical) the correlation engine tossed up so
>> many false positives (presumably because of missing flow data from the
>> sampling) that it was unusable. In addition netflow collection is adding load
>> to your router that I think could be better used for routing. Argus on a network
>> tap causes no impact on your production network. Just a couple of points to
>> consider ...
>> 
>> Peter Van Epp
>> 
>> 
>> On Mon, Nov 26, 2012 at 04:14:16PM -0800, Chas DiFatta wrote:
>>> Hey Riccardo,
>>> 
>>> Simple question.  What's the problem you're having with auditing 3x 10Gb/s links and using Argus?
>>> 
>>> You could generate Argus records directly from a host with some fast packet capture cards.
>>> 
>>> Thoughts?
>>> 
>>> Best,
>>> 
>>> 	...cd
>>> 
>>> On Nov 26, 2012, at 1:45 PM, Riccardo Veraldi wrote:
>>> 
>>>> dear Carter,
>>>> thanks for your reply.
>>>> 
>>>> The problem is that we have 3x 10Gbps links and it's kind of impossible to monitor that huge amount of traffic
>>>> with argus directly.
>>>> So we are doing it with netflow and netflow analyzer.
>>>> But in this way I am unable to run my custom perl scripts which analyze argus data, and tell me if someone is probably
>>>> doing peer to peer or other nasty things.
>>>> Can I collect netflow data, save it in argus format and analyze it with my scripts?
>>>> 
>>>> thank you
>>>> 
>>>> Riccardo
>>>> 
>>>> 
>>>> On 11/18/12 3:29 PM, Carter Bullard wrote:
>>>>> Hey Ricardo,
>>>>> Sorry for the delayed response.  Yes, you use argus-client programs to collect the Netflow data, just as you collect argus data.
>>>>> There is a page on the web site that talks about this, which may be a good start:
>>>>> 
>>>>>    http://www.qosient.com/argus/argusnetflow.shtml
>>>>> 
>>>>> The syntax for the support has changed but this should work for you:
>>>>>        ra -S cisco://any:9996
>>>>> 
>>>>> Should collect whatever netflow data there is on the wire, going to port 9996, which is the default.
>>>>> Can you describe a bit more why argus isn't working for you?  Not sure that netflow data, is
>>>>> going to be a good replacement, if you've used argus data in the past.
>>>>> 
>>>>> Hope all is most excellent,
>>>>> Carter
>>>>> 
>>>>> Sent from my iPad
>>>>> 
>>>>> On Nov 16, 2012, at 4:11 AM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>> 
>>>>>> Hello,
>>>>>> I would like to use argus to analyze netflow traffic format, but it is not very clear to me how to do it.
>>>>>> Do I still need the argus daemon and to redirect netflow traffic to the machine where daemon is running,
>>>>>> or simply I can run argus client on the target netflow machine ?
>>>>>> Netflow traffic should be rewritten in argus format on the disk ?
>>>>>> I am sorry, but I did not really understand how to do this.
>>>>>> I have been using argus to monitor network traffic on a mirror port for many, many years, but the uplink speed
>>>>>> grew to 10Gbps and this solution is no longer efficient or scalable, and I must use Netflow.
>>>>>> To tell the truth I am using Netflow Analyzer now, but it is not as flexible as argus.
>>>>>> With argus I can use my own perl scripts to search for specific traffic patterns...
>>>>>> 
>>>>>> thank you
>>>>>> 
>>>>>> Riccardo
>>>>>> 
>>>>>> 
>>>>>> 
> 
> 

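Carter's answer is that `ra -S cisco://any:9996` collects whatever NetFlow arrives on the default export port, and Peter's caveat is that a 10G router usually exports sampled flows, so the counters are estimates and flows can be missing. As an added example (not code from argus-clients or from anyone on this thread), the block below decodes a NetFlow v5 export datagram of the kind that arrives on port 9996, scales the per-flow counters by the sampling interval carried in the v5 header, checks the header's flow_sequence for lost exports, and applies a simple selection comparable to an ra filter expression. The flows, addresses, the 1-in-1000 sampling rate and the port 6881 filter are all constructed for illustration; the exporter function exists only to build test datagrams.

```python
"""Decode NetFlow v5 export datagrams (what `ra -S cisco://any:9996` reads),
scale counters by the exporter's sampling interval and detect lost exports.
Added example, not argus-clients code; all flows below are constructed."""
import struct
import time
import ipaddress

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# up to 30 fixed-size 48-byte flow records.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
NF5_MAX_RECORDS = 30


def parse_netflow_v5(datagram):
    """Return (header, flows). Counters are kept as exported and also scaled
    by the sampling interval, so sampled and unsampled exports compare."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > NF5_MAX_RECORDS:
        raise ValueError("record count %d exceeds the v5 maximum" % count)
    if len(datagram) < NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("datagram truncated: %d records announced" % count)
    # Low 14 bits: sampling interval (1 in N packets); top 2 bits: sampling
    # mode. A zero interval means the exporter is not sampling; the mode bits
    # are reported but the scaling keys off the interval only.
    interval = sampling & 0x3FFF
    scale = interval if interval else 1
    header = {"count": count, "flow_sequence": seq, "engine_id": engine_id,
              "sampling_mode": sampling >> 14, "sampling_interval": interval}
    flows = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        (src, dst, _nexthop, _inp, _outp, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = NF5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "pkts": pkts, "bytes": octets,                         # as exported
            "est_pkts": pkts * scale, "est_bytes": octets * scale,  # sampling-scaled
            "duration_ms": last - first,
        })
    return header, flows


def missing_flows(prev_header, header):
    """Flows lost between two consecutive datagrams from one engine: v5's
    flow_sequence counts flows exported so far, so the next datagram should
    start at the previous sequence number plus the previous record count."""
    expected = (prev_header["flow_sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (header["flow_sequence"] - expected) & 0xFFFFFFFF


def select_flows(flows, proto=None, port=None):
    """Rough equivalent of an ra filter such as 'tcp and port 6881'."""
    return [f for f in flows
            if (proto is None or f["proto"] == proto)
            and (port is None or port in (f["sport"], f["dport"]))]


def build_netflow_v5(flows, flow_sequence=0, sampling_interval=0, engine_id=0):
    """Constructed test exporter: pack flows into one v5 datagram. Each flow
    is (src, dst, proto, sport, dport, pkts, bytes, tcp_flags)."""
    # Mode bits are set to 1 when sampling; this is an assumption about the
    # mode encoding and is not interpreted by the parser above.
    sampling_field = ((1 << 14) | (sampling_interval & 0x3FFF)) if sampling_interval else 0
    hdr = NF5_HEADER.pack(5, len(flows), 1000, int(time.time()), 0,
                          flow_sequence, 0, engine_id, sampling_field)
    body = b"".join(
        NF5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                        b"\0\0\0\0", 1, 2, pkts, octets, 1000, 1250, sport, dport,
                        0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (s, d, proto, sport, dport, pkts, octets, flags) in flows)
    return hdr + body


def demo():
    """Same constructed flows exported unsampled and at 1:1000 sampling."""
    sample = [
        ("10.1.2.3", "192.0.2.10", 6, 51234, 6881, 120, 96000, 0x18),
        ("10.1.2.3", "192.0.2.11", 17, 51235, 53, 1, 72, 0),
        ("10.9.9.9", "192.0.2.12", 6, 40000, 443, 40, 30000, 0x18),
    ]
    unsampled = build_netflow_v5(sample, flow_sequence=100)
    sampled = build_netflow_v5(sample, flow_sequence=103, sampling_interval=1000)
    h1, f1 = parse_netflow_v5(unsampled)
    h2, f2 = parse_netflow_v5(sampled)
    return h1, f1, h2, f2
```

The `est_*` fields are what a sampled exporter lets you say about a flow: a single sampled packet of a flow reports as one packet and scales to a thousand, and flows that were never sampled do not appear at all, which is the missing data Peter describes. `missing_flows` only catches datagrams lost between exporter and collector, not flows the router never sampled.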