argus and Netflow

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Thu Nov 29 16:15:38 EST 2012


Yes Carter, I agree with you, I am not here to tell this is not a good 
approach,
but every time I try to convince people to do this here, they keep 
telling me internet2 is using netflow
as well as Dante... so... not easy for me  :)
thank you for your support

Riccardo


On 11/29/12 8:08 PM, Carter Bullard wrote:
> Hey Riccardo,
> Just for completeness, while Internet2 is doing netflow, Gloriad, the other NSF
> funded international network, is doing argus at 10Gbps.  And many of
> Internet2's customers are doing argus on their links to Internet2.
>
> Really all depends on if you have the money to do the dedicated probe
> strategy, or have the engineering desire to build your own.
>
> Carter
>
>
> On Nov 29, 2012, at 1:36 PM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>
>> frankly mirroring on multiple 10Gbit ports at full speed is not scalable...
>> internet2 is monitored with netflow and LHCONE too, but argus tools are very good
>> for this I was looking for a solution to reuse my argus clients filter over netflow data.
>>
>>
>> cheers
>>
>> Riccardo
>>
>>
>> On 11/28/12 9:19 PM, Peter Van Epp wrote:
>>> 	In addition you need to consider that it used to be (and I expect still
>>> is) that netflow at 10 gigs was statistical rather than all flows (or at least
>>> all flows the hardware can process :-)) with argus. This may or may not affect
>>> your output. At my former employer we were running Enterasys's DSCC product
>>> (which is based on argus like qradar data). When we fed it netflow data from
>>> flow based (i.e. argus like) switches it was happy, when we fed it netflow
>>> from our 10 gig router (statistical) the correlation engine tossed up so
>>> many false positives (presumably because of missing flow data from the
>>> sampling) that it was unusable. In addition netflow collection is adding load
>>> to your router that I think could be better used for routing. Argus on a network
>>> tap causes no impact on your production network. Just a couple of points to
>>> consider ...
>>>
>>> Peter Van Epp
>>>
>>>
>>> On Mon, Nov 26, 2012 at 04:14:16PM -0800, Chas DiFatta wrote:
>>>> Hey Riccardo,
>>>>
>>>> Simple question.  What's the problem you're having with auditing 3x 10Gb/s links and using Argus?
>>>>
>>>> You could generate Argus records directly from a host with some fast packet capture cards.
>>>>
>>>> Thoughts?
>>>>
>>>> Best,
>>>>
>>>> 	...cd
>>>>
>>>> On Nov 26, 2012, at 1:45 PM, Riccardo Veraldi wrote:
>>>>
>>>>> dear Carter,
>>>>> thanks for your reply.
>>>>>
>>>>> The problem is that we have 3x 10Gbps links and it's kind of impossible to monitor that huge amount of traffic
>>>>> with argus directly.
>>>>> So we are doing it with netflow and netflow analyzer.
>>>>> But in this way I am unable to run my custom perl scripts which analyze argus data, and tell me if someone is probably
>>>>> doing peer to peer or other nasty things.
>>>>> can I collect netflow data, save it in argus format and analyze it with my scripts ?
>>>>>
>>>>> thank you
>>>>>
>>>>> Riccardo
>>>>>
>>>>>
>>>>> On 11/18/12 3:29 PM, Carter Bullard wrote:
>>>>>> Hey Ricardo,
>>>>>> Sorry for the delayed response.  Yes, you use argus-client programs to collect the Netflow data, just as you collect argus data.
>>>>>> There is a page on the web site that talks about this, which may be a good start:
>>>>>>
>>>>>>     http://www.qosient.com/argus/argusnetflow.shtml
>>>>>>
>>>>>> The syntax for the support has changed but this should work for you:
>>>>>>         ra -S cisco://any:9996
>>>>>>
>>>>>> Should collect whatever netflow data there is on the wire, going to port 9996, which is the default.
>>>>>> Can you describe a bit more why argus isn't working for you?  Not sure that netflow data, is
>>>>>> going to be a good replacement, if you've used argus data in the past.
>>>>>>
>>>>>> Hope all is most excellent,
>>>>>> Carter
>>>>>>
>>>>>> Sent from my iPad
>>>>>>
>>>>>> On Nov 16, 2012, at 4:11 AM, Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> I would like to use argus to analyze netflow traffic format, but it is not very clear to me how to do it.
>>>>>>> Do I still need the argus daemon and to redirect netflow traffic to the machine where daemon is running,
>>>>>>> or simply I can run argus client on the target netflow machine ?
>>>>>>> Netflow traffic should be rewritten in argus format on the disk ?
>>>>>>> I am sorry but I did not understand very much how to do.
>>>>>>> I have been using argus to monitor network traffic on mirror port since many many years, but  the uplink speed
>>>>>>> grew to 10Gbps and this solution is no more efficient and scalable, and I must use Netflow.
>>>>>>> To tell the truth I am using Netflow Analyzer now but it is not so flexible as argus.
>>>>>>> With argus I can use my own perl scripts to search for specific traffic patterns...
>>>>>>>
>>>>>>> thank you
>>>>>>>
>>>>>>> Riccardo
>>>>>>>
>>>>>>>
>>>>>>>
>>
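Peter's point above about packet-sampled NetFlow at 10G losing flows, as an added simulation that is not part of this thread or of the argus project: it models 1-in-N packet sampling over a constructed traffic mix and reports which flows a detector reading the exported records would still see. The flow mix, the sampling rate and the counter scaling are assumptions.

```python
import random

SAMPLE_RATE = 1000  # assumed 1-in-1000 packet sampling, a constructed value

def make_flows(seed=1):
    """Constructed traffic mix: a handful of bulk transfers plus many 1-3 packet
    flows (what a probe or a failed connection produces). Returns
    (flow_key, packets, bytes_per_packet) tuples."""
    rng = random.Random(seed)
    flows = [(f"bulk-{i}", rng.randint(20000, 50000), 1400) for i in range(5)]
    flows += [(f"short-{i}", rng.randint(1, 3), 60) for i in range(200)]
    return flows

def full_export(flows):
    """Every flow yields a record, as a sensor seeing all packets on a tap would produce."""
    return {k: {"pkts": p, "bytes": p * s} for k, p, s in flows}

def sampled_export(flows, rate, seed=7):
    """Model packet-sampled NetFlow: each packet is sampled with probability
    1/rate, a flow only gets a record if at least one packet was sampled, and
    the exporter scales the counters back up by the sampling rate."""
    rng = random.Random(seed)
    records = {}
    for k, p, s in flows:
        hits = sum(1 for _ in range(p) if rng.random() < 1.0 / rate)
        if hits:
            records[k] = {"pkts": hits * rate, "bytes": hits * rate * s}
    return records

def compare(flows, rate):
    """Summarise what a detector reading the sampled records would be missing."""
    full, samp = full_export(flows), sampled_export(flows, rate)
    short = [k for k in full if k.startswith("short-")]
    bulk = [k for k in full if k.startswith("bulk-")]
    full_bytes = sum(full[k]["bytes"] for k in bulk)
    samp_bytes = sum(samp[k]["bytes"] for k in bulk if k in samp)
    return {
        "short_total": len(short),
        "short_seen": sum(1 for k in short if k in samp),
        "bulk_total": len(bulk),
        "bulk_seen": sum(1 for k in bulk if k in samp),
        "bulk_bytes_rel_error": abs(samp_bytes - full_bytes) / full_bytes,
    }

if __name__ == "__main__":
    r = compare(make_flows(), SAMPLE_RATE)
    print(f"short flows visible after sampling: {r['short_seen']}/{r['short_total']}")
    print(f"bulk flows visible: {r['bulk_seen']}/{r['bulk_total']}, "
          f"byte-count error {r['bulk_bytes_rel_error']:.1%}")
```

The bulk transfers survive with roughly correct byte counts, while nearly all of the short flows never get a record at all, which is the gap a correlation engine built for complete flow data has to cope with.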