argus-clients 3.0.7.1 Cisco V9 flows

Jon Denton jdenton at itcglobal.com
Wed Sep 26 21:07:14 EDT 2012


Carter,

I'll give it a try and send the results.
I have a system sending v9 flows as a test.
Will check the pcap for template packets.

Regards,

Jon Denton
Director - Technology
ITC Global

----- Reply message -----
From: "Carter Bullard" <carter at qosient.com>
To: "Jon Denton" <jdenton at itcglobal.com>
Cc: "<argus-info at lists.andrew.cmu.edu>" <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] argus-clients 3.0.7.1 Cisco V9 flows
Date: Wed, Sep 26, 2012 18:25



Hey jdenton,
The netflow v9 support in argus-clients-3.0.7.2 should work fine, but there is one report that indicated failure.  However, we never got a packet file that could replicate the problems that were reported.

What we need is more testing, and if there are problems, getting a good packet capture of netflow v9 traffic, including the template packets, will help us fix the bugs.

This should work with the newest clients:
   ra -S cisco://host:port

Once ra() gets some templates, then it should decode the flows.  The host:port would be the same that were used to configure the router to send the flows data.

Prior reports had bad timestamps, and core dumping, so it should be pretty obvious if you get the same results.

Any help in this area would be greatly appreciated.

Carter

On Sep 26, 2012, at 1:26 PM, "jdenton at itcglobal.com" <jdenton at itcglobal.com> wrote:

> To All,
>
> Working on Cisco V9 flows with Argus capture and decoding.
> Saw a thread on trying to decode, I have a network that is generating
> Cisco V9 flows and sending to a local server port 9996.
> I can grab the raw stream with tshark to verify receipt but was
> looking for direction on tracking down the decoding issue.
>
> Is anyone working on a debug of this?  What is needed to recompile
> the argus clients in debug mode so I can use gdb?
>
> May be able to provide raw pcaps of the traffic after scrubbing the
> public IP addresses.
>
> Our goal is to use argus to capture flows from various networks across a
> geographically diverse area, filter and if possible use radium to send
> the filtered streams to a centralized Scrutinizer flow collector.
>
> Regards,
> jdenton
>
>
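
An added example, not part of the original thread and not argus code: a minimal check, following the NetFlow v9 layout in RFC 3954, of whether captured export datagrams contain the template flowsets a collector needs before it can decode data flowsets. The function names and sample datagrams are constructed for illustration, and extracting the UDP payloads from the pcap is assumed to be done separately.

```python
import struct

def summarize_v9(payload: bytes) -> dict:
    """Templates defined and data flowset IDs referenced in one v9 export datagram."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version, _count, _uptime, unix_secs, _seq, source_id = struct.unpack("!HHIIII", payload[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, data_ids, off = {}, [], 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack("!HH", payload[off:off + 4])
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError(f"bad flowset length {fs_len} at offset {off}")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:                      # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256:               # zero padding at the end of the flowset
                    break
                end = pos + 4 + 4 * nfields
                if end > len(body):
                    raise ValueError(f"truncated template {tid}")
                templates[tid] = [struct.unpack("!HH", body[i:i + 4]) for i in range(pos + 4, end, 4)]
                pos = end
        elif fs_id >= 256:                  # data flowset; its ID names the template it needs
            data_ids.append(fs_id)
        off += fs_len
    return {"source_id": source_id, "unix_secs": unix_secs,
            "templates": templates, "data_flowsets": data_ids}

def undecodable(payloads):
    """(source_id, template_id) for data flowsets seen before their template, in capture order."""
    known, missing = set(), []
    for p in payloads:
        s = summarize_v9(p)
        known.update((s["source_id"], t) for t in s["templates"])
        missing += [(s["source_id"], d) for d in s["data_flowsets"] if (s["source_id"], d) not in known]
    return missing

# Constructed sample datagrams (not from a real capture): source_id 7, template 256.
HDR = struct.pack("!HHIIII", 9, 1, 1000, 1348707600, 1, 7)
TEMPLATE_PKT = HDR + struct.pack("!HHHH", 0, 16, 256, 2) + struct.pack("!HHHH", 8, 4, 12, 4)
DATA_PKT = HDR + struct.pack("!HH", 256, 12) + bytes([10, 0, 0, 1, 10, 0, 0, 2])

if __name__ == "__main__":
    print(summarize_v9(TEMPLATE_PKT))
    print(undecodable([DATA_PKT, TEMPLATE_PKT]))
```

A non-empty result from `undecodable` means the capture starts before the exporter's template refresh, so a collector replaying it cannot decode those early data flowsets.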