Collecting Cisco netflow logs in argus format
Desmond Irvine
desmond.irvine at sheridancollege.ca
Thu Aug 1 06:12:57 EDT 2013
Hi Carter,
I would be happy to help out with testing. As the netflow packets are being directed at a port on the host that I'm running argus on would it be cleaner to listen to only udp traffic on that port?
Desmond
From: Carter Bullard [mailto:carter at qosient.com]
Sent: July-31-13 7:29 PM
To: Desmond Irvine
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Collecting Cisco netflow logs in argus format
Hey Desmond,
We don't currently support parsing netflow records from packets directly off the wire.
You can parse netflow records from packets in a file, using this
type of command line call:
argus -r cisco:file.name -w - | ra
We can change this, but there are some practical issues with incomplete
packet capture (snaplen < 1500) and parsing netflow, as well as taking
arbitrary udp packets and looking to see if you can find netflow
contents.
If this is something you would like to test out, and don't mind being
the quinea pig, we can provide an argus.conf option or something like:
argus -S localhost -M parseCisco
To direct argus to attempt to find cisco records in udp packets.
Is this helpful ?
Carter
On Jul 31, 2013, at 5:12 PM, Desmond Irvine <desmond.irvine at sheridancollege.ca<mailto:desmond.irvine at sheridancollege.ca>> wrote:
Hi all,
I been trying to get argus to collect Cisco netflow logs in argus format and I'm not having much luck. I've seen lots of examples of using the various argus clients to read the netflow data and have been able to do that successfully, but I haven't been to use argus itself to collect and record the data. I could swear that I've been able to do this in the past, but can't figure out what parameters I would use with argus to do this. What is the official way to have argus listen and collect Cisco netflow logs?
Thanks, Desmond
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130801/5277344b/attachment.html>
More information about the argus
mailing list