Collecting Cisco netflow logs in argus format

Carter Bullard carter at qosient.com
Thu Aug 1 08:38:01 EDT 2013


Hey Desmond,
In your case why not just use radium to collect the nf data ???
If you're on the "nfHostAddr" and the nf is going to "nfPort", this
works:

   radium -S cisco://nfHostAddr:nfPort -P 561

And any ra() program can now read that nf stream at localhost:561

If you're looking for both the general flow data from the interface as
well as the nf stream, you can run argus on the same interface,
to get the general flow information, and radium can collect that
argus data, as well as the netflow data.

   argus -i interface -P 562 -d
   radium -S localhost:562 -S cisco://nfHostAddr:nfPort -P 561 -d

Then ra() can read them both

   ra -S localhost:561

You'll see multiple argus record srcids, and some records will have
the prominent 'N' in the flgs field, for netflow.

You can set all this up in the various /etc/[argus | radium].conf files....

The use case to use argus to parse netflow from packet contents
is when you can't be on the netflow target host, and you have to
grab the netflow stream say from a port mirror.

Holler if this doesn't work or if something else is bothering you !!!!
We can still turn on the netflow support, if this isn't working for you.

Carter


On Aug 1, 2013, at 6:12 AM, Desmond Irvine <desmond.irvine at sheridancollege.ca> wrote:

> Hi Carter,
>  
> I would be happy to help out with testing.  As the netflow packets are being directed at a port on the host that I’m running argus on would it be cleaner to listen to only udp traffic on that port?
>  
> Desmond
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: July-31-13 7:29 PM
> To: Desmond Irvine
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Collecting Cisco netflow logs in argus format
>  
> Hey Desmond,
> We don't currently support parsing netflow records from packets directly off the wire.
> You can parse netflow records from packets in a file, using this
> type of command line call:
>  
>    argus -r cisco:file.name -w - | ra
>  
> We can change this, but there are some practical issues with incomplete
> packet capture (snaplen < 1500) and parsing netflow, as well as taking
> arbitrary udp packets and looking to see if you can find netflow 
> contents.
>  
> If this is something you would like to test out, and don't mind being
> the guinea pig, we can provide an argus.conf option or something like:
>  
>    argus -S localhost -M parseCisco 
>  
> To direct argus to attempt to find cisco records in udp packets.
>  
> Is this helpful ?
>  
> Carter
>  
>  
> On Jul 31, 2013, at 5:12 PM, Desmond Irvine <desmond.irvine at sheridancollege.ca> wrote:
> 
> 
> Hi all,
>  
> I've been trying to get argus to collect Cisco netflow logs in argus format and I'm not having much luck.  I've seen lots of examples of using the various argus clients to read the netflow data and have been able to do that successfully, but I haven't been able to use argus itself to collect and record the data.  I could swear that I've been able to do this in the past, but can't figure out what parameters I would use with argus to do this.  What is the official way to have argus listen and collect Cisco netflow logs?
>  
> Thanks, Desmond
>  
>  
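
Carter's earlier reply in the quoted thread names the two practical problems with pulling netflow out of captured packets rather than receiving it on a socket: a snaplen shorter than the datagram leaves the header promising records that are not in the capture, and an arbitrary UDP payload has to be examined to decide whether it is netflow at all. The script below is an added example of what those two checks look like for NetFlow v5; it is not argus or radium code and does not reflect how those tools parse the format. It relies only on the public v5 layout (24-byte header, 48-byte records, at most 30 records per datagram), and the datagrams it classifies are constructed inline rather than captured.

```python
"""Classify a UDP payload as NetFlow v5, truncated NetFlow v5, or not netflow.

Added example for the argus thread above; not argus/radium code.  Uses only
the public Cisco v5 layout.  All sample datagrams are constructed here.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

NF5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
NF5_MAX_RECORDS = 30                                     # 24 + 30*48 = 1464 bytes


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def classify_nf5(payload: bytes) -> Tuple[str, List[Flow]]:
    """Return (verdict, flows); verdict is 'netflow-v5', 'truncated' or 'not-netflow'."""
    if len(payload) < NF5_HEADER.size:
        return "not-netflow", []
    version, count, *_ = NF5_HEADER.unpack_from(payload, 0)
    # Cheap plausibility test before trusting anything else in the header.
    if version != 5 or not 1 <= count <= NF5_MAX_RECORDS:
        return "not-netflow", []
    expected = NF5_HEADER.size + count * NF5_RECORD.size
    if len(payload) < expected:
        # Header claims 'count' records but the bytes are missing: this is what
        # a snaplen shorter than the datagram looks like on a port mirror.
        return "truncated", []
    if len(payload) != expected:
        # A v5 exporter never pads the datagram, so trailing bytes mean this
        # was some other UDP payload that happened to start with 0x0005.
        return "not-netflow", []
    flows = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        (srcaddr, dstaddr, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcpflags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = NF5_RECORD.unpack_from(payload, off)
        flows.append(Flow(socket.inet_ntoa(srcaddr), socket.inet_ntoa(dstaddr),
                          proto, sport, dport, pkts, octets))
    return "netflow-v5", flows


def build_nf5(flows: List[Flow], sequence: int = 0) -> bytes:
    """Construct a v5 datagram the way an exporter would lay it out (test data)."""
    header = NF5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, 0, 0)
    body = b"".join(
        NF5_RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",
                        1, 2, f.packets, f.octets, 0, 0, f.sport, f.dport,
                        0, 0, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


# Constructed sample: two flows in one export datagram (not a real capture).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 6, 51234, 443, 12, 6400),
    Flow("10.0.0.7", "192.0.2.53", 17, 40001, 53, 1, 78),
]
SAMPLE_DATAGRAM = build_nf5(SAMPLE_FLOWS, sequence=100)

if __name__ == "__main__":
    # 96-byte snaplen minus 42 bytes of Ethernet/IP/UDP headers leaves 54 payload bytes.
    cases = [("full", SAMPLE_DATAGRAM),
             ("snaplen-96", SAMPLE_DATAGRAM[:54]),
             ("other-udp", b"\x12\x34\x01\x00\x00\x01" + b"\0" * 20)]
    for label, pkt in cases:
        verdict, flows = classify_nf5(pkt)
        print(label, verdict, [(f.src, f.dst, f.proto, f.dport) for f in flows])
```

The length check is the point: a truncated capture is distinguishable from a wrong guess about the protocol, and a collector that receives the datagram on its own socket (as radium's cisco:// collector does in Carter's setup) never sees the truncated case in the first place.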
