Radium netflow collection: many records in the future?

Jesse Bowling jessebowling at gmail.com
Tue Jul 23 09:36:44 EDT 2013 

Hi,

I'm collecting neflow records with radium, using argus-clients 3.0.7.9.
I've found that I have quite a few records that list start times in the
future; sometimes two months in the future! I notice that almost all the
records with future dates list a 5 minute boundary as the start time, i.e.:

# ra -r argus.2013.09.10.00.00.00 -N 10 -w - - | ranonymize -r -
                     StartTime      Flgs  Proto            SrcAddr  Sport
Dir            DstAddr  Dport  TotPkts   TotBytes State
      09/10/13 00:00:00.000000 Ne            17
1.0.2.1.54076     ->            1.0.3.1.63008        43      60370   REQ
      09/10/13 00:00:00.000000 Ne             6
100.0.1.1.52469     ?>            1.0.4.1.53624         2       2551   INT
      09/10/13 00:00:00.000000 Ne             6
100.0.1.1.52469     ?>            1.0.4.2.53359         2       2545   INT
      09/10/13 00:00:00.000000 Ne             6
100.0.1.1.52469     ?>            1.0.4.3.53572         1       1275   INT
      09/10/13 00:00:00.000000 Ne             6
100.0.1.1.52469     ?>            1.0.4.4.54880         2       2553   INT
      09/10/13 00:00:00.000000 Ne             6
100.0.2.1.39995     ?>            1.0.5.1.59243         1         45   INT
      09/10/13 00:00:00.000000 Ne             6
1.0.5.1.59243     ?>          100.0.2.1.39995         3       2700   INT
      09/10/13 00:00:00.000000 Ne             6
100.0.3.1.54214     ?>          100.0.4.1.80           17        782   INT
      09/10/13 00:00:00.000000 Ne             6
1.0.6.1.80        ?>          100.0.5.1.42526        36      51113   INT
      09/10/13 00:00:00.000000 Ne             6
100.0.5.1.42526     ?>            1.0.6.1.80            6        349   INT

Can anyone suggest a strategy for determining whether the fault lies within
the argus processing, or the netflow generation?

Thanks,

Jesse

$ grep -Ev '^#|^[ \t]*$' /etc/radium.conf
RADIUM_DAEMON=yes
RADIUM_MAR_STATUS_INTERVAL=60
RADIUM_CISCONETFLOW_PORT=9996
RADIUM_ACCESS_PORT=561

$ grep -Ev '^#|^[ \t]*$' /etc/ra.conf
RA_SET_PID="no"
RA_PID_PATH="/var/run"
RA_RUN_TIME=0
RA_PRINT_MAN_RECORDS=no
RA_PRINT_EVENT_RECORDS=yes
RA_PRINT_LABELS=0
RA_FIELD_SPECIFIER="stime:24 flgs proto saddr sport dir daddr dport pkts
bytes state"
RA_PRINT_NAMES=none
RA_CIDR_ADDRESS_FORMAT="yes"
RA_PRINT_RESPONSE_DATA=no
RA_PRINT_UNIX_TIME=no
RA_TIME_FORMAT="%D %T.%f"
RA_USEC_PRECISION=6
RA_USERDATA_ENCODE=Ascii
RA_DELEGATED_IP="/usr/local/argus/delegated-ipv4-latest"

Started with:

/usr/local/bin/radium -f /etc/radium.conf
/usr/local/bin/rasplit -M time 5m -S 127.0.0.1:561 -w
/argus/netflow/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S &

Cheers,

Jesse

-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130723/6e022833/attachment.html>

More information about the argus mailing list