argus configuration with upstream router

Carter Bullard carter at qosient.com
Thu May 9 16:56:01 EDT 2013


Hey Michael,
So, this is one of the challenges for carriers, some enterprise
networks and definitely SDNs, where a single packet may be on the
same wire multiple times, but in different tunnels, or going
in different directions, whatever.

I've been working with a few sites to disambiguate these packets so
we can do the accounting correctly, but ..., it's not easy when there
aren't any identifiers in the packets to tell us how to do the flows.

You can currently add the VLAN tags to the flow key definitions, if your
traffic is separated with vlans.

Try this in your argus.conf file;

   ARGUS_FLOW_TYPE="Bidirectional"
   ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+VLAN"

As long as both flow directions share the same VLAN tag, all will work
correctly.  I've got other mechanisms on the way....

Now, racluster() will put them back together, but I'm working this in
argus-3.0.7.x so let's get this fixed in argus, then I'll propagate the key
modifications to the client processing.

What is there in your packets that can be used to discriminate
how the flows are tracked?  Ethernet addresses ?  Vlan tags ?
MPLS labels ? ?????

Carter

On May 7, 2013, at 2:11 PM, Michael Sanderson <sanders at cs.ubc.ca> wrote:

> I'm looking for suggestions of how to configure argus to accurately report traffic in a network configuration where my argus sensor is on my side of an upstream router.  I'm in a University department with multiple subnets on virtual LANs switched internally, but with a tapped link to the University's router.  Something like this, with taps on TX and RX to the argus sensor box.
> 
> 
> SW <-> +-------------------+           +---------------+
> SW <-> |aggregator switch  |  -> TX -> |router/firewall| -> Internet
> SW <-> +-------------------+  <- RX <- +---------------+
> 
> 
> My current configuration of argus with ARGUS_INTERFACE=dup:eth0,eth1/uplink results in double counting of local, routed traffic (once on TX and once on RX).  Using bond results in the same thing.
> 
> To correct this, I've been thinking of moving to independent interfaces, capturing all traffic on RX to get both local routed traffic and inbound Internet traffic, and capturing only Internet bound TX traffic.  However, I'm not 100% positive this will work.  Is this the right path, and what are the gotchas I should be aware of with respect to ensuring my Internet flows see both src and dst packets?  Is there a better direction to be looking at?
> 
> Thanks,
>     Michael Sanderson
> 
> 
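To make the double-counting problem in Michael's question and the effect of Carter's ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+VLAN" suggestion concrete, here is a small simulation of bidirectional flow keying. It is an added example, not argus code and not part of the original thread, and it assumes (constructed) that the tapped link between the aggregator switch and the router is an 802.1Q trunk carrying each department VLAN's tag, so a locally routed packet appears on the TX tap with the sender's VLAN and again on the RX tap with the receiver's VLAN. All addresses, ports and packet sizes are made up.

```python
"""Simulate how a sensor tapping both TX and RX of a router link counts
routed traffic, with and without the VLAN tag in the flow key.
Added example; not argus code. Assumes the tapped link is an 802.1Q
trunk carrying per-VLAN tags (a constructed assumption)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    tap: str             # "TX" (toward router) or "RX" (from router); constructed
    vlan: Optional[int]  # 802.1Q tag as seen on the trunk
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


# Constructed sample: host A (VLAN 10) talks to host B (VLAN 20) through
# the router, and A also talks to an Internet host. Every locally routed
# packet crosses the trunk twice (once toward the router, once back) with
# a different tag each time; Internet traffic crosses it once per packet.
SAMPLE = [
    # A -> B, local routed: seen on TX tagged 10, then on RX tagged 20
    Packet("TX", 10, "tcp", "10.1.10.5", 40000, "10.1.20.7", 22, 100),
    Packet("RX", 20, "tcp", "10.1.10.5", 40000, "10.1.20.7", 22, 100),
    # B -> A reply: seen on TX tagged 20, then on RX tagged 10
    Packet("TX", 20, "tcp", "10.1.20.7", 22, "10.1.10.5", 40000, 60),
    Packet("RX", 10, "tcp", "10.1.20.7", 22, "10.1.10.5", 40000, 60),
    # A -> Internet and the reply: each packet is on the trunk only once
    Packet("TX", 10, "tcp", "10.1.10.5", 40001, "198.51.100.9", 443, 120),
    Packet("RX", 10, "tcp", "198.51.100.9", 443, "10.1.10.5", 40001, 1400),
]


def flow_key(pkt, include_vlan=False):
    """Bidirectional 5-tuple: endpoints are sorted so both directions of a
    conversation fall into the same record. Optionally append the VLAN tag,
    which is what CLASSIC_5_TUPLE+VLAN does conceptually."""
    ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    key = (pkt.proto,) + ends
    return key + (pkt.vlan,) if include_vlan else key


def aggregate(packets, include_vlan=False):
    """Return {flow_key: {"pkts", "bytes", "taps"}} for the packet list."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "taps": set()})
    for p in packets:
        rec = flows[flow_key(p, include_vlan)]
        rec["pkts"] += 1
        rec["bytes"] += p.length
        rec["taps"].add(p.tap)
    return dict(flows)


def local_flow_packets(include_vlan):
    """Packet counts of the record(s) that describe the A<->B conversation.
    Without VLAN in the key the two taps' copies merge into one record that
    reports 4 packets for 2 real ones; with VLAN in the key each VLAN side
    gets its own record, each counting every packet exactly once."""
    flows = aggregate(SAMPLE, include_vlan)
    return sorted(rec["pkts"] for key, rec in flows.items()
                  if "10.1.20.7" in (key[1][0], key[2][0]))


if __name__ == "__main__":
    for include_vlan in (False, True):
        print("VLAN in key:", include_vlan)
        for key, rec in aggregate(SAMPLE, include_vlan).items():
            print("  ", key, rec["pkts"], "pkts", rec["bytes"], "bytes",
                  "seen on", sorted(rec["taps"]))
```

The Internet flow comes out the same under both keys (one record, both taps, two packets), because the request and the reply carry the same tag on the trunk. That is exactly Carter's condition: the VLAN key only helps when both directions of a flow share a tag, and it does not change the fact that a locally routed packet is still observed twice on the wire; it just stops the two observations from being merged into one inflated record.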
