Using argus-clients for netflow collection and display

Jesse Bowling jessebowling at gmail.com
Fri Apr 4 13:57:26 EDT 2014 

I've been experimenting with using argus-clients to collect netflow
records, and ran into some confusion. I believe I've worked out some of the
issue, but wanted to confirm some items.

I believe that argus is writing out netflow records as bi-directional
records, rather than as the unidirectional records that netflow is
generated in. For example, I see something like this:

ra -r - - \(host 100.0.1.103 and port 53\) and \(host 100.0.1.30 and port
10239\)
                     StartTime      Flgs  Proto            SrcAddr  Sport
Dir            DstAddr  Dport  TotPkts   TotBytes State
      03/31/14 22:57:47.865000 Ne            17
100.0.1.103.53        ->         100.0.1.30.10239         1         78   REQ

In this case 100.0.1.103 is the DNS server, and 100.0.1.30 is the client. I
found it odd that only a single packet was sent. However when I look at it
this way:

ra -r - -M rmon - \(host 100.0.1.103 and port 53\) and \(host 100.0.1.30
and port 10239\)
                     StartTime      Flgs  Proto               Host  Sport
Dir            DstAddr  Dport  TotPkts   TotBytes State
      03/31/14 22:57:47.865000 Ne            17
100.0.1.103.53        ->         100.0.1.30.10239         1         78   REQ
      03/31/14 22:57:47.865000 Ne            17         100.0.1.30.10239
<-         100.0.1.103.53            1         78   REQ

It would seem to make more sense as I can see both sides. My confusion is
in the count for total bytes/packets...I find it unlikely that the exact
same size packets were sent in query and answer (given how often this
happens in the data), and if this is an aggregated record, why is the
packet count not two? I don't believe the timestamps are granular enough to
reveal timing differences, since we're relying on the router to generate
the records, so I can understand the confusion for which server originated
the traffic.

So...Are argus-clients automatically creating bi-directional records from
the netflow collected? How accurate can I expect those records to be? Is
there an option to write netflow collected records as unidirectional? Would
that even be a good idea?

I fully appreciate some of the reasons that argus was created (to deal with
just this sort of reliance on router implementations), but what pitfalls do
I need to look out for if I'm using argus to collect those records?

Thanks,

Jesse

-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140404/c0c8a7a9/attachment.html>

More information about the argus mailing list