Using argus-clients for netflow collection and display

Jesse Bowling jessebowling at gmail.com
Fri Apr 4 17:15:27 EDT 2014


Hi Carter,

Thank you for your clarifications today; I believe my suspicions about an
issue with the exports are correct. I tried capturing the same flow export
with nfcapd and found that it saw the same traffic... Not that I didn't
trust argus-clients to capture correctly, but it's nice to show you tried.
:)

Our network team is looking at this some more; it will likely end up being
something on that end. I'll update the list if appropriate to close this
thread out properly.

Cheers,

Jesse


On Fri, Apr 4, 2014 at 4:36 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

>
> On Fri, Apr 4, 2014 at 3:33 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> racluster -r argus.2014.04.04.14.30.00 -w - | racount
>>
>
> Hi Carter,
>
> Results are:
>
> # racluster -r argus.2014.04.04.14.30.00 -w - | racount
>
> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
>     sum   119557      7079867        7079867        0              5905682030         5905682030         0
>
> and for filtering to the single address, I did:
>
> | ra -r - -s +spkts +dpkts +sbytes +dbytes - \(host 100.0.1.8 and port 53\) and \(host 100.0.1.135 and port 53504\)
>
> I suspect that it's the export that's failing me (only exporting one
> side), rather than an argus-client failure... I'm verifying by trying an
> alternate netflow collector...
>
> Cheers,
>
> Jesse
>
> --
> Jesse Bowling
>
>


-- 
Jesse Bowling