Using argus-clients for netflow collection and display

Carter Bullard carter at qosient.com
Fri Apr 4 18:10:48 EDT 2014


Hey Jesse,
Do me a favor, and try this incantation as well:

   racluster -r argus.2014.0404.14.30.00 -M correct -w - | racount

Depending on which racluster() you’re working with, you may
need to use the mode specifier to force bi-directional correction.
The default will be to correct when we release, but not sure which
version you may be using.

Carter

On Apr 4, 2014, at 5:15 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> Hi Carter,
> 
> Thank you for your clarifications today; I believe my suspicions about an issue with the exports are correct. I tried capturing the same flow export with nfcapd and found that it saw the same traffic... Not that I didn't trust argus-clients to capture correctly, but it's nice to show you tried. :)
> 
> Our network team is looking at this some more; it will likely end up being something on that end. I'll update the list if appropriate to close this thread out properly.
> 
> Cheers,
> 
> Jesse
> 
> 
> On Fri, Apr 4, 2014 at 4:36 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
> On Fri, Apr 4, 2014 at 3:33 PM, Carter Bullard <carter at qosient.com> wrote:
> racluster -r argus.2014.04.04.14.30.00 -w - | racount
> 
> Hi Carter,
> 
> Results are:
> 
> # racluster -r argus.2014.04.04.14.30.00 -w - | racount
> 
> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
>     sum   119557      7079867        7079867        0              5905682030         5905682030         0    
> 
> and for filtering to the single address, I did:
> 
> | ra -r - -s +spkts +dpkts +sbytes +dbytes - \(host 100.0.1.8 and port 53\) and \(host 100.0.1.135 and port 53504\)
> 
> I suspect that it's the export that's failing me (only exporting one side), rather than an argus-client failure... I'm verifying by trying an alternate netflow collector...
> 
> Cheers,
> 
> Jesse
> 
> -- 
> Jesse Bowling
> 
> 
> 
> 
> -- 
> Jesse Bowling
> 
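To make the `-M correct` suggestion concrete, here is an added example (not argus-clients code) that models what bi-directional correction does to uni-directional records like those behind Jesse's racount output, where every record had dst_pkts of 0. The sample records, the merge rule and the function names are constructed for this illustration and simplify the real racluster matching.

```python
from collections import namedtuple

# Constructed sample of uni-directional flow records, shaped like the export
# in the thread (every record carries only src counters; the dst side is zero).
# The DNS 5-tuple is the one from Jesse's ra filter (host 100.0.1.8 port 53,
# host 100.0.1.135 port 53504).
Record = namedtuple("Record", "saddr sport daddr dport proto pkts bytes")
RECORDS = [
    Record("100.0.1.135", 53504, "100.0.1.8", 53, "udp", 1, 78),     # DNS query
    Record("100.0.1.8", 53, "100.0.1.135", 53504, "udp", 1, 142),    # DNS answer
    Record("100.0.1.20", 40000, "100.0.1.9", 443, "tcp", 10, 1500),  # only one side seen
    Record("100.0.1.135", 53504, "100.0.1.8", 53, "udp", 1, 78),     # repeated query
]

def cluster(records, correct=True):
    """Aggregate records by 5-tuple. With correct=True, a record whose 5-tuple
    is the reverse of a flow already seen is folded into that flow's dst side
    (a simplified model of racluster -M correct, not the argus algorithm)."""
    flows = {}
    for r in records:
        fwd = (r.saddr, r.sport, r.daddr, r.dport, r.proto)
        rev = (r.daddr, r.dport, r.saddr, r.sport, r.proto)
        if correct and rev in flows:
            f, side = flows[rev], "dst"
        else:
            f = flows.setdefault(fwd, {"src_pkts": 0, "src_bytes": 0,
                                       "dst_pkts": 0, "dst_bytes": 0})
            side = "src"
        f[side + "_pkts"] += r.pkts
        f[side + "_bytes"] += r.bytes
    return flows

def racount(flows):
    """Column sums in the style of the racount output quoted in the thread."""
    t = {"records": len(flows), "src_pkts": 0, "dst_pkts": 0,
         "src_bytes": 0, "dst_bytes": 0}
    for f in flows.values():
        for k in f:
            t[k] += f[k]
    t["total_pkts"] = t["src_pkts"] + t["dst_pkts"]
    t["total_bytes"] = t["src_bytes"] + t["dst_bytes"]
    return t

def looks_one_sided(totals):
    """The symptom in Jesse's output: packets counted, but dst columns all zero."""
    return totals["src_pkts"] > 0 and totals["dst_pkts"] == 0

if __name__ == "__main__":
    for correct in (False, True):
        t = racount(cluster(RECORDS, correct=correct))
        print(f"correct={correct}: {t} one_sided={looks_one_sided(t)}")
```

If the corrected totals still show zero dst counters, the reverse records were never in the export at all, which points at the exporter rather than the collector.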
