Netflow v9 ipv6
Eric Camirand
techr at nexweb.ca
Thu Apr 9 12:08:37 EDT 2015
Hello Carter,
I’m replaying NetFlow v9 from a file and feeding it to ra. How do you feed the pcap file to ra? With argus?
On Apr 9, 2015, at 10:49 AM, Carter Bullard <carter at qosient.com> wrote:
Hey Eric,
Is this coming from one of your pcap files ?? Do I have, or can I get that file ??
Carter
On Apr 9, 2015, at 12:12 AM, Eric Camirand <techr at nexweb.ca> wrote:
> Hello Carter,
>
> ra output looks like this:
>
> argus-client-3.0.8 (with the new argus_import.c) :
> 10:34:33.576000 N tcp 98.137.204.89.256 ?> 192.168.100.162.50443 1 1492 INT
> 10:39:54.568000 N tcp 69.164.37.139 ?> 192.168.10.213.19350 1 1440 INT
> 10:39:23.560000 N tcp 192.168.100.221 ?> 66.87.83.69.27267 1 1500 INT
>
> argus-client-3.0.8 :
> 10:34:33.576000 N tcp 98.137.204.89.https ?> 192.168.100.162.50443 1 1492 INT
> 10:39:54.568000 N tcp 69.164.37.139.http ?> 192.168.10.213.19350 1 1440 INT
> 10:39:23.560000 N tcp 192.168.100.221.http ?> 66.87.83.69.27267 1 1500 INT
>
> Eric
>
>
>> On Apr 7, 2015, at 9:15 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey Eric,
>> Hmmmm, do you have any NetFlow data that demonstrates that ???
>> I don’t have any examples here that have missing ports.
>> Could you print out some output so I can see what you think is missing ???
>>
>> Carter
>>
>>
>>> On Apr 7, 2015, at 2:14 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>
>>> Hello Carter,
>>>
>>> IPv4 addresses are OK now but some source ports are still missing.
>>>
>>>
>>> Eric
>>>
>>>> On Apr 7, 2015, at 12:13 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>
>>>> Hey Eric,
>>>> Any luck on our attempt to fix Netflow v9 parsing of ipv6 flows ???
>>>> Carter
>>>>
>>>>> On Apr 3, 2015, at 3:37 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>
>>>>> Hey Eric,
>>>>> Let's change k_CiscoV9IPv6SrcMask to k_CiscoV9IPV6SrcMask (for consistency), and try out this argus_output.c file.
>>>>> I’m getting good results with this attempt.
>>>>> Carter
>>>>>
>>>>> <argus_import.c>
>>>>>
>>>>>> On Apr 2, 2015, at 5:17 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>
>>>>>>
>>>>>> Or for consistency, change include/argus/CflowdFlowPdu.h
>>>>>>
>>>>>> 475c475
>>>>>> < #define k_CiscoV9IPv6SrcMask 29
>>>>>> ---
>>>>>>> #define k_CiscoV9IPV6SrcMask 29
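Review bot: renaming the define at line 475 of include/argus/CflowdFlowPdu.h removes the k_CiscoV9IPv6SrcMask spelling, so any source that still uses the old name will stop compiling. Before dropping it, search the tree for k_CiscoV9IPv6SrcMask and update each use in the same change, or keep the old name for a while as an alias of k_CiscoV9IPV6SrcMask. A short comment on the define saying that it is NetFlow v9 field type 29 (the IPv6 source mask) would also make the value easier to check against the other IPv6 field defines.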
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Eric
>>>>>>
>>>>>>> On Apr 2, 2015, at 3:56 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>
>>>>>>> Carter,
>>>>>>>
>>>>>>> Please replace k_CiscoV9IPV6SrcMask by k_CiscoV9IPv6SrcMask in your file.
>>>>>>>
>>>>>>> I will get back to you soon with a test result.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>>
>>>>>>> Eric
>>>>>>>
>>>>>>>> On Apr 2, 2015, at 3:39 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>
>>>>>>>> Gentle people,
>>>>>>>> I think I have a fix for NetFlow v9 IPv6 import. If you could test the mods, replace your client's ./common/argus_import.c with the included one, recompile, and then check out ra.1 to see if you can now read some IPv6 NetFlow v9 data, that would be great !!!
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Carter
>>>>>>>>
>>>>>>>> <argus_import.c>
>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>