Netflow v9 ipv6
Carter Bullard
carter at qosient.com
Tue Apr 14 13:25:12 EDT 2015
Hey Eric,
So the error that we’re getting is an internal sanity check for pkt count and duration.
Your netflow records are reporting significant pkt counts but with a duration of 0.0.
We generate the error when we see > 1000 pkts and no duration, as that is
not supposed to be physically possible.
I need to put in some form of exception to let these flow records through. Possibly
we can generate a default duration for these flows ???? The netflow timestamp
granularity is really atrocious, so maybe we can do something like 1 mSec ???
Carter
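
The sanity check described in this message (more than 1000 pkts with a duration of 0.0) and the proposed 1 mSec default, as an added example that is not part of the original message and not Argus code. The struct, function names and the `allow_default` switch are hypothetical; the timestamps are assumed to be the NetFlow v9 FIRST_SWITCHED/LAST_SWITCHED sysUptime values in milliseconds.

```c
#include <stdint.h>
#include <stdio.h>

#define PKT_SANITY_LIMIT 1000u   /* from the message: > 1000 pkts with no duration */
#define DEFAULT_DUR_USEC 1000u   /* proposed default duration: 1 mSec */

enum flow_check { FLOW_OK, FLOW_ERR, FLOW_DEFAULTED };

/* Hypothetical subset of a decoded NetFlow v9 record (not an Argus struct). */
struct v9_flow {
    uint32_t first_ms;   /* FIRST_SWITCHED: sysUptime, milliseconds */
    uint32_t last_ms;    /* LAST_SWITCHED: sysUptime, milliseconds */
    uint64_t pkts;       /* packet count */
};

/* Unsigned 32-bit subtraction stays correct when sysUptime wraps
 * between the first and last packet of the flow. */
static uint64_t flow_duration_usec(const struct v9_flow *f)
{
    return (uint64_t)(uint32_t)(f->last_ms - f->first_ms) * 1000u;
}

/* allow_default == 0 flags the record; non-zero substitutes the 1 mSec default. */
static enum flow_check check_flow(const struct v9_flow *f, int allow_default,
                                  uint64_t *dur_usec)
{
    *dur_usec = flow_duration_usec(f);
    if (*dur_usec != 0 || f->pkts <= PKT_SANITY_LIMIT)
        return FLOW_OK;
    if (!allow_default)
        return FLOW_ERR;
    *dur_usec = DEFAULT_DUR_USEC;
    return FLOW_DEFAULTED;
}

int main(void)
{
    /* Constructed records: zero-duration burst, single packet, uptime wrap. */
    struct v9_flow recs[] = {
        { 5000, 5000, 4200 }, { 5000, 5000, 1 }, { 0xFFFFFF00u, 0x100u, 2000 },
    };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        uint64_t d;
        int strict = check_flow(&recs[i], 0, &d);
        int lenient = check_flow(&recs[i], 1, &d);
        printf("rec %zu: strict=%d lenient=%d dur_usec=%llu\n", i, strict, lenient, (unsigned long long)d);
    }
    return 0;
}
```
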
> On Apr 13, 2015, at 4:13 PM, Eric Camirand <techr at nexweb.ca> wrote:
>
> Hello Carter,
>
> I’m still having a small issue with some flows giving ERR.
>
> I attached a new pcap file with these errors.
>
> Thanks !
>
>
> Eric
>
>
> On Apr 10, 2015, at 4:35 PM, Carter Bullard <carter at qosient.com> wrote:
>
> Hey Eric,
> Thanks for the debug data !!!! So how about this ./common/argus_import.c ???
> Carter
>
> <argus_import.c>
>
>> On Apr 9, 2015, at 2:16 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey Eric,
>> Can I get a copy of the file that demonstrates the problem so I can fix it ???
>> Carter
>>
>>
>>
>> On Apr 9, 2015, at 12:08 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>
>>> Hello Carter,
>>>
>>> I’m replaying netflow v9 from a file and feeding it to ra. How do you feed the pcap file to ra? With argus?
>>>
>>>
>>> On Apr 9, 2015, at 10:49 AM, Carter Bullard <carter at qosient.com> wrote:
>>>
>>> Hey Eric,
>>> Is this coming from one of your pcap files ?? Do I have, or can I get that file ??
>>> Carter
>>>
>>>
>>>
>>> On Apr 9, 2015, at 12:12 AM, Eric Camirand <techr at nexweb.ca> wrote:
>>>
>>>> Hello Carter,
>>>>
>>>> ra output looks like this ->
>>>>
>>>> argus-client-3.0.8 (with the new argus_import.c) :
>>>> 10:34:33.576000 N tcp 98.137.204.89.256 ?> 192.168.100.162.50443 1 1492 INT
>>>> 10:39:54.568000 N tcp 69.164.37.139 ?> 192.168.10.213.19350 1 1440 INT
>>>> 10:39:23.560000 N tcp 192.168.100.221 ?> 66.87.83.69.27267 1 1500 INT
>>>>
>>>> argus-client-3.0.8 :
>>>> 10:34:33.576000 N tcp 98.137.204.89.https ?> 192.168.100.162.50443 1 1492 INT
>>>> 10:39:54.568000 N tcp 69.164.37.139.http ?> 192.168.10.213.19350 1 1440 INT
>>>> 10:39:23.560000 N tcp 192.168.100.221.http ?> 66.87.83.69.27267 1 1500 INT
>>>>
>>>> Eric
>>>>
>>>>
>>>>> On Apr 7, 2015, at 9:15 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>
>>>>> Hey Eric,
>>>>> Hmmmm, do you have any NetFlow data that demonstrates that ???
>>>>> I don’t have any examples here that have missing ports.
>>>>> Could you print out some output so I can see what you think is missing ???
>>>>>
>>>>> Carter
>>>>>
>>>>>
>>>>>> On Apr 7, 2015, at 2:14 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>
>>>>>> Hello Carter,
>>>>>>
>>>>>> IPv4 addresses are OK now but some source ports are still missing.
>>>>>>
>>>>>>
>>>>>> Eric
>>>>>>
>>>>>>> On Apr 7, 2015, at 12:13 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>
>>>>>>> Hey Eric,
>>>>>>> Any luck on our attempt to fix Netflow v9 parsing of ipv6 flows ???
>>>>>>> Carter
>>>>>>>
>>>>>>>> On Apr 3, 2015, at 3:37 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>
>>>>>>>> Hey Eric,
>>>>>>>> Let’s change k_CiscoV9IPv6SrcMask to k_CiscoV9IPV6SrcMask (for consistency), and try out this argus_output.c file.
>>>>>>>> I’m getting good results with this attempt.
>>>>>>>> Carter
>>>>>>>>
>>>>>>>> <argus_import.c>
>>>>>>>>
>>>>>>>>> On Apr 2, 2015, at 5:17 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Or for consistency, change include/argus/CflowdFlowPdu.h
>>>>>>>>>
>>>>>>>>> 475c475
>>>>>>>>> < #define k_CiscoV9IPv6SrcMask 29
>>>>>>>>> ---
>>>>>>>>>> #define k_CiscoV9IPV6SrcMask 29
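Review bot: the rename at line 475 touches only the definition, and a macro rename has to land everywhere at once: any source file still spelling it k_CiscoV9IPv6SrcMask will stop compiling, or inside an #if will silently evaluate to 0. Apply the header change together with the matching ./common/argus_import.c, grep the tree for the old spelling, and check which spelling the other IPv6 field macros in CflowdFlowPdu.h use, since consistency is the stated reason for the change.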
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Eric
>>>>>>>>>
>>>>>>>>>> On Apr 2, 2015, at 3:56 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>>>>
>>>>>>>>>> Carter,
>>>>>>>>>>
>>>>>>>>>> Please replace k_CiscoV9IPV6SrcMask by k_CiscoV9IPv6SrcMask in your file.
>>>>>>>>>>
>>>>>>>>>> I will get back to you soon with a test result.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Eric
>>>>>>>>>>
>>>>>>>>>>> On Apr 2, 2015, at 3:39 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Gentle people,
>>>>>>>>>>> I think I have a fix for netflow v9 ipv6 import. If you could test the mods, replace your client’s ./common/argus_import.c with the included one, recompile, and then check out ra.1 to see if you can now read some IPv6 Netflow v9 data, that would be great !!!
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Carter
>>>>>>>>>>>
>>>>>>>>>>> <argus_import.c>
>>>>>>>>>>>