Netflow v9 ipv6

Eric Camirand techr at nexweb.ca
Tue Apr 14 16:12:20 EDT 2015


Hey Carter,

Netflow v9 is exported using a custom template.
The last pcap file I gave you is sflow data converted to Netflow v9. This is why you see many pkts and no duration (sflow sampling is 512). I'm trying to unify all my flow data.

I don’t think it’s a good idea to create an exception for this scenario. Could I just disable the check in the source code before compiling?

I can also provide sflow data if you have time to complete the support for it.

Eric


On Apr 14, 2015, at 1:25 PM, Carter Bullard <carter at qosient.com> wrote:

Hey Eric,
So the error that we’re getting is an internal sanity check for pkt count and duration.
Your netflow records are reporting significant pkt counts but with a duration of 0.0.
We generate the error when we see > 1000 pkts and no duration, as that is
not supposed to be physically possible.

I need to put in some form of exception to let these flow records through.  Possibly
we can generate a default duration for these flows ????  The netflow timestamp
granularity is really atrocious, so maybe we can do something like 1 mSec ???

Carter   

> On Apr 13, 2015, at 4:13 PM, Eric Camirand <techr at nexweb.ca> wrote:
> 
> Hello Carter,
> 
> I’m still having a small issue with some flows giving ERR.
> 
> I attached a new pcap file with these errors.
> 
> Thanks !
> 
> 
> Eric
> 
> 
> On Apr 10, 2015, at 4:35 PM, Carter Bullard <carter at qosient.com> wrote:
> 
> Hey Eric,
> Thanks for the debug data !!!!    So how about this ./common/argus_import.c ??? 
> Carter
> 
> <argus_import.c>
> 
>> On Apr 9, 2015, at 2:16 PM, Carter Bullard <carter at qosient.com> wrote:
>> 
>> Hey Eric,
>> Can I get a copy of the file that demonstrates the problem so I can fix it ???
>> Carter
>> 
>> 
>> 
>> On Apr 9, 2015, at 12:08 PM, Eric Camirand <techr at nexweb.ca> wrote:
>> 
>>> Hello Carter,
>>> 
>>> I’m replaying netflow v9 from a file and feeding it to ra. How do you feed the pcap file to ra? With argus?
>>> 
>>> 
>>> On Apr 9, 2015, at 10:49 AM, Carter Bullard <carter at qosient.com> wrote:
>>> 
>>> Hey Eric,
>>> Is this coming from one of your pcap files ??  Do I have, or can I get that file ??
>>> Carter
>>> 
>>> 
>>> 
>>> On Apr 9, 2015, at 12:12 AM, Eric Camirand <techr at nexweb.ca> wrote:
>>> 
>>>> Hello Carter,
>>>> 
>>>> ra output looks like this:
>>>> 
>>>> argus-client-3.0.8 (with the new argus_import.c) :
>>>> 10:34:33.576000 N tcp 98.137.204.89.256 ?> 192.168.100.162.50443 1 1492   INT
>>>> 10:39:54.568000 N tcp 69.164.37.139 ?> 192.168.10.213.19350 1 1440   INT
>>>> 10:39:23.560000 N tcp 192.168.100.221 ?> 66.87.83.69.27267 1 1500   INT
>>>> 
>>>> argus-client-3.0.8 :
>>>> 10:34:33.576000 N tcp 98.137.204.89.https ?> 192.168.100.162.50443 1 1492   INT
>>>> 10:39:54.568000 N tcp 69.164.37.139.http ?> 192.168.10.213.19350 1 1440   INT
>>>> 10:39:23.560000 N tcp 192.168.100.221.http ?> 66.87.83.69.27267 1 1500   INT
>>>> 
>>>> Eric
>>>> 
>>>> 
>>>>> On Apr 7, 2015, at 9:15 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>> 
>>>>> Hey Eric,
>>>>> Hmmmm, do you have any NetFlow data that demonstrates that ???
>>>>> I don’t have any examples here that have missing ports.
>>>>> Could you print out some output so I can see what you think is missing ???
>>>>> 
>>>>> Carter
>>>>> 
>>>>> 
>>>>>> On Apr 7, 2015, at 2:14 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>> 
>>>>>> Hello Carter,
>>>>>> 
>>>>>> IPv4 addresses are OK now but some source ports are still missing.
>>>>>> 
>>>>>> 
>>>>>> Eric
>>>>>> 
>>>>>>> On Apr 7, 2015, at 12:13 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>> 
>>>>>>> Hey Eric,
>>>>>>> Any luck on our attempt to fix Netflow v9 parsing of ipv6 flows ???
>>>>>>> Carter
>>>>>>> 
>>>>>>>> On Apr 3, 2015, at 3:37 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>> 
>>>>>>>> Hey Eric,
>>>>>>>> Let’s change k_CiscoV9IPv6SrcMask to k_CiscoV9IPV6SrcMask (for consistency), and try out this argus_output.c file.
>>>>>>>> I’m getting good results with this attempt.
>>>>>>>> Carter
>>>>>>>> 
>>>>>>>> <argus_import.c>
>>>>>>>> 
>>>>>>>>> On Apr 2, 2015, at 5:17 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Or for consistency, change include/argus/CflowdFlowPdu.h
>>>>>>>>> 
>>>>>>>>> 475c475
>>>>>>>>> < #define k_CiscoV9IPv6SrcMask        29
>>>>>>>>> ---
>>>>>>>>>> #define k_CiscoV9IPV6SrcMask        29
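Review bot: this one-line rename in include/argus/CflowdFlowPdu.h only builds if every reference in ./common/argus_import.c uses the same spelling; the earlier message in this thread asked for the opposite change (k_CiscoV9IPV6SrcMask to k_CiscoV9IPv6SrcMask in argus_import.c), so grep both files for both forms before applying either patch, otherwise one side is left with an undefined symbol.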
>>>>>>>>> 
>>>>>>>>> Thanks,
>>>>>>>>> 
>>>>>>>>> Eric
>>>>>>>>> 
>>>>>>>>>> On Apr 2, 2015, at 3:56 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>>>> 
>>>>>>>>>> Carter,
>>>>>>>>>> 
>>>>>>>>>> Please replace k_CiscoV9IPV6SrcMask by k_CiscoV9IPv6SrcMask in your file.
>>>>>>>>>> 
>>>>>>>>>> I will get back to you soon with a test result.
>>>>>>>>>> 
>>>>>>>>>> Thanks,
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Eric
>>>>>>>>>> 
>>>>>>>>>>> On Apr 2, 2015, at 3:39 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Gentle people,
>>>>>>>>>>> I think I have a fix for netflow v9 ipv6 import. If you could test the mods, replace your client’s ./common/argus_import.c with the included one, recompile, and then check out ra.1 to see if you can now read some IPv6 Netflow v9 data, that would be great !!!
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> 
>>>>>>>>>>> Carter
>>>>>>>>>>> 
>>>>>>>>>>> <argus_import.c>
>>>>>>>>>>> 
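As an added illustration (not argus code, and not code from either poster), here is the record-level sanity check Carter describes, with the 1 ms default duration he floats offered as the alternative policy; it also shows why sFlow data converted at a sampling rate of 512 trips the check after only two samples. Record layout, function names and the sample records are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Values quoted in the thread: the check fires above 1000 pkts with a 0.0
# duration; the proposed default duration is 1 ms; sflow sampling is 512.
# Everything else in this block is an assumption made for this illustration.
PKT_THRESHOLD = 1000
DEFAULT_DURATION_S = 0.001
SFLOW_SAMPLING_RATE = 512

@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    pkts: int
    duration: float  # seconds; sFlow-converted records arrive with 0.0

def sflow_pkts(samples: int, rate: int = SFLOW_SAMPLING_RATE) -> int:
    """Packet count an sFlow-to-NetFlow converter reports for N samples:
    each sample stands for `rate` packets, so two samples already exceed
    the 1000-pkt threshold while the record still carries no duration."""
    return samples * rate

def sanity_check(rec: FlowRecord,
                 default_duration: Optional[float] = None) -> Tuple[str, FlowRecord]:
    """Many packets in zero time is not physically possible, so the record
    is an error unless a default duration is substituted (the exception
    floated in the thread). Returns (status, record-to-store)."""
    if rec.pkts > PKT_THRESHOLD and rec.duration == 0.0:
        if default_duration is None:
            return "err", rec
        return "fixed", replace(rec, duration=default_duration)
    return "ok", rec

# Constructed sample records (documentation addresses), not from any pcap.
RECORDS = [
    FlowRecord("192.0.2.10", "198.51.100.7", pkts=1, duration=0.0),       # single pkt, fine
    FlowRecord("192.0.2.11", "198.51.100.8", pkts=5000, duration=12.5),   # real duration
    FlowRecord("192.0.2.12", "198.51.100.9", pkts=sflow_pkts(2), duration=0.0),  # sFlow-derived
]

def summarize(records, default_duration=None):
    """Count how many records each outcome produces under a given policy."""
    counts = {"ok": 0, "err": 0, "fixed": 0}
    for rec in records:
        status, _ = sanity_check(rec, default_duration)
        counts[status] += 1
    return counts

if __name__ == "__main__":
    print("strict:   ", summarize(RECORDS))
    print("1 ms dflt:", summarize(RECORDS, DEFAULT_DURATION_S))
```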

More information about the argus mailing list