Netflow v9 ipv6

Carter Bullard carter at qosient.com
Mon Apr 27 13:00:08 EDT 2015


Hey Eric,
In argus, we give them a duration based on 1Gbps rate, but we don't talk about argus support for this much.  We have time to figure out what we want in the clients.  You have a working version of argus-clients now ???


Carter Bullard • CTO
150 E 57th Street Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494

> On Apr 27, 2015, at 12:55 PM, Eric Camirand <techr at nexweb.ca> wrote:
> 
> Hello Carter,
> 
> Did you make a decision about how to process these flows? (a default vs. no duration)
> 
> 
> Eric
> 
> 
> On Apr 14, 2015, at 9:40 PM, Eric Camirand <techr at nexweb.ca> wrote:
> 
> Hey Carter,
> 
> Since this is a corner case (sflow -> netflow -> ra) maybe the flow should go without a duration. This way, it will be easier to spot a misbehaving probe in a normal netflow setup (netflow -> ra). I.e. high pkts number + no duration = something is wrong with this probe.
> 
> I think it's OK to lose some analytics here.
> 
> Eric
> 
> 
> On Apr 14, 2015, at 4:33 PM, Carter Bullard <carter at qosient.com> wrote:
> 
> Hey Eric,
> I was wondering why 512 pkts keeps repeating in your flow file.
> I thought I was doing something wrong until wireshark confirmed that that was the right number.
> 
> Well, the sanity check is a last ditch effort to pick up parsing errors, so I’m not inclined to take it out.
> What I’ve done, and it works great for all the flows you sent, is to provide a default rate, which generates a duration for the flows.  Right now I'm using 1Mpps (~1Gbps for 1K packets) so that 3K packets will take 3 milliseconds.  Is that reasonable ??  Since I know it's Netflow, I could let it go without a duration, but that will screw up analytics down the line.
> 
> Let's do sFlow in 3.0.9, just after 3.0.8.1 is pushed out.
> 
> Carter
> 
>> On Apr 14, 2015, at 4:12 PM, Eric Camirand <techr at nexweb.ca> wrote:
>> 
>> Hey Carter,
>> 
>> Netflow v9 is exported using a custom template.
>> The last pcap file I gave you is sflow data converted to Netflow v9. This is why you see many pkts and no duration (sflow sampling is 512). I'm trying to unify all my flow data.
>> 
>> I don’t think it's a good idea to create an exception for this scenario. Could I just disable the check in the source code before compiling ?
>> 
>> I can also provide sflow data if you got time to complete the support for it.
>> 
>> Eric
>> 
>> 
>> On Apr 14, 2015, at 1:25 PM, Carter Bullard <carter at qosient.com> wrote:
>> 
>> Hey Eric,
>> So the error that we’re getting is an internal sanity check  for pkt count and duration.
>> Your netflow records are reporting significant pkt counts but with a duration of 0.0.
>> We generate the error when we see > 1000 pkts and no duration, as that is
>> not supposed to be physically possible.
>> 
>> I need to put in some form of exception to let these flow records through.  Possibly
>> we can generate a default duration for these flows ????  The netflow timestamp
>> granularity is really atrocious, so maybe we can do something like 1 mSec ???
>> 
>> Carter
>> 
>>> On Apr 13, 2015, at 4:13 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>> 
>>> Hello Carter,
>>> 
>>> I’m still having a small issue with some flows giving ERR.
>>> 
>>> I attached a new pcap file with these errors.
>>> 
>>> Thanks !
>>> 
>>> 
>>> Eric
>>> 
>>> 
>>> On Apr 10, 2015, at 4:35 PM, Carter Bullard <carter at qosient.com> wrote:
>>> 
>>> Hey Eric,
>>> Thanks for the debug data !!!!    So how about this ./common/argus_import.c ???
>>> Carter
>>> 
>>> <argus_import.c>
>>> 
>>>> On Apr 9, 2015, at 2:16 PM, Carter Bullard <carter at qosient.com> wrote:
>>>> 
>>>> Hey Eric,
>>>> Can I get a copy of the file that demonstrates the problem so I can fix it ???
>>>> Carter
>>>> 
>>>> 
>>>> 
>>>>> On Apr 9, 2015, at 12:08 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>> 
>>>>> Hello Carter,
>>>>> 
>>>>> I’m replaying netflow v9 from a file and feeding it to ra. How do you feed the pcap file to ra? With argus?
>>>>> 
>>>>> 
>>>>> On Apr 9, 2015, at 10:49 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>> 
>>>>> Hey Eric,
>>>>> Is this coming from one of your pcap files ??  Do I have, or can I get that file ??
>>>>> Carter
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Apr 9, 2015, at 12:12 AM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>> 
>>>>>> Hello Carter,
>>>>>> 
>>>>>> ra output looks like this ->
>>>>>> 
>>>>>> argus-client-3.0.8 (with the new argus_import.c) :
>>>>>> 10:34:33.576000 N tcp 98.137.204.89.256 ?> 192.168.100.162.50443 1 1492   INT
>>>>>> 10:39:54.568000 N tcp 69.164.37.139 ?> 192.168.10.213.19350 1 1440   INT
>>>>>> 10:39:23.560000 N tcp 192.168.100.221 ?> 66.87.83.69.27267 1 1500   INT
>>>>>> 
>>>>>> argus-client-3.0.8 :
>>>>>> 10:34:33.576000 N tcp 98.137.204.89.https ?> 192.168.100.162.50443 1 1492   INT
>>>>>> 10:39:54.568000 N tcp 69.164.37.139.http ?> 192.168.10.213.19350 1 1440   INT
>>>>>> 10:39:23.560000 N tcp 192.168.100.221.http ?> 66.87.83.69.27267 1 1500   INT
>>>>>> 
>>>>>> Eric
>>>>>> 
>>>>>> 
>>>>>>> On Apr 7, 2015, at 9:15 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>> 
>>>>>>> Hey Eric,
>>>>>>> Hmmmm, do you have any NetFlow data that demonstrates that ???
>>>>>>> I don’t have any examples here that have missing ports.
>>>>>>> Could you print out some output so I can see what you think is missing ???
>>>>>>> 
>>>>>>> Carter
>>>>>>> 
>>>>>>> 
>>>>>>>> On Apr 7, 2015, at 2:14 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>> 
>>>>>>>> Hello Carter,
>>>>>>>> 
>>>>>>>> IPv4 addresses are OK now but some source ports are still missing.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Eric
>>>>>>>> 
>>>>>>>>> On Apr 7, 2015, at 12:13 AM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hey Eric,
>>>>>>>>> Any luck on our attempt to fix Netflow v9 parsing of ipv6 flows ???
>>>>>>>>> Carter
>>>>>>>>> 
>>>>>>>>>> On Apr 3, 2015, at 3:37 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hey Eric,
>>>>>>>>>> Let's change k_CiscoV9IPv6SrcMask to k_CiscoV9IPV6SrcMask (for consistency), and try out this argus_output.c file.
>>>>>>>>>> I’m getting good results with this attempt.
>>>>>>>>>> Carter
>>>>>>>>>> 
>>>>>>>>>> <argus_import.c>
>>>>>>>>>> 
>>>>>>>>>>> On Apr 2, 2015, at 5:17 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Or for consistency, change include/argus/CflowdFlowPdu.h
>>>>>>>>>>> 
>>>>>>>>>>> 475c475
>>>>>>>>>>> < #define k_CiscoV9IPv6SrcMask        29
>>>>>>>>>>> ---
>>>>>>>>>>>> #define k_CiscoV9IPV6SrcMask        29
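Review bot: renaming the macro only in include/argus/CflowdFlowPdu.h leaves any source file that still references k_CiscoV9IPv6SrcMask (the previous message asked for exactly that spelling in argus_import.c) failing to compile with an undeclared identifier, so the header change and the references in ./common/argus_import.c must land together under one agreed spelling; the thread later settles on k_CiscoV9IPV6SrcMask, which is the line shown here.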
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> 
>>>>>>>>>>> Eric
>>>>>>>>>>> 
>>>>>>>>>>>> On Apr 2, 2015, at 3:56 PM, Eric Camirand <techr at nexweb.ca> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Carter,
>>>>>>>>>>>> 
>>>>>>>>>>>> Please replace k_CiscoV9IPV6SrcMask by k_CiscoV9IPv6SrcMask in your file.
>>>>>>>>>>>> 
>>>>>>>>>>>> I will get back to you soon with a test result.
>>>>>>>>>>>> 
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> Eric
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Apr 2, 2015, at 3:39 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Gentle people,
>>>>>>>>>>>>> I think I have a fix for netflow v9 ipv6 import. If you could test the mods, replace your clients' ./common/argus_import.c with the included one, recompile, and then check out ra.1 to see if you can now read some IPv6 Netflow v9 data, that would be great !!!
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Carter
>>>>>>>>>>>>> 
>>>>>>>>>>>>> <argus_import.c>
> 
> 
> 
> 
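As an added illustration (not argus code, and not from either correspondent): the pkt-count/duration sanity check discussed in the thread, the two policies debated for records that fail it (synthesize a duration from a default 1 Mpps rate, or emit ERR so a misbehaving probe stands out), and a per-exporter tally of flagged records. The record layout, the `exporter` field and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from collections import Counter

PKT_SANITY_THRESHOLD = 1000   # argus raises ERR above this many pkts with 0.0 duration
DEFAULT_RATE_PPS = 1_000_000  # default rate from the thread: 1 Mpps, ~1 Gbps at 1K packets


@dataclass
class FlowRecord:
    exporter: str   # probe that exported the record (assumed field, not an argus name)
    proto: str
    src: str
    dst: str
    pkts: int
    dur: float      # seconds as reported; sFlow converted to NetFlow v9 reports 0.0


def violates_sanity(rec: FlowRecord) -> bool:
    """The thread's check: > 1000 pkts in 0.0 seconds is not physically possible."""
    return rec.pkts > PKT_SANITY_THRESHOLD and rec.dur == 0.0


def default_duration(rec: FlowRecord, rate_pps: int = DEFAULT_RATE_PPS) -> float:
    """Synthesize a duration from a fixed rate: 3000 pkts at 1 Mpps -> 0.003 s."""
    return rec.pkts / rate_pps


def process(records, policy="default"):
    """policy='default': keep downstream analytics by synthesizing a duration.
    policy='reject': emit ERR so a probe sending pkts without durations stands out."""
    out = []
    for rec in records:
        if not violates_sanity(rec):
            out.append((rec, "OK", rec.dur))
        elif policy == "default":
            out.append((rec, "DEFAULTED", default_duration(rec)))
        else:
            out.append((rec, "ERR", 0.0))
    return out


def suspect_probes(results):
    """Flagged records per exporter: many hits on one probe is the
    'high pkts + no duration = something is wrong with this probe' signal."""
    return Counter(rec.exporter for rec, status, _ in results if status != "OK")


# Constructed sample records, loosely modelled on the ra lines in the thread (not real data).
SAMPLE = [
    FlowRecord("probe-a", "tcp", "192.168.100.221", "66.87.83.69.27267", 512, 0.0),
    FlowRecord("probe-b", "tcp", "98.137.204.89.443", "192.168.100.162.50443", 3000, 0.0),
    FlowRecord("probe-a", "tcp", "69.164.37.139.80", "192.168.10.213.19350", 3000, 2.5),
]

if __name__ == "__main__":
    for rec, status, dur in process(SAMPLE, policy="default"):
        print(f"{rec.exporter} {rec.pkts} pkts {status} dur={dur:.3f}s")
```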