How is the flgs field derived?
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Wed Apr 27 09:26:28 EDT 2016
Hey Richard,
Not to inject myself too much in your project, but radium should be able to read IPFIX ... so not sure of the nprobe element??? Gloriad generated native argus data, didn't use Netflow, so there maybe some tweaking.
You won't get the loss data that was so cool about Gloriad's displays, but most of the rest will be doable.
Carter
On Apr 27, 2016, at 3:06 AM, Richard Rothwell via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> Hi Carter,
>
> The GLORIAD software I have inherited is converting all flags fields into “Netflow”.
> This is because the flags field as sent by rabins contains just “N”.
> Flags is call just flgs in a netflow record.
>
> The data processing chain I have in place has router(IPFIX) -> nprobe(Netflow9) -> radium (Argus) -> rabins.
> I have looked at the output of nprobe and that seems to be OK.
> I use nfcapd and nfdump together to inspect the output of nprobe.
>
> A record output from nprobe looks like:
>
> Flow Record:
> Flags = 0x06 FLOW, Unsampled
> export sysid = 1
> size = 72
> first = 1461737035 [2016-04-27 06:03:55]
> last = 1461737035 [2016-04-27 06:03:55]
> msec_first = 304
> msec_last = 304
> src addr = ***.***.***.***
> dst addr = ***.***.***.***
> src port = 27878
> dst port = 443
> fwd status = 0
> tcp flags = 0x18 .AP...
> proto = 6 TCP
> (src)tos = 0
> (in)packets = 2
> (in)bytes = 193
> input = 824
> output = 644
> src as = 10148
> dst as = 32934
>
> So the question is where have tcp flags gone in the conversion between netflow and Argus records.
> Is this expected behaviour??
>
> Regards from Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160427/990924fa/attachment.html>
More information about the argus
mailing list