Capturing Cisco IPFIX flows

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Fri Dec 16 12:08:06 EST 2016


Hey Bassem,
The IPFIX support in argus is evolving, but you should be able to get flows from it.  Because of how IPFIX is designed, you must, of course, listen to the port for a while before you can read flows.  This is because you must first receive IPFIX template records, which describe the format of the IPFIX records, so that the reader can know how to decode the IPFIX messages.

If you are having problems, you should run ra.1 with the -D debug option, and it will tell you what is going on, especially with regard to reading flows, discarding because it doesn’t have a template, receiving templates and then decoding the messages.  Compile the clients with a .debug tag in the root directory, if you haven’t done this already:

   % cd /directory/where/argus-clients/is
   % touch .debug
   % ./configure;make

Then run your commands:
   
   ra -A -S cisco://any:9996 -D6


Officially, the argus project is designed to show you that you can do much better than IPFIX and Cisco Netflow.  I would recommend generating argus flow data, rather than collecting Cisco flow data, and trying to take advantage of the improvements argus data provides. 

Carter

> On Dec 15, 2016, at 7:08 AM, bassem zaki via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hello all,
> 
> I'm new to Argus, and I'm trying to collect IPFIX flows sent from Cisco router. Do I have to export the flows to an Argus server first then use ra client tools to read those flows or can I just use client tools to read flows sent directly from the cisco router?
> I'm using (argus-clients-3.0.8.2) to collect the IPFIX but unfortunately I'm capturing nothing at all. I thought maybe Argus doesn't support IPFIX so I tried to collect netflow v5 exported by ipt_netflow but I had the same result. I spent some time reviewing the mailing list but I couldn't solve the problem. I don't know exactly what I'm missing!!
> Another question, reviewing GLORIAD solution made me really interested to try argus, so I want to make sure that it's a good choice to monitor a 3Gbps network???
> 
> <SNIP>
> # ra -A -S cisco://any:9996
> 
> ^C Totalrecords 2         TotalManRecords 1         TotalFarRecords 0        TotalPkts 0        TotalBytes 0 
> <SNIP>
> 
> PS:
> I made sure that I'm receiving the flows using tcpdump and tshark, and I was already collecting flows using other netflow collecting tools like nfacct, silk, and manageengine.
> 
> thanks,
> bassem
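
The template-first behaviour Carter describes is the reason a fresh collector shows "Totalrecords 2 ... TotalFarRecords 0": data sets that arrive before their template cannot be decoded. The Python below is an added illustration, not argus code and not from the thread: a minimal IPFIX (RFC 7011) reader that caches templates per observation domain, counts data sets with no known template as discarded, and decodes the rest. The information element ids are the IANA ones; the exporter output in `sample_exchange()` (template id 256, domain 7, addresses 10.0.0.1 and 192.0.2.10) is constructed, and enterprise-specific elements and options templates are assumed absent.

```python
import struct
from ipaddress import IPv4Address
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",   # IANA ids
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}
def ipfix_message(domain, sets, seq=0):
    """Build one IPFIX message: 16-byte header, then sets given as [(set_id, body)]."""
    body = b"".join(struct.pack("!HH", sid, 4 + len(b)) + b for sid, b in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, seq, domain) + body
def sample_exchange():
    """Constructed exporter output: a template (id 256) and one flow record that uses it."""
    tmpl = struct.pack("!HH", 256, 7) + struct.pack("!14H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 8, 2, 8)
    rec = struct.pack("!IIHHBQQ", 0x0A000001, 0xC000020A, 12345, 443, 6, 1500, 10)
    return ipfix_message(7, [(2, tmpl)], seq=1), ipfix_message(7, [(256, rec)], seq=2)
class IpfixCollector:
    """Caches templates per observation domain; data sets with no known template are discarded."""
    def __init__(self):
        self.templates, self.discarded = {}, 0
    def feed(self, msg):
        version, length, _time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        assert version == 10 and length == len(msg), "not a complete IPFIX message"
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            body, off = msg[off + 4:off + set_len], off + set_len
            if set_id == 2:                                  # template set
                self._parse_templates(domain, body)
            elif set_id >= 256:                              # data set
                fields = self.templates.get((domain, set_id))
                if fields is None:
                    self.discarded += 1                      # the "no template" case ra -D reports
                else:
                    records += self._decode(fields, body)
        return records
    def _parse_templates(self, domain, body):
        pos = 0
        while pos + 4 <= len(body):                          # trailing bytes are padding
            tid, count = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            pairs = struct.unpack("!%dH" % (2 * count), body[pos:pos + 4 * count]); pos += 4 * count
            self.templates[(domain, tid)] = list(zip(pairs[::2], pairs[1::2]))  # (ie_id, length)
    def _decode(self, fields, body):
        rec_len, out, pos = sum(f for _, f in fields), [], 0
        while pos + rec_len <= len(body):                    # stop at padding
            rec = {}
            for ie, flen in fields:
                val = int.from_bytes(body[pos:pos + flen], "big"); pos += flen
                rec[IE_NAMES.get(ie, f"ie{ie}")] = str(IPv4Address(val)) if ie in (8, 12) else val
            out.append(rec)
        return out
```

Feeding the data message first leaves `discarded` at 1 and returns nothing; feeding the template and then the same data message returns the decoded flow, which is why ra must listen until the exporter's next template refresh.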
