Capturing Cisco IPFIX flows

bassem zaki via Argus-info argus-info at lists.andrew.cmu.edu
Fri Dec 16 14:18:46 EST 2016


Hello Carter,

I really appreciate your prompt response. I already spent some time dealing
with NetFlow and, as I told you, I collected IPFIX using pmacct, SiLK, and
ManageEngine. I know that it takes some time for the exporter to send the
template; that's why I configured a short template interval on the router ("15
secs I think"). I already tried using the "D8" option to debug, but I didn't
know that I had to create ".debug", so I'll try again with debugging on
and get back to you with the result.

Thanks,
Bassem

On Fri, Dec 16, 2016, 7:08 PM Carter Bullard <carter at qosient.com> wrote:

> Hey Bassem,
> The IPFIX support in argus is evolving, but you should be able to get
> flows from it.  Because of how IPFIX is designed, you must, of course,
> listen to the port for a while before you can read flows.  This is because
> you must first receive IPFIX template records, which describe the format
> of the IPFIX records, so that the reader can know how to decode the IPFIX
> messages.
>
> If you are having problems, you should run ra.1 with the -D debug option,
> and it will tell what is going on, especially with regard to reading flows,
> discarding because it doesn’t have a template, receiving templates and then
> decoding the messages.  Compile the clients with a .debug tag in the root
> directory, if you haven’t done this already:
>
>    % cd /directory/where/argus-clients/is
>    % touch .debug
>    % ./configure;make
>
> Then run your commands:
>
>    ra -A -S cisco://any:9996 -D6
>
>
> Officially, the argus project is designed to show you that you can do much
> better than IPFIX and Cisco Netflow.  I would recommend generating argus
> flow data, rather than collecting Cisco flow data, and trying to take
> advantage of the improvements argus data provides.
>
> Carter
>
> On Dec 15, 2016, at 7:08 AM, bassem zaki via Argus-info <
> argus-info at lists.andrew.cmu.edu> wrote:
>
> Hello all,
>
> I'm new to Argus, and I'm trying to collect IPFIX flows sent from a Cisco
> router. Do I have to export the flows to an Argus server first and then use ra
> client tools to read those flows, or can I just use the client tools to read
> flows sent directly from the Cisco router?
> I'm using (argus-clients-3.0.8.2) to collect the IPFIX but unfortunately
> I'm capturing nothing at all. I thought maybe Argus doesn't support IPFIX,
> so I tried to collect NetFlow v5 exported by ipt_netflow but I had the same
> result. I spent some time reviewing the mailing list but I couldn't solve
> the problem. I don't know exactly what I'm missing!!
> Another question: reviewing the GLORIAD solution made me really interested to
> try argus, so I want to make sure that it's a good choice to monitor a
> 3Gbps network???
>
> <SNIP>
> # ra -A -S cisco://any:9996
>
> ^C Totalrecords 2         TotalManRecords 1         TotalFarRecords
> 0        TotalPkts 0        TotalBytes 0
> <SNIP>
>
> PS:
> I made sure that I'm receiving the flows using tcpdump and tshark, and I
> was already collecting flows using other netflow collecting tools like
> nfacct, silk, and manageengine.
>
> thanks,
> bassem
>
>
>
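Carter's point about template records having to arrive before any data record can be decoded, shown as an added example (not argus code and not code from either poster): a minimal Python reader for IPFIX message framing that learns templates from Template Sets (set ID 2) and discards Data Sets whose template it has not yet seen, which is the same behaviour the -D debug output reports. The template ID, element IDs and addresses in the sample messages are constructed.

```python
import struct

def parse_ipfix_message(msg, templates):
    """Parse one IPFIX message; returns (decoded_records, discarded_data_sets)."""
    version, length = struct.unpack("!HH", msg[:4])  # then export time, seq, domain id
    assert version == 10 and length == len(msg), "not a well-formed IPFIX message"
    decoded, discarded, off = [], 0, 16  # sets start after the 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        body, pos = msg[off + 4:off + set_len], 0
        if set_id == 2:  # Template Set: record the field layout of each template ID
            while pos + 4 <= len(body) and body[pos:pos + 2] != b"\x00\x00":  # stop at padding
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos, fields = pos + 4, []
                for _ in range(count):
                    eid, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4 + (4 if eid & 0x8000 else 0)  # enterprise bit: skip the PEN too
                    fields.append((eid & 0x7FFF, flen))
                templates[tid] = fields
        elif set_id >= 256:  # Data Set: decodable only with a template already received
            if set_id not in templates:
                discarded += 1  # what a collector must do until the template arrives
            else:
                fields = templates[set_id]
                rec_len = sum(flen for _, flen in fields)
                while rec_len and pos + rec_len <= len(body):
                    rec = {}
                    for eid, flen in fields:
                        rec[eid] = int.from_bytes(body[pos:pos + flen], "big")
                        pos += flen
                    decoded.append(rec)
        off += set_len
    return decoded, discarded

def build_message(sets, seq):  # constructed framing helper: (set_id, payload) pairs -> message
    body = b"".join(struct.pack("!HH", sid, len(data) + 4) + data for sid, data in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, seq, 1) + body

# Constructed template 256: sourceIPv4Address(8), destinationIPv4Address(12), octetDeltaCount(1)
TEMPLATE_SET = struct.pack("!HH", 256, 3) + struct.pack("!HHHHHH", 8, 4, 12, 4, 1, 4)
DATA_SET = bytes([10, 0, 0, 1, 10, 0, 0, 2]) + struct.pack("!I", 1500)  # 10.0.0.1 -> 10.0.0.2

def demo():  # data before its template is discarded; once the template is seen it decodes
    templates = {}
    early, lost = parse_ipfix_message(build_message([(256, DATA_SET)], 1), templates)
    later, _ = parse_ipfix_message(build_message([(2, TEMPLATE_SET), (256, DATA_SET)], 2), templates)
    return lost, early, later
```

With a short template interval on the exporter, the window in which a collector reports only discarded records is correspondingly short; with a long one, a freshly started ra sees exactly the empty totals quoted in the original post until the next template refresh.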