IPFIX support timeline.

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Thu Feb 4 15:39:43 EST 2016


Hey Richard,
We have preliminary support in argus-clients now for IPFIX UDP and TCP.  That needs debugging and additional support as new IEs are used.  It would be reasonable to read the IPFIX data with radium, and have rabins connect to radium to get the converted data.  That way we can figure out if any bugs are in IPFIX conversion or in record processing later on.

rabins.1 has some very specific issues with flow data coming way out of time order.  We’re going to report on time period t1-t2, and if IPFIX sends data late, rabins throws it away … could be the memory leak relates to data out of bounds ???  If so, you need to add a bit of buffering using the -B option, so that rabins doesn’t flush out a time bin, when more IPFIX data is coming.    With some implementations, you may need a “-B 300s” to make sure the data is ok.  But if you can get some guarantees from IPFIX, then the -B can be shorter.

If you have a bug report for rabins, please send it to the list.  Try using radium to convert IPFIX to argus format, check to see how out of order the flow records are, then adjust using a ‘-B delay’ option to give the IPFIX data time to show up, and then let’s see if you have blow ups or memory leaks ????

Gloriad.org, an NSF IRE service provider, has a great argus -> ELK system they have said they will share.  Not sure the status of that.

Carter

> On Feb 4, 2016, at 12:20 AM, Richard Rothwell via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi list,
> 
> I am investigating all of the bits needed to get network monitoring up and running for AARNET.
> Front-end most likely would involve the ELK stack in some way with Argus providing the probes.
> 
> However we are interested in getting our data from the routers rather than network interfaces.
> But we have settled on IPFIX. Feeding IPFIX flows into the Argus rabins client seems to work, sort of.
> 
> There are 2 issues I need to address.
> When will proper IPFIX support be available?
> What are the limitations of feeding IPFIX flows into the front end of rabins when it expects NetFlow 9? (I’m just the programmer, not the network expert.)
> Feeding IPFIX data into rabins causes it to blow up pretty quick with a major memory leak. I have studied this with heaptracker, but no definite conclusion yet.
> Regards from Richard
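
Added example, not part of the original message and not Argus code: a simplified model of the time-bin flushing described above, used to estimate from a sample of record timestamps how large a ‘-B delay’ would have to be. It assumes a bin is flushed against the newest record timestamp seen so far; the function names, the 60-second bin size and the sample timestamps are constructed for illustration.

```python
import math

# Constructed sample: record timestamps in seconds, listed in ARRIVAL order.
SAMPLE = [0, 5, 62, 58, 130, 61, 200, 10, 205]

def lateness(timestamps):
    """Seconds each record trails the newest timestamp seen before it arrived
    (0 means the record arrived in time order)."""
    high, out = float("-inf"), []
    for ts in timestamps:
        high = max(high, ts)
        out.append(high - ts)
    return out

def dropped(timestamps, bin_size, hold):
    """Count records that arrive after their time bin was flushed.
    Assumed model: bin [b, b + bin_size) is flushed once the newest
    timestamp seen reaches b + bin_size + hold."""
    high, drops = float("-inf"), 0
    for ts in timestamps:
        high = max(high, ts)
        bin_end = (ts // bin_size + 1) * bin_size
        if high >= bin_end + hold:
            drops += 1
    return drops

def minimal_hold(timestamps, bin_size):
    """Smallest whole-second hold for which this sample loses no records."""
    high, need = float("-inf"), 0
    for ts in timestamps:
        high = max(high, ts)
        bin_end = (ts // bin_size + 1) * bin_size
        # A record survives only if high < bin_end + hold.
        need = max(need, math.floor(high - bin_end) + 1)
    return need

if __name__ == "__main__":
    print("lateness per record:", lateness(SAMPLE))
    for hold in (0, 30, minimal_hold(SAMPLE, 60)):
        print(f"hold={hold:>3}s dropped={dropped(SAMPLE, 60, hold)}")
```

Run it over timestamps taken from the converted records in the order they were received; a single very late record dominates the result, so look at the lateness distribution before settling on a hold value.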
