Verifying flow to biflow conversion?

Richard Rothwell via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jul 21 20:47:13 EDT 2016


Thanks Carter,

I was beginning to suspect that my change from using rabins to ra might be the issue.

It was never clear to me why GLORIAD InSight used rabins instead of ra.
On the face of it rabins does splitting and aggregation.
Since ElasticSearch does aggregation and the router does splitting of flows, the rabins functions seemed redundant.
Oh well, looks like I'll change back to rabins.

It is kind of disappointing that ra can’t do the conversion to biflows, given that it can take in Netflow 9 flows.

I sort of know that using netflow / IPFIX is not ideal.
But since I am connecting to routers that provide flows in that format, I am stuck with it.

I might be missing something here though?
Can Argus connect to a router? I thought its function was to connect to a network interface??
I don’t have any network interfaces to connect to that allow me to probe the traffic.

Regards


Hey Richard,
ra.1 does not perform flow record aggregation, so you shouldn't expect any bi-directional flows from ra.1.  You will need to use racluster.1, rabins.1, ratop.1 or rasqlinsert.1.  These are flow aggregators.  By default they will merge matching records into bi-directional flows.

If you are hoping for good bi-directional flow data, netflow / IPFIX is a very poor starting point.  Argus generates bi-directional flows and I would recommend using argus ... If you have to use nprobe, you can run argus and nprobe on the same box, that does work pretty well in many situations.

Carter
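To make concrete what the aggregators do that ra does not, here is an added Python sketch (written for this post, not Argus code) that folds constructed unidirectional NetFlow-style records into bi-directional flows keyed on a direction-independent 5-tuple. The first-seen direction is taken as the initiator, which is a simplification of the direction rules racluster and rabins apply.

```python
from dataclasses import dataclass

# Constructed unidirectional records, one per direction, as a NetFlow v9 /
# IPFIX exporter on a router would emit them. Fields:
# (start, end, proto, src, sport, dst, dport, pkts, bytes)
FLOWS = [
    (1.0, 2.0, 6, "10.0.0.5", 51234, "192.0.2.10", 443, 10, 1500),
    (1.1, 2.1, 6, "192.0.2.10", 443, "10.0.0.5", 51234, 8, 9000),
    (3.0, 3.5, 17, "10.0.0.7", 53000, "192.0.2.53", 53, 1, 60),
    (3.0, 3.5, 17, "192.0.2.53", 53, "10.0.0.7", 53000, 1, 200),
    (5.0, 6.0, 6, "10.0.0.9", 40000, "192.0.2.20", 22, 3, 180),  # reverse never seen
]

@dataclass
class Biflow:
    start: float
    end: float
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    spkts: int = 0   # packets / bytes sent by the initiator (src) side
    sbytes: int = 0
    dpkts: int = 0   # packets / bytes sent by the responder (dst) side
    dbytes: int = 0

def biflow_key(proto, a, ap, b, bp):
    """Direction-independent key: A->B and B->A map to the same tuple."""
    lo, hi = min((a, ap), (b, bp)), max((a, ap), (b, bp))
    return (proto,) + lo + hi

def to_biflows(records):
    """Merge matching unidirectional records into bi-directional flows."""
    table = {}
    # Process in start-time order so the earliest record defines the initiator
    # (hypothetical rule for this sketch; Argus has its own direction logic).
    for start, end, proto, src, sport, dst, dport, pkts, nbytes in sorted(records):
        key = biflow_key(proto, src, sport, dst, dport)
        bf = table.get(key)
        if bf is None:
            bf = table[key] = Biflow(start, end, proto, src, sport, dst, dport)
        bf.start, bf.end = min(bf.start, start), max(bf.end, end)
        if (src, sport) == (bf.src, bf.sport):
            bf.spkts, bf.sbytes = bf.spkts + pkts, bf.sbytes + nbytes
        else:
            bf.dpkts, bf.dbytes = bf.dpkts + pkts, bf.dbytes + nbytes
    return list(table.values())
```

A flow whose reverse direction never arrives (the last record above) still comes out as a biflow with zero responder counters, which is what you would see for an unanswered SYN.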
