How does srcid work?

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Mon Mar 21 10:18:05 EDT 2016


Hey Richard,
Source id is very important to argus, and we’ve put a lot of work into it, so it should work.
But you never know, so I need some more description of what you’re doing to know if it’s broken.

With netflow, the source id is the IPv4 address of the netflow source, which we get right out of the packet, so that definitely should be working.  All your routers could be sending to the same host:port, and the netflow parser should get the source correctly.  So with that in mind, how is it broken?

The argus configuration for srcid has evolved a bit in the last 10 years, but you can specify the srcid in a lot of complex ways.  What does your argus.conf file look like?

For radium.1, radium is a client, so it uses the clients library, which already uses the ‘-e’ option for grepping the user data.  We special-cased it for radium, by looking to see if argv[0] is equal to “radium”.  Not sure if passing the full pathname defeats that …, it should work however.

I would recommend that you try the radium.conf file, to see if it’s a workaround, and then send a bit more information, so we can figure out if there is a bug.

Carter

> On Mar 20, 2016, at 7:19 PM, Richard Rothwell via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi List,
> 
> I am having trouble getting srcid to behave as expected.
> 
> My immediate problem is getting the streams from multiple routers labelled when passed into radium.
> This is using the command line:
> sudo /usr/local/sbin/radium -S cisco://any:9002 -S cisco://any:9006 -S cisco://any:9014 -S cisco://any:9019 -d -e 02 -P 562 -w /tmp/radium_20160319.argus -- local dur lte 300
> I’m sort of hoping that srcid can contain the router id; a number representing a truncated IP address would be enough.
> If not, what is the recommended solution?
> 
> But there are other puzzles.
> When sourcing data via the argus daemon only the ‘hostname’ option seems to work. Bug perhaps?
> When sourcing data from radium I expect the -e option to provide the srcid, but that does not work at all. Is this expectation wrong?
> How to get srcid or something else to represent the router id in the argus records as noted above?
> Regards from Richard

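The point Carter makes about netflow sources, that the source id is taken from the exporting router's own IP address in the packet rather than from the listening port, is illustrated below with an added example. This is not argus or radium code and does not reproduce argus's record layout; it is a small NetFlow v5 parser that tags each flow record with the exporter address a UDP collector would see from recvfrom(), so several routers sending to one host:port still come out labelled separately. The router addresses (192.0.2.1, 192.0.2.2) and the flows are constructed for the example.

```python
"""Added example (not argus code): label NetFlow v5 records with the
exporter's IPv4 address, i.e. the address the datagram arrived from, so
routers that share one collector host:port are still told apart."""
import socket
import struct
from collections import Counter
from typing import Dict, List, Tuple

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output,
# dPkts, dOctets, First, Last, srcport, dstport, pad1, tcp_flags, prot,
# tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# (saddr, daddr, sport, dport, proto, packets, octets)
Flow = Tuple[str, str, int, int, int, int, int]


def build_v5_datagram(flows: List[Flow], engine_id: int = 0, sequence: int = 0) -> bytes:
    """Build a v5 export datagram as a router would (constructed test input)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, sequence, 0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                       0, 0, pkts, octets, 0, 0, sp, dp,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for (s, d, sp, dp, proto, pkts, octets) in flows)
    return header + body


def parse_v5_datagram(exporter_ip: str, datagram: bytes) -> List[Dict]:
    """Parse one datagram; every record carries srcid = exporter address.

    exporter_ip is what a collector gets from sock.recvfrom(), not anything
    inside the payload, so a spoofed header cannot change the label."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    fields = V5_HEADER.unpack_from(datagram, 0)
    version, count, engine_id = fields[0], fields[1], fields[7]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Trust the declared count only if the bytes are actually there.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: fewer records than header claims")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcid": exporter_ip,          # the router id the thread asks about
            "engine_id": engine_id,
            "saddr": socket.inet_ntoa(r[0]), "daddr": socket.inet_ntoa(r[1]),
            "sport": r[9], "dport": r[10], "proto": r[13],
            "pkts": r[5], "bytes": r[6],
        })
    return records


def collect(arrivals: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Simulate a collector loop: (exporter_ip, datagram) pairs as recvfrom()
    would hand them over one shared port; returns records per srcid."""
    per_source: Counter = Counter()
    for exporter_ip, datagram in arrivals:
        for rec in parse_v5_datagram(exporter_ip, datagram):
            per_source[rec["srcid"]] += 1
    return dict(per_source)


def demo() -> Dict[str, int]:
    """Two constructed routers exporting to the same collector port."""
    router_a = build_v5_datagram([
        ("10.1.0.5", "198.51.100.7", 40001, 443, 6, 12, 9000),
        ("10.1.0.9", "198.51.100.7", 40002, 53, 17, 1, 80),
    ], engine_id=1)
    router_b = build_v5_datagram([
        ("10.2.0.3", "203.0.113.4", 50000, 22, 6, 5, 600),
    ], engine_id=2)
    return collect([("192.0.2.1", router_a), ("192.0.2.2", router_b)])


if __name__ == "__main__":
    for srcid, n in demo().items():
        print(f"srcid {srcid}: {n} records")
```

The label is set from the transport source address, which is why one listener socket is enough for any number of routers; the parser also refuses datagrams whose declared record count exceeds the bytes received, rather than reading past the buffer.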