Getting flows from a span port

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Thu May 26 07:21:34 EDT 2016


Hey Monah,
Hmmmmm ... still not enough info ... of course they can do "netflow usage" and "view one entire flow", but what does that mean ???   If you use ratop, which can read argus data and netflow data, you are doing "netflow usage", so there is more to the question than what is being presented.  ratop, by default, is showing you "one entire flow", for realtime on-going flows.  If that is not enough, then there is more to the question ...

Solarwinds does a lot of stuff, usually driven by SNMP data.  Stuff like strip charts/time series bulk interface counts.  If they want to replace solarwinds, I would guess that they want to do a lot of different graphs and reports, possibly hourly or daily reports of what is going on, or they want to see graphs of specific metrics, such as the number of transactions or time series graphs of top talkers, or ...

Argus data can drive all the traditional views that can be generated by SNMP-based data, if you're normally looking to do strip charts of interface counters, etc., but there is quite a bit of work for you to do if you're starting from scratch.

Regardless of what you want to do, a first step is to start storing your argus data.  That will give you the primitive data needed to generate historical reports and graphs.    Look at rasplit.1 or rastream.1.  If you want to generate realtime graphs, use programs like rabins.1 to generate periodic XML data that can be used by javascript json style widgets.  That is pretty straightforward.   There is a gap between Argus open source tools and Solarwinds.  Some sites like GLORIAD did do just what you're presenting.  But it is a bit of work.

What specifically do they want to do ????
Carter

> On May 25, 2016, at 2:45 PM, Monah Baki <monahbaki at gmail.com> wrote:
> 
> Hi Carter,
> 
> 
> Our networking team are looking to replace solarwinds, and they were
> impressed with the output of a simple
> 
> ratop -s stime sport dport duser suser
> 
> which is what I use on a daily basis
> 
> But they asked about netflow usage and if they can view "one entire flow"
> 
> Since I am the only one using Argus which is on a span port
> 
> That's all that I got from them.
> 
> Thanks
> Monah
> 
> 
>> On Wed, May 25, 2016 at 2:39 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Monah,
>> Hmmmmm, not enough info.  So what have you tried to do ???  Have you read any
>> of the documentation, or README files ??
>> 
>> Carter
>> 
>> On May 25, 2016, at 2:14 PM, Monah Baki via Argus-info
>> <argus-info at lists.andrew.cmu.edu> wrote:
>> 
>> Hi all,
>> 
>> we have our argus on a span port, any way to get flows from it?
>> 
>> 
>> Thanks
>> Monah
> 



