Getting flows from a span port

Matt Brown via Argus-info argus-info at lists.andrew.cmu.edu
Thu May 26 10:43:22 EDT 2016


Monah,

argus can consume netflow, render it to argus binary data, which can be
stored/reviewed with the various ra* clients.

Solarwinds has an add-in that renders netflow graphically ("NetFlow Traffic
Analyzer"); argus doesn't do this, but people have stored argus data and
then used `ragraph` to render graphs of data.

There are a few examples on the NSMwiki page: http://nsmwiki.org/Argus

[image: https://mbrownnyc.files.wordpress.com/2013/07/argus.png]


Hope this helps,

Matt



On Thu, May 26, 2016 at 8:45 AM, Monah Baki via Argus-info <
argus-info at lists.andrew.cmu.edu> wrote:

> Morning Carter,
>
> I guess this implementation is missing from my end.
>
> http://www.qosient.com/argus/argusnetflow.shtml
>
> I am only running argus off a Span Port from our core switches.
>
>
>
>
> On Thu, May 26, 2016 at 7:21 AM, Carter Bullard <carter at qosient.com>
> wrote:
> > Hey Monah,
> > Hmmmmm ... still not enough info ... of course they can do "netflow
> usage" and "view one entire flow", but what does that mean ???   If you use
> ratop, which can read argus data and netflow data, you are doing "netflow
> usage", so there is more to the question than what is being presented.
> ratop, by default, is showing you "one entire flow", for realtime on-going
> flows.  If that is not enough, then there is more to the question ...
> >
> > Solarwinds does a lot of stuff, usually driven by SNMP data.  Stuff like
> strip charts/time series bulk interface counts.  If they want to replace
> solarwinds, I would guess that they want to do a lot of different graphs
> and reports, possibly hourly or daily reports of what is going on, or they
> want to see graphs of specific metrics, such as the number of transactions
> or time series graphs of top talkers, or ...
> >
> > Argus data can drive all the traditional views that can be generated by
> SNMP based data, if you're normally looking to do strip charts of interface
> counters, etc, but there is quite a bit of work for you to do, if you're
> starting from scratch.
> >
> > Regardless of what you want to do, a first step is to start storing your
> argus data.  That will give you the primitive data needed to generate
> historical reports and graphs.    Look at rasplit.1 or rastream.1.  If you
> want to generate realtime graphs, use programs like rabins.1 to generate
> periodic XML data that can be used by javascript json style widgets.  That
> is pretty straightforward.   There is a gap between Argus open source tools
> and Solarwinds.  Some sites like GLORIAD did do just what you're
> presenting.  But it is a bit of work.
> >
> > What specifically do they want to do ????
> > Carter
> >
> >> On May 25, 2016, at 2:45 PM, Monah Baki <monahbaki at gmail.com> wrote:
> >>
> >> Hi Carter,
> >>
> >>
> >> Our networking team are looking to replace solarwinds, and they were
> >> impressed with the output of a simple
> >>
> >> ratop -s stime sport dport duser suser
> >>
> >> which is what I use on a daily basis
> >>
> >> But they asked about netflow usage and if they can view "one entire
> flow"
> >>
> >> Since I am the only one using Argus which is on a span port
> >>
> >> That's all that I got from them.
> >>
> >> Thanks
> >> Monah
> >>
> >>
> >>> On Wed, May 25, 2016 at 2:39 PM, Carter Bullard <carter at qosient.com>
> wrote:
> >>> Hey Monah,
> >>> Hmmmmm, not enough info.  So what have you tried to do ???  Have you
> read any
> >>> of the documentation, or README files ??
> >>>
> >>> Carter
> >>>
> >>> On May 25, 2016, at 2:14 PM, Monah Baki via Argus-info
> >>> <argus-info at lists.andrew.cmu.edu> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> we have our argus on a span port, any way to get flows from it?
> >>>
> >>>
> >>> Thanks
> >>> Monah
> >>
> >
>