rasplit and netflow question

Michael Stone via Argus-info argus-info at lists.andrew.cmu.edu
Thu Sep 22 09:45:18 EDT 2016


On Wed, Sep 21, 2016 at 08:51:46PM -0400, Carter Bullard wrote:
>> On Sep 21, 2016, at 7:35 PM, Michael Stone via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>
>> I mainly use the argus daemon to generate flow records, but in one case I receive netflow records and would like to store and access them in the same way as the argus flow data. Reception seems to be working, as
>>  ra -S cisco://any:9995
>> outputs the expected flows (though the first line always has a 1969-12-31 19:00 timestamp). If I try to use rasplit, though, nothing is written to disk using
>>  rasplit -M time 5m -S cisco://any:9995 -w /argus/%Y/%m/%d/%Y.%m.%d.%H.%M.%S
>>
>> Should this work?
>>
>Yes, that should work.  You may want to run with debug set, so you can see what rasplit is doing with the records.  (You may need to reconfigure and remake with a .debug tag file in the root directory.)
>   % cd /path/to/the/argus-clients/root/directory
>   % touch .debug
>   % ./configure;make
>   % bin/rasplit -D4 -M time 5m -S cisco://any:9995 -w /argus/%Y/%m/%d/%Y.%m.%d.%H.%M.%S

rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780751 ArgusAddHostList (0xa5fc6010, cisco://any:9995, 16, 17) returning 1
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780794 ArgusNewList () returning 0x25407a0
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780829 main: reading files completed
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780838 ArgusNewQueue () returning 0x2541630
rasplit[26394]: 2016-09-22 09:26:05.780875 Binding AF_ANY:9995 Expecting Netflow records
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780944 receiving
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780955 ArgusGetServerSocket (0x7fada5f55010) returning 3
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783287 ArgusInitAddrtoname (0x7fada5fc6010, 0x0, 0x0)
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783316 ArgusParseInit(0x7fada5fc6010 0x7fada5f55010
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783325 ArgusReadConnection(0xa5f55010, 2) reading cisco wire format
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783332 ArgusReadConnection(0xa5f55010, 2) returning 0
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783351 ArgusDeleteQueue (0x2541630) returning
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783360 ArgusReadStream(0x7fada5fc6010) starting
rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783382 ArgusNewQueue () returning 0x2541630

Followed by many many instances of ArgusParseCiscoRecordV9Data new flow, and nothing else. Nothing is written.

>You may want to use radium to collect the netflow records and have rasplit connect to the radium, if you'd like the flexibility to have other analytics work with the flow records, outside of the archive.

I tried with radium also, it didn't seem to be working either so I thought I'd work on the simpler case first.

If I use -M size rather than -M time and no -w, then I do get an xaa file.

Mike Stone
