rasplit and netflow question
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Thu Sep 22 11:08:49 EDT 2016
Hmmmmmmm,
rasplit is a very simple program … it maybe that the Netflow records are not being parsed correctly. Depending on how its configured, you can generate poorly formed records from Cisco equipment. If you don’t mind, could you set the -D4 to -D9, and then send the output that indicates the result of the ArgusParseCiscoRecordV9Data routine, which is the most important information.
What version of client code are you running ????
Carter
> On Sep 22, 2016, at 9:45 AM, Michael Stone via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> On Wed, Sep 21, 2016 at 08:51:46PM -0400, Carter Bullard wrote:
>>> On Sep 21, 2016, at 7:35 PM, Michael Stone via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>>
>>> I mainly use the argus daemon to generate flow records, but in one case I recieve netflow records and would like to store and access them in the same way as the argus flow data. Reception seems to be working, as ra -S cisco://any:9995
>>> outputs the expected flows (though the first line always has a 1969-12-31 19:00 timestamp). If I try to use rasplit, though, nothing is written to disk using
>>> rasplit -M time 5m -S cisco://any:9995 -w /argus/%Y/%m/%d/%Y.%m.%d.%H.%M.%S
>>>
>>> Should this work?
>>>
>> Yes, that should work. You may want to run with debug set, so you can see what rasplit is doing with the records. (you may need to re configure and remake with a .debug tag file in the root directory).
>> % cd /path/to/the/argus-clients/root/directory
>> % touch .debug
>> % ./configure;make
>> % bin/rasplit -D4 -M time 5m -S cisco://any:9995 -w /argus/%Y/%m/%d/%Y.%m.%d.%H.%M.%S
>
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780751 ArgusAddHostList (0xa5fc6010, cisco://any:9995, 16, 17) returning 1
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780794 ArgusNewList () returning 0x25407a0
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780829 main: reading files completed
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780838 ArgusNewQueue () returning 0x2541630
> rasplit[26394]: 2016-09-22 09:26:05.780875 Binding AF_ANY:9995 Expecting Netflow records
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780944 receiving
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.780955 ArgusGetServerSocket (0x7fada5f55010) returning 3
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783287 ArgusInitAddrtoname (0x7fada5fc6010, 0x0, 0x0)
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783316 ArgusParseInit(0x7fada5fc6010 0x7fada5f55010
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783325 ArgusReadConnection(0xa5f55010, 2) reading cisco wire format
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783332 ArgusReadConnection(0xa5f55010, 2) returning 0
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783351 ArgusDeleteQueue (0x2541630) returning
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783360 ArgusReadStream(0x7fada5fc6010) starting
> rasplit[26394.00b710a6ad7f0000]: 2016-09-22 09:26:05.783382 ArgusNewQueue () returning 0x2541630
>
> Followed by many many instances of ArgusParseCiscoRecordV9Data new flow, and nothing else. Nothing is written.
>
>> You may want to use radium to collect the netflow records and have rasplit connect to the radium, if you’d like the flexibility to have other analytics work with the flow records, out side of the archive.
>
> I tried with radium also, it didn't seem to be working either so I thought I'd work on the simpler case first.
>
> If I use -M size rather than -M time and no -w, then I do get an xaa file.
> Mike Stone
>
More information about the argus
mailing list