rasplit and netflow question

Michael Stone via Argus-info argus-info at lists.andrew.cmu.edu
Thu Sep 22 11:49:41 EDT 2016


On Thu, Sep 22, 2016 at 11:08:49AM -0400, Carter Bullard wrote:
>Hmmmmmmm,
>rasplit is a very simple program … it may be that the Netflow records are not being parsed correctly.  Depending on how it's configured, you can generate poorly formed records from Cisco equipment.   If you don’t mind, could you set the -D4 to -D9, and then send the output that indicates the result of the ArgusParseCiscoRecordV9Data routine, which is the most important information.

rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392504 ArgusReadConnection(0xde0ee010, 2) reading cisco wire format
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392514 ArgusReadConnection(0xde0ee010, 2) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392533 ArgusHandleRecord (0x7f16de0ee228, 0x7f16de280808) returning -1
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392546 ArgusFree (0x19163a0)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392556 ArgusDeleteQueue (0x19163a0) returning
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392565 ArgusReadStream(0x7f16de15f010) starting
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392581 ArgusAdjustGlobalTime real 1474558911.392581 global 1474558911.392581
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392599 ArgusReadCiscoDatagramSocket (0xde0ee010) starting
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392609 ArgusCalloc (1, 80) returning 0x19163a0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392618 ArgusNewQueue () returning 0x19163a0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392633 ArgusReadCiscoDatagramSocket (0x7f16de0ee010) read 1392 bytes, capacity 1392
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392643 ArgusReadCiscoDatagramSocket (0x7f16de15f010, 0x7f16de0ee010) read record header
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392657 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392667 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392677 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392686 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392695 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392704 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392728 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392738 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392747 ArgusReadCiscoDatagramSocket (0xde0ee010) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392758 ArgusAdjustGlobalTime real 1474558911.392758 global 1474558911.392758
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392768 ArgusReadCiscoDatagramSocket (0xde0ee010) starting
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392778 ArgusReadCiscoDatagramSocket (0x7f16de0ee010) read 1448 bytes, capacity 1448
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392788 ArgusReadCiscoDatagramSocket (0x7f16de15f010, 0x7f16de0ee010) read record header
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392797 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392805 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392815 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392823 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0

There is no ArgusParseCiscoRecordV9Data.

>What version of client code are you running ????

3.0.8.2

Mike Stone
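
The debug output above shows every ArgusParseCiscoRecordV9 call returning (nil) for each FlowSet in the 1392- and 1448-byte datagrams. A quick way to see what a v9 datagram actually carries, independently of Argus, is to walk its header and FlowSets yourself and check whether the exporter has sent the templates the data FlowSets depend on. The following is an added example written for this thread, not Argus code and not a reproduction of any Argus routine; it follows the RFC 3954 export-packet layout and field type numbers, and the two datagrams it walks are constructed inline (the unix_secs value is just the epoch seconds from the log lines above, used as a constant). A Data FlowSet that arrives before its template is reported as unparsed, which is the usual reason a v9 decoder yields nothing for an otherwise well-formed packet:

```python
"""Minimal NetFlow v9 datagram walker (added example; not Argus code).
Learns templates from FlowSet ID 0 and decodes Data FlowSets (ID >= 256)
only once a template for that (source_id, template_id) pair is known.
"""
import struct
from typing import Dict, List, Optional, Tuple

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HDR = struct.Struct("!HH")    # flowset_id, length (length includes this 4-byte header)

# RFC 3954 field types used by the constructed sample below
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

Template = List[Tuple[int, int]]                 # [(field_type, field_length), ...]
TemplateCache = Dict[Tuple[int, int], Template]  # (source_id, template_id) -> fields


def parse_header(data: bytes) -> dict:
    if len(data) < V9_HEADER.size:
        raise ValueError("datagram shorter than a v9 header")
    version, count, uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    return {"count": count, "uptime": uptime, "unix_secs": unix_secs,
            "sequence": seq, "source_id": source_id}


def parse_template_flowset(body: bytes, source_id: int, cache: TemplateCache) -> List[int]:
    """FlowSet ID 0: learn every template record in the body; returns the template IDs learned."""
    learned, off = [], 0
    while off + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, off)
        off += 4
        if template_id == 0 and field_count == 0:   # trailing padding
            break
        if off + 4 * field_count > len(body):
            raise ValueError(f"template {template_id} overruns its FlowSet")
        fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(field_count)]
        off += 4 * field_count
        cache[(source_id, template_id)] = fields
        learned.append(template_id)
    return learned


def decode_field(ftype: int, raw: bytes):
    name = FIELD_NAMES.get(ftype, f"type_{ftype}")
    if ftype in (8, 12) and len(raw) == 4:           # IPv4 addresses as dotted quads
        return name, ".".join(str(b) for b in raw)
    return name, int.from_bytes(raw, "big")


def parse_data_flowset(body: bytes, template_id: int, source_id: int,
                       cache: TemplateCache) -> Optional[List[dict]]:
    """Returns decoded records, or None when no template is known for this FlowSet yet."""
    fields = cache.get((source_id, template_id))
    if not fields:
        return None
    rec_len = sum(flen for _, flen in fields)
    records, off = [], 0
    while off + rec_len <= len(body):                # leftover bytes (< rec_len) are padding
        rec = {}
        for ftype, flen in fields:
            name, value = decode_field(ftype, body[off:off + flen])
            rec[name] = value
            off += flen
        records.append(rec)
    return records


def walk_datagram(data: bytes, cache: TemplateCache) -> dict:
    hdr = parse_header(data)
    out = {"header": hdr, "templates_learned": [], "records": [], "unparsed": []}
    off = V9_HEADER.size
    while off + FLOWSET_HDR.size <= len(data):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(data, off)
        if fs_len < FLOWSET_HDR.size or off + fs_len > len(data):
            out["unparsed"].append((fs_id, "bad FlowSet length"))   # malformed: stop walking
            break
        body = data[off + FLOWSET_HDR.size:off + fs_len]
        if fs_id == 0:
            out["templates_learned"] += parse_template_flowset(body, hdr["source_id"], cache)
        elif fs_id == 1:
            out["unparsed"].append((fs_id, "options template (not handled here)"))
        elif fs_id >= 256:
            recs = parse_data_flowset(body, fs_id, hdr["source_id"], cache)
            if recs is None:
                out["unparsed"].append((fs_id, "no template for this source/id yet"))
            else:
                out["records"] += recs
        else:
            out["unparsed"].append((fs_id, "reserved FlowSet id"))
        off += fs_len
    return out


# --- constructed sample datagrams (not captured traffic) ---------------------
def build_flowset(fs_id: int, body: bytes) -> bytes:
    body += b"\x00" * ((-len(body)) % 4)             # FlowSets are padded to 32-bit boundaries
    return FLOWSET_HDR.pack(fs_id, FLOWSET_HDR.size + len(body)) + body


def build_header(count: int, seq: int, source_id: int) -> bytes:
    return V9_HEADER.pack(9, count, 123456, 1474558911, seq, source_id)


def demo():
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]     # 21-byte records
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    record = bytes([10, 0, 0, 1]) + bytes([192, 0, 2, 10]) + struct.pack("!HHBII", 44321, 443, 6, 1500, 12)
    data_only = build_header(1, 1, 7) + build_flowset(256, record)
    with_tmpl = build_header(2, 2, 7) + build_flowset(0, template) + build_flowset(256, record)
    cache: TemplateCache = {}
    first = walk_datagram(data_only, cache)    # data before template: nothing decodable
    second = walk_datagram(with_tmpl, cache)   # template learned, same record now decodes
    third = walk_datagram(data_only, cache)    # the first datagram, replayed, decodes too
    return first, second, third


if __name__ == "__main__":
    for label, r in zip(("before template", "with template", "replayed"), demo()):
        print(label, "records:", r["records"], "unparsed:", r["unparsed"])
```

Pointing walk_datagram at a datagram read off the collector's UDP socket (one recvfrom per packet) tells you which FlowSet IDs the exporter is sending and whether a template for them has ever arrived from that source_id; if every FlowSet lands in "unparsed" with "no template ... yet", the exporter's template refresh interval or a collector restart is the thing to look at, whereas "bad FlowSet length" points at a malformed packet.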
