rasplit and netflow question
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Thu Sep 22 11:55:20 EDT 2016
Hey Mike,
If you can do some packet capture on that port, and grab some of the Netflow packets, I’ll take a look as to why we’re not parsing them out. Just grab a handful. If you’d like to keep them private, upload them to ftp://ftp.qosient.com/incoming, and I’ll grab the file from there.
Carter
> On Sep 22, 2016, at 11:49 AM, Michael Stone via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> On Thu, Sep 22, 2016 at 11:08:49AM -0400, Carter Bullard wrote:
>> Hmmmmmmm,
>> rasplit is a very simple program … it maybe that the Netflow records are not being parsed correctly. Depending on how its configured, you can generate poorly formed records from Cisco equipment. If you don’t mind, could you set the -D4 to -D9, and then send the output that indicates the result of the ArgusParseCiscoRecordV9Data routine, which is the most important information.
>
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392504 ArgusReadConnection(0xde0ee010, 2) reading cisco wire format
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392514 ArgusReadConnection(0xde0ee010, 2) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392533 ArgusHandleRecord (0x7f16de0ee228, 0x7f16de280808) returning -1
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392546 ArgusFree (0x19163a0)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392556 ArgusDeleteQueue (0x19163a0) returning
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392565 ArgusReadStream(0x7f16de15f010) starting
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392581 ArgusAdjustGlobalTime real 1474558911.392581 global 1474558911.392581
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392599 ArgusReadCiscoDatagramSocket (0xde0ee010) starting
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392609 ArgusCalloc (1, 80) returning 0x19163a0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392618 ArgusNewQueue () returning 0x19163a0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392633 ArgusReadCiscoDatagramSocket (0x7f16de0ee010) read 1392 bytes, capacity 1392
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392643 ArgusReadCiscoDatagramSocket (0x7f16de15f010, 0x7f16de0ee010) read record header
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392657 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392667 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392677 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392686 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392695 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392704 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392728 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392738 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392747 ArgusReadCiscoDatagramSocket (0xde0ee010) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392758 ArgusAdjustGlobalTime real 1474558911.392758 global 1474558911.392758
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392768 ArgusReadCiscoDatagramSocket (0xde0ee010) starting
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392778 ArgusReadCiscoDatagramSocket (0x7f16de0ee010) read 1448 bytes, capacity 1448
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392788 ArgusReadCiscoDatagramSocket (0x7f16de15f010, 0x7f16de0ee010) read record header
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392797 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392805 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392815 ArgusParseCiscoRecordV9 (0x7f16de0ee010, 0x7ffd1eb04ed8) returning (nil)
> rasplit[30119.00472ade167f0000]: 2016-09-22 11:41:51.392823 ArgusHandleRecord ((nil), 0x7f16de280808) returning 0
>
> There is no ArgusParseCiscoRecordV9Data
>
>> What version of client code are you running ????
>
> 3.0.8.2
>
> Mike Stone
>
More information about the argus
mailing list