Argus & IPFIX?

Drew Dixon dwdixon at umich.edu
Thu Oct 26 12:31:29 EDT 2017


:( Well, I appreciate your help anyhow, it happens... I might be able to
figure something out to convert the IPFIX to Netflow v9 temporarily I
guess... would be getting really messy and wasting CPU cycles/disk space
trying to do that tho... I thought you said "To that end, if you have some
IPFIX data that the ra* programs can’t read, I’ll spend some time making it
work." though? I suppose I was banking on that either way.

Thanks,

-Drew

On Wed, Oct 25, 2017 at 7:15 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Drew,
> So, all the records are IPFIX, my mistake, we only go to Netflow V9 in
> argus-clients-3.0.8.2 …. we see that the version number is 10, and just
> jump right past the payload.   Any chance you can get your box to output
> Netflow V9 ????  My memory was on our commercial clients, which do a lot,
> netflow, sflow, ipfix.
>
> Sorry to have wasted all your time … If you get motivated, the code to
> support Netflow V10 would go in argus_import.c, create the NetflowV10
> routines using the NetflowV9 support as a guide (they are almost
> identical), add some includes and constants and it should be difficult,
> given that v10 is almost identical to v9.  We’ll put it in the distribution
> if you get it going ...
>
> Really sorry about that !!!!
> Carter
>
>
>>>>>>
>>>>>> Carter Bullard <carter at qosient.com> • CTO
>>>>>> 150 E 57th Street, Suite 12D
>>>>>> New York, New York 10022-2795
>>>>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>>>>>
>>>>>>
>>>>>> On Mon, Oct 16, 2017 at 1:52 PM, Carter Bullard <carter at qosient.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hey Drew,
>>>>>>> Argus should be able to read most/any IPFIX TCP/UDP data source, at
>>>>>>> least that is the goal.  To that end, if you have some IPFIX data that the
>>>>>>> ra* programs can’t read, I’ll spend some time making it work.  So if you're
>>>>>>> using Juniper, have it export UDP IPFIX, and we should be able to read
>>>>>>> them, as the router advertises the templates in a reasonable timeframe, as
>>>>>>> we need to see the templates before we can decode the records (really
>>>>>>> terrible design flaw).
>>>>>>>
>>>>>>> We, of course recommend that you generate your own flow records
>>>>>>> rather than read from integrated IPFIX, especially if your network is
>>>>>>> going particularly fast.  QoSient has 1g, 10g, 40g and 100g argus sensor
>>>>>>> appliances for sale, so if you’re looking to do the do for real, think
>>>>>>> about generating your own data.
>>>>>>>
>>>>>>> Hope all is most excellent,
>>>>>>> Carter
>>>>>>>
>>>>>>> Carter Bullard <carter at qosient.com> • CTO
>>>>>>> 150 E 57th Street, Suite 12D
>>>>>>> New York, New York 10022-2795
>>>>>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Oct 16, 2017, at 11:18 AM, Drew Dixon <dwdixon at umich.edu> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm wondering what the current status of Argus' support of reading
>>>>>>> IPFIX is and if there might be any relevant information/updates on
>>>>>>> that front which someone could share?
>>>>>>>
>>>>>>> I did some quick searching online and see mention of IPFIX in
>>>>>>> relation to Argus but nothing really stating that it's officially supported
>>>>>>> at this time etc.
>>>>>>>
>>>>>>> Thank you!
>>>>>>>
>>>>>>> -Drew
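The header difference discussed in this thread (a v9-only reader sees version 10 and skips the payload), as an added example that is not part of the original messages and not code from argus_import.c. Field offsets follow RFC 3954 (NetFlow v9) and RFC 7011 (IPFIX); every struct, function and sample name below is hypothetical, and the two sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* All names here are hypothetical; none come from argus_import.c. */
struct flow_hdr {
    uint16_t version;     /* 9 = NetFlow v9, 10 = IPFIX */
    size_t hdr_len;       /* 20 bytes for v9, 16 for IPFIX */
    size_t msg_len;       /* bytes of buf that belong to this message */
    uint16_t template_id; /* set id that carries templates: 0 (v9), 2 (IPFIX) */
    uint32_t sequence, domain; /* domain: v9 source id / IPFIX observation domain */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 on success, -1 on short input or a version other than 9 or 10. */
int flow_parse_header(const uint8_t *buf, size_t len, struct flow_hdr *h)
{
    if (len < 2) return -1;
    h->version = rd16(buf);
    if (h->version == 9 && len >= 20) {
        h->hdr_len = 20;
        h->msg_len = len;           /* bytes 2-3 are a record count in v9 */
        h->template_id = 0;
    } else if (h->version == 10 && len >= 16) {
        h->hdr_len = 16;
        h->msg_len = rd16(buf + 2); /* bytes 2-3 are the message length in IPFIX */
        if (h->msg_len < 16 || h->msg_len > len) return -1;
        h->template_id = 2;
    } else return -1;
    h->sequence = rd32(buf + h->hdr_len - 8); /* last two 32-bit words of either header */
    h->domain = rd32(buf + h->hdr_len - 4);
    return 0;
}

/* 1 if the first set is a template set, 0 if not, -1 on malformed input. */
int flow_first_set_is_template(const uint8_t *buf, size_t len)
{
    struct flow_hdr h;
    if (flow_parse_header(buf, len, &h) != 0 || h.msg_len < h.hdr_len + 4) return -1;
    size_t set_len = rd16(buf + h.hdr_len + 2);
    if (set_len < 4 || h.hdr_len + set_len > h.msg_len) return -1;
    return rd16(buf + h.hdr_len) == h.template_id;
}

/* Constructed samples: one template (id 256, two 4-byte fields) in each format. */
const uint8_t sample_v9[36] = {0,9,0,1, 0,0,16,0, 0x59,0xf2,0x0d,0x41, 0,0,0,1, 0,0,0,7,
    0,0,0,16, 1,0,0,2, 0,8,0,4, 0,12,0,4};
const uint8_t sample_ipfix[32] = {0,10,0,32, 0x59,0xf2,0x0d,0x41, 0,0,0,1, 0,0,0,7,
    0,2,0,16, 1,0,0,2, 0,8,0,4, 0,12,0,4};
```

The template bodies in the two samples are byte-for-byte the same; only the message header and the template set id differ, and a truncated IPFIX datagram is rejected because its length field exceeds the bytes received.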