Argus & IPFIX?

Carter Bullard carter at qosient.com
Thu Oct 26 14:08:28 EDT 2017


Hey Drew,
Well, I’ve been working on some non-critical Argus bugs for well over 2 years now, as I have absolutely little time for free engineering anymore.  Getting IPFIX data into open source Argus is unfortunately at the same priority level as those bugs, so you may have to wait for a while for me to get to it.  I was willing to fix a feature thinking it was already in Argus, rather than doing new work.   But it isn’t hard to do, maybe someone else has done the work and can share ????  I heard a rumor that some at CMU’s CERT have been doing some Argus integration work for SiLK, which is mostly IPFIX.  Maybe someone there has taken on this little project ???

Carter

> On Oct 26, 2017, at 12:31 PM, Drew Dixon <dwdixon at umich.edu> wrote:
> 
> :(  Well, I appreciate your help anyhow, it happens...I might be able to figure something out to convert the IPFIX to Netflow v9 temporarily I guess...would be getting really messy and wasting CPU cycles/disk space trying to do that though...I thought you said "To that end, if you have some IPFIX data that the ra* programs can’t read, I’ll spend some time making it work."  though?  I suppose I was banking on that either way.
> 
> Thanks,
> 
> -Drew
> 
> On Wed, Oct 25, 2017 at 7:15 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Drew,
> So, all the records are IPFIX, my mistake, we only go to Netflow V9 in argus-clients-3.0.8.2 …. we see that the version number is 10, and just jump right past the payload.   Any chance you can get your box to output Netflow V9 ????  My memory was on our commercial clients, which do a lot, netflow, sflow, ipfix.  
> 
> Sorry to have wasted all your time … If you get motivated, the code to support Netflow V10 would go in argus_import.c, create the NetflowV10 routines using the NetflowV9 support as a guide (they are almost identical), add some includes and constants and it should be difficult, given that v10 is almost identical to v9.  We’ll put it in the distribution if you get it going ...
> 
> Really sorry about that !!!!
> Carter
> 
>>>>>>>> Carter Bullard • CTO
>>>>>>>> 150 E 57th Street, Suite 12D
>>>>>>>> New York, New York 10022-2795
>>>>>>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>>>>>>> 
>>>>>>>> On Mon, Oct 16, 2017 at 1:52 PM, Carter Bullard <carter at qosient.com> wrote:
>>>>>>>> Hey Drew,
>>>>>>>> Argus should be able to read most/any IPFIX TCP/UDP data source, at least that is the goal.  To that end, if you have some IPFIX data that the ra* programs can’t read, I’ll spend some time making it work.  So if you’re using Juniper, have it export UDP IPFIX, and we should be able to read them, as the router advertises the templates in a reasonable timeframe, as we need to see the templates before we can decode the records (really terrible design flaw).
>>>>>>>> 
>>>>>>>> We, of course, recommend that you generate your own flow records rather than read from integrated IPFIX, especially if your network is going particularly fast.  QoSient has 1g, 10g, 40g and 100g argus sensor appliances for sale, so if you’re looking to do the do for real, think about generating your own data.
>>>>>>>> 
>>>>>>>> Hope all is most excellent,
>>>>>>>> Carter
>>>>>>>> 
>>>>>>>>> On Oct 16, 2017, at 11:18 AM, Drew Dixon <dwdixon at umich.edu> wrote:
>>>>>>>>> 
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> I'm wondering what the current status of Argus' support for reading IPFIX is, and if there might be any relevant information/updates on that front which someone could share?
>>>>>>>>> 
>>>>>>>>> I did some quick searching online and see mention of IPFIX in relation to Argus but nothing really stating that it's officially supported at this time etc.
>>>>>>>>> 
>>>>>>>>> Thank you!
>>>>>>>>> 
>>>>>>>>> -Drew
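The two points the thread above turns on (IPFIX carries version 10 in the first two header bytes where NetFlow v9 carries 9, and a data set cannot be decoded until its template set has been seen) as an added example that is not Argus or QoSient code: a minimal IPFIX reader over constructed messages. The template contents (IEs 8, 12 and 4), the observation domain id and the sample addresses are assumptions made for the sample.

```python
import struct
# Added example (not Argus code): a minimal IPFIX (version 10) reader showing why templates
# must be seen before data can be decoded. Messages below are constructed; fixed-length only.
IPFIX_HDR = struct.Struct("!HHIII")  # version, length, exportTime, sequence, obsDomainId
SET_HDR = struct.Struct("!HH")       # set id, set length

def flow_version(buf):
    """First two bytes of both NetFlow v9 and IPFIX headers: 9 or 10 respectively."""
    return struct.unpack_from("!H", buf, 0)[0]

def parse_ipfix(buf, templates):
    """templates: dict keyed (obsDomainId, templateId), kept across messages.
    Returns (decoded records, number of data sets skipped for lack of a template)."""
    version, length, _exp_time, _seq, domain = IPFIX_HDR.unpack_from(buf, 0)
    if version != 10: raise ValueError("not IPFIX: version %d" % version)
    records, skipped, off = [], 0, IPFIX_HDR.size
    while off + SET_HDR.size <= length:
        set_id, set_len = SET_HDR.unpack_from(buf, off)
        body = buf[off + SET_HDR.size:off + set_len]
        if set_id == 2:                       # template set: learn record layouts
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p); p += 4
                fields = []
                for _ in range(nfields):
                    ie, ln = struct.unpack_from("!HH", body, p); p += 4
                    if ie & 0x8000: p += 4    # enterprise bit set: skip the 4-byte PEN
                    fields.append((ie & 0x7FFF, ln))
                templates[(domain, tid)] = fields
        elif set_id >= 256:                   # data set: usable only with its template
            fields = templates.get((domain, set_id))
            if fields is None:
                skipped += 1                  # data arrived before its template
            else:
                rec_len, p = sum(ln for _, ln in fields), 0
                while p + rec_len <= len(body):
                    rec = {}
                    for ie, ln in fields:
                        rec[ie] = body[p:p + ln]; p += ln
                    records.append(rec)
        off += set_len
    return records, skipped

def build_msg(sets, domain=7):  # constructed IPFIX message from (set_id, payload) pairs
    body = b"".join(SET_HDR.pack(sid, SET_HDR.size + len(d)) + d for sid, d in sets)
    return IPFIX_HDR.pack(10, IPFIX_HDR.size + len(body), 0, 1, domain) + body

# Template 256: sourceIPv4Address (IE 8, 4 B), destinationIPv4Address (IE 12, 4 B), protocolIdentifier (IE 4, 1 B)
TEMPLATE = struct.pack("!HH", 256, 3) + struct.pack("!HHHHHH", 8, 4, 12, 4, 4, 1)
DATA = bytes([10, 0, 0, 1, 192, 0, 2, 1, 6]) + bytes([10, 0, 0, 2, 192, 0, 2, 2, 17])
```

Feeding `build_msg([(256, DATA)])` before `build_msg([(2, TEMPLATE)])` into the same templates dict yields one skipped data set and no records; the same data after the template decodes into two records.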
