[unisog] Cisco netflow and argus (was registering servers)

Rudolph Pereira rudolph at usyd.edu.au
Mon Jul 31 00:24:04 GMT 2006

On Fri, Jul 28, 2006 at 12:46:52PM -0700, John Gerth wrote:
>   However, I eventually gave up on the netflows when I discovered that
>   our routers would often drop flows entirely, especially under load,
>   and that they would also manage to screw up timestamps in some cases
>   such that the flow would have the wrong orientation (this took a
>   number of tedious and painful experiments to prove).  Unfortunately
>   I had no authority or standing to pursue these problems very far
>   so I don't know if they're config or programming errors that might
>   be fixable.  All I can say is that in my case the errors could reach
>   up to the 20% range which made me give up and switch to using argus
>   on "span" ports.
Does anyone have pointers to papers or other concrete descriptions of
problems with netflow on cisco routers making them useless (ok: less
useful) for security incident investigation and/or accounting/traffic
analysis? We're having more problems with them as time goes on, and I
suspect that netflow is more and more likely to become a second-class 
citizen on cisco platforms and would like some data to backup a case for
abandoning it altogether in favour of something like argus.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.dshield.org/pipermail/unisog/attachments/20060731/031715df/attachment.bin 

More information about the unisog mailing list