[unisog] Cisco netflow and argus (was registering servers)

Lucy E. Lynch llynch at darkwing.uoregon.edu
Mon Jul 31 00:40:41 GMT 2006


On Mon, 31 Jul 2006, Rudolph Pereira wrote:

> On Fri, Jul 28, 2006 at 12:46:52PM -0700, John Gerth wrote:
>>   However, I eventually gave up on the netflows when I discovered that
>>   our routers would often drop flows entirely, especially under load,
>>   and that they would also manage to screw up timestamps in some cases
>>   such that the flow would have the wrong orientation (this took a
>>   number of tedious and painful experiments to prove).  Unfortunately
>>   I had no authority or standing to pursue these problems very far
>>   so I don't know if they're config or programming errors that might
>>   be fixable.  All I can say is that in my case the errors could reach
>>   up to the 20% range which made me give up and switch to using argus
>>   on "span" ports.
> Does anyone have pointers to papers or other concrete descriptions of
> problems with netflow on cisco routers making them useless (ok: less
> useful) for security incident investigation and/or accounting/traffic
> analysis? We're having more problems with them as time goes on, and I
> suspect that netflow is more and more likely to become a second-class
> citizen on cisco platforms and would like some data to backup a case for
> abandoning it altogether in favour of something like argus.

looks like there is lots of 3rd party action - maybe you just need
better tools? see:

http://www.projects.ncassr.org/sift/
http://www.nanog.org/mtg-0602/pdf/yurcik.pdf

and

http://www.cert.org/flocon/


> thanks
>

Lucy E. Lynch 				Academic User Services
Computing Center			University of Oregon
llynch  @darkwing.uoregon.edu		(541) 346-1774
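The comparison John Gerth describes above, as an added example that is not code from the post or from argus or any of the linked tools: it takes the flows observed on a span port (treated as ground truth, as an argus-style sensor would supply them) and the router's NetFlow export, then counts flows that were dropped outright or exported with reversed orientation. The Flow record, the helper names and the sample flows are all constructed for the example; the `loss_rate` it reports is the fraction of ground-truth flows the router never exported.

```python
from dataclasses import dataclass

# Added example: compares span-port flows (ground truth) with the router's
# NetFlow export to count dropped and mis-oriented flows.
@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

def canonical(f):
    """Direction-agnostic key so a flipped flow still matches its twin."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (min(a, b), max(a, b), f.proto)

def compare(truth, netflow):
    """Classify each ground-truth flow as exact, flipped, or missing."""
    exact = set(netflow)
    by_canon = {canonical(f) for f in netflow}
    stats = {"exact": 0, "flipped": 0, "missing": 0}
    for f in truth:
        if f in exact:
            stats["exact"] += 1
        elif canonical(f) in by_canon:
            stats["flipped"] += 1       # same endpoints, direction reversed
        else:
            stats["missing"] += 1       # router never exported this flow
    stats["loss_rate"] = stats["missing"] / len(truth) if truth else 0.0
    return stats

# Constructed sample input: five flows seen on the span port ...
SPAN_FLOWS = [
    Flow("10.0.0.5", 40001, "192.0.2.10", 80, 6),
    Flow("10.0.0.6", 40002, "192.0.2.10", 443, 6),
    Flow("10.0.0.7", 53001, "192.0.2.53", 53, 17),
    Flow("10.0.0.8", 40003, "192.0.2.11", 22, 6),
    Flow("10.0.0.9", 40004, "192.0.2.12", 25, 6),
]
# ... and what the router exported: one reversed, one never exported.
NETFLOW_RECORDS = [
    Flow("10.0.0.5", 40001, "192.0.2.10", 80, 6),
    Flow("192.0.2.10", 443, "10.0.0.6", 40002, 6),  # orientation flipped
    Flow("10.0.0.7", 53001, "192.0.2.53", 53, 17),
    Flow("10.0.0.8", 40003, "192.0.2.11", 22, 6),
]
```

Calling `compare(SPAN_FLOWS, NETFLOW_RECORDS)` on the constructed sample gives 3 exact, 1 flipped, 1 missing and a loss rate of 0.2; on real data, run it per time window so that load-dependent drops show up as a rate that rises with traffic.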

