Argus Ra() Arp Support and the -R option

Carter Bullard carter at qosient.com
Thu Aug 17 09:26:04 EDT 2000 

Gentle People,
   In argus-2.0 we will have Arp and DHCP support, which
means we will audit every arp and dhcp transaction we
see.  This is pretty straightforward and it works quite
well, so far, given the science of testing ;o)

   The biggest concern, of course, is what will ra()
print out.  Well, in thinking about this, a new issue
came up and I'd like to hear your opinions.

   In each arp argus record we have all the basic arp
info, who made the request, who answered and what was
answered, etc.... So when trying to print out the arp
record using our standard formats, I was faced with a
dilemma.  We have A is requesting a MAC address for
B, so we have two IP addresses, that fits very well,
but we have a hardware address response.

   In some cases I can see the need to know who made
the request for what address, and what address is mapped
to what hardware address, and I saw a need for packet
counts as well, so Hmmmm.

   I came up with a 'R' option on the ra() command line
to print out the (R)esponse data.  This would work for
Arp, DHCP and possibly DNS.  This is what it looks like
now given this strategy.  What do you think?

Carter


~/argus-2.0.c/bin/ra -uncr /tmp/argus-2.0.out
 966461038.880511       arp     192.168.0.1   who-has   192.168.0.130
1      1       46        46       ACC
 966461105.010022       arp   192.168.0.128   who-has   192.168.0.129
1      1       28        46       ACC
 966461180.690022       arp   192.168.0.128   who-has   192.168.0.129
1      1       28        46       ACC
 966461339.073697       arp     192.168.0.1   who-has   192.168.0.130
1      1       46        46       ACC

~/argus-2.0.c/bin/ra -Runcr /tmp/argus-2.0.out
 966461038.880511       arp   192.168.0.130    is-at    00:01:03:1d:93:0a
1      1       46        46       ACC
 966461105.010022       arp   192.168.0.129    is-at    00:c0:4f:7b:e0:87
1      1       28        46       ACC
 966461180.690022       arp   192.168.0.129    is_at    00:c0:4f:7b:e0:87
1      1       28        46       ACC
 966461339.073697       arp   192.168.0.130    is-at    00:01:03:1d:93:0a
1      1       46        46       ACC

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426

More information about the argus mailing list