Are we archiving the list? (and argus 2.0)
Peter Van Epp
vanepp at sfu.ca
Tue Jun 13 18:50:49 EDT 2000
I managed to delete Carter's message this morning before reading it.
Do I remember someone starting an archive of the list? If so would someone
supply a pointer to the archive and/or forward me a copy of Carter's message
please?
To make this not a completely useless post, I've thought of another
2.0 requirement (although it isn't really argus): we need to modify the bpf
filter to return the entire IP header (rather than a fixed length). As it
stands should I want to avoid being caught by argus while doing something
undesirable, I fill my headers with options to overflow the input buffer before
the interesting headers are appended.
I have also been playing with tcpreplay from
http://www.anzen.com/research/nidsbench to provide reproducible, variable rate
traffic streams to argus. For instance my 386 at home can capture up to about
4 megabits per second before it starts losing packets (and that looks to be
bpf/the kernel not argus). When I have done some more poking I'll report
further, but it looks like an excellent tool for testing network gear in
general and IDSs in particular.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
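An added example, not part of the post or of argus, illustrating the fixed-snaplen problem raised above: it reads the IHL nibble of a constructed IPv4 header to compute the capture length needed to reach the transport header, and flags frames that a fixed snaplen would truncate. The Ethernet framing, the sample packets and the 68-byte snaplen (tcpdump's historical default) are assumptions chosen for the demonstration.

```python
import struct

ETH_HDR_LEN = 14        # Ethernet II header, no VLAN tag (assumed link type)
TCP_MIN_HDR_LEN = 20    # TCP header without options


def ipv4_header_len(ip: bytes) -> int:
    """Return the IPv4 header length in bytes, read from the IHL nibble."""
    if not ip:
        raise ValueError("empty IP header")
    version, ihl = ip[0] >> 4, ip[0] & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"invalid IHL {ihl}")
    return ihl * 4


def needed_snaplen(frame: bytes) -> int:
    """Bytes of capture needed to see Ethernet + full IP header + a 20-byte TCP header."""
    return ETH_HDR_LEN + ipv4_header_len(frame[ETH_HDR_LEN:]) + TCP_MIN_HDR_LEN


def transport_header_truncated(frame: bytes, snaplen: int) -> bool:
    """True if a fixed snaplen would cut off the TCP header behind the IP options."""
    return snaplen < needed_snaplen(frame)


def build_frame(options: bytes) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 (with the given options) + bare TCP header."""
    pad = (-len(options)) % 4                 # pad to a 32-bit boundary with EOL (0x00)
    opts = options + b"\x00" * pad
    ihl = 5 + len(opts) // 4                  # IHL counts 32-bit words, max 15
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts) + TCP_MIN_HDR_LEN,
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + opts
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


if __name__ == "__main__":
    FIXED_SNAPLEN = 68                        # assumed fixed snaplen (tcpdump's old default)
    for label, opts in (("no options", b""), ("40 bytes of NOP options", b"\x01" * 40)):
        frame = build_frame(opts)
        print(f"{label}: need {needed_snaplen(frame)} bytes, "
              f"truncated at {FIXED_SNAPLEN}: {transport_header_truncated(frame, FIXED_SNAPLEN)}")
```

Auditing existing capture files the same way (comparing each record's captured length against `needed_snaplen`) shows how many flows a sensor never fully saw.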