argus to tcpdump conversion
Carter Bullard
carter at qosient.com
Thu Jun 14 10:01:49 EDT 2001
Scott,
Seems like the list is back. Hmmm, well this is something that has come up with snort/argus integration, and it is not a crazy idea, but it's not trivial. You are suggesting that we take argus data and convert it back to packet data. I was thinking that that would be the way to drive Peter's tcpreplay() tools.

There is no support for doing this today. The way to do this is with a new ra* client, not with argus itself. Take an argus flow record, and generate the potential packet stream, trying to do well with data sizes, sequence numbers, and the like, possibly even generating a real TCP session out of a single argus record. Is this what you're thinking about?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
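The ra*-client approach Carter sketches, as an added example that is not part of this thread or of the argus distribution: expand one flow record into a plausible TCP session (handshake, data segments sized from the byte counts, teardown) and write it as a libpcap file that tcpdump can read. The record fields (src/dst, ports, per-direction packet and byte counts, start/end time) are constructed here and are assumptions, not the real argus record layout.

```python
import socket, struct

# Constructed flow summary standing in for one argus record (field names are assumed)
FLOW = {"src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80,
        "src_pkts": 5, "src_bytes": 700, "dst_pkts": 6, "dst_bytes": 3000,
        "start": 992520000.0, "end": 992520001.0}
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

def ipv4_tcp(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Raw IPv4+TCP datagram; checksums left zero (tcpdump still decodes it)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def split_bytes(total, n):
    """Spread total payload bytes over max(n, 1) segments; remainder to the last."""
    n = max(n, 1)
    return [total // n] * (n - 1) + [total - (total // n) * (n - 1)]

def synth_session(f):
    """Expand one flow record into a plausible TCP session (handshake, data, FIN)."""
    c, s = (f["src"], f["sport"]), (f["dst"], f["dport"])
    seq, pkts = {c: 1000, s: 5000}, []          # arbitrary initial sequence numbers
    def emit(frm, to, flags, data=b""):
        ack = seq[to] if flags & ACK else 0
        pkts.append(ipv4_tcp(*frm, *to, seq[frm], ack, flags, data))
        seq[frm] += len(data) or (1 if flags & (SYN | FIN) else 0)
    emit(c, s, SYN); emit(s, c, SYN | ACK); emit(c, s, ACK)
    # Client side: SYN, ACK and FIN are control packets; the rest carry data
    for size in split_bytes(f["src_bytes"], f["src_pkts"] - 3):
        emit(c, s, PSH | ACK, b"C" * size)
    # Server side: SYN-ACK and FIN are control packets; the rest carry data
    for size in split_bytes(f["dst_bytes"], f["dst_pkts"] - 2):
        emit(s, c, PSH | ACK, b"S" * size)
    emit(c, s, FIN | ACK); emit(s, c, FIN | ACK)
    step = (f["end"] - f["start"]) / max(len(pkts) - 1, 1)   # spread over duration
    return [(f["start"] + i * step, p) for i, p in enumerate(pkts)]

def write_pcap(records):
    """Serialize (timestamp, packet) pairs as a libpcap file, LINKTYPE_RAW (101)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for ts, pkt in records:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("synth.pcap", "wb") as fh:        # inspect with: tcpdump -nr synth.pcap
        fh.write(write_pcap(synth_session(FLOW)))
```

The packet count per direction matches the record exactly and the payload bytes sum to the record's byte counts; timing inside the flow, sequence numbers and content are invented, which is the limit of what a single flow record can reconstruct.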
-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Scott A. McIntyre
Sent: Thursday, June 14, 2001 7:12 AM
To: argus-info at lists.andrew.cmu.edu
Subject: argus to tcpdump conversion
Hi,
I need to somehow export a series of argus data files into tcpdump format for portability purposes (a series of tools that are already built around tcpdump; at some point I'll convert to ra and client friends, but until then...).
I thought that a:
argus_linux -r argus_capture_file -w - | tcpdump -w tcpdump.out -r -
would do it, but that generates a:
argus_linux[12043]: ArgusInitSource: Unknown packet file format
Must be something obvious...
Thanks,
Scott