packet data capture in argus-clients.b37

Carter Bullard carter at qosient.com
Thu Jan 2 19:31:27 EST 2003


Hey David,
   Hope you had a great holiday!   Yes, Mark is correct,
you need to specify the user data field either in the
.rarc file or on the command line.   If you just want to
tack the data to the end of the default record, use:

   ra -s +user -r datafile

If you just want the user data and nothing else:

   ra -s user -r datafile

and of course if you wanted something like, startime,
src <-> dst host, dst port and user data:

   ra -s startime saddr dir daddr dport user -r datafile

The default is to use ascii encoding and 32 bytes, I
believe.  Still use the -d[sd]x to specify other byte
values.

Carter




> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Mark Poepping
> Sent: Thursday, January 02, 2003 6:45 PM
> To: 'David Ressman'
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: packet data capture in argus-clients.b37
> 
> 
> 
> The options have changed in the newer clients (I forget 
> offhand which version changed them - b22 perhaps?).  Anyway, 
> now there are a bunch of "-s" options for ordering printed 
> fields.  They are all documented in the new manpages, but 
> you'll need to change your scripts (or alias the options you 
> want).  All in all, the new options are *much* more powerful 
> and useful, but the change is a bit confusing if you didn't 
> get round to reading the 'ChangeLog' (to know what manpages 
> to diff:-)..
> 
> Mark.
> 
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of David Ressman
> > Sent: Thursday, January 02, 2003 4:28 PM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: packet data capture in argus-clients.b37
> > 
> > Hi all,
> > 
> > I've been playing around with the argus-tools beta 37 package, and
> > everything appears to work well, except for one.  For some reason, it
> > seems to be ignoring the user data capture fields when I ask it to
> > print them out with the "-d" option.
> > 
> > We make extensive use of this option in our production environment (an
> > argus-2.0.6b5 server feeding to an argus-2.0.6b1 client).
> > 
> > I installed the argus-clients package because there was lots of nifty
> > stuff in it that I wanted to try out, but when I tried to use the b37
> > ra client to read out an argus file written with the 2.0.6b1 client
> > (captured by the 2.0.6b5 server) with "ra -nr /some/argus.file -d 64",
> > I got all of the flow data, but the user data stuff just wasn't in the
> > output.
> > 
> > I tried using the b37 ra client to capture flow data from the 2.0.6b5
> > server, and that worked fine, but I still couldn't access any of the
> > user data.  I know that the user data was definitely in the files
> > because I could read it with the 2.0.6b1 client.  I just can't get the
> > b37 client to see the data.
> > 
> > Does anyone have any ideas as to what's happening?
> > 
> > Thanks,
> > 
> > David
> > 
> > --
> > David Ressman                          davidr at uchicago.edu
> > Network Security Center, The University of Chicago
> > PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
> 