Using tcpdump input
Andrew Pollock
andrew-argus at andrew.net.au
Mon Mar 24 22:21:51 EST 2003
Hi,
I'm running tcpdump packet captures at the same points of my network that
I run Argus, and so I grabbed a day's worth of tcpdumps and ran them
through argus and then compared that with a day's worth of natively
generated Argus logs.
I've found the difference quite unusual: the record counts come out close
(+/- 10,000), yet the packet and byte counts come out around 50% less for a
tcpdump than for a native Argus log.
The tcpdumps are all captured with a snap length of 100 bytes.
I would have thought that I'd get identical results? Or can you not use
tcpdumps as input?
Andrew