[ARGUS] collecting and reporting flow content

slif at bellsouth.net
Mon Jul 26 14:20:41 EDT 2004


Apologies in advance if this has already been covered.
I'm about one third through the 2500+ archived mail messages.

I have questions related to eric's response.

>subject was: [ARGUS] Sensor Setup

>On Mon, 2004-07-26 at 10:37:00 -0400, John Nagro proclaimed...
> Could someone please outline (or point me to docs) on properly setting
> up a machine to run argus and instead of writing its output to disk,
> sent it to another machine and have it record there.


On 2004/07/26 Mon AM 10:41:48 EDT eric wrote:
>On machineA, compile argus and use the following argus.conf
>[SNIP removed for brevity]
>
>Then on machineB..
>
>$ nohup ra -nn -S 10.10.10.10 -w argus.cap &
>
>Rotate your flows, as necessary, using argusarchive.


#-#-#-#-#-#

I have several questions that are related to argus' ability
to save the first N bytes of each flow's transaction.

I know that argus can use either a command line option (e.g., -U128)
or a configuration directive (e.g., ARGUS_PACKET_CAPTURE_FILE=), and this
copies the first N bytes of each flow's transaction.

Can argus send those records in the stream of other argus records
over a remote connection? Or would another argus instance be required
to provide this content stream separately?
How would the "ra()" command at the
remote end separate the argus records from the tcpdump-formatted
transaction data? Would multiple "ra()" instances be needed?


Whether gathered locally or remotely, how can the ra* tools be used
to report the first 128 bytes of some transactions?
How can these be shown as plaintext, or as hexadecimal?


Can the report show the sequence and direction of each of the
byte streams displaying their content?


Thank you,
-Mike Slifcak