[ARGUS] collecting and reporting flow content
eric
eric at catastrophe.net
Mon Jul 26 14:27:13 EDT 2004
On Mon, 2004-07-26 at 14:20:41 -0400, slif at bellsouth.net proclaimed...
> Can argus send those records in the stream of other argus records
> over a remote connection ?
Yes, so long as the capture host is configured to grab the first N
bytes.
$ ra -nnS capturehost -s +user
> How would the "ra()" command at the
> remote end separate the argus records from the tcpdump-formatted
> transaction data ?
It is logged either in argus' binary format (which is pcap
compatible) or in ASCII if you output it to a file via redirection.
> Whether gathered locally or remotely, how can the ra* tools be used
> to report the first 128 bytes of some transactions ?
$ ra -nnS capturehost -s +user - tcp dst port 6667 or icmp
> Can the report show the sequence and direction of each of the
> byte streams displaying their content ?
Yes; perhaps you should try the above and see what the output is.
It's very intuitive and easier than you'd think.
- Eric
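For readers wondering what "configured to grab the first N bytes" looks like on the capture host, here is an argus.conf fragment as an added example; it is not from the original thread or from the argus project. It assumes the directive names ARGUS_INTERFACE, ARGUS_ACCESS_PORT and ARGUS_CAPTURE_DATA_LEN used by later argus releases, which may differ from the 2004 version discussed above.

```conf
# argus.conf fragment (added example, not from the original thread).
# Directive names are assumed from later argus releases; check your
# installed argus.conf for the exact spelling.

# Interface the sensor listens on.
ARGUS_INTERFACE=eth0

# Serve flow records to remote ra clients on the default argus port,
# which is what "ra -S capturehost" connects to.
ARGUS_ACCESS_PORT=561

# Number of user-payload bytes to keep from each direction of a flow.
# The weak/default setting is 0, which is why "-s +user" prints
# nothing until this is raised; 128 matches the question above.
ARGUS_CAPTURE_DATA_LEN=128
```

The same setting can be given on the argus command line (assumed flags of later releases: -i for interface, -P for access port, -U for payload bytes), so "argus -i eth0 -P 561 -U 128" should be equivalent. Keep in mind that captured payload is stored in the argus records themselves, so anything the sensor writes or streams to ra now carries up to 128 bytes of cleartext per direction and should be protected accordingly.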