[ARGUS] Checking argus counts
Peter Van Epp
vanepp at sfu.ca
Tue Jun 29 23:53:45 EDT 2004
As part of testing a new perl script I needed to know the source and
destination bytes as tcpdump sees them. As a bonus (with some help from
Carter to get the counts from tcpdump right :-)) it also can be used to check
the accuracy of the argus counts. It was written on FreeBSD so it may or may not
work as is on other OSes depending on how standard tcpdump output is. Given
a tcpdump file t.tcpd, feed it to argus to get an argus file:
argus_bpf -r t.tcpd -w t.argus
then feed it to a chain of tcpdump and perl (perl below) to get tcpdump data
summed by src/dst ip/port which can then be compared to the output from ra
reading the t.argus file created above:
%tcpdump -r t.tcpd -n -X | tcpdump_adr_cnt.pl |tcpdump_adr_sum.pl
142.58.74.121 50650 208.38.45.191 80 162
208.38.45.191 80 142.58.74.121 50650 7570
142.58.101.24 59604 208.38.45.191 80 3220
208.38.45.191 80 142.58.101.24 59604 63965
208.38.45.191 80 142.58.74.121 50652 284
142.58.74.121 50652 208.38.45.191 80 768
208.38.45.191 80 142.58.101.24 59600 2614
142.58.101.24 59600 208.38.45.191 80 2672
%ra -r t.argus -c -nn
29 Jun 04 12:15:27 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
28 Jun 04 20:02:06 tcp 142.58.74.121.50652 ?> 208.38.45.191.80 1 1 768 284 CON
28 Jun 04 20:02:06 tcp 142.58.101.24.59600 ?> 208.38.45.191.80 6 5 2672 2614 CON
28 Jun 04 20:02:06 tcp 208.38.45.191.80 ?> 142.58.101.24.59604 45 25 63965 3220 CON
28 Jun 04 20:02:06 tcp 208.38.45.191.80 ?> 142.58.74.121.50650 5 3 7570 162 CON
29 Jun 04 12:15:27 man 229.97.122.203 v2.0 5 0 91 0 81405 4 SHT
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
tcpdump_adr_cnt.pl
--- cut here ---
#!/usr/bin/perl
# Read "tcpdump -n -X" output (from the file named on the command line, or
# from stdin) and print one line per IPv4 packet:
#   src_ip src_port dst_ip dst_port bytes
# where bytes is the IP total length plus 14 bytes of Ethernet header, which
# is the per-packet size argus counts.
use strict;
use warnings;

my ($src_ip, $src_port, $dst_ip, $dst_port, $length);

while (<>) {
    chomp;
    if ($_ !~ /^\s*0x/) {
        # A packet summary line. Print the previous packet first: its length
        # comes from the hex dump that followed its own summary line.
        print "$src_ip $src_port $dst_ip $dst_port $length\n"
            if defined $length;
        $length = undef;
        # Old tcpdump: "time src.port > dst.port: ..."; newer tcpdump puts
        # "IP" after the timestamp. Only IPv4 addr.port pairs are handled.
        if (/^\S+\s+(?:IP\s+)?(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):/) {
            ($src_ip, $src_port, $dst_ip, $dst_port) = ($1, $2, $3, $4);
        } else {
            # Not an IPv4 addr.port summary (ARP, ICMP, ...): skip its dump.
            ($src_ip, $src_port, $dst_ip, $dst_port) = ();
        }
    } elsif (defined $src_ip && /^\s*0x0000:?\s+[0-9a-f]{4}\s+([0-9a-f]{4})/i) {
        # First hex-dump line (old "0x0000\t 4500 003c" and newer
        # "\t0x0000:  4500 003c" layouts): the second 16-bit word of the IP
        # header is the total length. Add 14 bytes for the Ethernet header.
        $length = hex($1) + 14;
    }
}
# Print the last packet.
print "$src_ip $src_port $dst_ip $dst_port $length\n" if defined $length;
--- cut here ---
tcpdump_adr_sum.pl
--- cut here ---
#!/usr/bin/perl
# Sum the per-packet lines from tcpdump_adr_cnt.pl by src/dst ip/port so that
# each direction of a flow gets one total, comparable with the SrcBytes and
# DstBytes columns of "ra -c".
use strict;
use warnings;

my %bytes;
while (<>) {
    chomp;
    my ($src_ip, $src_port, $dst_ip, $dst_port, $length) = split ' ';
    next unless defined $length;
    $bytes{"$src_ip $src_port $dst_ip $dst_port"} += $length;
}
# Sorted output keeps runs comparable with diff.
foreach my $quad (sort keys %bytes) {
    print "$quad $bytes{$quad}\n";
}
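The comparison step in the post is done by eye: each tcp record in the ra output should have its SrcBytes column equal to the tcpdump sum for src->dst and its DstBytes column equal to the sum for dst->src. The following script automates that check. It is an added example, not code from the post or from the argus project, and it is in Python rather than Perl. It assumes the `ra -c -nn` column layout shown above (date, time, proto, src, direction, dst, SrcPkts, DstPkts, SrcBytes, DstBytes, state) and that both sides count bytes the same way (IP total length plus 14 bytes of Ethernet header, as tcpdump_adr_cnt.pl computes). The sample inputs are the two outputs quoted in the post, embedded as constants.

```python
"""Reconcile per-direction byte totals from the tcpdump/perl chain with the
SrcBytes/DstBytes columns of `ra -c -nn`."""
import re

# Constructed sample input: the two outputs quoted in the post.
TCPDUMP_SUMS = """\
142.58.74.121 50650 208.38.45.191 80 162
208.38.45.191 80 142.58.74.121 50650 7570
142.58.101.24 59604 208.38.45.191 80 3220
208.38.45.191 80 142.58.101.24 59604 63965
208.38.45.191 80 142.58.74.121 50652 284
142.58.74.121 50652 208.38.45.191 80 768
208.38.45.191 80 142.58.101.24 59600 2614
142.58.101.24 59600 208.38.45.191 80 2672
"""

RA_OUTPUT = """\
29 Jun 04 12:15:27 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
28 Jun 04 20:02:06 tcp 142.58.74.121.50652 ?> 208.38.45.191.80 1 1 768 284 CON
28 Jun 04 20:02:06 tcp 142.58.101.24.59600 ?> 208.38.45.191.80 6 5 2672 2614 CON
28 Jun 04 20:02:06 tcp 208.38.45.191.80 ?> 142.58.101.24.59604 45 25 63965 3220 CON
28 Jun 04 20:02:06 tcp 208.38.45.191.80 ?> 142.58.74.121.50650 5 3 7570 162 CON
29 Jun 04 12:15:27 man 229.97.122.203 v2.0 5 0 91 0 81405 4 SHT
"""

ADDR_PORT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def split_addr(token):
    """'142.58.74.121.50652' -> ('142.58.74.121', 50652)."""
    m = ADDR_PORT.match(token)
    if not m:
        raise ValueError("not an IPv4 addr.port token: %r" % token)
    return m.group(1), int(m.group(2))


def parse_tcpdump_sums(text):
    """Map (src_ip, src_port, dst_ip, dst_port) -> bytes tcpdump saw in that direction."""
    sums = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        src_ip, src_port, dst_ip, dst_port, nbytes = fields
        key = (src_ip, int(src_port), dst_ip, int(dst_port))
        sums[key] = sums.get(key, 0) + int(nbytes)
    return sums


def parse_ra(text):
    """Parse `ra -c -nn` flow records into
    (src, dst, spkts, dpkts, sbytes, dbytes, state) tuples.

    Assumed column layout (matches the post): day mon yr time proto src dir dst
    SrcPkts DstPkts SrcBytes DstBytes State. Management ('man') records are skipped.
    """
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[4] == "man":
            continue
        spkts, dpkts, sbytes, dbytes = (int(x) for x in f[8:12])
        flows.append((split_addr(f[5]), split_addr(f[7]), spkts, dpkts, sbytes, dbytes, f[12]))
    return flows


def reconcile(sums, flows):
    """Return one (direction_key, label, tcpdump_bytes, argus_bytes) tuple per
    discrepancy. An empty list means argus agrees with tcpdump in both
    directions of every flow and reported a record for every direction seen."""
    problems = []
    covered = set()
    for (sip, sport), (dip, dport), _spkts, _dpkts, sbytes, dbytes, _state in flows:
        for key, argus_bytes, label in (
            ((sip, sport, dip, dport), sbytes, "src->dst"),
            ((dip, dport, sip, sport), dbytes, "dst->src"),
        ):
            covered.add(key)
            tcpdump_bytes = sums.get(key, 0)
            if tcpdump_bytes != argus_bytes:
                problems.append((key, label, tcpdump_bytes, argus_bytes))
    # Traffic tcpdump saw for which argus produced no flow record at all.
    for key in sorted(set(sums) - covered):
        problems.append((key, "no argus record", sums[key], None))
    return problems


def check(tcpdump_text, ra_text):
    """Full pipeline: text of tcpdump_adr_sum.pl output + text of ra output -> problems."""
    return reconcile(parse_tcpdump_sums(tcpdump_text), parse_ra(ra_text))


if __name__ == "__main__":
    problems = check(TCPDUMP_SUMS, RA_OUTPUT)
    print("argus and tcpdump byte counts agree" if not problems else problems)
```

On the post's data the check comes back clean. A direction with no argus record is reported as well as a byte mismatch, since a flow argus dropped entirely is the more serious discrepancy when the tool is used to validate counts.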