[ARGUS] Argus taking libpcap files from stdin

Bill Guyton guyton at bguyton.com
Wed Sep 1 00:12:07 EDT 2004


On Wed, Sep 01, 2004 at 03:58:54PM +1200, Russell Fulton wrote:

> On Wed, 2004-09-01 at 15:48, Bill Guyton wrote:

> > Forgive me if this has already been discussed -- I'm new to the list.
> > 
> > I noticed that the argus program will not take libpcap files from stdin.
> > For example, if I zcat a compressed tcpdump output file into argus, the
> > following fails:
> > 
> > 	zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz
> 
> ra will read gz files directly. Have you tried:
> 
> argus -r tcp.2004080901.gz
> 
> -- 
> Russell Fulton, Information Security Officer, The University of Auckland
> New Zealand


Thanks, Russell!  I didn't know that -- it may come in handy.

Unfortunately, I oversimplified my example.  What I'm actually working on
is a tcpdump-like process listening on a live interface that dynamically
adjusts its pcap filter based on certain events.  What I really want to
do is to be able to pipe directly into argus if at all possible and avoid
writing to disk.

Would getting rid of the fclose(stdin) break anything, as far as anyone
knows?

Thanks!
Bill