[ARGUS] Argus taking libpcap files from stdin

Carter Bullard carter at qosient.com
Thu Sep 30 10:37:33 EDT 2004


Hey Bill,
   Sorry for the massive delay in responding.  Because argus
uses the libpcap() library, we're kinda limited in what we can
do with it.  Can you pipe tcpdump() data files into tcpdump()?

Carter



> From: Bill Guyton <guyton at bguyton.com>
> Date: Tue, 31 Aug 2004 23:12:07 -0500
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
> 
> On Wed, Sep 01, 2004 at 03:58:54PM +1200, Russell Fulton wrote:
> 
>> On Wed, 2004-09-01 at 15:48, Bill Guyton wrote:
> 
>>> Forgive me if this has already been discussed -- I'm new to the list.
>>> 
>>> I noticed that the argus program will not take libpcap files from stdin.
>>> For example, if I zcat a compressed tcpdump output file into argus, the
>>> following fails:
>>> 
>>> zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz
>> 
>> ra will read gz files directly. Have you tried
>> 
>> argus -r tcp.2004080901.gz
>> 
>> -- 
>> Russell Fulton, Information Security Officer, The University of Auckland
>> New Zealand
> 
> 
> Thanks, Russell!  I didn't know that -- it may come in handy.
> 
> Unfortunately, I oversimplified my example.  What I'm actually working on
> is a tcpdump-like process listening on a live interface that dynamically
> adjusts its pcap filter based on certain events.  What I really want to
> do is to be able to pipe directly into argus if at all possible and avoid
> writing to disk.
> 
> Would getting rid of the fclose(stdin) break anything, as far as anyone
> knows?
> 
> Thanks!
> Bill
> 
> 
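Added example, not argus or libpcap code: a small C reader that walks a classic pcap stream using only sequential fread() calls, which is the property a pipeline such as `zcat tcp.2004080901.gz | ./argus -r -` needs from the consumer (no seeking, no fclose(stdin)). It handles both byte orders of the magic and flags a stream that is cut off mid-record; the sample bytes at the bottom are constructed, and the helper that feeds them assumes tmpfile() can create a scratch file.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
struct pcap_stats { uint32_t packets; uint64_t bytes; int truncated; };

/* Byte-swap a header field when the capture was written in the other byte order. */
static uint32_t fix(uint32_t v, int swap) {
    return swap ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}

/* Walk a classic pcap stream using only sequential fread(), so `in` may be a pipe.
 * Returns 0 on success, -1 if the 24-byte global header is missing or its magic is
 * not classic pcap (pcapng, a gzip member, or garbage). */
int pcap_stream_count(FILE *in, struct pcap_stats *st) {
    uint32_t hdr[6], rec[4];  /* magic,version,zone,sigfigs,snaplen,link / ts,us,incl,orig */
    unsigned char chunk[4096];
    memset(st, 0, sizeof *st);
    if (fread(hdr, 1, sizeof hdr, in) != sizeof hdr) return -1;
    int swap = hdr[0] == 0xd4c3b2a1u;                    /* writer had the opposite byte order */
    if (hdr[0] != 0xa1b2c3d4u && !swap) return -1;
    uint32_t snaplen = fix(hdr[4], swap);
    for (;;) {
        size_t got = fread(rec, 1, sizeof rec, in);
        if (got == 0) return 0;                          /* clean end of stream */
        uint32_t incl = got == sizeof rec ? fix(rec[2], swap) : snaplen + 1;
        if (incl > snaplen) { st->truncated = 1; return 0; }    /* cut or corrupt record */
        for (uint32_t left = incl, w; left > 0; left -= w) {    /* consume the packet bytes */
            w = left < sizeof chunk ? left : (uint32_t)sizeof chunk;
            if (fread(chunk, 1, w, in) != w) { st->truncated = 1; return 0; }
        }
        st->packets++; st->bytes += incl;
    }
}

/* Constructed sample: little-endian header (snaplen 65535, linktype 1), records of 4
 * and 6 bytes, then a record header claiming 8 bytes of which only 2 are present. */
static const unsigned char SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xaa,0xbb,0xcc,0xdd,
    0,0,0,0, 0,0,0,0, 6,0,0,0, 6,0,0,0, 1,2,3,4,5,6,
    0,0,0,0, 0,0,0,0, 8,0,0,0, 8,0,0,0, 9,9 };
struct pcap_stats sample_st;                             /* filled in by sample_stats() */
int sample_stats(void) {                                 /* feeds SAMPLE through a FILE* */
    FILE *f = tmpfile(); if (!f) return -1;
    fwrite(SAMPLE, 1, sizeof SAMPLE, f); rewind(f);
    int rc = pcap_stream_count(f, &sample_st); fclose(f); return rc;
}
int main(void) {                                         /* e.g. zcat tcp.gz | ./pcapcount */
    struct pcap_stats st;
    if (pcap_stream_count(stdin, &st) != 0) { fputs("not a classic pcap stream\n", stderr); return 1; }
    printf("packets=%u bytes=%llu truncated=%d\n", st.packets, (unsigned long long)st.bytes, st.truncated);
    return 0;
}
```

On the constructed sample the reader reports two complete packets (10 bytes) and sets `truncated`, which is the case a writer that stops mid-record (or a pipe closed early) produces.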