[ARGUS] Argus taking libpcap files from stdin

Carter Bullard carter at qosient.com
Thu Sep 30 11:08:07 EDT 2004 

Well, argus is suppose to be able to handle "-r -".  Is that not working?
Carter


> From: Bill Guyton <guyton at bguyton.com>
> Date: Thu, 30 Sep 2004 10:03:47 -0500
> To: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
> 
> 
> 
> Hi, Carter.
> 
>> Can you pipe tcpdump() data files into tcpdump()?
> 
> Yep.
> 
> A silly example:
> 
> tcpdump -r /tmp/tcp.data -w - | tcpdump -r - -nnq icmp
> 
> A better example, using mergecap from ethereal to merge two pcap files and
> then tcpdump to evaluate the "sorted" packets:
> 
> mergecap -w - tcp1.data tcp2.data | tcpdump -r - -nn
> 
> 
> libpcap recognizes the input file '-' as stdin.
> 
> Thanks!
> Bill
> 
> 
> On Thu, Sep 30, 2004 at 10:37:33AM -0400, Carter Bullard wrote:
>> Hey Bill,
>>    Sorry for the massive delay in responding.  Because argus
>> uses the libpcap() library, we're kinda limited in what we can
>> do with it.  Can you pipe tcpdump() data files into tcpdump()?
>> 
>> Carter
>> 
>> 
>> 
>>> From: Bill Guyton <guyton at bguyton.com>
>>> Date: Tue, 31 Aug 2004 23:12:07 -0500
>>> To: <argus-info at lists.andrew.cmu.edu>
>>> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
>>> 
>>> On Wed, Sep 01, 2004 at 03:58:54PM +1200, Russell Fulton wrote:
>>> 
>>>> On Wed, 2004-09-01 at 15:48, Bill Guyton wrote:
>>> 
>>>>> Forgive me if this has already been discussed -- I'm new to the list.
>>>>> 
>>>>> I noticed that the argus program will not take libpcap files from stdin.
>>>>> For example, if I zcat a compressed tcpdump output file into argus, the
>>>>> following fails:
>>>>> 
>>>>> zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz
>>>> 
>>>> ra will read gz file directly have you tried
>>>> 
>>>> argus -r tcp.2004080901.gz
>>>> 
>>>> -- 
>>>> Russell Fulton, Information Security Officer, The University of Auckland
>>>> New Zealand
>>> 
>>> 
>>> Thanks, Russell!  I didn't know that -- it may come in handy.
>>>                
>>> Unfortunately, I oversimplified my example.  What I've actually working on
>>> is a tcpdump-like process listening on a live interface that dynamically
>>> adjusts its pcap filter based on certain events.  What I really want to
>>> do is to be able to pipe directly into argus if at all possible and avoid
>>> writing to disk.
>>>                
>>> Would getting rid of the fclose(stdin) break anything, as far as anyone
>>> knows?
>>>                
>>> Thanks!
>>> Bill
>>> 
>>> 
>> 
>

More information about the argus mailing list