[ARGUS] Argus taking libpcap files from stdin

Carter Bullard carter at qosient.com
Thu Sep 30 12:23:23 EDT 2004


So I've moved it in the main branch.
So that "feature" was supposed to be on lines
383-384, when we test for daemonflag, and
close it if we're going to do the fork.

Index: argus.c
===================================================================
RCS file: /usr/local/cvsroot/argus/server/argus.c,v
retrieving revision 1.94
diff -r1.94 argus.c
228d227
<    fclose(stdin);
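Review bot: with the `fclose(stdin)` at line 228 deleted, nothing in this hunk shows what stdin is used for between here and the point where the `-r -` input is opened, and plain `diff -r` output carries no context lines to check that against; please regenerate with `diff -u` so the surrounding code is visible. The deletion should also be confirmed against the pipeline from the thread, `zcat tcp.2004080901.gz | argus -r - -w -`, since that is the case the early close broke: libpcap maps `-` to stdin, and fclose() closes the underlying descriptor 0 as well as the stream.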
383a383
>       fclose(stdin);
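Review bot: the `fclose(stdin)` added at line 383 is unconditional within the daemonflag branch, so `-r -` combined with daemon mode will close the very stream libpcap is reading (libpcap maps `-` to stdin, and fclose() also closes descriptor 0). Guard the close on the input not being stdin, e.g. `if (daemonflag && !reading_stdin) fclose(stdin);` where `reading_stdin` is an illustrative name rather than a variable in argus.c, or document that `-r -` and daemon mode are mutually exclusive. The `daemonflag` test the mail describes is not visible in this `diff -r` output either; a `diff -u` would show it.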

It must have migrated by mistake a while ago.  Thanks
for sending the mail!!!!

Carter




> From: Bill Guyton <guyton at bguyton.com>
> Date: Thu, 30 Sep 2004 11:11:37 -0500
> To: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
> 
> 
> Nope; not working.  It would work if there were not the following early on
> in the code (server/argus.c):
> 
> fclose(stdin);
> 
> Someone probably added it.  I'll re-attach a patch I've got for argus-2.0.6
> source.  Hopefully that will help.
> 
> Thanks!
> Bill
> 
> 
> 
> 
> On Thu, Sep 30, 2004 at 11:08:07AM -0400, Carter Bullard wrote:
>> Well, argus is supposed to be able to handle "-r -".  Is that not working?
>> Carter
>> 
>> 
>>> From: Bill Guyton <guyton at bguyton.com>
>>> Date: Thu, 30 Sep 2004 10:03:47 -0500
>>> To: Carter Bullard <carter at qosient.com>
>>> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
>>> 
>>> 
>>> 
>>> Hi, Carter.
>>> 
>>>> Can you pipe tcpdump() data files into tcpdump()?
>>> 
>>> Yep.
>>> 
>>> A silly example:
>>> 
>>> tcpdump -r /tmp/tcp.data -w - | tcpdump -r - -nnq icmp
>>> 
>>> A better example, using mergecap from ethereal to merge two pcap files and
>>> then tcpdump to evaluate the "sorted" packets:
>>> 
>>> mergecap -w - tcp1.data tcp2.data | tcpdump -r - -nn
>>> 
>>> 
>>> libpcap recognizes the input file '-' as stdin.
>>> 
>>> Thanks!
>>> Bill
>>> 
>>> 
>>> On Thu, Sep 30, 2004 at 10:37:33AM -0400, Carter Bullard wrote:
>>>> Hey Bill,
>>>>    Sorry for the massive delay in responding.  Because argus
>>>> uses the libpcap() library, we're kinda limited in what we can
>>>> do with it.  Can you pipe tcpdump() data files into tcpdump()?
>>>> 
>>>> Carter
>>>> 
>>>> 
>>>> 
>>>>> From: Bill Guyton <guyton at bguyton.com>
>>>>> Date: Tue, 31 Aug 2004 23:12:07 -0500
>>>>> To: <argus-info at lists.andrew.cmu.edu>
>>>>> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
>>>>> 
>>>>> On Wed, Sep 01, 2004 at 03:58:54PM +1200, Russell Fulton wrote:
>>>>> 
>>>>>> On Wed, 2004-09-01 at 15:48, Bill Guyton wrote:
>>>>> 
>>>>>>> Forgive me if this has already been discussed -- I'm new to the list.
>>>>>>> 
>>>>>>> I noticed that the argus program will not take libpcap files from stdin.
>>>>>>> For example, if I zcat a compressed tcpdump output file into argus, the
>>>>>>> following fails:
>>>>>>> 
>>>>>>> zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz
>>>>>> 
>>>>>> ra will read gz files directly; have you tried
>>>>>> 
>>>>>> argus -r tcp.2004080901.gz
>>>>>> 
>>>>>> -- 
>>>>>> Russell Fulton, Information Security Officer, The University of Auckland
>>>>>> New Zealand
>>>>> 
>>>>> 
>>>>> Thanks, Russell!  I didn't know that -- it may come in handy.
>>>>> 
>>>>> Unfortunately, I oversimplified my example.  What I'm actually working on
>>>>> is a tcpdump-like process listening on a live interface that dynamically
>>>>> adjusts its pcap filter based on certain events.  What I really want to
>>>>> do is to be able to pipe directly into argus if at all possible and avoid
>>>>> writing to disk.
>>>>> 
>>>>> Would getting rid of the fclose(stdin) break anything, as far as anyone
>>>>> knows?
>>>>> 
>>>>> Thanks!
>>>>> Bill
>>>>> 
>>>>> 
>>>> 
>>> 
>> 
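Worked example, added here and not taken from argus or libpcap: a small C reader that applies the two things this thread turns on, libpcap's rule that the savefile name "-" means standard input (so the stream has to be read strictly forward, without fseek, because it may be a pipe) and the ordering of fclose(stdin) relative to opening the capture. The function names (open_capture, detach_stdin, count_packets, sample_capture, count_sample) and the capture bytes are this example's own, and the parser goes a little beyond the thread in accepting both byte orders and the nanosecond-resolution magic that libpcap also accepts.

```c
/* Added example, not argus or libpcap code: a minimal pcap-savefile reader
 * following libpcap's "-" == stdin rule, plus the daemonize-time stdin handling
 * the patch above needs. Function names and the capture bytes are this example's own. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC         0xa1b2c3d4u   /* microsecond timestamps */
#define PCAP_MAGIC_NS      0xa1b23c4du   /* nanosecond timestamps */
#define PCAP_MAGIC_SWAP    0xd4c3b2a1u   /* same two, written on a host of */
#define PCAP_MAGIC_NS_SWAP 0x4d3cb2a1u   /* the opposite byte order */

/* libpcap treats the savefile name "-" as standard input. */
FILE *open_capture(const char *name)
{
    return strcmp(name, "-") == 0 ? stdin : fopen(name, "rb");
}

/* Daemonize-time helper: close stdin only when the capture is not being read
 * from it, so "-r -" survives the fork. Returns 1 if closed, 0 if kept open. */
int detach_stdin(FILE *capture)
{
    if (capture == stdin)
        return 0;
    fclose(stdin);                             /* also closes descriptor 0 */
    return 1;
}

static uint32_t rd32(const unsigned char *p, int swap)
{
    uint32_t v; memcpy(&v, p, 4);              /* host order, as stored */
    if (swap)
        v = (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
    return v;
}

/* Walk the savefile strictly forward (no fseek: stdin may be a pipe). Returns
 * the record count, or -1 if the stream is not pcap, truncated or inconsistent. */
long count_packets(FILE *fp)
{
    unsigned char hdr[24], rec[16], buf[256];
    uint32_t magic, snaplen, incl_len; long n = 0;
    size_t got, want; int swap;
    if (fp == NULL || fread(hdr, 1, sizeof hdr, fp) != sizeof hdr)
        return -1;
    memcpy(&magic, hdr, 4);
    if (magic == PCAP_MAGIC || magic == PCAP_MAGIC_NS)
        swap = 0;
    else if (magic == PCAP_MAGIC_SWAP || magic == PCAP_MAGIC_NS_SWAP)
        swap = 1;
    else
        return -1;                             /* not a pcap savefile */
    snaplen = rd32(hdr + 16, swap);
    while ((got = fread(rec, 1, sizeof rec, fp)) == sizeof rec) {
        incl_len = rd32(rec + 8, swap);
        if (incl_len > snaplen || incl_len > rd32(rec + 12, swap))
            return -1;                         /* length fields inconsistent */
        while (incl_len > 0) {                 /* skip the packet bytes */
            want = incl_len < sizeof buf ? incl_len : sizeof buf;
            if (fread(buf, 1, want, fp) != want)
                return -1;                     /* truncated mid-packet */
            incl_len -= (uint32_t)want;
        }
        n++;
    }
    return got == 0 ? n : -1;                  /* partial record header */
}

/* Constructed capture (filler bytes, not real traffic): three records of 14,
 * 60 and 42 bytes, written in host byte order as libpcap's dumper does, into a
 * temp file. With truncate_last set the final record is one byte short. */
FILE *sample_capture(int truncate_last)
{
    static const uint32_t lens[3] = { 14, 60, 42 };
    uint32_t magic = PCAP_MAGIC, rest[4] = { 0, 0, 65535, 1 }; /* zone, sigfigs, snaplen, DLT_EN10MB */
    uint16_t version[2] = { 2, 4 };
    unsigned char pad[64] = { 0 };
    FILE *fp = tmpfile();
    int i;
    if (fp == NULL)
        return NULL;
    fwrite(&magic, 4, 1, fp);
    fwrite(version, 2, 2, fp);
    fwrite(rest, 4, 4, fp);
    for (i = 0; i < 3; i++) {
        uint32_t rec[4] = { (uint32_t)i, 0, lens[i], lens[i] }; /* sec, usec, incl, orig */
        fwrite(rec, 4, 4, fp);
        fwrite(pad, 1, lens[i] - (truncate_last && i == 2), fp);
    }
    rewind(fp);
    return fp;
}

/* Open, count and close one constructed capture. */
long count_sample(int truncate_last)
{
    FILE *fp = sample_capture(truncate_last);
    long n = count_packets(fp);
    if (fp) fclose(fp);
    return n;
}
```

detach_stdin is the shape the moved fclose(stdin) at line 383 would need: it skips the close when the reader is stdin, so the fork path and a pipeline such as `zcat file.gz | argus -r - -w -` do not conflict. count_packets deliberately never seeks, which is the constraint any "-r -" reader inherits from a pipe.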




