[ARGUS] Argus taking libpcap files from stdin
Carter Bullard
carter at qosient.com
Thu Sep 30 12:23:23 EDT 2004
So I've moved it in the main branch.
So that "feature" was supposed to be on line
383-384, when we test for daemonflag, and
close it if we're going to do the fork.
Index: argus.c
===================================================================
RCS file: /usr/local/cvsroot/argus/server/argus.c,v
retrieving revision 1.94
diff -r1.94 argus.c
228d227
< fclose(stdin);
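Review bot: deleting this unconditional fclose(stdin) at line 228 is the real fix for `-r -`, since, as the quoted thread notes, libpcap treats the input name '-' as stdin, so any close of stdin before libpcap opens the input breaks piped captures. The normal-format diff carries no context lines, so the commit message should say which function line 228 sits in and confirm that nothing between the old line 228 and line 383 relies on stdin already being closed.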
383a383
> fclose(stdin);
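Review bot: the re-added fclose(stdin) at 383 is described as belonging to the daemonflag test just before the fork, but the diff shows no enclosing condition, so confirm it lands inside that branch rather than unconditionally. Even inside it, an argus started with `-r -` and daemon mode together still reads its packets from stdin, so closing stdin there brings back the same breakage for that combination; guard it on both, e.g. `if (daemonflag && !input_is_stdin) fclose(stdin);` (placeholder name; use whatever argus already records for the `-r -` case).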
must have migrated by mistake a while ago. Thanks
for sending the mail!!!!
Carter
> From: Bill Guyton <guyton at bguyton.com>
> Date: Thu, 30 Sep 2004 11:11:37 -0500
> To: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
>
>
> Nope; not working. It would work if there were not the following early on
> in the code (server/argus.c):
>
> fclose(stdin);
>
> Someone probably added it. I'll re-attach a patch I've got for argus-2.0.6
> source. Hopefully that will help.
>
> Thanks!
> Bill
>
>
>
>
> On Thu, Sep 30, 2004 at 11:08:07AM -0400, Carter Bullard wrote:
>> Well, argus is supposed to be able to handle "-r -". Is that not working?
>> Carter
>>
>>
>>> From: Bill Guyton <guyton at bguyton.com>
>>> Date: Thu, 30 Sep 2004 10:03:47 -0500
>>> To: Carter Bullard <carter at qosient.com>
>>> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
>>>
>>>
>>>
>>> Hi, Carter.
>>>
>>>> Can you pipe tcpdump() data files into tcpdump()?
>>>
>>> Yep.
>>>
>>> A silly example:
>>>
>>> tcpdump -r /tmp/tcp.data -w - | tcpdump -r - -nnq icmp
>>>
>>> A better example, using mergecap from ethereal to merge two pcap files and
>>> then tcpdump to evaluate the "sorted" packets:
>>>
>>> mergecap -w - tcp1.data tcp2.data | tcpdump -r - -nn
>>>
>>>
>>> libpcap recognizes the input file '-' as stdin.
>>>
>>> Thanks!
>>> Bill
>>>
>>>
>>> On Thu, Sep 30, 2004 at 10:37:33AM -0400, Carter Bullard wrote:
>>>> Hey Bill,
>>>> Sorry for the massive delay in responding. Because argus
>>>> uses the libpcap() library, we're kinda limited in what we can
>>>> do with it. Can you pipe tcpdump() data files into tcpdump()?
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>>> From: Bill Guyton <guyton at bguyton.com>
>>>>> Date: Tue, 31 Aug 2004 23:12:07 -0500
>>>>> To: <argus-info at lists.andrew.cmu.edu>
>>>>> Subject: Re: [ARGUS] Argus taking libpcap files from stdin
>>>>>
>>>>> On Wed, Sep 01, 2004 at 03:58:54PM +1200, Russell Fulton wrote:
>>>>>
>>>>>> On Wed, 2004-09-01 at 15:48, Bill Guyton wrote:
>>>>>
>>>>>>> Forgive me if this has already been discussed -- I'm new to the list.
>>>>>>>
>>>>>>> I noticed that the argus program will not take libpcap files from stdin.
>>>>>>> For example, if I zcat a compressed tcpdump output file into argus, the
>>>>>>> following fails:
>>>>>>>
>>>>>>> zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz
>>>>>>
>>>>>> ra will read gz files directly; have you tried
>>>>>>
>>>>>> argus -r tcp.2004080901.gz
>>>>>>
>>>>>> --
>>>>>> Russell Fulton, Information Security Officer, The University of Auckland
>>>>>> New Zealand
>>>>>
>>>>>
>>>>> Thanks, Russell! I didn't know that -- it may come in handy.
>>>>>
>>>>> Unfortunately, I oversimplified my example. What I'm actually working on
>>>>> is a tcpdump-like process listening on a live interface that dynamically
>>>>> adjusts its pcap filter based on certain events. What I really want to
>>>>> do is to be able to pipe directly into argus if at all possible and avoid
>>>>> writing to disk.
>>>>>
>>>>> Would getting rid of the fclose(stdin) break anything, as far as anyone
>>>>> knows?
>>>>>
>>>>> Thanks!
>>>>> Bill
>>>>>
>>>>>
>>>>
>>>
>>
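The libpcap convention the whole thread relies on, `-r -` meaning "read the savefile from stdin", as an added example that is neither argus nor libpcap code: a minimal pcap savefile reader in Python that maps '-' to stdin and refuses to proceed if stdin was already closed, which is exactly the failure the early fclose(stdin) caused. The sample savefile is constructed inline, and the function names are assumptions of this example.

```python
import io, struct, sys

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic microsecond-timestamp savefile
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
GLOBAL_HEADER_LEN, RECORD_HEADER_LEN = 24, 16

def open_capture(path):
    # '-' means stdin, as in libpcap; this fails if stdin was closed earlier (the thread's bug)
    if path == "-":
        if sys.stdin is None or sys.stdin.closed:
            raise OSError("stdin already closed; cannot read a capture from '-'")
        return sys.stdin.buffer
    return open(path, "rb")

def iter_pcap_records(stream):
    hdr = stream.read(GLOBAL_HEADER_LEN)
    if len(hdr) != GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):   # magic is stored in the writer's byte order
        magic = struct.unpack(endian + "I", hdr[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap savefile (bad magic)")
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    snaplen = struct.unpack(endian + "HHiIII", hdr[4:])[4]
    while True:
        rec = stream.read(RECORD_HEADER_LEN)
        if not rec:
            return                      # clean end of stream
        if len(rec) != RECORD_HEADER_LEN:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("captured length exceeds snaplen or original length")
        data = stream.read(incl_len)
        if len(data) != incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec + ts_frac / frac_div, data

def records_from_bytes(blob):
    return list(iter_pcap_records(io.BytesIO(blob)))

def build_sample_pcap(endian="<"):
    # Constructed two-record savefile with dummy payloads (not real traffic).
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate((b"\x00" * 60, b"\xff" * 42)):
        out += struct.pack(endian + "IIII", 1093997527 + i, 500000 * i, len(payload), len(payload))
        out += payload
    return out
```

When stdin carries the capture, drive it with `for ts, pkt in iter_pcap_records(open_capture("-")):`, which is the same shape as the `zcat ... | argus -r -` pipeline in the thread.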