tool to convert packet level pcap format to argus flow level data?
Russell Fulton
r.fulton at auckland.ac.nz
Tue Aug 8 14:26:06 EDT 2006
George Nychis wrote:
> Thanks Peter,
>
> I have argus flow data captured from others in this format:
> StartTime LastTime T port D
> ort SrcPkt DstPkt SrcBytes DstBytes State
> 1104969276 1104969276 udp 0.2.132.134.54446 ->
> 97.153.58.99.21501 1 0 65 0 INT
>
> I notice when I create the argus files with argus -r file.tcp -w
> file.argus, its contents are unreadable to my human eye, and I'm sure
> they are in some argus format. So I am wondering how I now convert this
> argus file to human readable text in the format I have above?
>
argus converts the pcap file to an argus binary file (just like what
you get when argus captures the data from the network). You then use ra
to view the file.
You can probably do this in one line (but I have not tried it):
argus -r pcap file -w - | ra -r - |less
Giving - as the file name tells the program to write/read the file
to/from stdout.
Russell
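
An added example, not part of the original thread: it runs the pipeline from the reply above and parses the text records into fields. It assumes argus and ra are on PATH and that ra prints the column layout quoted in the question (ra's actual columns depend on its configuration); the function names are hypothetical.

```python
import subprocess

# Sample record copied from the question above.
SAMPLE = "1104969276 1104969276 udp 0.2.132.134.54446 -> 97.153.58.99.21501 1 0 65 0 INT"

def split_endpoint(token):
    """Split 'a.b.c.d.port' into (addr, port); port is None when absent."""
    parts = token.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_flow_line(line):
    """Parse one record in the assumed layout:
    start last proto src.port dir dst.port srcpkt dstpkt srcbytes dstbytes state
    Returns a dict, or None for header lines, blank lines and anything else."""
    tok = line.split()
    numeric = tok[:2] + tok[6:10]
    if len(tok) != 11 or not all(t.isdigit() for t in numeric):
        return None
    start, last, spk, dpk, sby, dby = (int(t) for t in numeric)
    src, sport = split_endpoint(tok[3])
    dst, dport = split_endpoint(tok[5])
    return {"start": start, "last": last, "proto": tok[2],
            "src": src, "sport": sport, "dir": tok[4],
            "dst": dst, "dport": dport,
            "src_pkts": spk, "dst_pkts": dpk,
            "src_bytes": sby, "dst_bytes": dby, "state": tok[10]}

def pcap_to_flows(pcap_path):
    """Run `argus -r <pcap> -w - | ra -r -` and return the parsed records."""
    argus = subprocess.Popen(["argus", "-r", pcap_path, "-w", "-"],
                             stdout=subprocess.PIPE)
    ra = subprocess.run(["ra", "-r", "-"], stdin=argus.stdout,
                        capture_output=True, text=True, check=True)
    argus.stdout.close()
    if argus.wait() != 0:
        raise RuntimeError("argus exited with an error")
    return [r for r in map(parse_flow_line, ra.stdout.splitlines()) if r]

if __name__ == "__main__":
    print(parse_flow_line(SAMPLE))
```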