Capture User Data Bytes

Carter Bullard carter at qosient.com
Mon Dec 4 11:08:29 EST 2006


Hey Guys,
The user data that is captured starts after the last header parsed. The
flow key is generally what determines where the parsing stops, but because
argus supports about 14 flow models (see the web site for description of
all flow models), the "rule" is not simple (although not that complicated
either). The rule of thumb is, whatever the next header is after the
"proto" field of the flow key, that's where we start capturing. Because
argus supports L2, L3, L4 and L5 flows, the user data can start at any of
the next layers, depending on the flow type.

The argus configuration specifies how much data to capture, and it can go
up to just under 64K in size (unsigned short), although practically it
should be something that is useful. 128 bytes seems to be a great number.
The largest argus record possible is 64K, so the combined user data
capture can't be bigger than this.

Default printing size of the user data is 16 bytes, but you can print as
much as is there: "-s suser:1500" is a good option.

Ragrep is simply grep(1) applied to the user data buffers.

Carter





On Dec 3, 2006, at 11:12 PM, Philipp E. Letschert wrote:

> The capture starts in application layer (= user data). Another thing to
> remember is that the maximum capture size seems to be 32 bytes, that is
> 16 bytes each for source and destination.
>
>
> Philipp
>
> On Mon, Dec 04, 2006 at 09:58:04AM +0800, CS Lee wrote:
>> Hello people,
>>
>> Thanks for the ragrep man page, ragrep works now by capturing user data
>> bytes. With this I'm confused since it says user data bytes: if I
>> specify -U 60, will the capture start on the application layer or the
>> network layer? I know the mac data can be captured as well but my
>> concern now is the payloads and that's what I think ragrep is used for.
>>
>> Sorry if I'm asking too many questions, but I need to know exactly to
>> specify the better value for user data bytes to be captured.
>>
>> Thanks again.
>>
>> -- 
>> Best Regards,
>>
>> CS Lee<geekooL[at]gmail.com>
>
> -- 
>   /-\
>  C oo   "The best tool becomes a bauble in a dim-witted fool's hand."
>  _( ^)                                             Daniel Düsentrieb
> /   -\
>
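The layering rule Carter describes above (the captured user data starts right after the last header the flow key parsed, the capture length is bounded by an unsigned short, and ragrep is grep applied to those captured buffers) modelled in Python as an added example; this is not argus code and not part of the original thread. The Ethernet/IPv4/TCP frame it parses is constructed inline, the function names, the layer numbers passed as `flow_layer` and the `0xFFFF` clamp are illustrative assumptions, and it deliberately handles only untagged Ethernet, IPv4 and TCP/UDP.

```python
"""
Illustrative model of where argus-style user-data capture begins.

Added example, not argus code. One constructed Ethernet II + IPv4 + TCP
frame is parsed; the offset where "user data" starts depends on which
layer the (hypothetical) flow key parsed down to, the capture length is
clamped the way a 16-bit length field would clamp it, and a regex is
then applied to the captured buffers in the spirit of ragrep.
"""
import re
import struct

MAX_CAPTURE = 0xFFFF  # unsigned-short ceiling mentioned in the thread (assumption: clamp, not error)


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame carrying `payload` (documentation addresses only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_len = 20 + len(payload)
    ip_total = 20 + tcp_len
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def user_data_offset(frame: bytes, flow_layer: int) -> int:
    """Byte offset where user data starts for an L2, L3 or L4 flow key (hypothetical layer numbers)."""
    off = 14  # Ethernet II header; this constructed frame carries no VLAN tag
    if flow_layer == 2:
        return off  # L2 flow: everything after the MAC header is user data
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("example only handles IPv4")
    ihl = (frame[off] & 0x0F) * 4  # IPv4 header length in bytes
    proto = frame[off + 9]         # the "proto" field the thread refers to
    off += ihl
    if flow_layer == 3:
        return off  # L3 flow: user data starts right after the IP header
    if proto == 6:    # TCP: header length comes from the data-offset nibble
        off += (frame[off + 12] >> 4) * 4
    elif proto == 17:  # UDP: fixed 8-byte header
        off += 8
    else:
        raise ValueError("example only handles TCP and UDP for L4 flows")
    return off  # L4 flow: user data is the transport payload


def capture_user_data(frame: bytes, flow_layer: int, capture_len: int) -> bytes:
    """Take at most capture_len bytes of user data, clamped to the 16-bit ceiling."""
    capture_len = min(capture_len, MAX_CAPTURE)
    start = user_data_offset(frame, flow_layer)
    return frame[start:start + capture_len]


def ragrep_like(buffers, pattern: str):
    """Indices of captured buffers that match the regex, i.e. grep over the user-data buffers."""
    rx = re.compile(pattern.encode())
    return [i for i, buf in enumerate(buffers) if rx.search(buf)]


if __name__ == "__main__":
    frame = build_frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    for layer in (2, 3, 4):
        print(f"L{layer} flow, first 16 bytes of user data: {capture_user_data(frame, layer, 16)!r}")
    captured = [capture_user_data(frame, 4, 60), capture_user_data(frame, 4, 5)]
    print("buffers matching 'Host: ':", ragrep_like(captured, r"Host: "))
```

Running it shows why the capture length matters for ragrep: with 60 bytes captured the `Host:` line is present and matches, while a 5-byte capture of the same packet never can.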