argus-3.0 conformance testing and website repository

Richard Bejtlich taosecurity at gmail.com
Fri Jun 23 20:40:54 EDT 2006


On 6/23/06, Carter Bullard <carter at qosient.com> wrote:
> Hey Richard,
>     That would be great!!!  After I put together some standard packet
> traces into a repository, we can use any tools to see what they
> do.   The comparison may give us some ideas as to how to
> improve argus, but really (just a personal political statement)
> I could care less what they do, as long as it's correct (whatever
> that means ;o)
>
>     So, I have an arp and traceroute capture file, the tools you mention
> don't do much with those, but these are real flows for argus.  We
> may have to compare argus to, what, arpwatch, in order to see what
> we could do?
>
> Carter

Hi Carter,

Maybe we could run the trace through all of the tools using an IP
filter, to get some sort of even comparison.

Arpwatch would only report the first time it sees a new MAC addr, or
when it sees a new IP addr assigned to an old MAC addr.  I'm not sure
what we could do about layer 2 sessions.

Sincerely,

Richard
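As an added illustration (not part of the original message, and not arpwatch's own code), a small Python model of the alerting rule Richard describes, run over constructed tcpdump-style ARP reply lines: it reports a MAC address the first time it appears, and a known MAC seen with an IP it was not previously paired with. It also includes the IP-keyed check arpwatch is best known for, a known IP turning up with a different MAC. The line format, the sample addresses and the event names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample lines in the style of tcpdump's ARP output (not a real capture).
SAMPLE_LINES = [
    "12:00:01.000000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 28",
    "12:00:02.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
    "12:00:03.000000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 28",
    "12:00:04.000000 ARP, Reply 10.0.0.6 is-at 00:11:22:33:44:55, length 28",
    "12:00:05.000000 ARP, Reply 10.0.0.6 is-at AA:BB:CC:DD:EE:FF, length 28",
]

# Only replies carry the sender MAC in tcpdump's default output, so requests are skipped.
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


class ArpEvent(NamedTuple):
    kind: str            # assumed event names, see ArpWatcher.observe
    ip: str
    mac: str
    old_mac: Optional[str]  # only set for "changed ethernet address"


def parse_reply(line: str) -> Optional[Tuple[str, str]]:
    """Return (ip, mac) from an ARP reply line, or None for anything else."""
    m = REPLY_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2).lower()  # normalise MAC case so comparisons are stable


class ArpWatcher:
    """Keeps the IP<->MAC pairings seen so far and reports only when they change."""

    def __init__(self) -> None:
        self.ips_by_mac = {}   # mac -> set of IPs it has claimed
        self.mac_by_ip = {}    # ip -> last MAC that claimed it

    def observe(self, ip: str, mac: str) -> List[ArpEvent]:
        events = []
        # Rule 1 (as described in the message): first sighting of a MAC.
        if mac not in self.ips_by_mac:
            self.ips_by_mac[mac] = {ip}
            events.append(ArpEvent("new station", ip, mac, None))
        # Rule 2 (as described in the message): a known MAC claims a new IP.
        elif ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            events.append(ArpEvent("new ip for known mac", ip, mac, None))
        # Extra, IP-keyed check: a known IP now answered by a different MAC.
        old = self.mac_by_ip.get(ip)
        if old is not None and old != mac:
            events.append(ArpEvent("changed ethernet address", ip, mac, old))
        self.mac_by_ip[ip] = mac
        return events


def watch(lines: List[str]) -> List[ArpEvent]:
    """Run the watcher over a list of text lines and collect every event raised."""
    watcher = ArpWatcher()
    events = []
    for line in lines:
        parsed = parse_reply(line)
        if parsed is None:
            continue
        events.extend(watcher.observe(*parsed))
    return events


if __name__ == "__main__":
    for ev in watch(SAMPLE_LINES):
        print(ev)
```

Repeated replies with an unchanged pairing (line three of the sample) raise nothing, which is the property that makes this style of monitor quiet enough to leave running; the IP-keyed rule at the end is what turns a duplicated address claim into a visible event rather than a silent overwrite.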
