argus usage

Stewart Gray Stewart.Gray at safecom.co.nz
Mon Feb 2 16:26:06 EST 2009


Hi Oguz, 

Argus supports the Berkeley packet filter (as other apps like tcpdump
and ngrep do) so you're able to lock queries down to port numbers,
specific hosts etc. Knowing the port number an application runs on means
it is fairly easy to pull out transactions for a particular protocol. Keep
in mind it doesn't operate at layer 7; flow information for a protocol
such as HTTP will be very similar to SMTP. If you're after more in-depth
analysis of a transaction, i.e. what happened during an HTTP connection
(GET, POST, HEAD etc.) you're probably best to be taking full packet
captures alongside argus so you can run them through another tool such
as wireshark.

Have a look at this wiki page for some common usages -
http://nsmwiki.org/index.php?title=Argus.

Cheers, 

Stewart
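As an added illustration of the reply above (not code from the thread or from the argus project): this builds the port-based BPF expression used to lock an argus/ra query to a few services and summarises flow records by destination port. The rows are constructed, and the column layout of `ra` output is assumed; the point it makes visible is that the HTTP and SMTP flows carry exactly the same kinds of fields, so nothing at layer 7 (methods, commands) is recoverable from them.

```python
from collections import defaultdict

# Well-known ports for the services asked about in the thread; classification
# is by port number only, which is all a flow record can offer.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25,
                 "imap": 143, "pop3": 110, "ftp": 21}
PORT_TO_SERVICE = {port: name for name, port in SERVICE_PORTS.items()}

# Constructed sample in the shape of default `ra` output (assumed layout:
# StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State).
SAMPLE_RA_OUTPUT = """\
   StartTime  Flgs  Proto   SrcAddr  Sport  Dir   DstAddr  Dport  TotPkts  TotBytes  State
09:50:01.123    e    tcp  192.0.2.10.51234   ->  198.51.100.5.80     12   4210  FIN
09:50:02.456    e    tcp  192.0.2.10.51235   ->  198.51.100.5.443    18   9802  FIN
09:50:03.789    e    tcp  192.0.2.11.40001   ->  198.51.100.9.25     14   3120  FIN
09:50:04.000    e    tcp  192.0.2.12.40002   ->  198.51.100.9.143    22   5510  CON
"""


def bpf_for_services(names):
    """Build the BPF expression that locks an argus/ra query to the given services."""
    ports = " or ".join(f"port {SERVICE_PORTS[n]}" for n in names)
    return f"tcp and ({ports})"


def parse_ra(text):
    """Parse ra-style flow lines into dicts; the header and short lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "StartTime":
            continue
        stime, flgs, proto, src, direction, dst, pkts, nbytes, state = fields[:9]
        daddr, dport = dst.rsplit(".", 1)  # ra prints address and port joined by a dot
        flows.append({"stime": stime, "proto": proto, "src": src,
                      "daddr": daddr, "dport": int(dport),
                      "pkts": int(pkts), "bytes": int(nbytes), "state": state})
    return flows


def summarize_by_service(flows):
    """Flow count and byte total per service; ports outside the map count as 'other'."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        name = PORT_TO_SERVICE.get(f["dport"], "other")
        totals[name]["flows"] += 1
        totals[name]["bytes"] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    print(bpf_for_services(["http", "https"]))
    for name, t in sorted(summarize_by_service(parse_ra(SAMPLE_RA_OUTPUT)).items()):
        print(f"{name:6s} flows={t['flows']} bytes={t['bytes']}")
```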

-----Original Message-----
From: argus-info-bounces+stewart.gray=safecom.co.nz at lists.andrew.cmu.edu
[mailto:argus-info-bounces+stewart.gray=safecom.co.nz at lists.andrew.cmu.edu] On Behalf Of Oguz Yarimtepe
Sent: Tuesday, 3 February 2009 9:50 a.m.
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] argus usage

Hi,

I want some information about argus capabilities. I tried argus a bit
and read the wiki. I want to learn whether it is possible to get
application level information from a flow record by using argus, like
HTTP, HTTPS, IMAP, POP, SMTP, FTP ...
As I understood from its usage it is possible to get this information
indirectly by analyzing the argus output, but maybe there is a way that
argus serves that I don't know.

Thanx.
