argus usage

Peter Van Epp vanepp at sfu.ca
Tue Feb 3 00:06:59 EST 2009


On Mon, Feb 02, 2009 at 10:50:20PM +0200, Oguz Yarimtepe wrote:
> Hi,
> 
> I want some information about argus capabilities. I tried argus a bit
> and read the wiki. I want to learn whether it is possible to get
> application level information from a flow record by using argus, like
> HTTP, HTTPS, IMAP, POP, SMTP, FTP ...
> As I understood from its usage it is possible to get these information
> indirectly by analyzing the argus output but maybe there is a way that
> argus serves that I don't know. 
> 
> Thanx.
> 

	Depends on what you need. If you enable user data capture (the -U 
option on the argus) it will capture up to the first 512 bytes of the user
data of the flow. That may or may not give you enough information about the 
flow to do what you want. Note that on a fast link best results are going to
occur using a DAG card as the data capture adds a fairly heavy load to the
server. To display the data with ra (for instance) you need to use the -s
command to add suser and duser to the output (as in 

ra -r argus_file -n -s +suser:512 -s +duser:512

which will tack the user data on the end of the line). This of course raises a
number of sticky privacy issues that you need to have considered and gotten
approved by appropriate management of the link you are tapping (which may or
may not be you :-)). 

Peter Van Epp
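An added example of the "indirect" approach the original question mentions, i.e. classifying the application protocol from the captured user data rather than from the port alone. This is not code from the argus project or from either poster. It assumes that ra, with -s +suser:512 -s +duser:512, appends the user data as s[len]="..." and d[len]="..." fields with non-printable bytes escaped; the sample lines below are constructed in that shape and are not real capture output. Because argus keeps only the first 512 bytes of each direction, only protocols that identify themselves in their opening bytes (HTTP request line, SMTP/FTP banners, POP3/IMAP greetings, the TLS ClientHello record header) can be recognised this way; anything later in the stream, or inside TLS, stays opaque.

```python
import codecs
import re

# Constructed lines in the assumed shape of
#   ra -r argus_file -n -s +suser:512 -s +duser:512
# output: proto, src.port -> dst.port, then s[len]="..." and d[len]="...".
SAMPLE_RA_OUTPUT = """\
tcp 10.0.0.5.51234 -> 93.184.216.34.80 s[26]="GET /index.html HTTP/1.1\\r\\n" d[17]="HTTP/1.1 200 OK\\r\\n"
tcp 10.0.0.5.51235 -> 93.184.216.34.443 s[8]="\\x16\\x03\\x01\\x02\\x00\\x01\\x00\\x01" d[5]="\\x16\\x03\\x03\\x00\\x5a"
tcp 10.0.0.7.40001 -> 10.0.0.25.25 s[23]="EHLO mail.example.org\\r\\n" d[22]="220 mx.example ESMTP\\r\\n"
tcp 10.0.0.7.40002 -> 10.0.0.26.110 s[12]="USER alice\\r\\n" d[16]="+OK POP3 ready\\r\\n"
tcp 10.0.0.7.40003 -> 10.0.0.27.143 s[17]="a001 CAPABILITY\\r\\n" d[22]="* OK IMAP4rev1 ready\\r\\n"
tcp 10.0.0.9.40004 -> 10.0.0.28.21 s[10]="USER ftp\\r\\n" d[22]="220 FTP server ready\\r\\n"
tcp 10.0.0.9.40005 -> 10.0.0.29.9999 s[0]="" d[0]=""
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(s\[.*)$")
SUSER_RE = re.compile(r's\[\d+\]="((?:[^"\\]|\\.)*)"')
DUSER_RE = re.compile(r'd\[\d+\]="((?:[^"\\]|\\.)*)"')

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def unescape(raw: str) -> bytes:
    """Turn the escaped text form (\\r, \\n, \\xHH) back into raw bytes."""
    return codecs.decode(raw, "unicode_escape").encode("latin-1")


def classify(client: bytes, server: bytes, dport: int) -> str:
    """Guess the application protocol from the first bytes in each direction."""
    # TLS record: content type 0x16 (handshake), major version 0x03.
    if client[:2] in (b"\x16\x03",):
        return "tls"
    request_line = client.split(b"\r\n", 1)[0]
    if client.split(b" ", 1)[0] in HTTP_METHODS and b"HTTP/" in request_line:
        return "http"
    if client[:4].upper() in (b"EHLO", b"HELO") or (
        server.startswith(b"220 ") and b"SMTP" in server
    ):
        return "smtp"
    if server.startswith(b"+OK"):
        return "pop3"
    if server.startswith(b"* OK"):
        return "imap"
    # Plain 220 banner without an SMTP marker, or a USER command on port 21.
    if server.startswith(b"220 ") or (client.startswith(b"USER ") and dport == 21):
        return "ftp"
    return "unknown"


def parse_line(line: str) -> dict:
    """Split one ra line into addresses, port and decoded user data."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ra line: {line!r}")
    proto, src, dst, rest = m.groups()
    saddr, sport = src.rsplit(".", 1)
    daddr, dport = dst.rsplit(".", 1)
    s_match = SUSER_RE.search(rest)
    d_match = DUSER_RE.search(rest)
    client = unescape(s_match.group(1)) if s_match else b""
    server = unescape(d_match.group(1)) if d_match else b""
    return {
        "proto": proto,
        "saddr": saddr,
        "sport": int(sport),
        "daddr": daddr,
        "dport": int(dport),
        "app": classify(client, server, int(dport)),
    }


def summarize(text: str) -> list:
    """Classify every non-empty line of ra output."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_RA_OUTPUT):
        print(f"{row['saddr']}:{row['sport']} -> {row['daddr']}:{row['dport']} {row['app']}")
```

In practice you would feed it `ra -r argus_file -n -s +suser:512 -s +duser:512` through a pipe instead of the constructed string, and extend the signature table to whatever your site actually runs; the structure (decode the escaped user data, then match on the opening bytes of each direction) stays the same. Matching on the banner from the server side as well as the client side is what lets a POP3 login on a non-standard port still be recognised.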
