argus usage

Oguz Yarimtepe comp.ogz at gmail.com
Tue Feb 3 00:59:33 EST 2009


> Depends on what you need. If you enable user data capture (the -U option on
> the argus) it will capture up to the first 512 bytes of the user data of the
> flow. That may or may not give you enough information about the flow to do
> what you want. Note that on a fast link best results are going to occur
> using a DAG card as the data capture adds a fairly heavy load to the server.
> To display the data with ra (for instance) you need to use the -s command to
> add suser and duser to the output (as in
>
> ra -r argus_file -n -s +suser:512 -s +duser:512
>
> which will tack the user data on the end of the line. This of course raises
> a number of sticky privacy issues that you need to have considered and
> gotten approved by appropriate management of the link you are tapping (which
> may or may not be you :-)).
>
> Peter Van Epp


What I am willing to do is to characterize the network traffic by using
some characteristics derived from flow information. My final decision about
a flow record will be whether the flow belongs to a chat session, a mail
transfer, an FTP connection, web browsing, ...

I had discovered Bro, which has identifiers related to high-level
protocols. The protocol family that it supports is not as large as the one
Argus supports, so I was planning to go on with Argus.


-- 
Oğuz Yarımtepe
www.loopbacking.info
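As an added example (not code from the thread, from Argus or from Oguz's project), the script below shows the kind of classifier the reply above is asking about: it takes flow records that already carry the captured user data (assumed to come from an argus run with the -U option and an ra invocation with -s +suser:512 -s +duser:512, as Peter describes) and labels each flow as smtp, http, ftp, irc, and so on. The tab-separated field layout and every record in SAMPLE_RECORDS are constructed here, not copied from ra output; the signature list is a small illustration to extend. Two points it is built to show: the first bytes of payload beat the destination port (the HTTP flow on port 8080 is still HTTP, and a flow on port 80 whose bytes look nothing like HTTP is only a weak guess), and, because of the privacy issue Peter raises, the summary step keeps the label and drops the raw user data before anything is stored.

```python
"""Classify Argus flow records by application from captured user data.

Added example for the argus-list thread; not Argus/ra code. Assumes the
records were produced by argus -U plus ra -s +suser:512 -s +duser:512
and reduced to the tab-separated layout in FIELDS (layout and records
are constructed for this example).
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed field order of each tab-separated record (constructed layout).
FIELDS = ["stime", "proto", "saddr", "sport", "daddr", "dport", "suser", "duser"]

# Constructed sample records. User data is shown with CR/LF escaped as the
# literal text \r\n so each record stays on one line.
SAMPLE_RECORDS = "\n".join([
    "2009-02-03 00:10:01\ttcp\t10.0.0.5\t50211\t10.0.0.25\t25\tEHLO client.example\\r\\n\t220 mx.example ESMTP Postfix\\r\\n",
    "2009-02-03 00:10:04\ttcp\t10.0.0.5\t50212\t192.0.2.80\t8080\tGET /index.html HTTP/1.1\\r\\nHost: www\\r\\n\tHTTP/1.1 200 OK\\r\\n",
    "2009-02-03 00:10:09\ttcp\t10.0.0.7\t50213\t192.0.2.21\t21\tUSER anonymous\\r\\nPASS guest@\\r\\n\t220 ftp.example FTP server ready\\r\\n",
    "2009-02-03 00:10:12\ttcp\t10.0.0.9\t50214\t192.0.2.66\t6667\tNICK ogz\\r\\nUSER ogz 0 * :Oguz\\r\\n\t:irc.example NOTICE AUTH :*** Looking up your hostname\\r\\n",
    "2009-02-03 00:10:20\ttcp\t10.0.0.9\t50215\t192.0.2.99\t443\t\t",  # nothing captured
    "2009-02-03 00:10:25\ttcp\t10.0.0.9\t50216\t192.0.2.99\t5555\tsomething random\tmore random",
    "2009-02-03 00:10:30\ttcp\t10.0.0.9\t50217\t192.0.2.99\t80\t\\x16\\x03\\x01\\x00\\xa5\\x01\t\\x16\\x03\\x01",  # TLS-looking bytes on 80
])

# Weak evidence: what the destination port usually means.
PORT_HINTS = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap", 443: "https", 6667: "irc"}

# Strong evidence: (label, client-side pattern, optional server-side pattern).
# Order matters: IRC's "USER a b c :name" must be tried before FTP's "USER name".
PAYLOAD_SIGNATURES: List[Tuple[str, "re.Pattern[str]", Optional["re.Pattern[str]"]]] = [
    ("http", re.compile(r"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]"), re.compile(r"^HTTP/1\.[01] \d{3}")),
    ("smtp", re.compile(r"^(EHLO|HELO) "), re.compile(r"^220 ")),
    ("irc", re.compile(r"^NICK |^USER \S+ \S+ \S+ :"), None),
    ("ftp", re.compile(r"^USER "), re.compile(r"^220")),
]


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split tab-separated lines into dicts keyed by FIELDS; reject malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def classify_by_payload(suser: str, duser: str) -> Optional[str]:
    """Label from the first bytes of user data in each direction, or None."""
    for label, client_re, server_re in PAYLOAD_SIGNATURES:
        if client_re.search(suser) and (server_re is None or server_re.search(duser)):
            return label
    return None


def classify(rec: Dict[str, str]) -> Tuple[str, str]:
    """Return (label, basis). Payload wins; the port is only a fallback."""
    by_payload = classify_by_payload(rec["suser"], rec["duser"])
    by_port = PORT_HINTS.get(int(rec["dport"]))
    if by_payload:
        return by_payload, "payload"
    if by_port and not (rec["suser"] or rec["duser"]):
        return by_port, "port"            # no bytes captured: the port is all we have
    if by_port:
        return by_port + "?", "port-only"  # bytes present but unrecognised: weak guess
    return "unknown", "none"


def summarize(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Classify each flow and drop suser/duser so the payload goes no further."""
    out = []
    for rec in records:
        label, basis = classify(rec)
        kept = {k: rec[k] for k in FIELDS if k not in ("suser", "duser")}
        out.append({**kept, "app": label, "basis": basis})
    return out


if __name__ == "__main__":
    for row in summarize(parse_records(SAMPLE_RECORDS)):
        print(f"{row['stime']}  {row['saddr']}:{row['sport']} -> {row['daddr']}:{row['dport']}  "
              f"{row['app']:8s} ({row['basis']})")
```

The signature table is deliberately two-sided: a client greeting alone is easy to fake or to confuse (FTP and SMTP both answer with a 220 banner, IRC and FTP both send USER), so where the server side is captured the classifier insists on it too. Flows that match nothing are reported as unknown rather than forced into the nearest port label, which is the honest answer for encrypted or non-standard traffic.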

