Argus-info Digest, Vol 42, Issue 18

CS Lee geek00l at gmail.com
Fri Feb 20 11:17:03 EST 2009


hi oguz,

I usually use the BPF filter on tcpdump to get the pcap data based on the argus
flow record, since argus has offered the basic five-tuple record (another key is
the start time of the flow); for ICMP sessions you can easily get it with the
icmp filter.

One of my friends, Will Metcalf, has done some work here:

http://node5.blogspot.com/2009/02/new-version-of-pcap-parser.html

In case you are interested.

On Fri, Feb 20, 2009 at 10:42 PM, Oguz Yarimtepe <comp.ogz at gmail.com> wrote:

> Hi,
>
> On Fri, Feb 20, 2009 at 4:08 AM, CS Lee <geek00l at gmail.com> wrote:
>
>> hi oguz,
>>
>> What do you mean, do you mean retrieve the packets from pcap based on
>> certain flows in the argus dump?
>>
> I have an offline tcpdump record. I am converting it to an argus record and
> analyzing it. I can see some flow information line by line when I use
> racluster. Let's say the second flow record is a bidirectional one. I
> want to make some further investigation on the second flow record. Let's say
> I want to investigate some payload distribution or calculate the ping-pong
> exchanges by checking the non-empty packets and their payload information.
> I can do it by traversing the packets if I know which packets
> belong to the second flow record, or if I somehow export it to a tcpdump
> file.
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
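The approach described in the reply above (take the five-tuple and start time off an argus flow record, turn it into a tcpdump/BPF expression, and pull the matching packets out of the pcap), written out as an added example. This is not code from the thread or from the argus tools; the Flow values are assumed to have been read off an ra/racluster record, the 60-second time window, the port-less ICMP handling and the constructed sample capture are this example's own assumptions, and `extract_flow` exists because BPF alone cannot express the start-time key that separates two flows that reuse the same five-tuple.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PROTO_NAMES = {IPPROTO_ICMP: "icmp", IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


@dataclass(frozen=True)
class Flow:
    """Five-tuple plus start time, as read off one argus flow record (assumed input)."""
    proto: int
    saddr: str
    sport: int      # 0 for ICMP, which has no ports
    daddr: str
    dport: int
    start: float    # epoch seconds (argus StartTime)


def bpf_for_flow(f: Flow) -> str:
    """BPF expression selecting both directions of the flow (ports dropped for ICMP)."""
    if f.proto == IPPROTO_ICMP:
        fwd = f"src host {f.saddr} and dst host {f.daddr}"
        rev = f"src host {f.daddr} and dst host {f.saddr}"
    else:
        fwd = f"src host {f.saddr} and src port {f.sport} and dst host {f.daddr} and dst port {f.dport}"
        rev = f"src host {f.daddr} and src port {f.dport} and dst host {f.saddr} and dst port {f.sport}"
    return f"{PROTO_NAMES[f.proto]} and (({fwd}) or ({rev}))"


def tcpdump_command(f: Flow, infile: str, outfile: str) -> list:
    """argv that pulls the flow's packets out of infile with tcpdump (-r read, -w write)."""
    return ["tcpdump", "-r", infile, "-w", outfile, bpf_for_flow(f)]


def _five_tuple(frame: bytes):
    """Parse Ethernet/IPv4/{TCP,UDP,ICMP}; return (proto, src, sport, dst, dport) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = 0          # ICMP and anything else: no ports
    return proto, src, sport, dst, dport


def _matches(f: Flow, key) -> bool:
    """True when the packet belongs to the flow in either direction."""
    proto, src, sport, dst, dport = key
    return proto == f.proto and (src, sport, dst, dport) in (
        (f.saddr, f.sport, f.daddr, f.dport), (f.daddr, f.dport, f.saddr, f.sport))


def extract_flow(pcap: bytes, f: Flow, window: float = 60.0) -> bytes:
    """New pcap holding only packets of f timestamped within [start, start + window).
    The time check is what BPF cannot do; the window length is an assumption."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "little-endian usec pcap only"
    out, off = [pcap[:24]], 24                      # keep the global header as-is
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        rec = pcap[off:off + 16 + incl]
        key = _five_tuple(rec[16:])
        if key and _matches(f, key) and f.start <= ts_sec + ts_usec / 1e6 < f.start + window:
            out.append(rec)
        off += 16 + incl
    return b"".join(out)


def packet_count(pcap: bytes) -> int:
    n, off = 0, 24
    while off + 16 <= len(pcap):
        off += 16 + struct.unpack("<I", pcap[off + 8:off + 12])[0]
        n += 1
    return n


# --- constructed sample capture (not real traffic; checksums left zero) ---
def _frame(proto, src, sport, dst, dport, payload=b""):
    l4 = (b"\x08\x00\x00\x00" if proto == IPPROTO_ICMP else struct.pack("!HH", sport, dport)) + payload
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def _pcap(records):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for ts, fr in records:
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(fr), len(fr)) + fr)
    return b"".join(out)


SAMPLE_FLOW = Flow(IPPROTO_TCP, "10.0.0.5", 40000, "192.0.2.10", 80, start=1235100000.0)
SAMPLE_PCAP = _pcap([
    (1235100000.1, _frame(IPPROTO_TCP, "10.0.0.5", 40000, "192.0.2.10", 80, b"GET / ")),
    (1235100000.2, _frame(IPPROTO_TCP, "192.0.2.10", 80, "10.0.0.5", 40000, b"HTTP/1.0 200")),
    (1235100000.3, _frame(IPPROTO_UDP, "10.0.0.5", 5353, "224.0.0.251", 5353)),      # other flow
    (1235100000.4, _frame(IPPROTO_ICMP, "10.0.0.5", 0, "192.0.2.10", 0, b"ping")),    # other protocol
    (1235103600.0, _frame(IPPROTO_TCP, "10.0.0.5", 40000, "192.0.2.10", 80)),         # same tuple, later flow
])
```

`tcpdump_command(SAMPLE_FLOW, "all.pcap", "flow2.pcap")` gives the command line the reply describes; `extract_flow(SAMPLE_PCAP, SAMPLE_FLOW)` keeps the two TCP packets of the sample flow and drops the UDP packet, the ICMP packet and the later reuse of the same five-tuple, which a BPF filter on its own would have kept.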