convert argus logs to pcap files

Carter Bullard carter at qosient.com
Fri Oct 8 15:59:37 EDT 2010


Well, in each flow record (assuming most common options), you have enough information to
craft packets, although you will have to do a bit of work to "interpolate" packets for some flows.
Things like cksum, sequence number generation, ipid, etc... will need a bit of thought,
especially if you get the indication that there was loss, reordering, etc...

My whole way of thinking is to get away from packet inspection, and get to flow inspection,
but I know that the world rarely does what you want it to do ;o)  I believe that you could
do a decent job, but it will not be as gratifying as some would like.

Carter



On Oct 8, 2010, at 3:54 PM, George Jones wrote:

> I was looking for a way to do anonymization of some pcap data.  ranonymize seemed
> to do a pretty good job with argus data, but I wanted to anonymize pcap data for use
> across multiple tools with the same set of anonymized address....yes, this is somewhat
> bass ackwards.   I've since stumbled across:
> 
> http://scrub-tcpdump.sourceforge.net/docs.php
> 
> which works pretty well for tcp and udp....but does not clean up arp and friends.
> 
> ---George
> 
> On Fri, Oct 8, 2010 at 3:48 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Guys,
> Why would you want to do this?
> Carter
> 
> On Oct 8, 2010, at 3:15 PM, George Jones wrote:
> 
>> I was wondering that myself.
>> 
>> Best answers seem to be text2pcap from wireshark, and possibly some pythonic thing
>> such as http://dirtbags.net/py-pcap.html
>> 
>> ---George Jones
>> 
>> On Fri, Oct 8, 2010 at 2:54 PM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:
>> Is there a way to do this?
>> 
>> -- 
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>> "There are some ideas so wrong that only a very
>> intelligent person could believe in them." George Orwell
>> 
>> 
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
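Carter's point above, that a flow record carries enough to craft packets once checksums, sequence numbers and ipids are interpolated, as an added example (not code from this thread or from argus itself): it synthesises one direction of a TCP flow from a constructed argus-style record and emits a classic pcap that standard capture tools read. The record's field names, the starting seq/ipid values and the even timing spread are assumptions.

```python
import socket, struct

# Constructed argus-style flow record (not real argus output): the fields a
# common flow line carries are enough to synthesise one direction of a TCP flow.
FLOW = {"saddr": "10.0.0.5", "daddr": "10.0.0.9", "sport": 40000, "dport": 80,
        "proto": 6, "spkts": 3, "sbytes": 180, "stime": 1286567000.0}

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(flow, index, seq0=1000, ipid0=1):
    """Synthesise the index-th packet: Ethernet + IPv4 + TCP + zero padding.
    ipid and seq are interpolated by incrementing per packet because the
    flow record does not keep the originals; both checksums are recomputed."""
    src, dst = socket.inet_aton(flow["saddr"]), socket.inet_aton(flow["daddr"])
    per_pkt = flow["sbytes"] // flow["spkts"]           # average wire bytes per packet
    payload = b"\x00" * max(per_pkt - 14 - 20 - 20, 0)
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", flow["sport"], flow["dport"], seq0 + index * len(payload),
                      0, 0x50, 0x18, 8192, 0, 0) + payload   # 0x18 = PSH|ACK
    pseudo = src + dst + struct.pack("!BBH", 0, flow["proto"], tcp_len)
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ipid0 + index, 0, 64,
                     flow["proto"], 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"      # MAC addresses are not in the record: zeroed
    return eth + ip + tcp

def flow_to_packets(flow):
    return [build_packet(flow, i) for i in range(flow["spkts"])]

def flow_to_pcap(flow) -> bytes:
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), then records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(flow_to_packets(flow)):
        ts = flow["stime"] + i * 0.001     # spread evenly; per-packet timing is lost
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("flow.pcap", "wb") as f:
        f.write(flow_to_pcap(FLOW))
```

The reverse direction, loss and reordering hints would each need the same kind of interpolation choice before the result stands in for a real capture.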
