convert argus logs to pcap files
Peter Van Epp
vanepp at sfu.ca
Sat Oct 9 18:04:53 EDT 2010
On Fri, Oct 08, 2010 at 01:54:56PM -0500, Paul Schmehl wrote:
> Is there a way to do this?
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
Probably for some quite limited value of "do this" :-). Argus has
aggregated the flow so individual packet information is gone and you can't
recreate the exact traffic stream. You could (maybe) create a mostly equivalent
stream in terms of same number of bytes transmitted but individual packet
values (such as flags) will be only a guess. User data will be a dead loss as
only the first requested number of bytes are kept. Unfortunately the only real
way to do this (which I used to do sometimes for testing argus) is to use
another machine to capture the stream using tcpdump or nowadays by setting the
argus rc to capture the pcap records to file. Depending on line speed and if
you want full packet capture or only partial this can be hard to do because of
disk speed issues. You can then feed the resulting pcap file to argus to see
what happens with the same input data (hint: because of reporting intervals
the unaggregated ra output may not be identical from run to run :-)).
Peter Van Epp
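As an added illustration (not part of Peter's reply and not argus code) of why a flow record cannot be turned back into the packets it summarizes: a toy aggregator keeps only the packet count, byte total, the union of TCP flags and the first N bytes of user data, and a best-effort inversion recovers the totals but has to guess every per-packet value. The packet stream and the record field names are constructed for the example, not argus's real record format.

```python
# Added example, not from the original mail: a simplified model of flow
# aggregation and why it is lossy. All packet values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    size: int        # bytes on the wire
    flags: str       # TCP flags, e.g. "S", "A", "PA"
    payload: bytes   # application data carried by this packet


# Constructed one-direction TCP stream: SYN, ACK, request, full segment, FIN.
STREAM = [
    Packet(74, "S", b""),
    Packet(54, "A", b""),
    Packet(97, "PA", b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"),
    Packet(1514, "A", b"X" * 1460),
    Packet(54, "FA", b""),
]


def aggregate(packets, user_bytes=32):
    """Collapse packets into one flow record: count, byte total, the union of
    flags seen and only the first `user_bytes` of user data (toy model)."""
    flags = "".join(sorted({c for p in packets for c in p.flags}))
    user = b"".join(p.payload for p in packets)[:user_bytes]
    return {"pkts": len(packets), "bytes": sum(p.size for p in packets),
            "flags": flags, "user": user}


def reconstruct(flow):
    """Best-effort inversion: the record fixes the packet count and byte sum,
    but sizes and flags must be guessed, so bytes are spread evenly and the
    whole flag set is put on every packet; only the kept user data survives."""
    n, total = flow["pkts"], flow["bytes"]
    base, extra = divmod(total, n)
    return [Packet(base + (1 if i < extra else 0), flow["flags"],
                   flow["user"] if i == 0 else b"") for i in range(n)]


def compare(original, rebuilt):
    """Report which properties survive the aggregate/reconstruct round trip."""
    orig_payload = sum(len(p.payload) for p in original)
    kept_payload = sum(len(p.payload) for p in rebuilt)
    return {"pkts_match": len(original) == len(rebuilt),
            "bytes_match": sum(p.size for p in original) == sum(p.size for p in rebuilt),
            "sizes_match": [p.size for p in original] == [p.size for p in rebuilt],
            "flags_match": [p.flags for p in original] == [p.flags for p in rebuilt],
            "payload_bytes_lost": orig_payload - kept_payload}


if __name__ == "__main__":
    print(compare(STREAM, reconstruct(aggregate(STREAM))))
```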