Questions about payload buffers in argus

Carter Bullard carter at qosient.com
Thu Apr 7 13:02:43 EDT 2011 

Oh Digital Ninja,
Sorry for the delay, I was at the CERIAS Symposium at Purdue University.
Some very interesting things going on there.

OK, there are several answers to this question.  The largest argus record
can be 65536 bytes long including the header.  Argus records are composed
of a 4 byte header, and then a collection of Argus DSRs.  The DSR format allows
for sub sections of an argus record to be larger than 64K, but largest size of a
DSR is 65532 bytes in length.  The ArgusDataStruct, which holds
the user data buffers, can take up most of that space, but because there are
other DSRs that will be in the record, time, flow key identifiers, metrics, etc...
a practical limit could be considered to be around 24K for both the source and
destination capture buffers.

Argus will collect up to the configured amount of user data, during each
ARGUS_FLOW_STATUS_INTERVAL.  So if you want to do all payload capture,
you will want to have a large user buffer, and a small ARGUS_FLOW_STATUS_INTERVAL.
The interval can be a fraction of a second, if that is useful.

If you are interested in full packet capture for control plane information, but not
for other traffic, consider the "-C" option.  It will capture everything for some protocols,
and the ARGUS_CAPTURE_DATA_LEN for other traffic.

Seems to me, you have a bug when you go higher than 4335 bytes.
I'll look into it.   If you can share a data file that replicates the bug, that will
save me a lot of time.

For output formats, we support "hex", "ascii", "encode32", and "encode64"
formats.  Use the "-M [hex | ascii | encode32 | encode64] to set the format.

If you have any problems, send email !!!!

Carter

On Apr 7, 2011, at 12:12 PM, Digital Ninja wrote:

> Hello again list,  I've not seen any responses on this request from
> last week.  Is anyone using argus with payload buffers?
> 
> On Thu, Mar 31, 2011 at 1:00 PM, Digital Ninja <dn1nj4 at gmail.com> wrote:
>> Hi list,
>> 
>> When leveraging the argus -U option to capture user buffers, what is
>> the maximum amount of data that can be captured?  Is there a way to
>> store all payload information?
>> 
>> Second, when reading the user buffers back in, with ra -s +suser:XXXX,
>> has anyone experienced a segfault?  If I set XXXX to 4334 I get all of
>> the expected user buffers.  If however, I up that number to 4335 or
>> higher, I get a seg fault.  Ideally I'd like to see the entire buffer,
>> regardless of length.
>> 
>> Finally, are the user buffers printed out in binary format or are they
>> converted to straight ASCII (where all non-printable ASCII characters
>> are simply ".")?  If the latter, how can one get the actual hex values
>> from the buffers?
>> 
>> I am currently testing with v3.0.4.
>> 
>> Thanks in advance.
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110407/2a8a6a08/attachment.bin>

More information about the argus mailing list