Full packet capture, missing something obvious.

Jesse Bowling jesseb at uga.edu
Thu Dec 22 19:51:00 EST 2011


On 12/22/11 5:34 PM, Scott McIntyre wrote:
> Hi,
> 
> I've enabled, I think, full packet capture in Argus, however, the
> packet.out file, whilst created, remains empty.
> 
> Short of uncommenting
> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there

I believe this file is only used in conjunction with the
ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:

ARGUS_CAPTURE_DATA_LEN=512   #set to number of bytes you want to capture

This will capture the first 512 bytes of the content/user data in a
stream and keep it in with the rest of the flow data...You can then view
it with ra, for instance:

# ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s +suser:512 +duser:512 - tcp and port 80

This will show the first 512 bytes of the data from the source and
destination...Be warned that capturing user data adds quite a bit of
processing, which may or may not make a difference in packet drops
depending on your setup.

Hope that helps,

Jesse

> (this is with the -latest client and server)
> 
> My thanks,
> 
> Scott
> 

-- 
Jesse Bowling
Security Architect::Office of Information Security::UGA
jesseb at uga dot edu::706-542-2127
