Full packet capture, missing something obvious.
Jesse Bowling
jesseb at uga.edu
Thu Dec 22 21:03:50 EST 2011
After some off-list discussion with Scott, he explained to me that he
actually wants to have argus generate both a flow file as well as a pcap
file of the data as it's captured...
I'm not aware of a way to get argus to do this; anyone else?
Cheers,
Jesse
On 12/22/11 7:51 PM, Jesse Bowling wrote:
> On 12/22/11 5:34 PM, Scott McIntyre wrote:
>> Hi,
>>
>> I've enabled, I think, full packet capture in Argus, however, the
>> packet.out file, whilst created, remains empty.
>>
>> Short of uncommenting
>> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there
>
> I believe this file is only used in conjunction with the
> ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:
>
> ARGUS_CAPTURE_DATA_LEN=512 #set to number of bytes you want to capture
>
> This will capture the first 512 bytes of the content/user data in a
> stream and keep it in with the rest of the flow data...You can then view
> it with ra, for instance:
>
> # ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s +suser:512 +duser:512 - tcp and port 80
>
> This will show the first 512 bytes of the data from the source and
> destination...Be warned that capturing user data adds quite a bit of
> processing, which may or may not make a difference in packet drops
> depending on your setup.
>
> Hope that helps,
>
> Jesse
>
>> (this is with the -latest client and server)
>>
>> My thanks,
>>
>> Scott
>>
>
--
Jesse Bowling
Security Architect::Office of Information Security::UGA
jesseb at uga dot edu::706-542-2127
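The quoted reply describes a configuration mix-up: ARGUS_PACKET_CAPTURE_FILE alone leaves packet.out empty, and the setting that actually keeps user data with the flow records is ARGUS_CAPTURE_DATA_LEN. The following script is an added example, not code from the original thread or from the argus project. It lints an argus.conf fragment for exactly that situation and builds the ra command from the reply for whatever byte count is configured. It assumes what the reply states (that the capture file is only written together with ARGUS_PACKET_CAPTURE_ON_ERROR), and the accepted spellings of a "yes" value, the sample configuration, and the function names are assumptions of this example.

```python
"""Lint an argus.conf fragment for the packet-capture mix-up discussed in this thread.

Added example; not part of the original thread or of the argus project. It assumes,
as the reply states, that ARGUS_PACKET_CAPTURE_FILE is only written to together with
ARGUS_PACKET_CAPTURE_ON_ERROR, and that ARGUS_CAPTURE_DATA_LEN is the setting that
keeps user data inside the flow records. The accepted spellings of a "yes" value
are an assumption as well.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling the original post: the capture file is set,
# the two related settings are still commented out.
SAMPLE_CONF = """\
# argus.conf (constructed sample)
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out"
#ARGUS_PACKET_CAPTURE_ON_ERROR="yes"
#ARGUS_CAPTURE_DATA_LEN=0
"""

_SETTING = re.compile(r'^([A-Z_][A-Z0-9_]*)\s*=\s*(.*)$')


def parse_argus_conf(text: str) -> Dict[str, str]:
    """Return active KEY=VALUE settings. Lines commented out with a leading '#'
    are ignored, trailing '# ...' comments are dropped, and quotes are removed."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        line = line.split('#', 1)[0].strip()   # e.g. ...=512 #set to number of bytes
        m = _SETTING.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[key] = value
    return settings


def check_capture_settings(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Explain why packet.out may stay empty and why flow records carry no user
    data. Each finding is (code, human-readable message)."""
    findings: List[Tuple[str, str]] = []
    if 'ARGUS_PACKET_CAPTURE_FILE' in settings:
        on_error = settings.get('ARGUS_PACKET_CAPTURE_ON_ERROR', '').lower()
        if on_error not in ('yes', 'true', '1'):      # assumed spellings of "on"
            findings.append((
                'capture_file_without_on_error',
                'ARGUS_PACKET_CAPTURE_FILE=%s is set but ARGUS_PACKET_CAPTURE_ON_ERROR '
                'is not; the file is expected to stay empty'
                % settings['ARGUS_PACKET_CAPTURE_FILE']))
    try:
        data_len = int(settings.get('ARGUS_CAPTURE_DATA_LEN', '0'))
    except ValueError:
        data_len = 0
    if data_len <= 0:
        findings.append((
            'no_user_data',
            'ARGUS_CAPTURE_DATA_LEN is unset or 0; set it (e.g. 512) to keep the '
            'first bytes of each stream with the flow record'))
    return findings


def ra_user_data_command(capture_file: str, data_len: int) -> str:
    """Build the ra invocation from the reply for a given byte count."""
    return ('ra -r %s -M dsrs=time,flow,metric,suser,duser '
            '-s +suser:%d +duser:%d - tcp and port 80'
            % (capture_file, data_len, data_len))


if __name__ == '__main__':
    active = parse_argus_conf(SAMPLE_CONF)
    for code, message in check_capture_settings(active):
        print('%s: %s' % (code, message))
    print(ra_user_data_command('ra_capture_file', 512))
```

Appending the `ARGUS_CAPTURE_DATA_LEN=512` line from the reply to the sample clears the `no_user_data` finding while the empty-capture-file finding remains, which mirrors the thread: the two settings solve different problems. As the reply notes, storing user data costs processing time, so the chosen length is a trade-off against packet drops on the sensor.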