Full packet capture, missing something obvious.

John Gerth gerth at graphics.stanford.edu
Thu Dec 22 22:39:07 EST 2011


If the goal is full packet capture in addition to argus, I'm wondering if it would actually
be any more expensive to just run the argus and tcpdump independently rather than using
the two fifo setup with all the context switches that implies for its two extra processes.
(Of course, it's writing the packets to disk that usually kills ya)

If simultaneous near real-time is not an issue one could process the packet files later with argus.

/John

--
John Gerth      gerth at graphics.stanford.edu

On 12/22/11 6:27 PM, Jesse Bowling wrote:
> On 12/22/11 9:03 PM, Jesse Bowling wrote:
>> After some off list discussion with Scott, he explained to me that he
>> actually wants to have argus generate both a flow file as well as a pcap
>> file of the data as it's captured...
>>
>> I'm not aware of a way to get argus to do this; anyone else?
>>
> 
> I thought of a hackish way to go about it...YMMV:
> 
> mkfifo tcpdump.fifo
> mkfifo argus.fifo
> tcpdump -r tcpdump.fifo -w /pcaps/%Y_%m_%d_%H%M_test.pcap -G 300 &
> argus -r argus.fifo -w - | rasplit -r - -M time 5m -w /argus/%Y_%m_%d_%H%M_test.argus &
> tcpdump -i eth0 -s 2048 -w - | tee argus.fifo > tcpdump.fifo &
> 
> I was worried that file rotation might break the pipe, but it appears
> that it does not on my RHEL6 box...
> 
> Cheers,
> 
> Jesse
> 
>> Cheers,
>>
>> Jesse
>>
>> On 12/22/11 7:51 PM, Jesse Bowling wrote:
>>> On 12/22/11 5:34 PM, Scott McIntyre wrote:
>>>> Hi,
>>>>
>>>> I've enabled, I think, full packet capture in Argus, however, the
>>>> packet.out file, whilst created, remains empty.
>>>>
>>>> Short of uncommenting
>>>> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there
>>>
>>> I believe this file is only used in conjunction with the
>>> ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:
>>>
>>> ARGUS_CAPTURE_DATA_LEN=512   #set to number of bytes you want to capture
>>>
>>> This will capture the first 512 bytes of the content/user data in a
>>> stream and keep it in with the rest of the flow data...You can then view
>>> it with ra, for instance:
>>>
>>> # ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s +suser:512 +duser:512 - tcp and port 80
>>>
>>> This will show the first 512 bytes of the data from the source and
>>> destination...Be warned that capturing user data adds quite a bit of
>>> processing, which may or may not make a difference in packet drops
>>> depending on your setup.
>>>
>>> Hope that helps,
>>>
>>> Jesse
>>>
>>>> (this is with the -latest client and server)
>>>>
>>>> My thanks,
>>>>
>>>> Scott
>>>>
>>>
>>
> 
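Added example, not code from anyone in the thread: a small sh script for John's alternative of running tcpdump alone with -G rotation and feeding the finished pcap files to argus afterwards. The /pcaps and /argus directories, the function names and the rule of skipping the newest file (the one tcpdump is still writing) are assumptions of this example; the file name pattern and -s 2048 are taken from Jesse's command.

```shell
#!/bin/sh
# Added example, not code from the thread: capture once with tcpdump and run
# argus over the completed pcap files later, no fifos or tee involved.
# Assumed layout: tcpdump rotates into a pcap directory using the file name
# pattern from Jesse's command; argus output goes to a second directory with
# the same stem and an .argus suffix.

# Map a rotated pcap path to its argus output path (same stem, .argus suffix).
argus_name_for() {
    argus_dir=$1; pcap=$2
    printf '%s/%s.argus\n' "$argus_dir" "$(basename "$pcap" .pcap)"
}

# List pcap files that tcpdump has finished with. The newest file is left out
# because with -G rotation tcpdump is still writing it.
list_completed() {
    pcap_dir=$1
    newest=$(ls -t "$pcap_dir"/*.pcap 2>/dev/null | head -n 1)
    for pcap in "$pcap_dir"/*.pcap; do
        [ -f "$pcap" ] || continue
        [ "$pcap" = "$newest" ] || printf '%s\n' "$pcap"
    done
}

# Capture side: a single tcpdump writing 5-minute files.
start_capture() {
    iface=$1; pcap_dir=$2
    tcpdump -i "$iface" -s 2048 -G 300 -w "$pcap_dir/%Y_%m_%d_%H%M_test.pcap" &
    echo $!   # pid of the capture so a caller can stop it later
}

# Flow side: run argus over each completed pcap that has no argus file yet.
# Safe to run repeatedly from cron; files already converted are skipped.
process_completed() {
    pcap_dir=$1; argus_dir=$2
    list_completed "$pcap_dir" | while read -r pcap; do
        out=$(argus_name_for "$argus_dir" "$pcap")
        [ -e "$out" ] && continue
        argus -r "$pcap" -w "$out"
    done
}

# Usage: start_capture eth0 /pcaps once, then process_completed /pcaps /argus
# every few minutes.
```

The newest-file rule costs one rotation interval of latency on the flow side, which is the trade John describes when near real-time is not required.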
