Full packet capture, missing something obvious.
Carter Bullard
carter at qosient.com
Fri Dec 23 16:14:00 EST 2011
Hey Jesse,
I think your response is just a little off target. By setting the packet output file option in the argus.conf file, you're telling argus to write out packets.
Without any other configurations, argus will write out all packets into the file. You can rename the output file, or delete it, and argus will detect the file has gone and it will start another one.
By setting the capture on error variable, argus will only capture packets where argus could not process the packet.
When this works you should get at file created, and rhen packets should show up. I need to test this, it seems.
Carter
Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
On Dec 22, 2011, at 7:51 PM, Jesse Bowling <jesseb at uga.edu> wrote:
> On 12/22/11 5:34 PM, Scott McIntyre wrote:
>> Hi,
>>
>> I've enabled, I think, full packet capture in Argus, however, the
>> packet.out file, whilst created, remains empty.
>>
>> Short of uncommenting
>> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there
>
> I believe this file is only used in conjunction with the
> ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:
>
> ARGUS_CAPTURE_DATA_LEN=512 #set to number of bytes you want to capture
>
> This will capture the first 512 bytes of the content/user data in a
> stream and keep it in with the rest of the flow data...You can then view
> it with ra, for instance:
>
> # ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s
> +suser:512 +duser:512 - tcp and port 80
>
> This will show the first 512 bytes of the data from the source and
> destination...Be warned that capturing user data adds quite a bit of
> processing, which may or may not make a difference in packet drops
> depending on your setup.
>
> Hope that helps,
>
> Jesse
>
>> (this is with the -latest client and server)
>>
>> My thanks,
>>
>> Scott
>>
>
> --
> Jesse Bowling
> Security Architect::Office of Information Security::UGA
> jesseb at uga dot edu::706-542-2127
>
More information about the argus
mailing list