Full packet capture, missing something obvious.

Jeffrey Everling jeffrey.everling at surfnet.nl
Fri Jun 15 06:30:29 EDT 2012


Dear Carter,

A while ago I followed the following tutorial:
http://www.team-cymru.org/Services/darknets.html

With their sample config I was able to get a separate file for the pcap.

But now I am installing a fresh FreeBSD 9.0 system with argus 3.04
(tried 3.06 but did not help), but no matter what I try the packet
capture file isn't showing up.

In my config I use these settings. Am I missing something or am I doing
something wrong here? I tried removing the settings with a * behind them
without results.

ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=5
ARGUS_ACCESS_PORT=2002
ARGUS_INTERFACE=bge1
ARGUS_OUTPUT_FILE=/var/log/argus/argus-id5-log
ARGUS_SET_PID=yes
ARGUS_GO_PROMISCUOUS=yes
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_RESPONSE_TIME_DATA=yes *
ARGUS_GENERATE_JITTER_DATA=yes *
ARGUS_GENERATE_MAC_DATA=no
ARGUS_CAPTURE_DATA_LEN=1518 *
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER="" *
ARGUS_PACKET_CAPTURE_FILE=/var/log/argus/argus-id5-tcpdump

I've also tried to use tcpdump and this works, so I really am receiving
data.

Maybe you can point me in the right direction.

Greetings, Jeffrey Everling


On 23-12-2011 10:14 PM, Carter Bullard wrote:
> Hey Jesse,
> I think your response is just a little off target.  By setting the packet output file option in the argus.conf file, you're telling argus to write out packets.  
> Without any other configurations, argus will write out all packets into the file.  You can rename the output file, or delete it, and argus will detect the file has gone and it will start another one.
> 
> By setting the capture on error variable, argus will only capture packets where argus could not process the packet.
> 
> When this works you should get a file created, and then packets should show up.  I need to test this, it seems.
> 
> Carter
> 
> 
> Carter Bullard, QoSient, LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
> 
> On Dec 22, 2011, at 7:51 PM, Jesse Bowling <jesseb at uga.edu> wrote:
> 
>> On 12/22/11 5:34 PM, Scott McIntyre wrote:
>>> Hi,
>>>
>>> I've enabled, I think, full packet capture in Argus, however, the
>>> packet.out file, whilst created, remains empty.
>>>
>>> Short of uncommenting
>>> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there
>>
>> I believe this file is only used in conjunction with the
>> ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:
>>
>> ARGUS_CAPTURE_DATA_LEN=512 #set to number of bytes you want to capture
>>
>> This will capture the first 512 bytes of the content/user data in a
>> stream and keep it in with the rest of the flow data...You can then view
>> it with ra, for instance:
>>
>> # ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s
>> +suser:512 +duser:512 - tcp and port 80
>>
>> This will show the first 512 bytes of the data from the source and
>> destination...Be warned that capturing user data adds quite a bit of
>> processing, which may or may not make a difference in packet drops
>> depending on your setup.
>>
>> Hope that helps,
>>
>> Jesse
>>
>>> (this is with the -latest client and server)
>>>
>>> My thanks,
>>>
>>> Scott
>>>
>>
>> -- 
>> Jesse Bowling
>> Security Architect::Office of Information Security::UGA
>> jesseb at uga dot edu::706-542-2127
>>
> 


-- 
Kind regards,


Jeffrey Everling
SURFnet B.V.

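A small troubleshooting helper, added here and not part of the thread or of the argus project: it reads an argus.conf, pulls out the packet-capture settings the thread is about (ARGUS_PACKET_CAPTURE_FILE and ARGUS_PACKET_CAPTURE_ON_ERROR), and checks that the directory the packet file would land in exists and is writable by the user running argus. The sample config is constructed from the settings Jeffrey lists (the "*" markers in his mail are not argus syntax and are left out); the script assumes a POSIX sh with sed, dirname, mktemp and id available.

```shell
#!/bin/sh
# Constructed sample argus.conf, built from the settings quoted in the thread
# (the trailing "*" markers in the mail are not argus syntax and are dropped).
ARGUS_CONF_SAMPLE='ARGUS_DAEMON=yes
ARGUS_MONITOR_ID=5
ARGUS_INTERFACE=bge1
ARGUS_OUTPUT_FILE=/var/log/argus/argus-id5-log
ARGUS_CAPTURE_DATA_LEN=1518   # bytes of user data kept with the flow record
ARGUS_FILTER=""
ARGUS_PACKET_CAPTURE_FILE=/var/log/argus/argus-id5-tcpdump'

# argus_conf_get CONF KEY: print the value of KEY (last assignment wins),
# with any trailing "# comment" and surrounding double quotes stripped.
argus_conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# check_packet_capture CONF: report the packet-capture related settings and
# verify that the packet file's directory can actually be written to.
# Returns 0 if a packet file is configured and its directory is writable,
# 1 if no packet file is configured, 2 if the directory is missing,
# 3 if the directory exists but is not writable by the current user.
check_packet_capture() {
    pcap=$(argus_conf_get "$1" ARGUS_PACKET_CAPTURE_FILE)
    onerr=$(argus_conf_get "$1" ARGUS_PACKET_CAPTURE_ON_ERROR)
    if [ -z "$pcap" ]; then
        echo "ARGUS_PACKET_CAPTURE_FILE is not set; argus has no packet file to write"
        return 1
    fi
    echo "packet capture file: $pcap"
    echo "ARGUS_PACKET_CAPTURE_ON_ERROR: ${onerr:-(unset)}"
    dir=$(dirname "$pcap")
    if [ ! -d "$dir" ]; then
        echo "directory $dir does not exist; argus cannot create $pcap"
        return 2
    fi
    if [ ! -w "$dir" ]; then
        echo "directory $dir is not writable by $(id -un)"
        return 3
    fi
    echo "directory $dir exists and is writable"
    return 0
}

# Stand-alone demo: write the sample config to a temp file and check it.
conf=$(mktemp "${TMPDIR:-/tmp}/argus-conf.XXXXXX")
printf '%s\n' "$ARGUS_CONF_SAMPLE" > "$conf"
check_packet_capture "$conf" || echo "check failed with status $?"
rm -f "$conf"
```

Run it against the real /etc/argus.conf (or wherever argus reads its config) as the same user argus runs as; a status of 2 or 3 means the missing file is a filesystem problem rather than an argus option.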