Extract DNS info from Flow

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Mon Jul 22 07:50:47 EDT 2013


Hi,

I read the docs and followed the recommended instructions that have been said. But the
content of the DNS record does not show.


On Sun, Jun 30, 2013 at 7:10 PM, David Edelman <dedelman at iname.com> wrote:

> Rahimah,
>
> Matt is right, you really do need to check the documents and experiment a
> bit to get the feel for how argus and the clients work.
>
> I can save you some time with getting argus to read a pcap file and
> converting it to argus flow record format. You will probably not need all
> of the things that this set of options provides, but they are useful and
> worth looking up so that you understand them.
>
> When I read a pcap into argus format I always do it this way:
>
>     argus -X -ACJRZm -U 2048 -r sourceFileName.pcap -w outputFileName
>
> I also make a point of creating an output file rather than piping the
> output to a client since my experience tells me that I use the output file
> many times as I refine my tactics based on information that I find.
>
> --Dave
>
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Matt Brown
> Sent: Sunday, June 30, 2013 9:17 AM
> To: Rahimeh Khodadadi
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Extract DNS info from Flow
>
>
> Rahimah,
>
> John's last response gives you the answer you seek:
> http://thread.gmane.org/gmane.network.argus/9500/focus=9502
>
> In order to capture the protocol information, you must configure a setting
> in a settings file.
>
> I'm responding because, like you, I was once a very inexperienced argus
> user, and was very confused by how to use the software.  See Carter's
> response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi
>
> I won't go into details about anything deep here, but will advise you to
> check out this page: http://qosient.com/argus/manuals.shtml
>
> On the left side, check out some of the topics under Using Argus.
>
> I can say this:
>
> argus = probe
>
> ra* client apps = "attach to" probe and do something
>
> ra* client apps = "attach to" other ra* client apps
>
> "attach to" = read from stdin (`-r -`), from the std out (written with
> `-w -`) from other apps; read from binary argus data files (`-r
> file.argus`) produced with other apps (`-w file.argus`).
>
> Also, check out this poor diagram:
> http://mbrownnyc.files.wordpress.com/2013/05/argus.png
>
> And this not poor presentation:
> https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf
>
> So, for you, just follow what John said.  Then read the files output by
> whatever client.
>
> Also, keep in mind that this project and everyone on this list are doing
> this out of the kindness of their hearts.  Carter, the lead dev, runs a
> company that I believe has the sole purpose of implementing monitoring
> architecture, which of course includes argus.  But... he's willing to give
> argus and the client programs away for free!
>
> The learning curve here isn't huge, but it isn't so little that it doesn't
> take no time to learn.
>
> Hope this helps,
>
> Matt Brown
>
>
> On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> I have a pcap file which has been converted to an argus file, and now I want
> to extract DNS data from it.
> Please help me: what command do I write for this task?
>
> On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <gerth at graphics.stanford.edu
> > wrote:
>
> Did you turn on user data capture in argus itself...the default is not to
> capture data.
> The directive in /etc/argus.conf is:
>  ARGUS_CAPTURE_DATA_LEN=nnn
>
> also "... -udp ..." needs to be ".... - udp "
> --
> John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273
>
>
> On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
> > Hi,
> >
> > When I run such a command it doesn't work.
> >
> > radump -r /usr/zero.argus -vvv -s suser:128 duser:128 -udp and port domain
> >
> > s[0]=""
> > d[0]=""
> >     s[0]=""
> > d[0]=""
> >     s[0]=""
> > d[0]=""
> >     s[0]=""
> > d[0]=""
> >
> > Please help :((
> >
> >
>
> > On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
> >
> >     Thanks alot,
> >
> >
>
> >     On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <matthewbrown at gmail.com> wrote:
> >
> >         Also try passivedns: https://github.com/gamelinux/passivedns
> >
> >
> >         Good luck,
> >
> >         Matt Brown
> >
> >
>
> >         On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
> >
> >             Hi Carter,
> >
> >             Please help me to know how to extract DNS info and its flags
> from flow?! with filtering commands I couldn't do it.
> >             I need urgently,
> >
> >             Thanks in advance,
> >             Rahimeh
> >
> >
> >
> >
> >
> >     --
> >     With Best Regards
> >     Rahimeh Khodadadi
> >
> >
> >
> >
> > --
> > With Best Regards
> > Rahimeh Khodadadi
> >
>
>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>


-- 
With Best Regards
Rahimeh Khodadadi
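The thread above boils down to one configuration check and two commands: argus keeps no payload unless ARGUS_CAPTURE_DATA_LEN is set in argus.conf (so suser/duser come back empty), the pcap is converted with argus -r ... -w ..., and radump's filter must follow a lone "-" ("- udp", not "-udp"). The POSIX shell script below is an added example, not code from the thread or from the argus project: it parses a constructed sample argus.conf for the directive, treats a missing, commented-out or placeholder value ("nnn") as zero, and only then prints the conversion and extraction commands. The file names trace.pcap and trace.argus and the sample config contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or the argus project: check that an
# argus.conf actually enables user-data capture before expecting DNS payload
# in flow records, then print the conversion and extraction commands the
# thread describes. File names (trace.pcap, trace.argus) and the sample
# argus.conf contents are constructed for illustration.

# Write a constructed sample argus.conf. mode "off" leaves the directive
# commented out (the situation that yields empty s[0]="" / d[0]="" in
# radump); mode "on" sets it to 128 bytes.
write_sample_conf() {
    out="$1"
    mode="$2"
    {
        echo '# argus.conf (constructed sample, not a real file)'
        echo 'ARGUS_FLOW_STATUS_INTERVAL=5'
        if [ "$mode" = on ]; then
            echo 'ARGUS_CAPTURE_DATA_LEN=128'
        else
            echo '#ARGUS_CAPTURE_DATA_LEN=nnn'
        fi
    } > "$out"
}

# Print the effective ARGUS_CAPTURE_DATA_LEN from a config file: the last
# uncommented assignment wins; a missing, commented-out or non-numeric value
# (such as the literal "nnn" placeholder) counts as 0, i.e. no payload kept.
capture_data_len() {
    conf="$1"
    val=$(grep -E '^[[:space:]]*ARGUS_CAPTURE_DATA_LEN[[:space:]]*=' "$conf" \
          | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]')
    case "$val" in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$val" ;;
    esac
}

# Return 0 when payload capture is on, 1 (with a warning) when it is not.
check_capture_enabled() {
    len=$(capture_data_len "$1")
    if [ "$len" -gt 0 ]; then
        echo "ok: ARGUS_CAPTURE_DATA_LEN=$len, suser/duser will carry DNS bytes"
        return 0
    fi
    echo "warning: ARGUS_CAPTURE_DATA_LEN unset or 0 in $1; radump will show s[0]=\"\"" >&2
    return 1
}

# pcap -> argus conversion as Dave runs it, writing a file instead of piping.
convert_cmd() {
    echo "argus -X -ACJRZm -U 2048 -r $1 -w $2"
}

# DNS extraction. Options stop at the lone "-" and the filter follows it,
# which is John's "- udp" correction of "-udp".
dns_dump_cmd() {
    echo "radump -r $1 -s suser:128 duser:128 - udp and port domain"
}

main() {
    tmp=$(mktemp)
    write_sample_conf "$tmp" off
    check_capture_enabled "$tmp" || echo "fix $tmp and restart argus first" >&2
    write_sample_conf "$tmp" on
    if check_capture_enabled "$tmp"; then
        convert_cmd trace.pcap trace.argus
        dns_dump_cmd trace.argus
    fi
    rm -f "$tmp"
}
main
```

Run it with sh; it only builds and prints the command strings, so it works on a machine without argus installed. Point capture_data_len at the real /etc/argus.conf to verify a probe before spending time on client filters, and remember that the running argus must be restarted after the directive changes, since the value is read at startup.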