Extract DNS info from Flow
Matt Brown
matthewbrown at gmail.com
Mon Jul 22 08:28:20 EDT 2013
`radump -s stime pkts suser:64 duser:64 -r /usr/ze1.argus - port domain`
On Jul 22, 2013, at 8:26 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com>
wrote:
It gives an error like:
radump -s stime pkts suser:64 duser:64 -r /usr/ze1.argus -port domain
radump[6259]: 16:51:36 domain filter syntax error
On Mon, Jul 22, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com> wrote:
> To parse the user data buffers in flow records, use radump(), or the new
> routine, radecode().
>
> Carter
>
> On Jul 22, 2013, at 7:50 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> Hi,
>
> I read the docs and did the recommended steps that have been said. But the
> content of the DNS record does not show.
>
>
> On Sun, Jun 30, 2013 at 7:10 PM, David Edelman <dedelman at iname.com> wrote:
>
>> Rahimah,
>>
>> Matt is right, you really do need to check the documents and experiment a
>> bit to get the feel for how argus and the clients work.
>>
>> I can save you some time with getting argus to read a pcap file and
>> converting it to argus flow record format. You will probably not need
>> all of the things that this set of options provides, but they are useful
>> and worth looking up so that you understand them.
>>
>> When I read a pcap into argus format I always do it this way:
>> argus -X -ACJRZm -U 2048 -r sourceFileName.pcap -w outputFileName
>>
>> I also make a point of creating an output file rather than piping the
>> output to a client since my experience tells me that I use the output file
>> many times as I refine my tactics based on information that I find.
>>
>> --Dave
>>
>>
>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Matt Brown
>> Sent: Sunday, June 30, 2013 9:17 AM
>> To: Rahimeh Khodadadi
>> Cc: argus-info at lists.andrew.cmu.edu
>> Subject: Re: [ARGUS] Extract DNS info from Flow
>>
>>
>> Rahimah,
>>
>> John's last response gives you the answer you seek:
>> http://thread.gmane.org/gmane.network.argus/9500/focus=9502
>>
>> In order to capture the protocol information, you must configure a
>> setting in a settings file.
>>
>> I'm responding because, like you, I was once a very inexperienced argus
>> user, and was very confused by how to use the software. See Carter's
>> response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi
>>
>> I won't go into details about anything deep here, but will advise you to
>> check out this page: http://qosient.com/argus/manuals.shtml
>>
>> On the left side, check out some of the topics under Using Argus.
>>
>> I can say this:
>>
>> argus = probe
>>
>> ra* client apps = "attach to" probe and do something
>>
>> ra* client apps = "attach to" other ra* client apps
>>
>> "attach to" = read from stdin (`-r -`), from the std out (written with
>> `-w -`) from other apps; read from binary argus data files (`-r
>> file.argus`) produced with other apps (`-w file.argus`).
>>
>> Also, check out this poor diagram:
>> http://mbrownnyc.files.wordpress.com/2013/05/argus.png
>>
>> And this not poor presentation:
>> https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf
>>
>> So, for you, just follow what John said. Then read the files output by
>> whatever client.
>>
>> Also, keep in mind that this project and everyone on this list are doing
>> this out of the kindness of their hearts. Carter, the lead dev, runs a
>> company that I believe has the sole purpose of implementing monitoring
>> architecture, which of course includes argus. But... he's willing to give
>> argus and the client programs away for free!
>>
>> The learning curve here isn't huge, but it isn't so little that it
>> doesn't take any time to learn.
>>
>> Hope this helps,
>>
>> Matt Brown
>>
>>
>> On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> I have a pcap file which has been converted to an argus file, and now I
>> want to extract DNS data from it.
>>
>> Please help me, what command do I write for this task?
>>
>> On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <gerth at graphics.stanford.edu
>> > wrote:
>>
>> Did you turn on user data capture in argus itself...the default is not to
>> capture data.
>> The directive in /etc/argus.conf is:
>> ARGUS_CAPTURE_DATA_LEN=nnn
>>
>> also "... -udp ..." needs to be ".... - udp "
>> --
>> John Gerth gerth at graphics.stanford.edu Gates 378 (650) 725-3273
>>
>>
>>
>> On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
>> > Hi,
>> >
>> > When I run such a command it doesn't work.
>> >
>> > radump -r /usr/zero.argus -vvv -s suser:128 duser:128 -udp and port domain
>> >
>> > s[0]=""
>> > d[0]=""
>> > s[0]=""
>> > d[0]=""
>> > s[0]=""
>> > d[0]=""
>> > s[0]=""
>> > d[0]=""
>> >
>> > Please help :((
>> >
>> >
>>
>> > On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>> >
>> > Thanks a lot,
>> >
>> >
>>
>> > On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <matthewbrown at gmail.com
>> > wrote:
>> >
>> > Also try passivedns: https://github.com/gamelinux/passivedns
>> >
>> >
>> > Good luck,
>> >
>> > Matt Brown
>> >
>> >
>>
>> > On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>> >
>> > Hi Carter,
>> >
>> > Please help me to know how to extract DNS info and its
>> flags from flow?! with filtering commands I couldn't do it.
>> > I need urgently,
>> >
>> > Thanks in advance,
>> > Rahimeh
>> >
>> >
>> >
>> >
>> >
>> > --
>> > With Best Regards
>> > Rahimeh Khodadadi
>> >
>> >
>> >
>> >
>> > --
>> > With Best Regards
>> > Rahimeh Khodadadi
>> >
>>
>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>
--
With Best Regards
Rahimeh Khodadadi
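Once ARGUS_CAPTURE_DATA_LEN is set and radump shows non-empty suser/duser buffers for `port domain` flows, those buffers hold the raw DNS message (truncated at the capture length). The following Python is an added example, not code from this thread or from the argus distribution: it decodes the header flags (QR, opcode, AA, TC, RD, RA, RCODE) and the question section from such a payload, and reports truncation instead of silently returning partial data. The two sample messages are constructed for the example.

```python
import struct

# Constructed sample payloads (not captured from the list's files): a standard
# query for example.com/A with id 0x1234 and RD set, and its response with
# QR, RD, RA set, RCODE 0 and one answer that uses a compression pointer.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

def read_name(buf, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    for _ in range(128):                       # bounds pointer loops
        if off >= len(buf):
            raise ValueError("truncated DNS name (capture length too small?)")
        length = buf[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if end is None:
                end = off + 2                  # name continues after pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (off if end is None else end)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    raise ValueError("malformed DNS name: pointer loop or too many labels")

def decode_dns(buf):
    """Return the header flags and question section of a raw DNS message."""
    if len(buf) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    info = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar, "questions": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(buf, off)
        if off + 4 > len(buf):
            raise ValueError("truncated question section")
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        info["questions"].append((name, qtype, qclass))
    return info
```

A 64-byte suser:64 buffer is enough for the header and a typical question, but answers in the duser buffer may be cut off, which is why the decoder raises on truncation rather than guessing.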