Extract DNS info from Flow

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Mon Jul 22 08:59:12 EDT 2013 

Thanksss alot Mattt, Just I have a question what can I add to database this
infos??


On Mon, Jul 22, 2013 at 4:58 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> `radump -s stime pkts suser:64  duser:64  -r /usr/ze1.argus - port domain`
>
>
>
> On Jul 22, 2013, at 8:26 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> It gives an error like:
>  radump -s stime pkts suser:64  duser:64  -r /usr/ze1.argus -port domain
> radump[6259]: 16:51:36 domain filter syntax error
>
>
>
> On Mon, Jul 22, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com>wrote:
>
>> To parse the user data buffers in flow records, use radump(), or the new
>> routine, radecode().
>>
>> Carter
>>
>> On Jul 22, 2013, at 7:50 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> Hi,
>>
>> I red the docs and do the recommend orders that have been said. But the
>> contain of dns record does not show.
>>
>>
>> On Sun, Jun 30, 2013 at 7:10 PM, David Edelman <dedelman at iname.com>wrote:
>>
>>> Rahimah,****
>>>
>>> ** **
>>>
>>> Matt is right, you really do need to check the documents and experiment
>>> a bit to get the feel for how argus and the clients work.****
>>>
>>> ** **
>>>
>>> I can save you some time with getting argus to read a pcap file and
>>> converting it to argus flow record format. You will probably not need
>>> all of the things that this set of options provides, but they are useful
>>> and worth looking up so that you understand them.****
>>>
>>> ** **
>>>
>>> When I read a pcap into argus format I always do it this way: argus -X -
>>> ACJRZm -U 2048  -r sourceFileName.pcap -w outputFileName****
>>>
>>> ** **
>>>
>>> I also make a point of creating an output file rather than piping the
>>> output to a client since my experience tells me that I use the output file
>>> many times as I refine my tactics based on information that I find.****
>>>
>>> ** **
>>>
>>> --Dave****
>>>
>>> ** **
>>>
>>> *From:* argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu[mailto:
>>> argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] *On Behalf
>>> Of *Matt Brown
>>> *Sent:* Sunday, June 30, 2013 9:17 AM
>>> *To:* Rahimeh Khodadadi
>>> *Cc:* argus-info at lists.andrew.cmu.edu
>>> *Subject:* Re: [ARGUS] Extract DNS info from Flow****
>>>
>>> ** **
>>>
>>> Rahimah,****
>>>
>>> ** **
>>>
>>> John's last response give you the answer you seek:
>>> http://thread.gmane.org/gmane.network.argus/9500/focus=9502****
>>>
>>> ** **
>>>
>>> In order to capture the protocol information, you must configure a
>>> setting a settings file.****
>>>
>>> ** **
>>>
>>> I'm responding because, like you, I was once a very inexperienced argus
>>> user, and was very confused by how to use the software.  See Carter's
>>> response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi**
>>> **
>>>
>>> ** **
>>>
>>> I won't go into details about anything deep here, but will advise you to
>>> check out this page: http://qosient.com/argus/manuals.shtml****
>>>
>>> ** **
>>>
>>> On the left side, check out some of the topics under Using Argus.****
>>>
>>> ** **
>>>
>>> I can say this:****
>>>
>>> argus = probe****
>>>
>>> ra* client apps = "attach to" probe and do something****
>>>
>>> ra* client apps = "attach to" other ra* client apps****
>>>
>>> "attach to" = read from stdin (`-r -`) , from the std out (written with
>>> `-w -`) from other apps; read from binary argus data files (`-r
>>> file.argus`) produced with other apps (`-w file.argus`). ****
>>>
>>> ** **
>>>
>>> Also, check out this poor diagram:
>>> http://mbrownnyc.files.wordpress.com/2013/05/argus.png****
>>>
>>> And this not poor presentation:
>>> https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf
>>> ****
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> So, for you, just follow what John said.  Then read the files output by
>>> whatever client.****
>>>
>>> ** **
>>>
>>> Also, keep in mind that this project and everyone on this list are doing
>>> this out of the kindness of their hearts.  Carter, the lead dev, runs a
>>> company that I believe the the sole purpose of implementing monitoring
>>> architecture, which of course includes argus.  But... he's willing to give
>>> argus and the client programs away for free!****
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> The learning curve here isn't huge, but it isn't so little that it
>>> doesn't take no time to learn.****
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> Hope this helps,
>>> ****
>>>
>>> ** **
>>>
>>> Matt Brown****
>>>
>>> ** **
>>>
>>> On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:****
>>>
>>> I have a pcap file which have been converted to argus file, and Now I
>>> want to extract DNS data from it.****
>>>
>>> Please help me what command do I write for this task?****
>>>
>>> ** **
>>>
>>> On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <
>>> gerth at graphics.stanford.edu> wrote:****
>>>
>>> Did you turn on user data capture in argus itself...the default is not
>>> to capture data.
>>> The directive in /etc/argus.conf is:
>>>  ARGUS_CAPTURE_DATA_LEN=nnn
>>>
>>> also "... -udp ..." needs to be ".... - udp "
>>> --
>>> John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273*
>>> ***
>>>
>>>
>>> On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
>>> > Hi,
>>> >
>>> > When I run such a command it doesn't work.
>>> >
>>> > radump -r /usr/zero.argus -vvv  -s suser:128  duser:128 -udp and port
>>> domain
>>> >
>>> > s[0]=""
>>> > d[0]=""
>>> >     s[0]=""
>>> > d[0]=""
>>> >     s[0]=""
>>> > d[0]=""
>>> >     s[0]=""
>>> > d[0]=""
>>> >
>>> > Please help :((
>>> >
>>> >****
>>>
>>> > On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com <mailto:rahimeh.khodadadi at gmail.com>> wrote:
>>> >
>>> >     Thanks alot,
>>> >
>>> >****
>>>
>>> >     On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <
>>> matthewbrown at gmail.com <mailto:matthewbrown at gmail.com>> wrote:
>>> >
>>> >         Also try passivedns: https://github.com/gamelinux/passivedns
>>> >
>>> >
>>> >         Good luck,
>>> >
>>> >         Matt Brown
>>> >
>>> >****
>>>
>>> >         On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com <mailto:rahimeh.khodadadi at gmail.com>> wrote:
>>> >
>>> >             Hi Carter,
>>> >
>>> >             Please help me to know how to extract DNS info and its
>>> flags from flow?! with filtering commands I couldn't do it.
>>> >             I need urgently,
>>> >
>>> >             Thanks in advance,
>>> >             Rahimeh
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >     --
>>> >     With Best Regards
>>> >     Rahimeh Khodadadi
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > With Best Regards
>>> > Rahimeh Khodadadi
>>> >****
>>>
>>>
>>>
>>>
>>> --
>>> With Best Regards
>>> Rahimeh Khodadadi****
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>


-- 
With Best Regards
Rahimeh Khodadadi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130722/72426d80/attachment.html>

More information about the argus mailing list