Extract DNS info from Flow

Matt Brown matthewbrown at gmail.com
Mon Jul 22 09:18:41 EDT 2013


You should be able to read the suser and duser info with rasqlinsert as you
would any other ra client.

radump()'s main purpose is to be an example of producing tcpdump-like
output, if I remember correctly.

If you want to simply get the protocol level info (like a log of questions
and answers) you will probably have to consider more layers... I think.


On Jul 22, 2013, at 8:59 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com>
wrote:

Thanks a lot Matt. Just one question: how can I add this info to the
database?


On Mon, Jul 22, 2013 at 4:58 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> `radump -s stime pkts suser:64  duser:64  -r /usr/ze1.argus - port domain`
>
>
>
> On Jul 22, 2013, at 8:26 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> It gives an error like:
>  radump -s stime pkts suser:64  duser:64  -r /usr/ze1.argus -port domain
> radump[6259]: 16:51:36 domain filter syntax error
>
>
>
> On Mon, Jul 22, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> To parse the user data buffers in flow records, use radump(), or the new
>> routine, radecode().
>>
>> Carter
>>
>> On Jul 22, 2013, at 7:50 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> Hi,
>>
>> I read the docs and followed the recommended steps that were given, but the
>> contents of the DNS record do not show.
>>
>>
>> On Sun, Jun 30, 2013 at 7:10 PM, David Edelman <dedelman at iname.com> wrote:
>>
>>> Rahimah,
>>>
>>> Matt is right, you really do need to check the documents and experiment
>>> a bit to get the feel for how argus and the clients work.
>>>
>>> I can save you some time with getting argus to read a pcap file and
>>> converting it to argus flow record format. You will probably not need
>>> all of the things that this set of options provides, but they are useful
>>> and worth looking up so that you understand them.
>>>
>>> When I read a pcap into argus format I always do it this way:
>>> argus -X -ACJRZm -U 2048 -r sourceFileName.pcap -w outputFileName
>>>
>>> I also make a point of creating an output file rather than piping the
>>> output to a client since my experience tells me that I use the output file
>>> many times as I refine my tactics based on information that I find.
>>>
>>> --Dave
>>>
>>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>>> On Behalf Of Matt Brown
>>> Sent: Sunday, June 30, 2013 9:17 AM
>>> To: Rahimeh Khodadadi
>>> Cc: argus-info at lists.andrew.cmu.edu
>>> Subject: Re: [ARGUS] Extract DNS info from Flow
>>>
>>> Rahimah,
>>>
>>> John's last response gives you the answer you seek:
>>> http://thread.gmane.org/gmane.network.argus/9500/focus=9502
>>>
>>> In order to capture the protocol information, you must configure a
>>> setting in a settings file.
>>>
>>> I'm responding because, like you, I was once a very inexperienced argus
>>> user, and was very confused by how to use the software.  See Carter's
>>> response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi
>>>
>>> I won't go into details about anything deep here, but will advise you to
>>> check out this page: http://qosient.com/argus/manuals.shtml
>>>
>>> On the left side, check out some of the topics under Using Argus.
>>>
>>> I can say this:
>>>
>>> argus = probe
>>>
>>> ra* client apps = "attach to" probe and do something
>>>
>>> ra* client apps = "attach to" other ra* client apps
>>>
>>> "attach to" = read from stdin (`-r -`), from the stdout (written with
>>> `-w -`) of other apps; read from binary argus data files (`-r
>>> file.argus`) produced with other apps (`-w file.argus`).
>>>
>>> Also, check out this poor diagram:
>>> http://mbrownnyc.files.wordpress.com/2013/05/argus.png
>>>
>>> And this not poor presentation:
>>> https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf
>>>
>>> So, for you, just follow what John said.  Then read the files output by
>>> whatever client.
>>>
>>> Also, keep in mind that this project and everyone on this list are doing
>>> this out of the kindness of their hearts.  Carter, the lead dev, runs a
>>> company that I believe has the sole purpose of implementing monitoring
>>> architecture, which of course includes argus.  But... he's willing to give
>>> argus and the client programs away for free!
>>>
>>> The learning curve here isn't huge, but it isn't so small that it
>>> takes no time to learn.
>>>
>>> Hope this helps,
>>>
>>> Matt Brown
>>>
>>> On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>>
>>> I have a pcap file which has been converted to an argus file, and now I
>>> want to extract DNS data from it.
>>>
>>> Please help me: what command do I write for this task?
>>>
>>> On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <
>>> gerth at graphics.stanford.edu> wrote:
>>>
>>> Did you turn on user data capture in argus itself...the default is not
>>> to capture data.
>>> The directive in /etc/argus.conf is:
>>>  ARGUS_CAPTURE_DATA_LEN=nnn
>>>
>>> also "... -udp ..." needs to be ".... - udp "
>>> --
>>> John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273
>>>
>>>
>>> On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
>>> > Hi,
>>> >
>>> > When I run such a command it doesn't work.
>>> >
>>> > radump -r /usr/zero.argus -vvv  -s suser:128  duser:128 -udp and port
>>> domain
>>> >
>>> > s[0]=""
>>> > d[0]=""
>>> >     s[0]=""
>>> > d[0]=""
>>> >     s[0]=""
>>> > d[0]=""
>>> >     s[0]=""
>>> > d[0]=""
>>> >
>>> > Please help :((
>>> >
>>> >
>>>
>>> > On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>> >
>>> >     Thanks alot,
>>> >
>>> >
>>>
>>> >     On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <
>>> matthewbrown at gmail.com> wrote:
>>> >
>>> >         Also try passivedns: https://github.com/gamelinux/passivedns
>>> >
>>> >
>>> >         Good luck,
>>> >
>>> >         Matt Brown
>>> >
>>> >
>>>
>>> >         On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>> >
>>> >             Hi Carter,
>>> >
>>> >             Please help me to know how to extract DNS info and its
>>> flags from flow?! With filtering commands I couldn't do it.
>>> >             I need it urgently,
>>> >
>>> >             Thanks in advance,
>>> >             Rahimeh
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >     --
>>> >     With Best Regards
>>> >     Rahimeh Khodadadi
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > With Best Regards
>>> > Rahimeh Khodadadi
>>> >
>>>
>>>
>>>
>>>
>>> --
>>> With Best Regards
>>> Rahimeh Khodadadi
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>


-- 
With Best Regards
Rahimeh Khodadadi
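On Matt's point that getting question/answer-level information means "more layers": the suser/duser bytes argus keeps (bounded by ARGUS_CAPTURE_DATA_LEN, or suser:N on the client) are the raw UDP payload, so turning them into a log of questions and answers takes a DNS wire-format decoder on top. The block below is an added example, not argus code and not from anyone in this thread; it decodes the header flags, questions and A answers from a constructed response, follows RFC 1035 name compression, and reports a buffer cut at N bytes as truncated instead of failing.

```python
import struct

SAMPLE_RESPONSE = (  # constructed: NOERROR reply, example.com A record, answer name as pointer 0xC00C
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"      # header: id, flags, counts
    b"\x07example\x03com\x00\x00\x01\x00\x01"                  # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # answer, TTL 3600
)


def read_name(buf, off, depth=0):
    """Return (name, next_offset), following RFC 1035 compression pointers."""
    labels = []
    while True:
        ln, off = buf[off], off + 1               # IndexError here means truncation
        if ln & 0xC0 == 0xC0:                     # 2-byte pointer to an earlier name
            if depth > 8:
                raise ValueError("pointer loop")
            ptr = (ln & 0x3F) << 8 | buf[off]     # low 14 bits are the target offset
            labels.append(read_name(buf, ptr, depth + 1)[0])
            return ".".join(l for l in labels if l), off + 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln


def parse_dns(buf):
    """Parse header, questions and answers; a cut-off buffer sets 'truncated'."""
    txid, flags, qd, an, _, _ = struct.unpack("!6H", buf[:12])
    msg = {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
           "questions": [], "answers": [], "truncated": False}
    off = 12
    try:
        for _ in range(qd):
            name, off = read_name(buf, off)
            qtype = struct.unpack("!HH", buf[off:off + 4])[0]
            msg["questions"].append((name, qtype))
            off += 4
        for _ in range(an):
            name, off = read_name(buf, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            (rdata,) = struct.unpack(f"!{rdlen}s", buf[off:off + rdlen])  # short -> struct.error
            if rtype == 1 and rdlen == 4:          # A record: render as dotted quad
                rdata = ".".join(str(b) for b in rdata)
            msg["answers"].append((name, rtype, ttl, rdata))
            off += rdlen
    except (IndexError, ValueError, struct.error):  # argus kept only the first N bytes
        msg["truncated"] = True
    return msg
```

Feeding it a 40-byte prefix of the same response (what a suser:40 capture would hold) still yields the question but marks the record truncated with no answers.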