Extract DNS info from Flow

Rahimeh Khodadadi rahimeh.khodadadi at gmail.com
Mon Jul 22 09:25:39 EDT 2013


But it doesn't work in rasqlinsert?!!
In your opinion, what can I do to get protocol-level info?
I'm new to argus, please help with a command.

thanks


On Mon, Jul 22, 2013 at 5:48 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> You should be able to read the suser and duser info with rasqlinsert as
> you would any other ra client.
>
> radump()'s main purpose is to be an example of outputting tcpdump like
> output, if I remember correctly.
>
> If you want to simply get the protocol level info (like a log of questions
> and answers) you will probably have to consider more layers... I think.
>
>
> On Jul 22, 2013, at 8:59 AM, Rahimeh Khodadadi <
> rahimeh.khodadadi at gmail.com> wrote:
>
> Thanks a lot Matt, I just have a question: how can I add this info to the
> database??
>
>
> On Mon, Jul 22, 2013 at 4:58 PM, Matt Brown <matthewbrown at gmail.com> wrote:
>
>> `radump -s stime pkts suser:64  duser:64  -r /usr/ze1.argus - port domain`
>>
>>
>>
>> On Jul 22, 2013, at 8:26 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>>
>> It gives an error like:
>>  radump -s stime pkts suser:64  duser:64  -r /usr/ze1.argus -port domain
>> radump[6259]: 16:51:36 domain filter syntax error
>>
>>
>>
>> On Mon, Jul 22, 2013 at 4:36 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> To parse the user data buffers in flow records, use radump(), or the new
>>> routine, radecode().
>>>
>>> Carter
>>>
>>> On Jul 22, 2013, at 7:50 AM, Rahimeh Khodadadi <
>>> rahimeh.khodadadi at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I read the docs and did the recommended orders that have been said. But the
>>> content of the DNS record does not show.
>>>
>>>
>>> On Sun, Jun 30, 2013 at 7:10 PM, David Edelman <dedelman at iname.com> wrote:
>>>
>>>> Rahimah,
>>>>
>>>> Matt is right, you really do need to check the documents and experiment
>>>> a bit to get the feel for how argus and the clients work.
>>>>
>>>> I can save you some time with getting argus to read a pcap file and
>>>> converting it to argus flow record format. You will probably not need
>>>> all of the things that this set of options provides, but they are useful
>>>> and worth looking up so that you understand them.
>>>>
>>>> When I read a pcap into argus format I always do it this way:
>>>> `argus -X -ACJRZm -U 2048 -r sourceFileName.pcap -w outputFileName`
>>>>
>>>> I also make a point of creating an output file rather than piping the
>>>> output to a client since my experience tells me that I use the output file
>>>> many times as I refine my tactics based on information that I find.
>>>>
>>>> --Dave
>>>>
>>>> *From:* argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu[mailto:
>>>> argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] *On Behalf
>>>> Of *Matt Brown
>>>> *Sent:* Sunday, June 30, 2013 9:17 AM
>>>> *To:* Rahimeh Khodadadi
>>>> *Cc:* argus-info at lists.andrew.cmu.edu
>>>> *Subject:* Re: [ARGUS] Extract DNS info from Flow
>>>>
>>>> Rahimah,
>>>>
>>>> John's last response gives you the answer you seek:
>>>> http://thread.gmane.org/gmane.network.argus/9500/focus=9502
>>>>
>>>> In order to capture the protocol information, you must configure a
>>>> setting in a settings file.
>>>>
>>>> I'm responding because, like you, I was once a very inexperienced argus
>>>> user, and was very confused by how to use the software.  See Carter's
>>>> response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi
>>>>
>>>> I won't go into details about anything deep here, but will advise you
>>>> to check out this page: http://qosient.com/argus/manuals.shtml
>>>>
>>>> On the left side, check out some of the topics under Using Argus.
>>>>
>>>> I can say this:
>>>>
>>>> argus = probe
>>>>
>>>> ra* client apps = "attach to" probe and do something
>>>>
>>>> ra* client apps = "attach to" other ra* client apps
>>>>
>>>> "attach to" = read from stdin (`-r -`), from the std out (written with
>>>> `-w -`) from other apps; read from binary argus data files (`-r
>>>> file.argus`) produced with other apps (`-w file.argus`).
>>>>
>>>> Also, check out this poor diagram:
>>>> http://mbrownnyc.files.wordpress.com/2013/05/argus.png
>>>>
>>>> And this not poor presentation:
>>>> https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf
>>>>
>>>> So, for you, just follow what John said.  Then read the files output by
>>>> whatever client.
>>>>
>>>> Also, keep in mind that this project and everyone on this list are
>>>> doing this out of the kindness of their hearts.  Carter, the lead dev, runs
>>>> a company that I believe has the sole purpose of implementing monitoring
>>>> architecture, which of course includes argus.  But... he's willing to give
>>>> argus and the client programs away for free!
>>>>
>>>> The learning curve here isn't huge, but it isn't so little that it
>>>> doesn't take no time to learn.
>>>>
>>>> Hope this helps,
>>>>
>>>> Matt Brown
>>>>
>>>> On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi <
>>>> rahimeh.khodadadi at gmail.com> wrote:
>>>>
>>>> I have a pcap file which has been converted to an argus file, and now I
>>>> want to extract DNS data from it.
>>>>
>>>> Please help me, what command do I write for this task?
>>>>
>>>> On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <
>>>> gerth at graphics.stanford.edu> wrote:
>>>>
>>>> Did you turn on user data capture in argus itself...the default is not
>>>> to capture data.
>>>> The directive in /etc/argus.conf is:
>>>>  ARGUS_CAPTURE_DATA_LEN=nnn
>>>>
>>>> also "... -udp ..." needs to be ".... - udp "
>>>> --
>>>> John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273
>>>>
>>>>
>>>> On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
>>>> > Hi,
>>>> >
>>>> > When I run such a command it doesn't work.
>>>> >
>>>> > radump -r /usr/zero.argus -vvv  -s suser:128  duser:128 -udp and port domain
>>>> >
>>>> > s[0]=""
>>>> > d[0]=""
>>>> >     s[0]=""
>>>> > d[0]=""
>>>> >     s[0]=""
>>>> > d[0]=""
>>>> >     s[0]=""
>>>> > d[0]=""
>>>> >
>>>> > Please help :((
>>>> >
>>>> >
>>>> > On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>> >
>>>> >     Thanks a lot,
>>>> >
>>>> >     On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>>>> >
>>>> >         Also try passivedns: https://github.com/gamelinux/passivedns
>>>> >
>>>> >
>>>> >         Good luck,
>>>> >
>>>> >         Matt Brown
>>>> >
>>>> >
>>>> >         On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:
>>>> >
>>>> >             Hi Carter,
>>>> >
>>>> >             Please help me to know how to extract DNS info and its flags from flow?! With filtering commands I couldn't do it.
>>>> >             I need urgently,
>>>> >
>>>> >             Thanks in advance,
>>>> >             Rahimeh
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >     --
>>>> >     With Best Regards
>>>> >     Rahimeh Khodadadi
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > With Best Regards
>>>> > Rahimeh Khodadadi
>>>> >
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> With Best Regards
>>>> Rahimeh Khodadadi
>>>>
>>>>
>>>
>>>
>>> --
>>> With Best Regards
>>> Rahimeh Khodadadi
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Rahimeh Khodadadi
>>
>>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>


-- 
With Best Regards
Rahimeh Khodadadi
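
Added example, not part of the original thread and not argus project code: a Python decoder for the DNS header flags and first question found in the leading bytes of a UDP port 53 payload, which is what the `suser`/`duser` user data buffers discussed above hold once user data capture is enabled. It assumes the buffer has already been converted to raw bytes and that the transport is UDP (DNS over TCP puts a 2-byte length prefix first); the function name and the sample message are constructed for illustration.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

# Constructed sample: a standard query for example.com, type A, RD set.
SAMPLE_QUERY = bytes.fromhex(
    "1a2b01000001000000000000"               # id, flags, QD=1, AN=NS=AR=0
    "076578616d706c6503636f6d00" "00010001"  # qname, qtype=A, qclass=IN
)

def decode_dns_prefix(buf: bytes) -> dict:
    """Decode DNS header flags and the first question from a payload prefix.

    The capture length may cut the message short, so a partial question
    is reported as complete=False instead of raising.
    """
    if len(buf) < 12:
        raise ValueError("fewer than 12 bytes: no full DNS header captured")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    info = {
        "id": ident,
        "qr": "response" if flags & 0x8000 else "query",
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
        "qname": None, "qtype": None, "complete": qd == 0,
    }
    labels, pos = [], 12
    while qd:
        if pos >= len(buf):
            return info                      # ran out of captured bytes
        n = buf[pos]
        pos += 1
        if n == 0:
            break                            # root label ends the name
        if n > 63 or pos + n > len(buf):
            return info                      # pointer/invalid label, or cut off
        labels.append(buf[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if qd and pos + 4 <= len(buf):
        qtype, _qclass = struct.unpack("!2H", buf[pos:pos + 4])
        info.update(qname=".".join(labels) or ".", complete=True,
                    qtype=QTYPES.get(qtype, str(qtype)))
    return info
```

A capture length shorter than the header plus the query name yields `complete=False`, which is the signal to raise the user data capture length before re-reading the pcap.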