Extract DNS info from Flow

Carter Bullard carter at qosient.com
Tue Jun 25 09:55:23 EDT 2013


Hey Rahimeh,
To capture any application payload in argus, you use the ARGUS_CAPTURE_DATA_LEN
variable in /etc/argus.conf, or use the "-U bytes" option on the command line.
This will capture flow content and place it in the flow records.  A value like
128 bytes is a good start for most DNS query capture.

Use the program radump() to print out the contents of the argus record's
user data buffer.  radump() uses tcpdump() routines to decode the
user buffer.  So look at the tcpdump.1 manpage to see how to read the output.
radump() supports a few tcpdump() options, like -v -vv.

You must tell radump() how much of the user data to decode, and for DNS
you should decode all of it.

   radump -S argus.source -vvv -s suser:128 duser:128 - udp and port domain


radump() will look just like ra() if you don't print the suser and/or duser fields.

For some transactions, your original user data capture value may not be
large enough to capture the entire DNS transaction.  If that is a problem,
increase the user data capture values.  Each transaction will capture this
amount of data, which you can remove from your archive later:

   ra -r argus.file -M dsr="-suser,-duser" -w argus.file.less.user.data

Hope this helps,
Carter



thoth:argus carter$ radump -S localhost -s suser:80 duser:128 -vv - port domain
Jun 25 09:44:43 thoth.newyork.qosient.com radump[74737] <Warning>: 2013/06/25.09:44:43.716252 connect to ::1:561 failed 'Connection refused'
                                        srcUdata                                                                                                          dstUdata                                                                  
  s[55]="33358+ [_] A? 1.courier-push-apple.com.akadns.net. (53)"                   d[101]="33358 q: A? 1.courier-push-apple.com.akadns.net. 8/10/6 1.courier-push-apple.com.akadns.net.[|domain]"                  
  s[38]="19457+ [_] A? www.wip4.adobe.com. (36)"                                    d[105]="19457 q: A? www.wip4.adobe.com. 1/3/3 www.wip4.adobe.com. A 192.150.16.64 ns: wip4.adobe.com. NS[|domain]"              
  s[64]="33656+ [_] A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. (62)"          d[118]="33656 q: A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. 1/8/8 e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net.[|domain]" 
  s[38]="18901+ [_] A? jaws.oscar.aol.com. (36)"                                    d[107]="18901 q: A? jaws.oscar.aol.com. 4/4/4 jaws.oscar.aol.com. A 205.188.100.136, jaws.oscar.aol.com. A[|domain]"            
  s[64]="33656+ [_] A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. (62)"          d[118]="33656 q: A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. 1/8/8 e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net.[|domain]" 
  s[38]="19457+ [_] A? www.wip4.adobe.com. (36)"                                    d[105]="19457 q: A? www.wip4.adobe.com. 1/3/3 www.wip4.adobe.com. A 192.150.16.64 ns: wip4.adobe.com. NS[|domain]"              
  s[64]="33656+ [_] A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. (62)"          d[118]="33656 q: A? e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net. 1/8/8 e3191.c.akamaiedge.net.0.1.cn.akamaiedge.net.[|domain]" 
  s[36]="41480+ [_] A? sync-api.box.net. (34)"                                       d[99]="41480 q: A? sync-api.box.net. 2/4/4 sync-api.box.net. A 74.112.184.75, sync-api.box.net. A[|domain]"                    
  s[39]="56266+ [_] AAAA? sync-api.box.net. (34)"                                    d[64]="56266 q: AAAA? sync-api.box.net. 0/1/0 ns: box.net. SOA[|domain]"       

Carter


On Jun 25, 2013, at 9:11 AM, Rahimeh Khodadadi <rahimeh.khodadadi at gmail.com> wrote:

> Hi Carter,
> 
> Please help me to know how to extract DNS info and its flags from flow. With filtering commands I couldn't do it.
> I need it urgently,
> 
> Thanks in advance,
> Rahimeh 
> 
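
As an added example (not part of Carter's message and not Argus code), this Python sketch parses radump rows like the ones shown above into query ID, recursion-desired flag, query type, name and response record counts, and marks rows where tcpdump's `[|domain]` marker shows the captured user data ran out. The function names are assumptions made for illustration; the two sample rows are copied from the output in this post.

```python
import re

# Two rows copied from the radump output in the post (column padding shortened).
SAMPLE = (
    '  s[38]="19457+ [_] A? www.wip4.adobe.com. (36)"   d[105]="19457 q: A? '
    'www.wip4.adobe.com. 1/3/3 www.wip4.adobe.com. A 192.150.16.64 ns: '
    'wip4.adobe.com. NS[|domain]"\n'
    '  s[39]="56266+ [_] AAAA? sync-api.box.net. (34)"   d[64]="56266 q: AAAA? '
    'sync-api.box.net. 0/1/0 ns: box.net. SOA[|domain]"\n'
)

FIELD = re.compile(r'([sd])\[(\d+)\]="([^"]*)"')   # s[len]="..." / d[len]="..."
# tcpdump query text: id, '+' (recursion desired), optional [..] token, TYPE? name
QUERY = re.compile(r'^(\d+)([+%]*)\s+(?:\[[^\]]*\]\s+)?(\w+)\?\s+(\S+)')
# tcpdump -vv response text: id, rcode/flag characters, "q: TYPE? name", an/ns/ar
RESP = re.compile(r'^(\d+)(.*?)\s+q:\s+(\w+)\?\s+(\S+)\s+(\d+)/(\d+)/(\d+)')


def parse_row(line):
    """Return a dict of DNS fields for one radump row, or None if it has none."""
    fields = {kind: text for kind, _len, text in FIELD.findall(line)}
    query = QUERY.match(fields.get("s", ""))
    resp = RESP.match(fields.get("d", ""))
    if not (query or resp):
        return None                      # header, syslog warning, non-DNS row
    # "[|domain]" means the decoder ran out of captured bytes for this record.
    rec = {"truncated": any("[|domain]" in t for t in fields.values())}
    if query:
        rec.update(id=int(query[1]), rd="+" in query[2],
                   qtype=query[3], qname=query[4])
    if resp:
        rec.update(resp_id=int(resp[1]), aa="*" in resp[2], tc="|" in resp[2],
                   answers=int(resp[5]), authority=int(resp[6]),
                   additional=int(resp[7]))
    # Sanity check: the response's transaction ID should equal the query's.
    rec["id_match"] = bool(query and resp) and rec["id"] == rec["resp_id"]
    return rec


def parse_output(text):
    """Parse every line of radump output, skipping lines with no DNS decode."""
    return [r for r in map(parse_row, text.splitlines()) if r]


if __name__ == "__main__":
    for row in parse_output(SAMPLE):
        print(row)
```

Rows reported with `truncated` set are the ones where a larger ARGUS_CAPTURE_DATA_LEN (and matching suser/duser lengths) would recover more of the answer section.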
