Extract DNS info from Flow

Matt Brown matthewbrown at gmail.com
Sun Jun 30 09:17:28 EDT 2013


Rahimah,

John's last response gives you the answer you seek:
http://thread.gmane.org/gmane.network.argus/9500/focus=9502

In order to capture the protocol information, you must configure a setting
in a settings file.

I'm responding because, like you, I was once a very inexperienced argus
user, and was very confused by how to use the software.  See Carter's
response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi

I won't go into details about anything deep here, but will advise you to
check out this page: http://qosient.com/argus/manuals.shtml

On the left side, check out some of the topics under Using Argus.

I can say this:
argus = probe
ra* client apps = "attach to" probe and do something
ra* client apps = "attach to" other ra* client apps
"attach to" = read from stdin (`-r -`), from the stdout (written with
`-w -`) of other apps; read from binary argus data files (`-r file.argus`)
produced with other apps (`-w file.argus`).

Also, check out this poor diagram:
http://mbrownnyc.files.wordpress.com/2013/05/argus.png
And this not poor presentation:
https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf


So, for you, just follow what John said.  Then read the files output by
whatever client.

Also, keep in mind that this project and everyone on this list are doing
this out of the kindness of their hearts.  Carter, the lead dev, runs a
company that, I believe, has the sole purpose of implementing monitoring
architecture, which of course includes argus.  But... he's willing to give
argus and the client programs away for free!


The learning curve here isn't huge, but it isn't so small that it takes
no time to learn.


Hope this helps,

Matt Brown

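An added example, not code from this thread or from the argus project: a small Python parser for the payload bytes argus keeps once ARGUS_CAPTURE_DATA_LEN is set and a client pulls them out with `-s suser:128 duser:128`. It decodes the DNS header flags (QR, AA, TC, RD, RA, RCODE), the question names and the A/CNAME/NS/PTR answers, and it tolerates the cut-off you get because argus stores only the first ARGUS_CAPTURE_DATA_LEN bytes of each direction. The argus/ra command lines in the docstring and the base64 encoding of the user field are assumptions, and the two sample messages are constructed by hand rather than taken from any capture.

```python
"""Decode DNS header flags, questions and answers from argus user-data bytes.

Added example, not code from the thread or the argus project.
Assumed upstream pipeline (argus.conf must set ARGUS_CAPTURE_DATA_LEN, as
John notes; ra flags as in the argus man pages, not verified here):

  argus -r capture.pcap -w flows.argus
  ra -r flows.argus -s stime saddr daddr suser:128 duser:128 - udp and port domain

The sample messages below are constructed by hand, not taken from a capture.
"""
import base64
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def from_base64(text):
    """Turn a base64 user-data field (assumed ra output encoding) into bytes."""
    return base64.b64decode(text)


def parse_name(msg, off):
    """Read a DNS name at msg[off]; return (dotted name, offset after it).

    Follows compression pointers (RFC 1035 4.1.4) and raises ValueError on
    truncation or pointer loops; a capture cut at ARGUS_CAPTURE_DATA_LEN
    bytes shows up as truncation here."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:           # 2-byte pointer into the message
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:                  # the name ends after the first pointer
                end = off + 2
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return (".".join(labels) or "."), (end if end is not None else off)


def parse_rr(msg, off):
    """Read one resource record; return ((name, type, class, ttl, value), offset)."""
    name, off = parse_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) < rdlen:
        raise ValueError("truncated rdata")
    if rtype == 1 and rdlen == 4:            # A record: dotted quad
        value = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5, 12):                # NS, CNAME, PTR: a (possibly compressed) name
        value, _ = parse_name(msg, off)
    else:
        value = rdata.hex()
    return (name, rtype, rclass, ttl, value), off + rdlen


def parse_dns(payload):
    """Parse the header plus as many questions/answers as the capture holds."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": (qd, an, ns, ar),
        "questions": [], "answers": [], "truncated_capture": False,
    }
    off = 12
    try:
        for _ in range(qd):
            name, off = parse_name(payload, off)
            qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            info["questions"].append((name, qtype, qclass))
        for _ in range(an):
            rr, off = parse_rr(payload, off)
            info["answers"].append(rr)
    except (ValueError, struct.error):       # ran off the end of the captured bytes
        info["truncated_capture"] = True
    return info


# Constructed samples: a query for example.com/A and its answer (93.184.216.34).
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
SAMPLE_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    for label, msg in (("suser", SAMPLE_QUERY), ("duser", SAMPLE_RESPONSE),
                       ("duser cut at 20 bytes", SAMPLE_RESPONSE[:20])):
        print(label, parse_dns(msg))
```

The third case in the `__main__` block is the one to watch in practice: with a small ARGUS_CAPTURE_DATA_LEN the response direction is often cut before the answer section, so check `truncated_capture` before trusting an empty answer list.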

On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi <
rahimeh.khodadadi at gmail.com> wrote:

> I have a pcap file which have been converted to argus file, and Now I want
> to extract DNS data from it.
>
> Please help me what command do I write for this task?
>
>
> On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <gerth at graphics.stanford.edu>
>  wrote:
>
>> Did you turn on user data capture in argus itself...the default is not to
>> capture data.
>> The directive in /etc/argus.conf is:
>>  ARGUS_CAPTURE_DATA_LEN=nnn
>>
>> also "... -udp ..." needs to be ".... - udp "
>> --
>> John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273
>>
>> On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
>> > Hi,
>> >
>> > When I run such a command it doesn't work.
>> >
>> > radump -r /usr/zero.argus -vvv  -s suser:128  duser:128 -udp and port
>> domain
>> >
>> > s[0]=""
>> > d[0]=""
>> >     s[0]=""
>> > d[0]=""
>> >     s[0]=""
>> > d[0]=""
>> >     s[0]=""
>> > d[0]=""
>> >
>> > Please help :((
>> >
>> >
>> > On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>> >
>> >     Thanks alot,
>> >
>> >
>> >     On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <matthewbrown at gmail.com
>>  > wrote:
>> >
>> >         Also try passivedns: https://github.com/gamelinux/passivedns
>> >
>> >
>> >         Good luck,
>> >
>> >         Matt Brown
>> >
>> >
>> >         On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi <
>> rahimeh.khodadadi at gmail.com> wrote:
>> >
>> >             Hi Carter,
>> >
>> >             Please help me to know how to extract DNS info and its
>> flags from flow?! with filtering commands I couldn't do it.
>> >             I need urgently,
>> >
>> >             Thanks in advance,
>> >             Rahimeh
>> >
>> >
>> >
>> >
>> >
>> >     --
>> >     With Best Regards
>> >     Rahimeh Khodadadi
>> >
>> >
>> >
>> >
>> > --
>> > With Best Regards
>> > Rahimeh Khodadadi
>> >
>>
>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>
>