Extract DNS info from Flow

David Edelman dedelman at iname.com
Sun Jun 30 10:40:40 EDT 2013


Rahimah,
 
Matt is right, you really do need to check the documents and experiment a
bit to get the feel for how argus and the clients work.
 
I can save you some time with getting argus to read a pcap file and
converting it to argus flow record format. You will probably not need all of
the things that this set of options provides, but they are useful and worth
looking up so that you understand them.
 
When I read a pcap into argus format I always do it this way:
argus -X -ACJRZm -U 2048 -r sourceFileName.pcap -w outputFileName
 
I also make a point of creating an output file rather than piping the output
to a client since my experience tells me that I use the output file many
times as I refine my tactics based on information that I find.
 
--Dave
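
As an added example (not from anyone in this thread), a small POSIX shell script that ties John's and Dave's points together: it checks whether an argus.conf actually enables payload capture (the reason the DNS fields come back empty), and wraps the argus/ra command lines with the filter placed after the lone "-". The `argus` and `ra` calls assume those tools are installed; the argus.conf fragments are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: the two things the DNS extraction needs.
# 1) argus must be told to keep user (payload) bytes, via ARGUS_CAPTURE_DATA_LEN
#    in argus.conf or -U on the command line; the default keeps none.
# 2) the ra* client filter goes after a lone "-" ("- udp and port domain").

# Print the effective ARGUS_CAPTURE_DATA_LEN from an argus.conf (0 when unset
# or commented out). Only the last uncommented assignment counts.
capture_data_len() {
    len=$(sed -n 's/^[[:space:]]*ARGUS_CAPTURE_DATA_LEN[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${len:-0}"
}

# Exit 0 when payload capture is on; otherwise ra*/radump will only ever show
# empty s[0]=""/d[0]="" fields for DNS flows, as in the original post.
capture_enabled() {
    [ "$(capture_data_len "$1")" -gt 0 ]
}

# Convert a pcap to argus records the way Dave does. -U forces a user-data
# length regardless of argus.conf, so the DNS payload is retained.
pcap_to_argus() {
    argus -X -ACJRZm -U 2048 -r "$1" -w "$2"
}

# Read DNS flows back out of the argus file with the payload fields included.
dns_flows() {
    ra -r "$1" -s stime saddr daddr suser:128 duser:128 - udp and port domain
}

# Constructed argus.conf fragments (not real files from any host).
bad_conf=$(mktemp); good_conf=$(mktemp)
trap 'rm -f "$bad_conf" "$good_conf"' EXIT
cat >"$bad_conf" <<'EOF'
# stock default: payload capture disabled
#ARGUS_CAPTURE_DATA_LEN=0
EOF
cat >"$good_conf" <<'EOF'
ARGUS_CAPTURE_DATA_LEN=512
EOF

capture_enabled "$bad_conf"  || echo "capture off: DNS payload fields will be empty"
capture_enabled "$good_conf" && echo "capture on: $(capture_data_len "$good_conf") bytes per flow"
```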
 
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Matt Brown
Sent: Sunday, June 30, 2013 9:17 AM
To: Rahimeh Khodadadi
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Extract DNS info from Flow
 
Rahimah,
 
John's last response gives you the answer you seek:
http://thread.gmane.org/gmane.network.argus/9500/focus=9502
 
In order to capture the protocol information, you must configure a setting in
a settings file.
 
I'm responding because, like you, I was once a very inexperienced argus
user, and was very confused by how to use the software.  See Carter's
response: http://article.gmane.org/gmane.network.argus/8495/match=ndpi
 
I won't go into details about anything deep here, but will advise you to
check out this page: http://qosient.com/argus/manuals.shtml
 
On the left side, check out some of the topics under Using Argus.
 
I can say this:
argus = probe
ra* client apps = "attach to" probe and do something
ra* client apps = "attach to" other ra* client apps
"attach to" = read from stdin (`-r -`), from the stdout (written with `-w -`)
of other apps; read from binary argus data files (`-r file.argus`) produced
with other apps (`-w file.argus`).
 
Also, check out this poor diagram:
http://mbrownnyc.files.wordpress.com/2013/05/argus.png
And this not poor presentation:
https://www.cert.org/flocon/2010/presentations/Bullard_IntroductionToArgus.pdf
 
 
So, for you, just follow what John said.  Then read the files output by
whatever client.
 
Also, keep in mind that this project and everyone on this list are doing
this out of the kindness of their hearts.  Carter, the lead dev, runs a
company that I believe has the sole purpose of implementing monitoring
architecture, which of course includes argus.  But... he's willing to give
argus and the client programs away for free!
 
 
The learning curve here isn't huge, but it isn't so small that it takes no
time to learn.
 
 
Hope this helps,

 
Matt Brown
 
On Sun, Jun 30, 2013 at 2:55 AM, Rahimeh Khodadadi
<rahimeh.khodadadi at gmail.com> wrote:
I have a pcap file which has been converted to an argus file, and now I want
to extract DNS data from it.
Please help me: what command do I write for this task?
 
On Sun, Jun 30, 2013 at 10:45 AM, John Gerth <gerth at graphics.stanford.edu> wrote:
Did you turn on user data capture in argus itself? The default is not to
capture data.
The directive in /etc/argus.conf is:
 ARGUS_CAPTURE_DATA_LEN=nnn

also "... -udp ..." needs to be ".... - udp "
--
John Gerth      gerth at graphics.stanford.edu   Gates 378   (650) 725-3273

On 6/29/13 9:22 PM, Rahimeh Khodadadi wrote:
> Hi,
>
> When I run such a command it doesn't work.
>
> radump -r /usr/zero.argus -vvv -s suser:128 duser:128 -udp and port domain
>
> s[0]=""
> d[0]=""
>     s[0]=""
> d[0]=""
>     s[0]=""
> d[0]=""
>     s[0]=""
> d[0]=""
>
> Please help :((
>
>
> On Wed, Jun 26, 2013 at 11:52 AM, Rahimeh Khodadadi
<rahimeh.khodadadi at gmail.com> wrote:
>
>     Thanks a lot,
>
>
>     On Wed, Jun 26, 2013 at 8:12 AM, Matt Brown <matthewbrown at gmail.com> wrote:
>
>         Also try passivedns: https://github.com/gamelinux/passivedns
>
>
>         Good luck,
>
>         Matt Brown
>
>
>         On Tue, Jun 25, 2013 at 9:11 AM, Rahimeh Khodadadi
<rahimeh.khodadadi at gmail.com> wrote:
>
>             Hi Carter,
>
>             Please help me to know how to extract DNS info and its flags
from flow?! With filtering commands I couldn't do it.
>             I need it urgently,
>
>             Thanks in advance,
>             Rahimeh
>
>
>
>
>
>     --
>     With Best Regards
>     Rahimeh Khodadadi
>
>
>
>
> --
> With Best Regards
> Rahimeh Khodadadi
>



-- 
With Best Regards
Rahimeh Khodadadi