Do you know how to read a pcap file continuously?

David Edelman dedelman at iname.com
Wed Sep 18 20:19:21 EDT 2013


I've been following this thread for a bit and I still don't understand why
you would have argus read the pcap files. It is possible to run argus in
parallel with a packet capture tool against the same packet source. 

Are the packet captures being run on one set of systems and the pcap files
being written to another system? If so, I would investigate running argus on
the collector systems and radium -> rastream on the central system. If the
packet capture is already running on the system where the files are being
stored, then this solution is simpler than reading the pcap files. 

--Dave


-----Original Message-----
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of el draco
Sent: Tuesday, September 17, 2013 8:12 AM
To: Argus
Subject: [ARGUS] Do you know how to read a pcap file continuously?

Hi list.

We need your help.
We have a lot of running pcap captures here that are storing the
packets in pcap files on the disk. These files are continuously
growing and we are using argus to analyze them.
(We cannot change and use only argus, we need the pcaps)

We want to have argus read these pcap files and generate some output
(or a server port waiting for a client or write the data to files).
But argus should run continuously without stopping, like when it is
reading packets from the network. If new packets are added to the pcap
file, we want argus to find them.

I know that you cannot use -r in argus and at the same time open a
port for listening requests.

Did any of you solve this before? How to continuously analyze a pcap file?

Also we can't run argus each time we need data, because in large files
it can take up to 5 minutes to read one pcap.

thanks a lot
sebas
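As an added illustration (not code from the argus project or from either poster), the Python script below shows what any reader has to do to follow a pcap file that a capture process is still appending to: parse the global header once, then repeatedly read complete records from the last known offset and stop at a partial record rather than treating it as corruption, because a capture tool flushes in buffered chunks and the tail of the file is usually a half-written record. The sample packets, timestamps and file path are constructed for the demo; the magic numbers and the 24-byte global header / 16-byte record header layout are the standard libpcap format.

```python
import os
import struct
import tempfile
import time

GLOBAL_HDR_LEN = 24   # libpcap file header
REC_HDR_LEN = 16      # per-packet record header: ts_sec, ts_frac, incl_len, orig_len

# magic -> (struct byte-order prefix, divisor turning the fractional field into seconds)
MAGICS = {
    0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),   # microsecond timestamps
    0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9),   # nanosecond timestamps
}


def write_global_header(fh, snaplen=65535, linktype=1):
    """Write a little-endian, microsecond pcap header (linktype 1 = Ethernet)."""
    fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))


def append_packet(fh, ts_sec, ts_usec, payload):
    """Append one complete record, the way a capture tool would."""
    fh.write(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
    fh.write(payload)
    fh.flush()


class GrowingPcapReader:
    """Incrementally reads records from a pcap file that another process keeps appending to."""

    def __init__(self, path):
        self.path = path
        self.offset = 0        # byte position of the next record not yet returned
        self.order = None      # struct prefix, learned from the magic number
        self.divisor = None

    def poll(self):
        """Return (timestamp, bytes) for every complete record added since the last poll."""
        records = []
        with open(self.path, "rb") as fh:
            if self.order is None:
                hdr = fh.read(GLOBAL_HDR_LEN)
                if len(hdr) < GLOBAL_HDR_LEN:
                    return records           # writer has not finished the header yet
                magic = struct.unpack("<I", hdr[:4])[0]
                if magic not in MAGICS:
                    raise ValueError("not a pcap file: magic 0x%08x" % magic)
                self.order, self.divisor = MAGICS[magic]
                self.offset = GLOBAL_HDR_LEN
            fh.seek(self.offset)
            while True:
                rec = fh.read(REC_HDR_LEN)
                if len(rec) < REC_HDR_LEN:
                    break                    # partial record header: wait for the writer
                ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(self.order + "IIII", rec)
                data = fh.read(incl_len)
                if len(data) < incl_len:
                    break                    # partial body: offset stays at record start
                self.offset += REC_HDR_LEN + incl_len
                records.append((ts_sec + ts_frac / self.divisor, data))
        return records


def follow(reader, interval=1.0):
    """Generator that yields records forever, sleeping when the file has not grown."""
    while True:
        batch = reader.poll()
        if not batch:
            time.sleep(interval)
        for rec in batch:
            yield rec


def demo():
    """Simulate a capture tool appending to the file between polls, including a torn record."""
    path = os.path.join(tempfile.mkdtemp(), "capture.pcap")   # constructed demo path
    with open(path, "wb") as fh:
        write_global_header(fh)
        append_packet(fh, 1379500000, 0, b"\x00" * 14 + b"first")
    reader = GrowingPcapReader(path)
    first = reader.poll()
    torn = struct.pack("<IIII", 1379500002, 0, 20, 20)
    with open(path, "ab") as fh:
        append_packet(fh, 1379500001, 500000, b"\x00" * 14 + b"second")
        fh.write(torn[:8])                    # only half of the third record header so far
    second = reader.poll()                    # must return "second" and ignore the torn tail
    with open(path, "ab") as fh:
        fh.write(torn[8:] + b"\x00" * 14 + b"third!")   # writer completes the record
    third = reader.poll()
    return [len(first), len(second), len(third)], third


if __name__ == "__main__":
    print(demo())
```

The reader deliberately re-reads from the start of an incomplete record on the next poll, so no bytes are skipped. It does not handle capture files that are rotated into new files (each new file starts with its own global header), which is the other case a long-running analyzer has to watch for.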