Do you know how to read a pcap file continuously?

David Edelman dedelman at iname.com
Thu Sep 19 15:28:58 EDT 2013


On Virtualbox you can create an internal network interface that will only
"speak" with other virtualbox instances. I have a few configurations where I
run one VM that runs a Linux instance with radium and all of the argus
clients. Argii on other VMs provide data to radium for subsequent
disposition. 

--Dave


-----Original Message-----
From: el draco [mailto:eldraco at gmail.com] 
Sent: Thursday, September 19, 2013 2:28 PM
To: jimr at highwire.stanford.edu
Cc: David Edelman; Argus
Subject: Re: [ARGUS] Do you know how to read a pcap file continuously?

Hi list. Sorry for my late reply, I was traveling.

Carter: I would vote up for a simple approach, similar to what argus
does today, so people do not get confused with the new functionality
or find a different behavior.
- If the file is not there, exit with an error.
- If the file is there but empty, then just wait and continue.
- If the file is deleted during runtime, exit with an error.

This way we force the users to start argus again conscientiously when
they change the pcap file.
I'm not into the internals of argus, but I imagine that a problem that
could arise if argus does not exit when the file is deleted is that
the internal state of the argus flows may be difficult to continue in the
new file. What if the new file has totally different packets?

I can test it as soon as you send it.

David and James: Thanks for your support. I didn't want to give too
much boring information before but I can tell you more. We are
managing a long-run malware capture facility. Long run means running
the malware (botnets in fact) for 1 or more months. However, because of
university restrictions we are forced to use NATed network devices on
VirtualBox. That means that the only way to ONLY capture the
traffic of each VM is to have VirtualBox capture the traffic for us.
That means using --nictrace
(https://www.virtualbox.org/wiki/Network_tips) to create a pcap file
with each guest's traffic. Then, we can not run argus directly to
capture the guests' flows.
Finally, the argus files are labeled with ralabel, but the pcap files
are needed to find out and verify those labels manually.

Hope it helps
sebas

On Thu, Sep 19, 2013 at 3:23 PM, James A. Robinson
<jimr at highwire.stanford.edu> wrote:
> I don't know the details, but the original poster stated that "We can not
> change and use only argus, we need the pcaps".  I could easily imagine
> a social vs. technical problem with running argus, e.g., some person in
> charge has paperwork indicating that a pcap generating tool has been
> fully audited by their internal security group, and so they've decided
> that's the only packet capturing tool they will allow.
>
> Jim
>
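One way to model the file-handling policy proposed in the thread above (missing file is an error, empty file means wait, deleted file is an error), as an added example that is not argus code and not from anyone on the list. It is a tail-style reader for the classic pcap format that a VirtualBox --nictrace writer appends to; the function names, the polling interval, the 256 KiB sanity cap on a record and the demo scenario are all assumptions made for this example.

```python
import os
import struct
import tempfile
import threading
import time

GLOBAL_HDR_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
MAX_PACKET = 262144   # assumed sanity cap on incl_len; larger means a corrupt header
# magic as read with "<I" -> (byte order of the records, timestamp fraction divisor)
MAGICS = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
          0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}


def build_pcap(packets, linktype=1):
    """Build a little-endian, microsecond-resolution pcap image (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, payload in enumerate(packets):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(payload), len(payload)) + payload
    return out


def _wait(path, inode, poll):
    """Sleep one poll interval, then verify the file we opened still exists unchanged."""
    time.sleep(poll)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise RuntimeError("capture file %s was deleted" % path)
    if st.st_ino != inode:
        raise RuntimeError("capture file %s was replaced by a new file" % path)


def follow_pcap(path, poll=0.05, idle_limit=None):
    """Yield (timestamp, packet_bytes) from a pcap file that is still being written.

    Hypothetical policy (not argus's own): missing file -> FileNotFoundError;
    empty or partially written file -> wait; deleted or replaced file -> RuntimeError.
    idle_limit (seconds with no new data) makes the generator stop instead of waiting forever.
    """
    if not os.path.exists(path):
        raise FileNotFoundError(path)
    inode = os.stat(path).st_ino
    idle = 0.0
    with open(path, "rb", buffering=0) as fh:   # unbuffered: reads past EOF see appended data
        hdr = b""
        while len(hdr) < GLOBAL_HDR_LEN:        # empty file: wait for the global header
            hdr += fh.read(GLOBAL_HDR_LEN - len(hdr))
            if len(hdr) < GLOBAL_HDR_LEN:
                if idle_limit is not None and idle >= idle_limit:
                    return
                _wait(path, inode, poll)
                idle += poll
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic not in MAGICS:
            raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
        endian, ts_div = MAGICS[magic]
        buf = b""
        while True:
            chunk = fh.read(65536)
            if not chunk:                       # at EOF: nothing new yet, poll again
                if idle_limit is not None and idle >= idle_limit:
                    return
                _wait(path, inode, poll)
                idle += poll
                continue
            idle = 0.0
            buf += chunk
            while len(buf) >= RECORD_HDR_LEN:
                ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
                    endian + "IIII", buf[:RECORD_HDR_LEN])
                if incl_len > orig_len or incl_len > MAX_PACKET:
                    raise ValueError("corrupt record header (incl_len=%d)" % incl_len)
                end = RECORD_HDR_LEN + incl_len
                if len(buf) < end:              # writer is mid-record: wait for the rest
                    break
                yield ts_sec + ts_frac / ts_div, buf[RECORD_HDR_LEN:end]
                buf = buf[end:]


def demo():
    """Constructed scenario: an empty file is created first, a writer then appends a
    header plus a partial record, completes the records, and finally deletes the file."""
    path = os.path.join(tempfile.mkdtemp(), "guest.pcap")
    open(path, "wb").close()                     # exists but empty, like a fresh trace
    pkts = [b"\x00" * 60, b"\xff" * 42, b"\x01\x02\x03"]
    data = build_pcap(pkts)

    def writer():
        time.sleep(0.1)
        with open(path, "ab") as w:
            w.write(data[:30]); w.flush()        # header + 6 bytes of the first record
            time.sleep(0.1)
            w.write(data[30:]); w.flush()
        time.sleep(0.2)
        os.remove(path)

    threading.Thread(target=writer, daemon=True).start()
    got, deleted_detected, missing_rejected = [], False, False
    try:
        for _ts, pkt in follow_pcap(path, poll=0.02):
            got.append(pkt)
    except RuntimeError:
        deleted_detected = True
    try:
        next(follow_pcap(path))                  # file is gone now: must fail at start
    except FileNotFoundError:
        missing_rejected = True
    return {"packets": len(got), "intact": got == pkts,
            "deleted_detected": deleted_detected, "missing_rejected": missing_rejected}


if __name__ == "__main__":
    print(demo())
```

The inode check is what distinguishes "the writer is slow" from "someone rotated or deleted the file": on Linux an unlinked file stays readable through the open descriptor, so without it the reader would silently sit on the old inode while the new capture goes unread, which is exactly the flow-state confusion the message worries about.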