Radium identify TLS handshakes?

James A. Robinson jim.robinson at gmail.com
Thu Mar 15 18:42:23 EDT 2018


Hi,

I've a need to identify hosts initiating outgoing TLS connections.  It's a
lot of hosts that I need to examine (around a thousand), and I'm worried
about the amount of disk that will consume if I just gather the argus data
from all of them.

Is there a way to filter the radium data such that I can just capture the
minimal fact of "host X initiated a TLS connection to host Y"?

Looking over the man page I saw there is a RADIUM_FILTER option that can
take the same sort of filtering parameters as tcpdump.  On stackoverflow
there is a discussion about capturing just the initial part of a TLS
conversation:

https://stackoverflow.com/questions/39624745/capture-only-ssl-handshake-with-tcpdump

If I run tcpdump and apply the following expression:

tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)

It seems to do what I want: it shows a bit of activity for each outgoing
TLS connection I make, rather than all the packets.  Is there a way to use
something similar to this expression in RADIUM_FILTER to capture just the
initial handshake?  I tried adding it wholesale:

RADIUM_FILTER="tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"

but radium didn't register any activity, whereas I do see activity when I
filter on the simpler expression just looking at the port:

RADIUM_FILTER="tcp port 443"

This is on a pair of Linux systems running argus and radium 3.0-8.

Jim
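For readers puzzling over what the tcpdump expression in the post actually tests, the following is an added example (not part of the original message, and not argus or radium code) that reimplements the same check in Python over raw TCP segments. `tcp[12] & 0xf0 >> 2` reads the 4-bit data offset from byte 12 of the TCP header and converts it from 32-bit words to bytes, so `tcp[that]` is the first payload byte; `0x16` is the TLS record-layer content type for a handshake record. The `is_client_hello` refinement and the `build_segment` helper are assumptions of this example, added to show that the record type alone matches handshake records in both directions, whereas the handshake message type (0x01, client_hello) only appears in the initiating side's first record. All sample segments are constructed here, with deliberately truncated TLS bodies.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record-layer content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: client_hello


def tcp_header_length(segment: bytes) -> int:
    """Same arithmetic as tcpdump's (tcp[12] & 0xf0) >> 2.

    Byte 12 of the TCP header carries the 4-bit data offset (header length
    in 32-bit words) in its upper nibble; masking and shifting right by two
    multiplies that count by four, giving the header length in bytes.
    """
    if len(segment) < 13:
        raise ValueError("truncated TCP header")
    return (segment[12] & 0xF0) >> 2


def is_tls_handshake(segment: bytes) -> bool:
    """Equivalent of  tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 .

    True when the first payload byte is the TLS handshake record type.
    A segment with no payload (a bare ACK) cannot match, just as an
    out-of-range load makes the BPF filter fail for that packet.
    """
    hdr = tcp_header_length(segment)
    if hdr < 20 or len(segment) <= hdr:
        return False
    return segment[hdr] == TLS_HANDSHAKE


def is_client_hello(segment: bytes) -> bool:
    """Hypothetical refinement: require the handshake message to be a
    ClientHello, which only the connection initiator sends.  The record
    header is 5 bytes (type, version, length), so the handshake message
    type sits at payload offset 5."""
    hdr = tcp_header_length(segment)
    payload = segment[hdr:]
    return (len(payload) >= 6
            and payload[0] == TLS_HANDSHAKE
            and payload[5] == CLIENT_HELLO)


def build_segment(sport: int, dport: int, payload: bytes,
                  options: bytes = b"") -> bytes:
    """Construct a TCP segment (header + options + payload) for testing.
    Checksum is left zero; only the data offset matters here."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,
                         1, 0,                     # seq, ack
                         data_offset_words << 4,   # data offset in upper nibble
                         0x18,                     # flags: PSH|ACK
                         65535, 0, 0)              # window, checksum, urgent
    return header + options + payload


# Constructed samples.  TLS bodies are truncated on purpose; only the
# record type and handshake type bytes are needed for this check.
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + bytes(8)          # NOP NOP TSopt(10)
SAMPLES = {
    # 32-byte header: a naive check at byte 20 would land inside the options
    "client_hello": build_segment(51000, 443,
                                  b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03",
                                  TIMESTAMP_OPTS),
    "server_hello": build_segment(443, 51000,
                                  b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46\x03\x03"),
    "http_get": build_segment(51001, 80,
                              b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "bare_ack": build_segment(51000, 443, b"", TIMESTAMP_OPTS),
}


def handshake_segments(samples: dict) -> list:
    """Names of samples the tcpdump expression would have matched."""
    return [name for name, seg in samples.items() if is_tls_handshake(seg)]


if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:13s} hdr={tcp_header_length(seg):2d}B "
              f"handshake={is_tls_handshake(seg)!s:5s} "
              f"client_hello={is_client_hello(seg)}")
```

Run as a script it prints one line per sample; note that the record-type check alone flags both the client's and the server's handshake records, so on its own it does not tell you which host initiated the connection, and the ClientHello refinement (or the flow direction argus already records) is what distinguishes the initiator.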