[ARGUS] ArgusOpenInputPacketFile(all.pcap) unsupported device type 117
Carter Bullard
carter at qosient.com
Sat Mar 28 10:43:21 EDT 2020
Hey Mike,
Here you go … Need to update ArgusSource.h and ArgusSource.c to add the DLT_PFLOG handler.
I’ve included a patchfile from git, and copies of ArgusSource.h and ArgusSource.c …
You can just replace these two files and things should work …
This decodes the file you supplied to some localhost DNS requests without replies …
Send some status if you get a chance to check it out ….
Carter
> On Mar 27, 2020, at 7:30 PM, Carter Bullard <carter at qosient.com> wrote:
>
> Hmmmmm,
> I'll take a look at it tomorrow ... bug me if I don't get back to you sooner than later !!
> Carter
>
> <http://qosient.com/>
> Carter Bullard • Founder
> 150 E 57th Street Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>
>> On Mar 27, 2020, at 6:46 PM, mike tancsa <mike at sentex.ca> wrote:
>>
>> On 3/27/2020 6:29 PM, Carter Bullard wrote:
>>> Hey Mike,
>>> What version of libpcap are you using with argus ???
>>
>> Hi Carter,
>>
>> Whatever is on releng11 and 12 of FreeBSD. Looks like
>>
>> tcpdump version 4.9.3
>> libpcap version 1.9.1
>>
>> ---Mike
>>
>>> Carter
>>>
>>>
>>>> On Mar 27, 2020, at 5:53 PM, John Gerth <gerth at graphics.stanford.edu> wrote:
>>>>
>>>> I had to convert pcapng files once and used the "editcap" command in
>>>> Wireshark 1.10 but that was a while back.
>>>>
>>>> Here's a Wireshark guide which does mention pflog for editcap (but I
>>>> have not tried it)
>>>> https://www.wireshark.org/docs/wsug_html/
>>>> --
>>>> John Gerth gerth at graphics.stanford.edu Gates 164 (650) 725-3273
>>>>
>>>> On 3/27/20 2:25 PM, mike tancsa wrote:
>>>>> Hi All,
>>>>>
>>>>> I am trying to convert pflog formatted pcap files to argus, but it
>>>>> does not seem to be recognized. Does anyone have any workarounds /
>>>>> tips? I would like to put it in Argus format so I can then run all the
>>>>> handy/dandy tools on the data set.
>>>>>
>>>>> tcpdump (on freebsd) reads them just fine of course.
>>>>>
>>>>> argus -r all.pcap -w all.arg
>>>>> ArgusError: 27 Mar 20 17:21:55.560712
>>>>> ArgusOpenInputPacketFile(all.pcap) unsupported device type 117
>>>>>
>>>>>
>>>>>
>>>>> % tcpdump -nr all.pcap | head
>>>>> reading from file all.pcap, link-type PFLOG (OpenBSD pflog file)
>>>>> 17:30:10.343359 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>> 17:30:13.359187 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>> 17:30:19.374874 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>
>>>>> file all.pcap
>>>>> all.pcap: pcapng capture file - version 1.0
>>>>>
>>>>> hexdump -C all.pcap | head -20
>>>>> 00000000  0a 0d 0d 0a 70 00 00 00 4d 3c 2b 1a 01 00 00 00  |....p...M<+.....|
>>>>> 00000010  ff ff ff ff ff ff ff ff 03 00 13 00 46 72 65 65  |............Free|
>>>>> 00000020  42 53 44 20 31 32 2e 31 2d 53 54 41 42 4c 45 00  |BSD 12.1-STABLE.|
>>>>> 00000030  04 00 34 00 4d 65 72 67 65 63 61 70 20 28 57 69  |..4.Mergecap (Wi|
>>>>> 00000040  72 65 73 68 61 72 6b 29 20 33 2e 32 2e 32 20 28  |reshark) 3.2.2 (|
>>>>> 00000050  47 69 74 20 63 6f 6d 6d 69 74 20 61 33 65 66 65  |Git commit a3efe|
>>>>> 00000060  63 65 33 64 36 34 30 29 00 00 00 00 70 00 00 00  |ce3d640)....p...|
>>>>> 00000070  01 00 00 00 14 00 00 00 75 00 00 00 74 00 00 00  |........u...t...|
>>>>> 00000080  14 00 00 00 06 00 00 00 94 00 00 00 00 00 00 00  |................|
>>>>> 00000090  b4 a1 05 00 bf d9 a9 92 74 00 00 00 74 00 00 00  |........t...t...|
>>>>> 000000a0  3d 02 01 00 76 6c 61 6e 32 00 00 00 00 00 00 00  |=...vlan2.......|
>>>>>
>>>>>
>>>> _______________________________________________
>>>> argus mailing list
>>>> argus at qosient.com
>>>> https://pairlist1.pair.net/mailman/listinfo/argus
>>>
>>
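As an added illustration (not part of Carter's mail, his patch, or the argus sources): a small Python parser over the bytes Mike posted in his hexdump, showing where the pcapng Interface Description Block carries link type 117 (DLT_PFLOG, the "device type" argus rejected) and what the leading pflog header of the first frame says. The PF_ACTIONS table, field names and result layout are this example's own choices; the dump is only the first 0xb0 bytes of the file, so the frame body is truncated and the code copes with that.

```python
import struct

PCAPNG_SHB, PCAPNG_IDB, PCAPNG_EPB = 0x0A0D0D0A, 1, 6
DLT_PFLOG = 117                       # the "device type 117" argus rejected in the thread
PF_ACTIONS = {0: "pass", 1: "block"}  # PF_PASS / PF_DROP from pf's action enum

# Constructed from the hexdump quoted above (first 0xb0 bytes of all.pcap); it stops mid-packet.
ALL_PCAP_HEAD = bytes.fromhex(
    "0a0d0d0a 70000000 4d3c2b1a 01000000 ffffffff ffffffff 03001300 46726565"
    "42534420 31322e31 2d535441 424c4500 04003400 4d657267 65636170 20285769"
    "72657368 61726b29 20332e32 2e322028 47697420 636f6d6d 69742061 33656665"
    "63653364 36343029 00000000 70000000 01000000 14000000 75000000 74000000"
    "14000000 06000000 94000000 00000000 b4a10500 bfd9a992 74000000 74000000"
    "3d020100 766c616e 32000000 00000000"
)

def parse_options(buf):
    """Decode pcapng option TLVs (code, length, value padded to 4) up to opt_endofopt."""
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        if code == 0:
            break
        opts[code] = buf[off + 4:off + 4 + length]
        off += 4 + (length + 3) // 4 * 4
    return opts

def parse_capture(data):
    """Walk the pcapng blocks; collect section info, link type and the first frame's pflog header."""
    result, off = {}, 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        body = data[off + 8:off + blen - 4]            # shorter than blen - 12 if the dump is cut
        if btype == PCAPNG_SHB:                        # skip byte-order magic, version, section length
            opts = parse_options(body[16:])
            result["os"], result["userappl"] = opts[3].decode(), opts[4].decode()
        elif btype == PCAPNG_IDB:
            result["linktype"], result["snaplen"] = struct.unpack_from("<HxxI", body, 0)
        elif btype == PCAPNG_EPB:
            _, ts_hi, ts_lo, caplen, _ = struct.unpack_from("<IIIII", body, 0)
            result["ts_us"] = (ts_hi << 32) | ts_lo    # if_tsresol defaults to microseconds
            result["caplen"] = caplen
            frame = body[20:]
            # pflog header (FreeBSD if_pflog.h): length, af, action, reason, ifname[16], ...
            hdrlen, af, action, reason = struct.unpack_from("<BBBB", frame, 0)
            result["pflog"] = {"hdrlen": hdrlen, "af": af, "action": PF_ACTIONS.get(action, action),
                               "reason": reason, "ifname": frame[4:20].split(b"\0", 1)[0].decode()}
            break
        off += blen
    result["needs_pflog_patch"] = result.get("linktype") == DLT_PFLOG
    return result
```

The first frame's timestamp decodes to 17:30:10.343359 EDT on 25 March 2020, the same line tcpdump printed, and its pflog action byte is 1 (PF_DROP), consistent with the repeated SYNs that never got an answer.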
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ArgusSource.h
Type: application/octet-stream
Size: 35199 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20200328/4ed675ae/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ArgusSource.c
Type: application/octet-stream
Size: 154120 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20200328/4ed675ae/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pflog.patch
Type: application/octet-stream
Size: 3363 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20200328/4ed675ae/attachment-0005.obj>