[ARGUS] ArgusOpenInputPacketFile(all.pcap) unsupported device type 117

mike tancsa mike at sentex.ca
Sat Mar 28 11:42:02 EDT 2020


Thank you very much Carter! This is now working for me.  I tried it out
on FreeBSD 12.1 from the port build -- make extract, patch, make install
and the conversion works as expected.  The pflog files are just pf
firewall counters in pcap format.  My purpose is to convert the pcap to
argus so I can keep track of all the hosts certain endpoints talk to /
try to talk to and flag any new hosts after a baseline.


    ---Mike


File to patch: ^C2(nano12)# patch -p1 < p
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/argus/ArgusSource.c b/argus/ArgusSource.c
|index 529dcba..2fecef1 100644
|--- a/argus/ArgusSource.c
|+++ b/argus/ArgusSource.c
--------------------------
Patching file argus/ArgusSource.c using Plan A...
Hunk #1 succeeded at 2960 (offset -3 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/argus/ArgusSource.h b/argus/ArgusSource.h
|index 13436f9..5de307c 100644
|--- a/argus/ArgusSource.h
|+++ b/argus/ArgusSource.h
--------------------------
Patching file argus/ArgusSource.h using Plan A...
Hunk #1 succeeded at 760.
Hunk #2 succeeded at 841 (offset -1 lines).
Hmm...  Ignoring the trailing garbage.


On 3/28/2020 10:43 AM, Carter Bullard wrote:
> Hey Mike,
> Here you go … Need to update ArgusSource.h and ArgusSource.c to add
> the DLT_PFLOG handler.
> I’ve included a patchfile from git, and copies of ArgusSource.h and
> ArgusSource.c …
> You can just replace these two files and things should work …
>
> This decodes the file you supplied to some localhost DNS requests
> without replies …
> Send some status if you get a chance to check it out ….
> Carter
>
>> On Mar 27, 2020, at 7:30 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hmmmmm,
>> I'll take a look at it tomorrow ... bug me if I don't back sooner
>> than later !!
>> Carter
>>
>> QoSient <http://qosient.com/>
>> Carter Bullard • Founder
>> 150 E 57th Street Suite 12D
>> New York, New York 10022-2795
>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>
>>
>>> On Mar 27, 2020, at 6:46 PM, mike tancsa <mike at sentex.ca> wrote:
>>>
>>> On 3/27/2020 6:29 PM, Carter Bullard wrote:
>>>> Hey Mike,
>>>> What version of libpcap are you using with argus ???
>>>
>>> Hi Carter,
>>>
>>>     Whatever is on releng11 and 12 of FreeBSD.  Looks like
>>>
>>> tcpdump version 4.9.3
>>> libpcap version 1.9.1
>>>
>>>     ---Mike
>>>
>>>> Carter
>>>>
>>>>
>>>>> On Mar 27, 2020, at 5:53 PM, John Gerth <gerth at graphics.stanford.edu> wrote:
>>>>>
>>>>> I had to convert pcapng files once and used the "editcap" command in
>>>>> Wireshark 1.10 but that was a while back.
>>>>>
>>>>> Here's a Wireshark guide which does mention pflog for editcap (but I
>>>>> have not tried it)
>>>>>   https://www.wireshark.org/docs/wsug_html/
>>>>> --
>>>>> John Gerth      gerth at graphics.stanford.edu   Gates 164   (650) 725-3273
>>>>>
>>>>> On 3/27/20 2:25 PM, mike tancsa wrote:
>>>>>> Hi All,
>>>>>>
>>>>>>     I am trying to convert pflog formatted pcap files to argus, but
>>>>>> it does not seem to be recognized.  Does anyone have any workarounds /
>>>>>> tips ? I would like to put it in Argus format so I can then run all
>>>>>> the handy/dandy tools on the data set.
>>>>>>
>>>>>> tcpdump (on freebsd) reads them just fine of course. 
>>>>>>
>>>>>>  argus -r all.pcap -w all.arg 
>>>>>>     ArgusError: 27 Mar 20 17:21:55.560712
>>>>>> ArgusOpenInputPacketFile(all.pcap) unsupported device type 117
>>>>>>
>>>>>>
>>>>>>
>>>>>> % tcpdump -nr all.pcap | head
>>>>>> reading from file all.pcap, link-type PFLOG (OpenBSD pflog file)
>>>>>> 17:30:10.343359 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>> 17:30:13.359187 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>> 17:30:19.374874 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>>
>>>>>>  file all.pcap
>>>>>> all.pcap: pcapng capture file - version 1.0
>>>>>>
>>>>>>  hexdump -C all.pcap | head -20
>>>>>> 00000000  0a 0d 0d 0a 70 00 00 00  4d 3c 2b 1a 01 00 00 00  |....p...M<+.....|
>>>>>> 00000010  ff ff ff ff ff ff ff ff  03 00 13 00 46 72 65 65  |............Free|
>>>>>> 00000020  42 53 44 20 31 32 2e 31  2d 53 54 41 42 4c 45 00  |BSD 12.1-STABLE.|
>>>>>> 00000030  04 00 34 00 4d 65 72 67  65 63 61 70 20 28 57 69  |..4.Mergecap (Wi|
>>>>>> 00000040  72 65 73 68 61 72 6b 29  20 33 2e 32 2e 32 20 28  |reshark) 3.2.2 (|
>>>>>> 00000050  47 69 74 20 63 6f 6d 6d  69 74 20 61 33 65 66 65  |Git commit a3efe|
>>>>>> 00000060  63 65 33 64 36 34 30 29  00 00 00 00 70 00 00 00  |ce3d640)....p...|
>>>>>> 00000070  01 00 00 00 14 00 00 00  75 00 00 00 74 00 00 00  |........u...t...|
>>>>>> 00000080  14 00 00 00 06 00 00 00  94 00 00 00 00 00 00 00  |................|
>>>>>> 00000090  b4 a1 05 00 bf d9 a9 92  74 00 00 00 74 00 00 00  |........t...t...|
>>>>>> 000000a0  3d 02 01 00 76 6c 61 6e  32 00 00 00 00 00 00 00  |=...vlan2.......|
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> argus mailing list
>>>>> argus at qosient.com
>>>>> https://pairlist1.pair.net/mailman/listinfo/argus


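Added example, not code from the thread or from the argus project: a small Python parser that walks the pcapng blocks shown in the hexdump above, reports each Interface Description Block's link type (117 is DLT_PFLOG, the "unsupported device type 117" argus rejected) and decodes the pflog header prefix of the first packet. It assumes the BSD pfloghdr prefix layout as tcpdump decodes it (length, af, action, reason, ifname[16]) and FreeBSD's PF_PASS=0 / PF_DROP=1 action codes; the sample bytes are the 176 bytes from the hexdump.

```python
import struct

# pcapng LinkType uses libpcap's DLT_* numbering: 117 is DLT_PFLOG, the
# "unsupported device type 117" argus reported in the thread.
LINKTYPES = {1: "ETHERNET", 117: "PFLOG"}
PF_ACTIONS = {0: "pass", 1: "block"}  # assumed FreeBSD pf enum: PF_PASS=0, PF_DROP=1

# Constructed sample: the 176 bytes from the thread's hexdump of all.pcap (SHB,
# IDB and the start of the first Enhanced Packet Block, which is cut short).
SAMPLE = bytes.fromhex(
    "0a0d0d0a 70000000 4d3c2b1a 01000000 ffffffff ffffffff"
    "03001300 46726565 42534420 31322e31 2d535441 424c4500"
    "04003400 4d657267 65636170 20285769 72657368 61726b29"
    "20332e32 2e322028 47697420 636f6d6d 69742061 33656665"
    "63653364 36343029 00000000 70000000"
    "01000000 14000000 75000000 74000000 14000000"
    "06000000 94000000 00000000 b4a10500 bfd9a992 74000000 74000000"
    "3d020100 766c616e 32000000 00000000")

def iter_blocks(data):
    """Yield (type, body, endian, complete) per block; a truncated block ends the walk."""
    off, endian = 0, "<"
    while off + 8 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # Section Header Block sets byte order
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if off + blen > len(data):
            yield btype, data[off + 8:], endian, False
            return
        yield btype, data[off + 8:off + blen - 4], endian, True
        off += blen

def describe(data):
    """Per-interface link types plus the pflog header prefix of the first PFLOG packet."""
    linktypes, first = [], None
    for btype, body, e, _complete in iter_blocks(data):
        if btype == 1:  # IDB: LinkType(2) Reserved(2) SnapLen(4)
            lt, _, snaplen = struct.unpack_from(e + "HHI", body)
            linktypes.append((lt, LINKTYPES.get(lt, "UNKNOWN"), snaplen))
        elif btype == 6 and first is None:  # EPB: five u32 fields, then packet data
            iface, _hi, _lo, caplen, _orig = struct.unpack_from(e + "5I", body)
            pkt = body[20:]
            if linktypes[iface][0] == 117 and len(pkt) > 4:
                hdrlen, af, action, reason = pkt[:4]  # pfloghdr prefix, one byte each
                first = {"caplen": caplen, "hdrlen": hdrlen,
                         "af": "inet" if af == 2 else af,
                         "action": PF_ACTIONS.get(action, action), "reason": reason,
                         "ifname": pkt[4:20].split(b"\0", 1)[0].decode()}
    return {"linktypes": linktypes, "first_packet": first}
```

On the sample this reports a single PFLOG interface with snaplen 116 and a first packet blocked on vlan2, which matches the unanswered SYNs tcpdump printed.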