[ARGUS] ArgusOpenInputPacketFile(all.pcap) unsupported device type 117

Carter Bullard carter at qosient.com
Sat Mar 28 13:05:57 EDT 2020


Thing about pflog files is that they don’t have any link layer headers … they have an interface id and direction indicators in their packet struct and things like the rule that caused the packet to be captured etc … seems that we can put that stuff in the argus record, not sure if anyone would be interested …

Would you want to know what interface the packets are coming in and out of ???
Carter

> On Mar 28, 2020, at 11:42 AM, mike tancsa <mike at sentex.ca> wrote:
> 
> Thank you very much Carter! This is now working for me.   I tried it out
> on FreeBSD 12.1 from the port build-- make extract, patch, make install
> and the conversion works as expected.  The pflog files are just pf
> firewall counters in pcap format.  My purpose is to convert the pcap to
> argus so I can keep track of all the hosts certain endpoints talk to /
> try to talk to and flag any new hosts after a baseline.
> 
> 
>     ---Mike
> 
> 
> File to patch: ^C2(nano12)# patch -p1 < p
> Hmm...  Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |diff --git a/argus/ArgusSource.c b/argus/ArgusSource.c
> |index 529dcba..2fecef1 100644
> |--- a/argus/ArgusSource.c
> |+++ b/argus/ArgusSource.c
> --------------------------
> Patching file argus/ArgusSource.c using Plan A...
> Hunk #1 succeeded at 2960 (offset -3 lines).
> Hmm...  The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |diff --git a/argus/ArgusSource.h b/argus/ArgusSource.h
> |index 13436f9..5de307c 100644
> |--- a/argus/ArgusSource.h
> |+++ b/argus/ArgusSource.h
> --------------------------
> Patching file argus/ArgusSource.h using Plan A...
> Hunk #1 succeeded at 760.
> Hunk #2 succeeded at 841 (offset -1 lines).
> Hmm...  Ignoring the trailing garbage.
> 
> 
> On 3/28/2020 10:43 AM, Carter Bullard wrote:
>> Hey Mike,
>> Here you go … Need to update ArgusSource.h and ArgusSource.c to add
>> the DLT_PFLOG handler.
>> I’ve included a patchfile from git, and copies of ArgusSource.h and
>> ArgusSource.c …
>> You can just replace these two files and things should work …
>> 
>> This decodes the file you supplied to some localhost DNS requests
>> without replies …
>> Send some status if you get a chance to check it out ….
>> Carter
>>  
>> 
>> 
>> 
>> 
>>> On Mar 27, 2020, at 7:30 PM, Carter Bullard <carter at qosient.com> wrote:
>>> 
>>> Hmmmmm,
>>> I'll take a look at it tomorrow ... bug me if I don't get back sooner
>>> than later !!
>>> Carter
>>> 
>>> QoSient <http://qosient.com/>
>>> Carter Bullard <carter at qosient.com> • Founder
>>> 150 E 57th Street Suite 12D
>>> New York, New York 10022-2795
>>> Phone +1.212.588.9133 • Mobile +1.917.497.9494
>>> 
>>> 
>>>> On Mar 27, 2020, at 6:46 PM, mike tancsa <mike at sentex.ca> wrote:
>>>> 
>>>> On 3/27/2020 6:29 PM, Carter Bullard wrote:
>>>>> Hey Mike,
>>>>> What version of libpcap are you using with argus ???
>>>> 
>>>> Hi Carter,
>>>> 
>>>>     Whatever is on releng11 and 12 of FreeBSD.  Looks like
>>>> 
>>>> tcpdump version 4.9.3
>>>> libpcap version 1.9.1
>>>> 
>>>>     ---Mike
>>>> 
>>>>> Carter
>>>>>  
>>>>> 
>>>>>> On Mar 27, 2020, at 5:53 PM, John Gerth <gerth at graphics.stanford.edu> wrote:
>>>>>> 
>>>>>> I had to convert pcapng files once and used the "editcap" command in
>>>>>> Wireshark 1.10 but that was a while back.
>>>>>> 
>>>>>> Here's a Wireshark guide which does mention pflog for editcap (but I
>>>>>> have not tried it)
>>>>>>   https://www.wireshark.org/docs/wsug_html/
>>>>>> --
>>>>>> John Gerth      gerth at graphics.stanford.edu      Gates 164   (650) 725-3273
>>>>>> 
>>>>>> On 3/27/20 2:25 PM, mike tancsa wrote:
>>>>>>> Hi All,
>>>>>>> 
>>>>>>>     I am trying to convert pflog formatted pcap files to argus, but it
>>>>>>> does not seem to be recognized.  Does anyone have any workarounds /
>>>>>>> tips? I would like to put it in Argus format so I can then run all the
>>>>>>> handy/dandy tools on the data set.
>>>>>>> 
>>>>>>> tcpdump (on freebsd) reads them just fine of course. 
>>>>>>> 
>>>>>>>  argus -r all.pcap -w all.arg 
>>>>>>>     ArgusError: 27 Mar 20 17:21:55.560712
>>>>>>> ArgusOpenInputPacketFile(all.pcap) unsupported device type 117
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> % tcpdump -nr all.pcap | head
>>>>>>> reading from file all.pcap, link-type PFLOG (OpenBSD pflog file)
>>>>>>> 17:30:10.343359 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>>> 17:30:13.359187 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>>> 17:30:19.374874 IP 10.99.6.235.59056 > 166.230.63.40.80: Flags [S], seq 4168153933, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>>>>>>> 
>>>>>>>  file all.pcap
>>>>>>> all.pcap: pcapng capture file - version 1.0
>>>>>>> 
>>>>>>>  hexdump -C all.pcap | head -20
>>>>>>> 00000000  0a 0d 0d 0a 70 00 00 00  4d 3c 2b 1a 01 00 00 00  |....p...M<+.....|
>>>>>>> 00000010  ff ff ff ff ff ff ff ff  03 00 13 00 46 72 65 65  |............Free|
>>>>>>> 00000020  42 53 44 20 31 32 2e 31  2d 53 54 41 42 4c 45 00  |BSD 12.1-STABLE.|
>>>>>>> 00000030  04 00 34 00 4d 65 72 67  65 63 61 70 20 28 57 69  |..4.Mergecap (Wi|
>>>>>>> 00000040  72 65 73 68 61 72 6b 29  20 33 2e 32 2e 32 20 28  |reshark) 3.2.2 (|
>>>>>>> 00000050  47 69 74 20 63 6f 6d 6d  69 74 20 61 33 65 66 65  |Git commit a3efe|
>>>>>>> 00000060  63 65 33 64 36 34 30 29  00 00 00 00 70 00 00 00  |ce3d640)....p...|
>>>>>>> 00000070  01 00 00 00 14 00 00 00  75 00 00 00 74 00 00 00  |........u...t...|
>>>>>>> 00000080  14 00 00 00 06 00 00 00  94 00 00 00 00 00 00 00  |................|
>>>>>>> 00000090  b4 a1 05 00 bf d9 a9 92  74 00 00 00 74 00 00 00  |........t...t...|
>>>>>>> 000000a0  3d 02 01 00 76 6c 61 6e  32 00 00 00 00 00 00 00  |=...vlan2.......|
>>>>>>> 
>>>>>>> 
>>>>>> _______________________________________________
>>>>>> argus mailing list
>>>>>> argus at qosient.com
>>>>>> https://pairlist1.pair.net/mailman/listinfo/argus
>>>>> 
>>>> 
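As an added illustration of the pflog pseudo-header Carter describes (interface, direction, logging rule, and no link-layer header in front of the IP packet), here is a small C parser. It is not code from the thread or from argus; it assumes the FreeBSD 12 field layout of net/if_pflog.h as recalled here, so check it against your system header. The sample frame it builds is constructed, reusing the addresses from Mike's tcpdump output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* DLT_PFLOG header as in FreeBSD 12's net/if_pflog.h (from memory, verify against
 * your header): length, af, action, reason, ifname[16], ruleset[16], rulenr,
 * subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3]. There is no link-layer
 * header: the raw IP packet starts at BPF_WORDALIGN(length). */
#define PFLOG_REAL_HDRLEN   61
#define PFLOG_PADDED_HDRLEN 64
#define BPF_WORDALIGN(x) (((x) + 3u) & ~3u)

struct pflog_fields {
    uint8_t  af, action, dir;          /* af 2=AF_INET, 24/28=BSD AF_INET6; action 0=pass 1=drop; dir 1=in 2=out */
    char     ifname[17], ruleset[17];  /* NUL-terminated copies of the kernel's fixed-size names */
    uint32_t rulenr, subrulenr;        /* rule that logged the packet; network byte order on the wire */
    size_t   payload_off;              /* offset of the IP header inside the frame */
};

/* Parse one DLT_PFLOG frame. Returns 0 on success, -1 if truncated or malformed. */
int pflog_parse(const uint8_t *pkt, size_t len, struct pflog_fields *out)
{
    if (len < PFLOG_PADDED_HDRLEN || pkt[0] < PFLOG_REAL_HDRLEN) return -1;
    if (BPF_WORDALIGN(pkt[0]) > len) return -1;   /* header claims more than was captured */
    uint32_t v;
    out->af = pkt[1]; out->action = pkt[2]; out->dir = pkt[60];
    memcpy(out->ifname, pkt + 4, 16);   out->ifname[16] = '\0';
    memcpy(out->ruleset, pkt + 20, 16); out->ruleset[16] = '\0';
    memcpy(&v, pkt + 36, 4); out->rulenr = ntohl(v);
    memcpy(&v, pkt + 40, 4); out->subrulenr = ntohl(v);
    out->payload_off = BPF_WORDALIGN(pkt[0]);    /* taken from the length field, not hard-coded */
    return 0;
}

/* Constructed sample: outbound IPv4 packet on vlan2 logged by rule 17, followed
 * by a minimal 20-byte IPv4 header (10.99.6.235 -> 166.230.63.40, as in the thread). */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t ip[20] = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,99,6,235, 166,230,63,40};
    uint32_t nr = htonl(17), sub = htonl(0xffffffffu);
    if (cap < PFLOG_PADDED_HDRLEN + sizeof ip) return 0;
    memset(buf, 0, PFLOG_PADDED_HDRLEN);
    buf[0] = PFLOG_REAL_HDRLEN; buf[1] = 2; buf[2] = 0; buf[60] = 2;
    memcpy(buf + 4, "vlan2", 6);
    memcpy(buf + 36, &nr, 4); memcpy(buf + 40, &sub, 4);
    memcpy(buf + PFLOG_PADDED_HDRLEN, ip, sizeof ip);
    return PFLOG_PADDED_HDRLEN + sizeof ip;
}
```

Feeding each frame through pflog_parse and then decoding at payload_off is the shape of what a DLT_PFLOG handler in a flow tool has to do; the ifname and dir fields are what would answer Carter's question about recording the interface and direction.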