Argus can be used to generate flow status records for the contents
of packet capture files. This is how Argus is tested for accuracy
and protocol tracking correctness.
Argus can be used to give a quick "view" or "summary"
of the contents of large packet capture files. Modifications to
Argus have been used to generate flow indexes for captured packets,
to allow for fast lookup of intra-flow packets. This can be very
useful when the packet capture files are quite large, where searching
for network anomalies or correlating interdependent network events
is a complex task.
Argus packet capture file summaries have been used to communicate
descriptions of network management events between groups. This is
useful in network forensic analysis among groups, when packet capture
files are the only evidence.
Argus can process 3 different packet capture file formats when using
the "-r packet_file" option.

Tcpdump and Snoop

Tcpdump and Snoop
(RFC1761) packet capture files are automatically detected by
Argus and are parsed appropriately. Argus uses the libpcap
packet capture facility for portability, and so tcpdump is the native
packet capture format for Argus. Snoop is the packet capture facility
supported on Sun platforms.

Moat Time Sequenced Header (tsh)

Argus can read Moat
Time Sequence Header (tsh) packet capture files, using the "-t"
option. Tsh packet capture files are generated by CAIDA CoralReef
monitors. This allows Argus to process packet
traces collected by organizations like the NLANR,
who provide packet capture files collected from monitoring points
in several large scale Internet networks.
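As an added example (not part of the Argus documentation or the project's own code): a small POSIX shell helper that classifies a capture file by its header and builds the matching argus command line from the "-r" and "-t" options described above. The magic numbers are those of libpcap and RFC 1761; the sample files are constructed header-only stubs, and the "-t" meaning is assumed to be the tsh option as this page describes it.

```shell
#!/bin/sh
# Added example, not Argus project code: choose the argus invocation for a
# capture file by inspecting its header. pcap and snoop carry a magic number
# (argus detects these itself with plain "-r"); tsh records have none, so
# the "-t" option described on the page is needed to read them.

# Print the format of file $1: pcap, snoop, or unknown (no recognised magic).
capture_format() {
    magic=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        a1b2c3d4*|d4c3b2a1*) echo pcap ;;   # libpcap, microsecond timestamps, either byte order
        a1b23c4d*|4d3cb2a1*) echo pcap ;;   # libpcap, nanosecond-timestamp variant
        736e6f6f70000000)    echo snoop ;;  # "snoop\0\0\0", RFC 1761 section 2
        *)                   echo unknown ;;
    esac
}

# Print the argus command that turns capture $1 into the flow record file $2.
# Anything without a pcap/snoop magic is treated as tsh and read with "-t".
argus_cmdline() {
    case "$(capture_format "$1")" in
        pcap|snoop) echo "argus -r $1 -w $2" ;;
        *)          echo "argus -t -r $1 -w $2" ;;
    esac
}

# Constructed, header-only samples (enough for the magic check, not for
# a real argus run) written into directory $1.
write_samples() {
    printf '\324\303\262\241\002\000\004\000' > "$1/sample.pcap"    # pcap magic (LE) + version 2.4
    printf 'snoop\000\000\000\000\000\000\002' > "$1/sample.snoop"  # snoop magic + version 2
    printf '\000\000\000\000\000\000\000\000' > "$1/sample.tsh"     # tsh: record bytes, no magic
}

# Classify each sample and show the command argus would be run with;
# the resulting flow records could then be inspected with "ra -r flows.argus".
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in "$dir"/sample.*; do
        printf '%s -> %s\n' "$(capture_format "$f")" "$(argus_cmdline "$f" flows.argus)"
    done
    rm -rf "$dir"
}

demo
```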