AUDITING NETWORK ACTIVITY

Getting Started

The best way to get started using argus is to get the argus server and client software from here, compile it on one of your Mac OS X, Linux, Unix or Cygwin-enabled Windows systems, and play around with analysing a few packet streams to see how it basically works. Usually just those first steps get you thinking about how you can use argus to solve one of your own problems. If you would rather start on one of the basic projects that other sites are already doing, this page should point you in the right direction.

Argus is supplied as source code, so to really get started you need to compile and install the software on a supported system. Argus has been ported to all flavours of Linux and to most Unixes that are available, including Solaris. How to compile and install is described in the INSTALL file that is in each distribution package.

Analysing Packet Files

Argus processes packet data and generates summary network flow data. If you have packets and want to know what's going on, argus() is a great way of looking at aspects of the data that you can't readily get from packet analyzers: how many hosts are talking, who is talking to whom, how often, whether one address is sending all the traffic, whether anyone is doing something they shouldn't. Argus is designed to generate network flow status information that can answer these and many more questions you might have.

If you're running argus for the first few times, get a packet file from one of the IP packet repositories, such as pcapr, and process it with argus(). Once you have both the server and client programs and a packet file, run:

argus -r packet.pcap -w packet.argus
ra -r packet.argus

Compare the output of argus() with that of tcpdump() or wireshark. You should see something completely different: instead of individual packets, you'll see flow status records, one per flow, summarising the packets that belong to it. To see the two side by side, here is an example.
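As an added example (not from the argus distribution or this page), the following POSIX shell script wraps the two commands above and answers one of the questions listed earlier, whether a single source address is sending most of the traffic. It assumes argus and racluster are on the PATH; packet.pcap and packet.argus are placeholder file names, and the SAMPLE_TALKERS lines are constructed to look like racluster output, not real capture data.

```shell
#!/bin/sh
# Added example: turn a pcap into argus flow records, aggregate them per
# source address, and flag a source that dominates the byte count.
# File names are placeholders; SAMPLE_TALKERS is constructed, not captured.

set -eu

# Generate flow status records from a packet file (same as the page's argus -r/-w).
pcap_to_argus() {
    argus -r "$1" -w "$2"
}

# Per-source-address totals as "saddr,pkts,bytes" lines.
# racluster aggregates the records by source address (-m saddr); -n keeps
# addresses numeric, -c , sets a comma delimiter, -L -1 suppresses labels.
talkers_csv() {
    racluster -r "$1" -m saddr -n -c , -L -1 -s saddr,pkts,bytes
}

# Who is talking to whom: one aggregated line per saddr/daddr pair.
conversations() {
    racluster -r "$1" -m saddr daddr -n -s saddr,daddr,pkts,bytes
}

# Given "saddr,pkts,bytes" lines on stdin, print the address sending the
# largest share of bytes and that share as an integer percentage.
# Lines whose third field is not a plain integer (e.g. a label row) are skipped.
dominant_source() {
    awk -F, '
        $3 ~ /^[0-9]+$/ { bytes[$1] += $3; total += $3 }
        END {
            if (total == 0) { print "none 0"; exit }
            for (a in bytes) if (bytes[a] > best) { best = bytes[a]; top = a }
            printf "%s %d\n", top, (100 * best) / total
        }'
}

# Constructed sample of what talkers_csv might emit for a small capture.
SAMPLE_TALKERS='10.0.0.5,1200,9000000
10.0.0.7,300,500000
192.168.1.20,40,120000'

# Succeed when one source accounts for at least the given percentage of
# all bytes (default 50), so the caller can alert on it.
check_dominant() {
    threshold=${2:-50}
    result=$(printf '%s\n' "$1" | dominant_source)
    share=${result#* }
    [ "$share" -ge "$threshold" ]
}

# Real run: ./talkers.sh packet.pcap (only when argus is installed).
if [ $# -ge 1 ] && command -v argus >/dev/null 2>&1; then
    pcap_to_argus "$1" packet.argus
    talkers=$(talkers_csv packet.argus)
    printf '%s\n' "$talkers" | dominant_source
    check_dominant "$talkers" 50 && echo "one source dominates the capture"
fi
```

The awk step is where the "is one address sending all the traffic?" question becomes a check you can script: racluster does the per-address aggregation, and the share calculation is plain text processing on its output, so the same function works on an archive file or on a live stream.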

Analysing Network Streams

Many sites use argus to generate audits from their live networks. argus can run on an end system, auditing all the network traffic that the host generates and receives, and it can run as a stand-alone probe in promiscuous mode, auditing a packet stream that is captured elsewhere and delivered to one of the system's network interfaces. This is how most universities and enterprises use argus: monitoring a port-mirrored stream of packets to audit all the traffic between the enterprise and the Internet. The data is collected to another machine using radium() and then stored in what we describe as an argus archive, or in a MySQL database. From there the data is available for forensic analysis, or anything else you may want to do with it, such as performance analysis or operational network management.

Once you have both the server and client programs installed, this usually works:
       argus -P 561 -d

argus will open the first interface it finds (just like tcpdump), process packets and make its data available on port 561, running as a background daemon. Use -i to choose the interface explicitly. Note that the daemon serves flow records to any client that can connect to that port, so on a host reachable from untrusted networks bind it to a specific address with -B or restrict the port with a host firewall.

You can access the data using ratop(), the tool of choice for browsing argus data, like so:
       ratop -S localhost:561
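As an added example (not part of this page or the argus project), the following POSIX shell script starts the daemon so that it only serves flow records on the loopback address, pulls a bounded number of records with ra (the non-interactive sibling of ratop), and stops it again. The interface name, port and bind address are assumptions set as environment defaults; argus and ra must be on the PATH for the run branch at the bottom.

```shell
#!/bin/sh
# Added example: run argus as a daemon that accepts clients only on the
# loopback address, read a few records with ra, then stop the daemon.
# Interface, port and bind address are assumptions; override via environment.

set -eu

ARGUS_IFACE=${ARGUS_IFACE:-eth0}
ARGUS_PORT=${ARGUS_PORT:-561}
ARGUS_BIND=${ARGUS_BIND:-127.0.0.1}

# Argument list for the daemon. -i picks the interface instead of letting
# argus choose the first one; -B binds the client socket to one address so
# flow data is not offered to every host that can reach the port; -P sets
# the port and -d detaches into the background.
argus_args() {
    printf -- '-i %s -B %s -P %s -d' "$ARGUS_IFACE" "$ARGUS_BIND" "$ARGUS_PORT"
}

# host:port string for the ra* clients' -S option.
client_spec() {
    printf '%s:%s' "$ARGUS_BIND" "$ARGUS_PORT"
}

# True when the daemon will only be reachable from this host.
bind_is_local() {
    case "$ARGUS_BIND" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

start_argus() {
    # word-splitting of argus_args output into separate arguments is intended
    argus $(argus_args)
}

# Read a bounded number of records from the running daemon: -N stops after
# that many records, -n keeps addresses and ports numeric.
sample_flows() {
    ra -S "$(client_spec)" -N "${1:-20}" -n -s stime,saddr,daddr,dport,proto,bytes
}

stop_argus() {
    pkill -x argus
}

# Real run: ./argus-local.sh run (only when argus is installed).
if [ "${1:-}" = "run" ] && command -v argus >/dev/null 2>&1; then
    bind_is_local || echo "warning: argus will accept clients on $ARGUS_BIND" >&2
    start_argus
    sleep 2               # give the daemon time to open its listening socket
    sample_flows 20
    stop_argus
fi
```

Once this works, replacing the ra call with ratop -S "$(client_spec)" gives the interactive view the page describes, still confined to the loopback address.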