/*
* Copyright (c) 2000-2004 QoSient, LLC
* All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
*/
Argus How To File
1. How do I join the Argus mailing list?
2. How do I report bugs?
3. How do I compile Argus?
4. How do I install Argus?
5. How do I configure Argus?
6. How do I run Argus?
7. How do you run argus on your systems?
8. How do I audit my web servers?
9. How do I audit the traffic between my corporate network and my ISP?
10. Who are the 10 top talkers on my network?
11. How can I log all http GET and POST requests to my web servers?
12. How do I log intrusion attempts into my network?
22. What is the performance of my DNS services?
1. How do I join the Argus mailing list?
Send "subscribe argus" in the body of a piece of mail
to majordomo@lists.andrew.cmu.edu
2. How do I report bugs?
Use the tool ./bin/argusbug to send your bug report
to the argus mailing list. Argusbug will present you
with a bug reporting form, that includes some system
information. If you are unhappy providing the information
supplied by Argusbug, you are free to delete it.
Send any comments/fixes/opinions/whatever to the
mailing list. Someone will send a reply.
3. How do I compile Argus?
Building specifics for argus are described in the ./INSTALL file.
The quick method is:
% ./configure
% make
4. How do I install Argus?
Detailed installation instructions are in the ./INSTALL file.
But the fast and easy way is to:
make install
5. How do I configure Argus?
For most uses, Argus requires only a few simple
configuration variables to be set in order to work. For the
custom minded, Argus supports a large number of options.
Argus is generally configured using the .argusrc file that
is normally found in $ARGUSHOME. The variables that are
set by this file can be overridden by the use of command
line switches or an alternative configuration file
that is specified using the "-F configfile" option.
See ./example/.argusrc for a description of options and
their default settings. This sample file sets most of
the common options.
6. How do I run Argus?
Argus is run either as a persistent daemon, reading live
packets from a network interface, or as a program,
reading packets from a packet capture file. The default,
i.e. when it is run without any configuration, is to run
as a daemon.
The only real question to answer is where do you want
argus to send its output. The basic options are to write
to a file, or to offer remote access via a socket, or both.
Most installations will configure argus to write its
output to a file. To do this, run argus as:
# argus -w outputfile
This will cause Argus to run as a daemon, reading packets
from the first available network interface, and writing
its output to an outputfile.
If you intend to remotely attach to this argus, you'll need to
tell argus which port to listen on. The default
port for clients is port 561. We recommend using this port
number.
# argus -P 561 -w outputfile
In order to configure argus to read packets from a packet
capture file, use the "-r" option.
% argus -r ./packetfile
Argus has a large number of options, which can be set
through an .argusrc file, the use of command line options,
or through a separate configuration file that is specified
at run time. These options are designed to specify things
like what type of information Argus should capture, how
often it should generate output records, whether it should
put the network interface in promiscuous mode when run,
whether it should create a pid file, etc. The complete list is
described in the argus.8 man page.
7. How do you run argus on your systems?
argus -e `hostname` -P 561 -U128 -mRS 30 -w $ARGUSHOME/argus.out
8. How do I audit my web servers?
Argus can be deployed either on the network using a tapping
strategy that captures all the packets destined to and from
the target web server, or Argus can be deployed on the web
server itself. In any case, if the desire is to measure
web performance itself, Argus should be deployed as close
to the server as physically possible.
Deploying Argus on the server itself is my preferred
strategy as it solves some basic problems with monitoring
multi-interface load balanced servers. Some sites will
be concerned with the cycles used by Argus and stability
issues, but for the majority of servers in use in the
Internet today, this will be the right strategy, as it
is the least expensive.
    +-----------+          +-----------+
    |   +-+     |          |   +-+     |
    |   | |     |          |   | |     +------
    |   | |     +----------+   | |     |
    |   | |     |          |   | |     +------
    |   +-+     |          |   +-+     |
    +-----------+          +-----------+
     Web Back End           Web Front End
     with resident          with resident
        Argus                   Argus
                                           Figure 1.
When off server deployment is indicated, Argus can be
deployed any where in the network where there is access
to packets of interest. Usually using a switch or
hub that is inline with the target packet data is the
way to go.
    +-----------+   Switch
    |           |    Hub
    |           |   +---+
    |           +---+   +-------
    |           |   +-+-+
    |           |     |
    +-----------+     |
     Web Server   +---+---+
                  | Argus |
                  +-------+
                                 Figure 2.
There are situations where the effects of load balancers
will want to be monitored. In this case, multiple Argi
can be deployed to monitor pre and post load balanced
flow data.
                 Switch                     Switch
    +-------+     Hub      +-------+         Hub
    |       |   +---+      |       |       +---+
    |       +---+   +------+       +-------+   +------
    |       |   +-+-+      |       |       +-+-+
    +-------+     |        +-------+         |
   Web Server     |      Load Balancer       |
              +---+---+                  +---+---+
              | Argus |                  | Argus |
              +-------+                  +-------+
                                                    Figure 3.
9. How do I audit the traffic between my corporate network and my ISP?
The trick here is to deploy Argus such that it can see
all the packets between the corp network and the Internet.
In many networks there is an ethernet DMZ. This is the
ideal location to place Argus: a common, physically
accessible link that gives complete coverage of all the packets.
This is especially true when there are multiple ISP links being
used by the corporation.
A Switch or a Hub can be used to tap into the DMZ so that
the Argus host can see the full duplex channel between the
two routers, as shown below.
                       Switch    +-----------+
          +------+     Hub       |           +------- ISP
          |      |    +-----+    |           |
corp -----+      +----+     +----+  Router   +------- ISP
          |      |    +--+--+    |           |
          +------+       |       |           +------- ISP
          router         |       +-----------+
                     +---+---+
                     | Argus |
                     +-------+
                                                Figure 4.
If you can't insert a switch or a hub into the link as
shown in Figure 4, then you've got a bit of a puzzle.
In some cases you can configure your router to "port steer"
or port copy the packets that you are interested in to a
common monitoring port. When a switch or hub cannot be
installed on the DMZ link, this would be the next likely
strategy.
                +-----------+ B
                |           +------- ISP
       A        |  Router   | C
  Corp ---------+  Switch   +------- ISP
                |           | D
                |           +------- ISP
                +-----+-----+
                      | E
                  +---+---+
                  | Argus |
                  +-------+
If the router/switch can be configured to copy both
incoming and outgoing packets from Interface A to
Interface E, then the problem is solved, as this
will get all the packets (assuming you don't support
routing between interfaces B, C or D).
Interface E should have the bandwidth needed to handle
the full load of the traffic. In our example above,
if interface A is a 10 Mbps ethernet link, interface
E should be a 100 Mbps interface, so that it can handle
the 20 Mbps of total load interface A can support.
If the device does not support full duplex port copy,
then a strategy that copies all the incoming interfaces
of the router/switch to a common monitor interface will
also get all the packets.
If none of the above is possible, then there are WAN
probe taps available that will support packet capture
from ISP links. These are pretty expensive, sometimes
more than the entire cost of the Argus probe itself,
but they are available.
10. How do I determine the top talkers on my network?
To get top talker type data, use ramon, with the
TopN option.
ramon -M TopN -r * - filter
If you want top pairs of talkers, use ramon with the
Matrix option.
ramon -M Matrix -r * - filter
11. How can I log all http GET and POST requests to my web servers?
12. How do I log intrusion attempts into my network?
24. How do I generate near real-time link byte and packet counts every 10 seconds from a remote argus server?
ragator() is the tool of choice here. But getting a 10 sec
interval statistic will require that you make some changes
to the runtime configuration of argus. The ragator
configuration file needed to do this is described below.
The problem is that Argus outputs microflow audit records
based on state and a time interval. The -S option specifies
what that time interval will be. The default is set up so
that the maximum time duration of any argus audit record
is 60 seconds. With this granularity of data, deriving
a usable 10 second status counter is not possible.
The best you could do would be a 180 second status counter
(3 * (minimum period)). In order to get 10 second
link stats, you will need to lower the status reporting
timer of Argus to 2-3 seconds, using the -S option.
Depending on your traffic loads, this may or may not be
a lot of records.
If you want to go for 10 second stats, run
argus -S 2 [raoptions]
And then use ragator to collect the microflow data from
the above argus, using the flowmodel.conf file that is
described below.
ragator -S remoteargus -f flowmodel.conf
where flowmodel.conf contains:
#
#label id  SrcCIDRAddr DstCIDRAddr Proto SrcPort DstPort ModelList Duration
Flow   106 *           *           *     *       *       100       10
# label id  SrcAddrMask DstAddrMask Proto SrcPort DstPort
Model   100 0.0.0.0     0.0.0.0     no    no      no
If you want to do the same thing but count based on IP protocol, put a "yes"
in the proto field of Model 100. Anyway, read the ./examples/fmodel.conf
file for suggestions on configuring ragator().
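The two post-processing questions above (top talkers in item 10, and 10 second link counters in item 24) both reduce to aggregating flow records by time bin or by address. The following is an added example, not part of the argus distribution or of ragator/ramon: it works on a constructed, simplified record format (start time, duration, source, destination, packets, bytes per line), which is an assumption for this example and not the real argus/ra output format. It shows why records produced with the default 60 second -S interval cannot be turned into 10 second counters, while records from an argus run with -S 2 can, and it computes the TopN and Matrix style tables from the same records.

```python
"""Added example (not argus/ragator/ramon code): bin flow records into
10 second link counters and compute top-talker tables.

Record format (constructed for this example, not the real ra output):
    start_epoch_seconds  duration_seconds  src  dst  pkts  bytes
"""
from collections import defaultdict

BIN_SECONDS = 10

# Constructed sample: what an argus run with "-S 2" might report.  Every
# record lasts at most 2 seconds, so each one falls inside one 10 s bin.
SAMPLE_FLOWS_S2 = """\
1000.0 2.0 10.0.0.1   192.0.2.10 10  1500
1001.0 1.5 10.0.0.2   192.0.2.10  4   600
1004.0 2.0 192.0.2.10 10.0.0.1   40 60000
1011.0 2.0 10.0.0.1   192.0.2.10  8  1200
1012.0 2.0 10.0.0.3   192.0.2.20  2   300
1023.0 1.0 192.0.2.10 10.0.0.2   30 45000
"""

# Constructed sample: the same traffic as the default 60 s status interval
# would report it.  One record spans several 10 s bins, so its bytes cannot
# be attributed to any single bin.
SAMPLE_FLOWS_S60 = """\
1000.0 24.0 10.0.0.1   192.0.2.10 18  2700
1001.0 23.0 192.0.2.10 10.0.0.2   30 45000
"""


def parse_flows(text):
    """Parse the constructed record format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, dur, src, dst, pkts, nbytes = line.split()
        flows.append({"start": float(start), "dur": float(dur),
                      "src": src, "dst": dst,
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def max_duration(flows):
    """Longest record duration; must be below the bin size for binning."""
    return max(f["dur"] for f in flows)


def link_counters(flows, bin_seconds=BIN_SECONDS):
    """Return {bin_start: (pkts, bytes)} keyed by the record's start bin.

    A record that starts near a bin edge may spill into the next bin; the
    error is bounded by the argus -S interval, which is why -S must be
    well below the bin size.  Records longer than a bin are rejected.
    """
    counters = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["dur"] > bin_seconds:
            raise ValueError(
                f"record at {f['start']} lasts {f['dur']} s; "
                f"lower argus -S below {bin_seconds} s")
        b = int(f["start"] // bin_seconds) * bin_seconds
        counters[b][0] += f["pkts"]
        counters[b][1] += f["bytes"]
    return {b: tuple(v) for b, v in sorted(counters.items())}


def top_talkers(flows, n=3):
    """TopN style: bytes attributed to each address as source or destination."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
        totals[f["dst"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def matrix(flows, n=3):
    """Matrix style: bytes per unordered address pair."""
    totals = defaultdict(int)
    for f in flows:
        totals[tuple(sorted((f["src"], f["dst"])))] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    fine = parse_flows(SAMPLE_FLOWS_S2)
    for b, (pkts, nbytes) in link_counters(fine).items():
        print(f"{b:>6}  pkts={pkts:<4} bytes={nbytes}")
    print("top talkers:", top_talkers(fine))
    print("top pairs:  ", matrix(fine))
    coarse = parse_flows(SAMPLE_FLOWS_S60)
    print("max record duration with -S 60 sample:", max_duration(coarse),
          "s (cannot be binned into", BIN_SECONDS, "s counters)")
```

Run the script directly to see the per-bin counters for the -S 2 sample; feeding it the -S 60 sample instead makes link_counters() reject the 24 second record, which is the situation item 24 describes.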