
NAME
       argus - audit record generation and utilization system

SYNOPSIS
       argus [ options ] [ filter expression ]

COPYRIGHT
       Copyright (c) 2000-2004 QoSient, LLC All rights reserved.

DESCRIPTION
       Argus  is  an  IP transaction auditing tool that categorizes IP packets
       which match the boolean expression  into  a  protocol-specific  network
       transaction   model.    Argus  reports  on  the  transactions  that  it
       discovers, as they occur.

       Designed to run as a daemon, argus  generally  reads  packets  directly
       from a network interface, and writes the transaction status information
       to a log file or open socket connected to  an  argus  client  (such  as
       ra(1)).   Argus  can  also  read  packet  information from tcpdump(1),
       snoop(1) or NLANR's Moat Time Sequence Header raw packet files.  Argus
       can also be configured to write its transaction logs to stdout.

       Argus  provides access control for its socket connection facility using
       tcp_wrapper technology.  Please refer to the  tcp_wrapper  distribution
       for a complete description.

OPTIONS
       -b   Dump  the  compiled packet-matching code to stdout and stop.  This
            is used to debug filter expressions.

       -B   Only bind to the specified  IP  address  (remote  access  must  be
            enabled by a non-zero port).

       -c   Generate  system  pid file.  This will cause argus to create a pid
            file that can be used to control the number of argi running  on  a
            system.    The   default  pid  file  directory  is  /var/run,  and
            $ARGUSHOME when the OS does not support /var/run.

       -d   Run argus as a daemon.  This will cause argus  to  do  the  things
            that  Unix  daemons  do  and return, if there were no errors, with
            argus running as a detached process.

       -D   <level> Print debug messages to stderr.  The  higher  the  <level>
            the more information printed.  Acceptable levels are 1-8.

       -e   <value>  Specify the source identifier for this argus.  Acceptable
            values are numbers, hostnames or IP addresses.

       -h   Print an explanation of all the arguments.

       -F   Use conffile as a source of  configuration  information.   Options
            set  in this file override any other specification, and so this is
            the last word on option values.

       -I   <number> Specify the <number> of instances that  are  concurrently
            allowed.  The default is 1.  This impacts the pid  file  strategy
            for argus.

       -i   <interface>  Specify  the  physical  network  <interface>  to   be
            audited.   The  default  is the first network interface that is up
            and running.

       -J   Generate packet performance data in each audit record.

       -M   <secs> Specify the interval in <secs>  of  argus  status  records.
            These  records  are  used  to  report the internal status of argus
            itself.  The default is 300 seconds.

       -m   Don't provide MAC address information in argus records.

       -n   <directory> Specify the pid file directory.   This  overrides  the
            default  directory  location,  which is /var/run, or $ARGUSHOME if
            /var/run is not available.  This switch implies the -c switch.

       -O   Turn off Berkeley Packet Filter optimizer.  No reason to  do  this
            unless you think the optimizer generates bad code.

       -p   Do not set the physical network interface in promiscuous mode.  If
            the interface is already in promiscuous mode, this option may have
            no  effect.   Do this to audit only the traffic coming to and from
            the system argus is running on.

       -P   <portnum> Specifies the <portnum> for  remote  client  connection.
            The default is to not support remote access.  Setting the value to
            zero (0) will forcibly turn off the facility.

       -r   Read from tcpdump(1), snoop(1) or NLANR's  Moat  Time  Sequence
            Header  (tsh) packet capture files.  If the packet capture file is
            a tsh format file, then the -t option must also  be  used.   Argus
            will  read  from  only one input packet file at a time.  If the -r
            option is specified, argus  will  not  put  down  a  listen(2)  to
            support remote access.

       -R   Generate  argus  records  such  that response times can be derived
            from transaction data.

       -S   <secs> Specify the status reporting interval  in  <secs>  for  all
            traffic flows.

       -t   Indicate  that the expected packet capture input file is an NLANR
            Moat Time Sequence Header (tsh) packet capture file.

       -U   Specify the number of user bytes to capture.

       -w   <file> ["filter"]  Write transaction status records to <file>, with
            an optional output "filter".  A <file> of '-' directs argus to write
            the resulting argus-file output to stdout.

       -X   Clear   existing   argus   configuration.    This   removes    any
            initialization  done  prior to encountering this flag.  Allows you
            to eliminate the effects  of  the  /etc/argus.conf  file,  or  any
            argus.conf files that may have been loaded.

            This  tcpdump(1)  expression  specifies which transactions will be
            selected.   If  no  expression  is  given,  all  transactions  are
            selected.   Otherwise,  only  transactions for which expression is
            ‘true’  will  be  dumped.   For  a  complete   expression   format
            description, please refer to the tcpdump(1) man page.

SIGNALS
       Argus  catches a number of signal(3) events.  The three signals SIGHUP,
       SIGINT, and SIGTERM  cause  argus  to  exit,  writing  TIMEDOUT  status
       records for all currently active transactions.  The signal SIGUSR1 will
       turn on debug reporting, and subsequent SIGUSR1 signals, will increment
       the  debug-level.  The  signal SIGUSR2 will cause argus to turn off all
       debug reporting.

ENVIRONMENT
       $ARGUSHOME - Argus Root directory

FILES
       /etc/argus.conf        - argus daemon configuration file
       /var/run/              - default PID file naming convention

EXAMPLES
       Run argus as a daemon, writing all its transaction  status  reports  to
       output-file.  This is the typical mode.
              argus -d -e hostname -w output-file

       If  ICMP  traffic  is  not  of interest to you, you can filter out ICMP
       packets on input.
              argus -w output-file - ip and not icmp

       Argus supports both input filtering and  output  filtering,  and  argus
       supports  multiple  output  streams,  each  with  their own independent

       If you are interested in tracking IP traffic only  (input  filter)  and
       want  to  report  ICMP  traffic  in  one  output file and all other IP
       traffic in another file:
              argus -w outfile1 "icmp" -w outfile2 "not icmp" - ip

       Audit the network activity that is  flowing  between  the  two  gateway
       routers,   whose   ethernet   addresses   are   00:08:03:2D:42:01   and
       00:00:0C:18:29:F1.  Without specifying an output-file,  it  is  assumed
       that the transaction status reports will be written to a remote client.
       In this case we have changed the port that the remote client  will  use
       to port 430/tcp.
              argus -P 430 ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1) &

       Audit each individual ICMP ECHO transaction.  You would do this to gather
       Round Trip Time data within your network.  Write the output to  output-
              argus -R -w output-file "echo" - icmp

       Audit all NFS transactions involving the server fileserver and increase
       the  reporting  interval  to  3600  seconds  (to  provide   high   data
       reduction).  Write the output to output-file.
              argus -S 3600 -w output-file udp and port 2049 &
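       An added launcher script, not from the argus man page or the argus
       distribution, that combines the options used in the examples above: it
       compile-checks the input filter with -b before starting, keeps a pid file
       with -c, and limits the client socket to one address with -B and -P.  The
       interface, bind address, port, output directory and the non-zero exit of
       "argus -b" on a bad expression are assumptions.

```sh
#!/bin/sh
# Added example; not from the argus man page or the argus distribution.
# Starts argus as a daemon the way the EXAMPLES combine options, but validates
# the filter first and restricts the remote client socket to one address.
# IFACE, BIND_ADDR, PORT and OUTDIR are assumed placeholders for your host.

IFACE="${IFACE:-eth0}"
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"   # clients on this host only
PORT="${PORT:-561}"                   # assumed client port; non-zero enables -B
OUTDIR="${OUTDIR:-/var/log/argus}"
SRCID="${SRCID:-$(uname -n)}"         # -e source identifier (a hostname is allowed)

# "argus -b <expr>" compiles the filter, dumps the BPF code and stops.
# Assumed: it exits non-zero when the expression does not compile, so a
# typo is caught here instead of silently auditing the wrong traffic.
check_filter() {
    argus -b "$@" >/dev/null 2>&1
}

# Assemble the daemon argument list once:
#   -d daemon, -c pid file (limits concurrent argi), -e source id,
#   -i interface, -B/-P bind the client socket to one address and port,
#   two -w streams each with its own output filter, "- ip" as input filter.
# With --dry-run (or no argus on PATH) the command line is printed instead.
start_argus() {
    mode="${1:-}"
    set -- -d -c -e "$SRCID" -i "$IFACE" -B "$BIND_ADDR" -P "$PORT" \
        -w "$OUTDIR/icmp.out" icmp -w "$OUTDIR/other.out" "not icmp" - ip
    if [ "$mode" = "--dry-run" ] || ! command -v argus >/dev/null 2>&1; then
        printf 'argus'; printf " '%s'" "$@"; printf '\n'
        return 0
    fi
    check_filter ip || { echo "input filter does not compile" >&2; return 1; }
    argus "$@"
}
```

       Run "start_argus --dry-run" to inspect the quoted command line before
       letting the script start the daemon for real.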

AUTHOR
       Carter Bullard (

SEE ALSO
       argus.conf(5), hosts_access(5), hosts_options(5), tcpd(8), tcpdump(1)

                               10 November 2000