Capture session data with Argus on FreeBSD
I wrote an article about capturing session data with Argus on FreeBSD for BSD Mag back in 2012. Unfortunately, BSD Mag does not publish new (BSD) magazines anymore. You can find the issue with my article here.
This post summarizes my article and continues with more advanced queries on the captured session data!
Requirements
The following requirements have to be in place to implement and do what is described in this post:
- an up-to-date FreeBSD system, version 11.2
- at least 1 network interface of your FreeBSD system connected to a span port or a network tap
- run Argus as a daemon (as described in the article)
Assumptions
The following assumptions apply to this blog post:
- two monitoring network interfaces (connected to a span port or network tap) are used on the FreeBSD Argus system: vtnet1 monitors the client network and vtnet2 monitors the DMZ
- argus stores its data in the directory /nsm/argus/logfiles
- the format of the argus logfiles is: YYYYMMDD-000000.interface.arg, where interface is either vtnet1 or vtnet2
- the logfiles used in the examples are /nsm/argus/logfiles/20181219-000000.vtnet1.arg and /nsm/argus/logfiles/20181219-000000.vtnet2.arg
- the subnet of the DMZ network is 81.128.155.216/29 (be aware: this is made up for this blog post! I do not own this!)
Install Argus
We install the Argus software on the FreeBSD system first:
# pkg install argus
# pkg install argus-clients
For detailed information on the files installed and their location, see my article. The article also describes how to run Argus as a daemon, process or service.
More Argus query examples
My article from 2012 only touched on some basic Argus client query examples. Some more examples are presented below! Most of these examples are done with the racluster Argus client, which can aggregate data. This makes it really powerful. You can find a link to racluster examples in the Resources section at the end of this post. And you can also always read the racluster manual page on your FreeBSD system!
Total amounts per protocol
I find it nice to know the breakdown per protocol (TCP, UDP and ICMP) on my Argus monitored interfaces. You can select what you want to show in your breakdown. Below, the number of transactions, total number of packets and total bytes are shown for my client network Argus interface:
$ cd /nsm/argus/logfiles
$ racluster -m proto -r 20181219-000000.vtnet1.arg -w - | \
    rasort -m proto -s proto trans pkts bytes - \
    tcp or udp or icmp
The output of this query looks like:
Proto Trans TotPkts TotBytes
udp 7656 7716 1173930
tcp 46256 2759042 3783981946
icmp 5463 7469 810802
Top sources based on bytes
Wouldn't it be nice to know who your top talkers (clients) are? Argus can provide that for you!
$ cd /nsm/argus/logfiles
$ racluster -M correct -m saddr -nr 20181219-000000.vtnet1.arg -w - | \
    rasort -m bytes -w - | \
    ra -L0 -N 10 -s saddr trans pkts bytes - \
    src net 10.101.102.0/24
The output of this query looks like:
SrcAddr Trans TotPkts TotBytes
10.101.102.31 899 1186755 1772442560
10.101.102.177 2216 883123 1295079640
10.101.102.141 14633 348375 411253969
10.101.102.102 9426 228092 221088240
10.101.102.146 1625 30251 24749967
10.101.102.116 1053 19013 17608288
10.101.102.112 2831 9329 2053673
10.101.102.1 914 1356 139616
10.101.102.211 172 706 120135
10.101.102.2 6 105 107564
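As an added example (not part of the original article), the script below post-processes the top-talkers output above: it parses the table printed by ra -L0 -s saddr trans pkts bytes, computes each source's share of the listed bytes and its average bytes per transaction, and flags the sources a reviewer should look at first (a host dominating the volume, or a host moving a lot of data in only a few flows). The thresholds are assumptions chosen for illustration.

```python
"""Review helper for the Argus top-talkers query (ra -s saddr trans pkts bytes)."""
from dataclasses import dataclass

# Constructed sample input: the ra output shown above for the client network (vtnet1).
SAMPLE_RA_OUTPUT = """\
SrcAddr Trans TotPkts TotBytes
10.101.102.31 899 1186755 1772442560
10.101.102.177 2216 883123 1295079640
10.101.102.141 14633 348375 411253969
10.101.102.102 9426 228092 221088240
10.101.102.146 1625 30251 24749967
10.101.102.116 1053 19013 17608288
10.101.102.112 2831 9329 2053673
10.101.102.1 914 1356 139616
10.101.102.211 172 706 120135
10.101.102.2 6 105 107564
"""

@dataclass
class SourceStats:
    saddr: str
    trans: int
    pkts: int
    nbytes: int

    @property
    def bytes_per_trans(self) -> float:
        return self.nbytes / self.trans if self.trans else 0.0

def parse_ra_output(text: str) -> list:
    """Parse the whitespace-separated table; the first line is the header ra prints with -L0."""
    lines = [line for line in text.splitlines() if line.strip()]
    if lines[0].split() != ["SrcAddr", "Trans", "TotPkts", "TotBytes"]:
        raise ValueError("unexpected header: %s" % lines[0])
    rows = []
    for line in lines[1:]:
        saddr, trans, pkts, nbytes = line.split()
        rows.append(SourceStats(saddr, int(trans), int(pkts), int(nbytes)))
    return rows

def flag_heavy_sources(rows, share_threshold=0.25, bpt_threshold=1_000_000):
    """Return (saddr, share_of_bytes, bytes_per_trans) for sources worth a closer look.
    Assumed review thresholds: more than 25% of all listed bytes, or more than 1 MB per
    transaction on average (few flows carrying a lot of data, e.g. bulk transfers)."""
    total = sum(r.nbytes for r in rows)
    flagged = []
    for r in rows:
        share = r.nbytes / total if total else 0.0
        if share > share_threshold or r.bytes_per_trans > bpt_threshold:
            flagged.append((r.saddr, round(share, 3), round(r.bytes_per_trans)))
    return flagged

if __name__ == "__main__":
    for saddr, share, bpt in flag_heavy_sources(parse_ra_output(SAMPLE_RA_OUTPUT)):
        print("%-16s share=%.1f%%  bytes/trans=%d" % (saddr, share * 100, bpt))
```

Feed it real data by piping the same ra command into the script instead of the embedded sample; a flagged host is a starting point for a follow-up query on that src host (e.g. per dport) rather than a verdict.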
Protocol overview for destination subnet
For my DMZ I like to know what traffic reaches each of the hosts in it:
$ cd /nsm/argus/logfiles
$ racluster -M correct -m daddr proto -n -r 20181219-000000.vtnet1.arg -w - | \
    rasort -m trans -w - | \
    ra -L0 -N 10 -s daddr proto trans bytes - \
    dst net 81.128.155.216/29
The output of this query looks like:
DstAddr Proto Trans TotBytes
81.128.155.221 esp 14569 95086322
81.128.155.218 udp 5831 714258
81.128.155.218 tcp 4756 1475141
81.128.155.221 tcp 4432 1901028
81.128.155.220 tcp 4367 979168
81.128.155.222 tcp 3885 1123722
81.128.155.219 tcp 3369 352667
81.128.155.219 udp 2232 265451
81.128.155.220 icmp 1392 90726
81.128.155.222 icmp 1387 90492
Protocol summary for destination host
To show a protocol summary for a destination (DMZ) host we use:
$ cd /nsm/argus/logfiles
$ racluster -M correct -m daddr proto -n -r 20181219-000000.vtnet2.arg -w - | \
    rasort -m trans -w - | \
    ra -L0 -N 10 -s daddr proto trans bytes - \
    dst host 81.128.155.218
The output of this query looks like:
DstAddr Proto Trans TotBytes
81.128.155.218 udp 5831 714258
81.128.155.218 tcp 4756 1475141
81.128.155.218 icmp 244 21679
Service overview for destination host
We can also show more details for a DMZ host, i.e. some figures per destination port/protocol:
$ cd /nsm/argus/logfiles
$ racluster -M correct -m daddr dport -n -r 20181219-000000.vtnet2.arg -w - | \
    rasort -m trans -w - | \
    ra -L0 -N 10 -s daddr dport trans bytes - \
    dst host 81.128.155.218
The output of this query looks like:
DstAddr Dport Trans TotBytes
81.128.155.218.domain 1701 149815
81.128.155.218.smtp 1392 1122269
81.128.155.218.telnet 336 20696
81.128.155.218.domain 296 76726
81.128.155.218.ms-sq* 225 22140
81.128.155.218.micro* 162 10356
81.128.155.218.http 101 7186
81.128.155.218.ntp 92 8388
81.128.155.218.8080 63 3882
81.128.155.218.ssh 55 3634
Resources
Some (other) resources about this subject: