Wednesday, July 18, 2007

Argus: Anonymize the flows

After reading the interesting example on secviz.org, I decided to try the Argus graphing example using the AfterGlow and Graphviz tools. However, I was too lazy to change the IPs in my pcap file, which contains P2P traffic, to protect privacy, so I decided to use one of the tools bundled in the Argus suite called ranonymize (the name tells the story). First I converted my pcap file to the Argus file format so that it can be parsed by the Argus suite.

shell>argus -r p2p-suspect.pcap -w p2p-suspect.arg

Now I just need to use ranonymize to read the file and pipe it to the other tools to generate the graph. I have the AfterGlow source under ~/i-Apps, and below is the full command line I use:

shell>ranonymize -r p2p-suspect.arg -w - | \
racluster -r - -m saddr daddr proto dport -c, -s saddr daddr | \
~/i-Apps/afterglow/src/perl/graph/afterglow.pl -a -t -e 2 -c \
~/i-Apps/afterglow/src/perl/parsers/color.properties | \
neato -Tgif -o p2p-anonymize.gif

Now you will have a p2p-anonymize.gif file in the current directory, and here's the simple graph. You can see that all the IPs have already been anonymized, but you still get the idea of the flows.
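To make the two steps of that pipeline concrete (replace every address with a stable pseudonym, then merge identical flows and hand them to Graphviz), here is an added stand-alone illustration. It is not code from the original post and not part of Argus, ranonymize, racluster or AfterGlow; the pseudonym scheme (a keyed HMAC truncated into a fake 10.x.y.z address), the sample flow records and all function names are assumptions made for this example, and ranonymize's real method is not described here.

```python
# Added example (not part of the original post or the Argus/AfterGlow tools):
# a stand-alone illustration of the pipeline's two steps -- replace every IP
# with a stable pseudonym, then aggregate flows and emit Graphviz DOT for neato.
# The pseudonym scheme (keyed HMAC truncated to a fake 10.x.y.z address) is an
# assumption chosen for illustration; ranonymize's real method is not shown here.
import hashlib
import hmac
from collections import Counter

# Constructed sample flow records, in the field order the racluster command
# in the post selects: saddr, daddr, proto, dport (documentation-range IPs).
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.7,tcp,6881
192.0.2.10,198.51.100.7,tcp,6881
192.0.2.10,203.0.113.42,udp,6881
192.0.2.11,198.51.100.7,tcp,80
"""


def anonymize_ip(ip, key):
    """Map an IP to a consistent pseudonymous 10.x.y.z address.

    The same input under the same key always yields the same output, so the
    flow structure (who talks to whom) survives while the real address is hidden.
    Without the key the mapping cannot be reversed or recomputed by a reader."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    return "10.%d.%d.%d" % (digest[0], digest[1], digest[2])


def parse_flows(text):
    """Parse comma-separated flow lines into (saddr, daddr, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        saddr, daddr, proto, dport = line.split(",")
        flows.append((saddr, daddr, proto, int(dport)))
    return flows


def cluster_flows(flows, key):
    """Anonymize both endpoints, then merge identical (saddr, daddr, proto, dport)
    records the way 'racluster -m saddr daddr proto dport' does, counting how
    many raw records each merged flow represents."""
    merged = Counter()
    for saddr, daddr, proto, dport in flows:
        merged[(anonymize_ip(saddr, key), anonymize_ip(daddr, key), proto, dport)] += 1
    return merged


def to_dot(merged):
    """Emit a Graphviz DOT graph: one node per anonymized address and one edge
    per merged flow, labelled with proto/dport and the record count."""
    lines = ["graph flows {"]
    for (saddr, daddr, proto, dport), count in sorted(merged.items()):
        lines.append('  "%s" -- "%s" [label="%s/%d x%d"];' % (saddr, daddr, proto, dport, count))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed demo key; a real one would be generated per dataset and kept
    # secret so that the pseudonyms cannot be mapped back to the real hosts.
    key = b"demo-key-not-secret"
    merged = cluster_flows(parse_flows(SAMPLE_FLOWS), key)
    print(to_dot(merged))  # pipe the output into: neato -Tgif -o p2p-anonymize.gif
```

The DOT text it prints can be fed straight to neato just as the AfterGlow output is in the post; the point of the keyed mapping is that the same real host always becomes the same fake node, so the shape of the graph is identical to the unanonymized one.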


Instead of reading raw pcap data, sometimes a graph helps.

Enjoy ;]

1 comment:

Anonymous said...

Speaking of Argus, how is your book on it coming along?