The newest development version of argus-clients is on the server. This version provides fixes for IPv6 netflow V9 IPv6 support, has more updates for color ratop(), has new parsing engines for rapolicy() to support more ACL strategies, and fixes a number of bugs related to labels. Now all ra* clients can read netflow v1-9, and convert them to argus 3.0 records. The netflow v9 support is still in testing. So please download argus-clients-126.96.36.199 and give it a try. As always, if you do run into problems, please don't hesitate to send a note to the argus developers mailing list.
The current set of stable source code can be grabbed from these links:
We presented to the Stanford SDN testbed team last week (Jan 24th), at Stanford University. We had a great set of meetings regarding control plane / data plane monitoring in high performance SDNs and Clouds, and look forward to working with the testbed in 2013.
Argus-3.0.6 is now being used to drive some really great network visualizations for GLORIAD, the advanced science interent network that connects US, Russia, China, Korea, Canada, The Netherlands, India, Egypt, Singapore and Nordic scientists with Advanced Cyberinfrastructure. Checkout the various visualizations, including GLORIAD Earth.
Welcome to Argus, the network Audit Record Generation and Utilization System. The Argus Project is focused on developing network activity audit strategies and prototype technology to support Network Operations, Performance and Security Management. If you look at packets to solve problems, or you need to know what is going on in your network, right now or way back then, you should find Argus a useful tool.
The Argus sensor processes packets (either capture files or live packet data) and generates detailed status reports of the 'flows' that it detects in the packet stream. The flow reports that Argus generates capture much of the semantics of every flow, but with a great deal of data reduction, so you can store, process, inspect or analyze large amounts of network data in a short period of time. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc...
Argus is used by many sites to establish network activity audits, which are then used to supplement traditional IDS based network security. These sites use contemporary IDS technology like snort and/or Bro to generate events and alarms, and then use the Argus network audit data to provide context for those alarms to decide if the alarms are real problems. In many DIY efforts, snort, Bro and argus run on the same high performance device. The audit data that Argus generates is great for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting very slow scans, and supporting Zero day events. The network transaction audit data that Argus generates has also been used for a wide range of other tasks including Network Billing and Accounting, Operations Management and Performance Analysis.
Argus can be considered an implementation of the architecture described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and the project has actively contributed to the IPFIX effort, however, Argus technology should be considered a superset of the IPFIX architecture, providing "proof of concept" implementations for most aspects of the IPFIX applicability statement. Argus technology can read and process Cisco Netflow data, and many sites develop audits using a mixture of Argus and Netflow records.
Argus is an Open Source project and currently runs on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt. The software should be portable to many other versions of Unix with little modification. Performance is such that auditing an entire enterprise's Internet activity can be accomplished using modest computing resources.
Page Last Modified: 20:28:17 EDT 18 Apr 2013 © Copyright 2000 - 2013 QoSient, LLC. All Rights Reserved.