Re: Linux network monitoring (fwd)

Mustafa Akgul (akgul@Bilkent.EDU.TR)
Sun, 5 May 1996 12:50:42 +0400 (EET DST)

Forwarded message:
>From firewalls-owner@GreatCircle.COM Sun May 5 06:45:13 1996
Date: Sat, 4 May 1996 21:30:00 -0500 (CDT)
From: Chip Coy <>
Cc: Firewalls <firewalls@GreatCircle.COM>
Subject: Re: Linux network monitoring
In-Reply-To: <>
Message-Id: <>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Personally, I use Doug Hughes' klaxon, but that's not the tool you

Sounds like you're looking for Argus, (to quote the announce) "a generic
IP network transaction auditing tool. Argus runs as an application level
daemon, promiscuously reading network datagrams from a specified
interface, and generates network traffic status records for the network
activity that it encounters".

It's from CMU, it's built on top of libpcap (the low-level library used
by tcpdump).

Argus is a bit of a cpu hog on linux at the moment (all packets come up to
the application, rather than being filtered in the kernel as on UNIX
systems with the Berkley Packet Filter in the kernel).

See ftp:// for more information.


On Sat, 4 May 1996 wrote:
> What I would really like is a tool like one I saw in use a
> while back, but have been unable to locate. It could detect attempted
> connections on any ports, giving it the ability to effectively detect port
> scans in any port range, while *not* accepting any connections. In other
> words, whoever attempted to connect would *not* have the connection accepted,
> but it would still be logged as a connection attempt.

Chip Coy
"Do not mistake composure for ease." - Tuvok