November 2001
Edited by Olivier Bonaventure

ARGUS

C. Bullard, http://qosient.com/argus

The Argus Open Project is focused on developing network activity measurement and audit strategies that can do real work for the network architect, administrator, and network user. Argus is a fixed-model real-time flow monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application-/protocol-specific information. Argus is well suited to monitoring and measuring the same network event at multiple points in a network.
      Argus can be used to analyze and report on the contents of packet capture files (tcpdump, snoop, and tsh formats), or it can run as a continuous monitor, examining data from a live interface and generating an audit log of all the network activity seen in the packet stream. Argus can be deployed to monitor individual end systems or an entire enterprise's network activity. As a continuous monitor, Argus provides both push and pull data handling models, allowing flexible strategies for collecting network audit data. Argus data clients support a range of operations, such as sorting, aggregation, archival, and reporting. Argus data can also be output as XML, which makes it straightforward to process with other tools.
      The network transaction audit data Argus generates has been used for a wide range of tasks including security management, network billing and accounting, network operations management, and performance analysis and research. Argus currently runs on Linux, Solaris, FreeBSD, OpenBSD, and NetBSD, and its client programs have also been ported to Windows (Cygwin). The ARGUS Website provides source code, binaries, and documentation, and a mailing list is available for technical support.
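      The following Python sketch is an added illustration of the two ideas above, the reduction of a packet stream into bidirectional per-transaction flow records and the comparison of records for the same flow taken at two monitoring points to obtain loss and delay. It is not Argus code and does not read Argus's record format; the packets are constructed inline, the field names, the coarse TCP state labels and the two-vantage-point comparison (which assumes synchronized clocks and compares only the initiator's direction) are simplifications chosen for the example.

```python
"""Flow-record aggregation of the kind Argus performs, added as an illustration.

Not Argus code. Packet summaries are reduced to bidirectional per-flow records
(Argus's "transaction"), and records of the same flow taken at two monitoring
points are compared to derive loss and one-way delay. All packets below are
constructed; the two vantage points are assumed to have synchronized clocks.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport length flags")


def flow_key(pkt):
    """Canonical bidirectional key so both directions land in one record."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


def aggregate(packets):
    """Reduce a packet stream to per-flow records keyed by flow_key()."""
    flows = {}
    for p in packets:
        rec = flows.get(flow_key(p))
        if rec is None:
            # The first packet seen defines the initiator ("src") side.
            rec = {"proto": p.proto, "src": p.src, "sport": p.sport,
                   "dst": p.dst, "dport": p.dport, "start": p.ts, "last": p.ts,
                   "spkts": 0, "sbytes": 0, "dpkts": 0, "dbytes": 0, "flags": set()}
            flows[flow_key(p)] = rec
        side = "s" if (p.src, p.sport) == (rec["src"], rec["sport"]) else "d"
        rec[side + "pkts"] += 1
        rec[side + "bytes"] += p.length
        rec["last"] = max(rec["last"], p.ts)
        rec["flags"].update(p.flags)
    return flows


def tcp_state(rec):
    """Coarse connection state from the TCP flags seen (labels are this example's)."""
    if rec["proto"] != "tcp":
        return "-"
    f = rec["flags"]
    if "R" in f:
        return "RST"
    if "F" in f:
        return "FIN"
    if "S" in f and "A" in f:
        return "EST"
    return "REQ" if "S" in f else "CON"


def report(flows):
    """One text line per flow, sorted by total bytes, like a sorted client listing."""
    rows = sorted(flows.values(), key=lambda r: r["sbytes"] + r["dbytes"], reverse=True)
    return ["%-4s %s:%d -> %s:%d %5.3fs %d/%d pkts %d/%d bytes %s" % (
        r["proto"], r["src"], r["sport"], r["dst"], r["dport"], r["last"] - r["start"],
        r["spkts"], r["dpkts"], r["sbytes"], r["dbytes"], tcp_state(r)) for r in rows]


def compare(upstream, downstream):
    """Loss and delay per flow from records of the same event at two points.
    Only the initiator's direction is compared: those packets pass the upstream
    monitor first, so the downstream count can only be lower and later."""
    out = {}
    for key, up in upstream.items():
        down = downstream.get(key)
        if down is None:
            out[key] = {"loss": up["spkts"], "delay": None}
        else:
            out[key] = {"loss": up["spkts"] - down["spkts"],
                        "delay": round(down["start"] - up["start"], 6)}
    return out


# Constructed upstream capture: one HTTP connection and one DNS lookup.
PACKETS_UPSTREAM = [
    Packet(1.000, "tcp", "10.0.0.5", 40321, "192.0.2.10", 80, 60, "S"),
    Packet(1.010, "tcp", "192.0.2.10", 80, "10.0.0.5", 40321, 60, "SA"),
    Packet(1.011, "tcp", "10.0.0.5", 40321, "192.0.2.10", 80, 52, "A"),
    Packet(1.012, "tcp", "10.0.0.5", 40321, "192.0.2.10", 80, 312, "PA"),
    Packet(1.040, "tcp", "192.0.2.10", 80, "10.0.0.5", 40321, 1500, "PA"),
    Packet(1.041, "tcp", "10.0.0.5", 40321, "192.0.2.10", 80, 52, "FA"),
    Packet(2.000, "udp", "10.0.0.5", 53011, "10.0.0.1", 53, 71, ""),
    Packet(2.003, "udp", "10.0.0.1", 53, "10.0.0.5", 53011, 103, ""),
]
# The same traffic seen 12 ms further downstream, with the client's data packet lost.
PACKETS_DOWNSTREAM = [p._replace(ts=round(p.ts + 0.012, 3))
                      for p in PACKETS_UPSTREAM if p.ts != 1.012]

if __name__ == "__main__":
    flows = aggregate(PACKETS_UPSTREAM)
    print("\n".join(report(flows)))
    print(compare(flows, aggregate(PACKETS_DOWNSTREAM)))
```

      Running the sketch lists the two flows with their per-direction packet and byte counts and reports one lost packet and a 12 ms delay for the HTTP transaction between the two monitoring points; that per-transaction view, rather than per-packet or per-interface counters, is what makes flow audit records usable for both security review and performance analysis.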

BRITE

A. Medina, A. Lakhina, I. Matta, and J. Byers, http://www.cs.bu.edu/brite

BRITE is an extensible Internet topology generation framework. It offers a library of topology generation models for both router and autonomous system (AS) levels. These generation models aim at reproducing observed power-law relationships and small-world properties in Internet topologies. New generation models aimed at capturing other properties of the Internet can easily be added to BRITE. Furthermore, topologies can be imported from AS-level mapping efforts such as the NLANR archives, or from router-level maps such as those obtained from CAIDA's Skitter infrastructure or the SCAN project's Mercator tool. Topologies can also be imported from other available generators such as GT-ITM or Inet. Topologies can be combined to produce unified Internet-like topologies.
      BRITE provides an easy way to obtain representative topologies and export them to simulation software such as ns or SSF. BRITE also provides the infrastructure to develop topology generation models and verify that they capture known invariants of the Internet. To this end, BRIANA, the BRITE Analysis Engine, provides a repository of metrics and routines for topology analysis. BRIANA features an extensible graphical interface that automatically detects new routines. It is also language-independent, so routines may be added in any programming language.
      BRITE is open source, and has been implemented in Java and C++ and tested on Linux, Solaris, and Windows. Documentation is available on the Website, and there is a mailing list for technical support.
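      As an added illustration of what a generation model and an invariant check of this kind look like in practice (this is not BRITE or BRIANA code), the Python example below grows a router-level topology by preferential attachment, one of the model families that reproduces power-law degree distributions, checks two invariants a BRIANA-style routine would check (connectivity and the rank-degree power-law exponent), and exports the result as an ns-2 OTcl fragment. The node count, random seed, and the link bandwidth and delay used in the export are assumptions of the example.

```python
"""Router-level topology generation with a preferential-attachment model, of the
kind BRITE's generation models reproduce. Added illustration, not BRITE or
BRIANA code; node count, seed and ns-2 link parameters are assumptions."""
import math
import random
from collections import deque


def barabasi_albert(n, m, seed=0):
    """Grow an n-node graph: each new node attaches m links to distinct existing
    nodes chosen with probability proportional to their current degree."""
    if n <= m or m < 1:
        raise ValueError("need n > m >= 1")
    rng = random.Random(seed)
    m0 = m + 1
    edges = {(i, j) for i in range(m0) for j in range(i + 1, m0)}  # seed clique
    targets = [v for e in edges for v in e]   # each node listed once per incident edge
    for new in range(m0, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))   # degree-proportional choice
        for v in chosen:
            edges.add((v, new))
            targets.extend((v, new))
    return n, sorted(edges)


def degrees(n, edges):
    deg = {v: 0 for v in range(n)}
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return deg


def is_connected(n, edges):
    """Breadth-first search from node 0; a generated topology must be connected."""
    adj = {v: [] for v in range(n)}
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    seen, queue = {0}, deque([0])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return len(seen) == n


def rank_degree_exponent(deg):
    """Least-squares slope of log(degree) against log(rank): the rank exponent
    of the Faloutsos power laws, computed without external libraries."""
    ds = sorted(deg.values(), reverse=True)
    xs = [math.log(r) for r in range(1, len(ds) + 1)]
    ys = [math.log(d) for d in ds]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs)
    return cov / var


def export_ns2(n, edges, bw="10Mb", delay="5ms"):
    """Emit an OTcl fragment that creates the nodes and duplex links in ns-2."""
    lines = ["set ns [new Simulator]"]
    lines += ["set n(%d) [$ns node]" % v for v in range(n)]
    lines += ["$ns duplex-link $n(%d) $n(%d) %s %s DropTail" % (u, v, bw, delay)
              for u, v in edges]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    n, edges = barabasi_albert(200, 2, seed=7)
    deg = degrees(n, edges)
    print("nodes=%d edges=%d max_degree=%d connected=%s rank_exponent=%.2f" % (
        n, len(edges), max(deg.values()), is_connected(n, edges),
        rank_degree_exponent(deg)))
    print(export_ns2(n, edges)[:200])
```

      A generator whose output fails such checks (a disconnected graph, or a rank exponent near zero, meaning no heavy-tailed degree distribution) would not be representative of the Internet, which is exactly what the BRIANA repository of metrics is meant to catch before a topology is fed to a simulator.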

WinPcap

L. Degioanni, http://netgroup.polito.it/WinPcap/

WinPcap provides a set of components for packet capture and network analysis on the 32-bit Microsoft Windows platforms. WinPcap started as a port of the Unix libpcap library and the BPF (Berkeley Packet Filter) to Win32, but now provides additional features. Like libpcap/BPF, WinPcap includes a kernel-level packet filter (NPF, the Netgroup Packet Filter) and a high-level, system-independent library. The filter selects packets arriving on a network adapter according to a program supplied by the application, captures the selected packets into a kernel buffer, and can also send raw data through the adapter. The library exports a set of primitives for sniffing (capturing packets, dumping them to a file, reading offline captures) and includes accessories such as a high-level compiler that translates filter expressions (e.g., "select all the IP packets") into filter programs.
      WinPcap also offers packet monitoring and packet generation features by means of kernel-level capabilities and a new set of system calls. Packet monitoring is highly efficient because all of the work is performed directly by NPF in the kernel, so packets never have to be passed up to the application. Packet generation is optimized and provides a simpler and more portable interface than the raw sockets interface. UNIX applications that rely on libpcap can be recompiled on Win32 against WinPcap without modification, and WinPcap has become the de facto standard capture library on Win32. It is widely used by network analyzers (Ethereal, Analyzer), monitoring tools (ntop), security tools (snort, LC3), and others. The WinPcap distribution includes source code and documentation, and technical support is available on a voluntary basis.
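      To make concrete what the kernel-level filter and the high-level compiler do, the Python example below is an added illustration, not WinPcap or libpcap code: it interprets a subset of the classic BPF instruction set over constructed Ethernet frames and runs two hand-assembled programs equivalent to what the compiler would produce for the expressions "ip" and "tcp port 80" (the real instruction listing can be viewed with `tcpdump -d <expression>`; the IPv6 branch the real compiler emits is left out here). Jump targets are written as absolute instruction numbers for readability, where libpcap stores them relative to the next instruction; the frames, addresses and ports are constructed for the example.

```python
"""A BPF-style packet filter like the one WinPcap's NPF runs in the kernel.

Added illustration, not WinPcap or libpcap code. A small interpreter for a
subset of the classic BPF instruction set executes hand-assembled programs
equivalent to what pcap_compile() produces for "ip" and "tcp port 80"
(compare `tcpdump -d ip`). Frames are constructed inline so it runs offline.
Program format (this example's convention): tuples with absolute jump
targets, where libpcap stores jt/jf relative to the next instruction.
"""
import socket
import struct

FILTER_IP = [
    ("ldh", 12),             # A = Ethernet type field
    ("jeq", 0x0800, 2, 3),   # IPv4? -> 2 (accept) : 3 (drop)
    ("ret", 65535),          # accept, keep up to 65535 bytes
    ("ret", 0),              # drop
]

FILTER_TCP_PORT_80 = [       # IPv4 only; libpcap's version also handles IPv6
    ("ldh", 12),
    ("jeq", 0x0800, 2, 12),
    ("ldb", 23),             # IP protocol
    ("jeq", 6, 4, 12),       # TCP?
    ("ldh", 20),             # flags + fragment offset
    ("jset", 0x1FFF, 12, 6), # non-first fragment carries no TCP header: drop
    ("ldxb_msh", 14),        # X = 4 * IHL = IP header length
    ("ldh_ind", 14),         # source port at 14 + X
    ("jeq", 80, 11, 9),
    ("ldh_ind", 16),         # destination port at 16 + X
    ("jeq", 80, 11, 12),
    ("ret", 65535),
    ("ret", 0),
]


def run_bpf(program, pkt):
    """Run a filter over one frame; returns bytes to keep (0 means drop)."""
    acc = idx = pc = 0
    while pc < len(program):
        ins = program[pc]
        op, k = ins[0], ins[1]
        if op in ("ldh", "ldb", "ldh_ind", "ldxb_msh"):
            off = k + (idx if op == "ldh_ind" else 0)
            width = 1 if op in ("ldb", "ldxb_msh") else 2
            if off + width > len(pkt):
                return 0                 # out-of-bounds load drops the frame
            val = int.from_bytes(pkt[off:off + width], "big")
            if op == "ldxb_msh":
                idx = 4 * (val & 0x0F)
            else:
                acc = val
            pc += 1
        elif op in ("jeq", "jset"):
            taken = acc == k if op == "jeq" else bool(acc & k)
            target = ins[2] if taken else ins[3]
            if target <= pc:             # forward jumps only, as BPF validation requires
                raise ValueError("backward jump at %d" % pc)
            pc = target
        elif op == "ret":
            return k
        else:
            raise ValueError("unknown opcode %r" % op)
    raise ValueError("program fell off the end")


def capture(program, frames):
    """What the kernel buffer would hold: accepted frames, cut to the snaplen."""
    kept = []
    for f in frames:
        n = run_bpf(program, f)
        if n:
            kept.append(f[:n])
    return kept


def ethernet(ethertype, payload):
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload


def ipv4(proto, src, dst, payload, frag=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ethernet(0x0800, hdr + payload)


def tcp(sport, dport, flags=0x02):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed test frames (checksums left zero; the filters never look at them).
SAMPLE_FRAMES = {
    "http_syn": ipv4(6, "10.0.0.5", "192.0.2.10", tcp(40321, 80)),
    "http_resp": ipv4(6, "192.0.2.10", "10.0.0.5", tcp(80, 40321, 0x12)),
    "dns_query": ipv4(17, "10.0.0.5", "10.0.0.1", udp(53011, 53, b"\x12\x34")),
    "arp": ethernet(0x0806, bytes.fromhex("0001080006040001") + b"\x00" * 20),
    "http_frag": ipv4(6, "10.0.0.5", "192.0.2.10", tcp(40321, 80), frag=0x0001),
}


def matches(program):
    """Which sample frames a program accepts."""
    return {name: run_bpf(program, f) != 0 for name, f in SAMPLE_FRAMES.items()}
```

      Two details matter to anyone writing or trusting such filters. A load outside the frame drops the packet rather than reading past the buffer, and jumps are only allowed forward, so a filter program installed in the kernel is guaranteed to terminate; these are the properties that make it safe to let an unprivileged-looking filter expression run in kernel context. The fragment check shows why "tcp port 80" does not see non-first fragments: they carry no TCP header, so a monitor relying on port filters alone can miss traffic deliberately fragmented to evade it.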