Audit Record Generation and Utilization System

Audit Record Generation and Utilization System (Argus) is a fixed-model, real-time flow monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. It does this by categorizing the IP packets that match a Boolean filter expression (the tcpdump/libpcap filter syntax) into a protocol-specific network transaction model. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay and jitter on a per-transaction basis. The record format Argus uses is flexible and extensible, supporting generic flow identifiers and metrics as well as application- and protocol-specific information.

Argus is used by many universities, corporations and government enterprises to establish an audit of all network traffic that supplements traditional intrusion detection system (IDS) based network security. These sites use contemporary IDS technology such as Snort and/or Bro (now Zeek) to generate events and alarms, and then use the Argus network audit data to provide context for those alarms and decide whether an alarm represents a real problem. Argus can be used to analyze and report on the contents of packet capture files, or it can run as a continuous monitor examining data from a live interface, generating an audit log of all the network activity seen in the packet stream. It can be deployed to monitor individual end-systems or an entire enterprise's network activity. As a continuous monitor, Argus provides both push and pull data handling models, allowing flexible strategies for collecting network audit data. The Argus client programs support a range of operations on the collected records, such as filtering, sorting, aggregation, archival and reporting. Argus data can also be exported as XML, which simplifies handling it with other tools.
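To make the flow model described above concrete, here is a small Python illustration of what a bidirectional flow monitor does with a packet stream: packets passing a filter are grouped into transaction records keyed on the address/port pair (both directions map to one record), per-record metrics such as packet and byte counts in each direction and duration are kept, and an IDS-style alarm (host plus timestamp) can then be answered with the surrounding flows. This is an added example written for this page and is not Argus source code or its record format; the packet list, the addresses (documentation ranges) and the function names are constructed for the illustration, and the idle-timeout and "first packet is the initiator" rules are simplifying assumptions.

```python
"""Toy bidirectional flow audit, modelled on the Argus flow-record idea.

Added example: this is not Argus code. Packets, addresses and the
alert used below are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float      # capture timestamp (seconds)
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int    # bytes on the wire
    flags: str = ""  # TCP flag letters, e.g. "S", "SA", "PA", "F"


@dataclass
class Flow:
    """One transaction record; the first packet seen is the initiator."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    stime: float
    ltime: float
    spkts: int = 0   # packets initiator -> responder
    dpkts: int = 0   # packets responder -> initiator
    sbytes: int = 0
    dbytes: int = 0
    flags: set = field(default_factory=set)

    @property
    def dur(self) -> float:
        return self.ltime - self.stime


def flow_key(p: Packet):
    """Direction-independent key so request and reply share one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def build_flows(packets, match=lambda p: True, idle_timeout=60.0):
    """Categorise packets passing `match` (a Boolean filter, like a BPF
    expression) into bidirectional transaction records."""
    active, done = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        if not match(p):
            continue
        k = flow_key(p)
        f = active.get(k)
        if f is not None and p.ts - f.ltime > idle_timeout:
            done.append(active.pop(k))   # assumption: idle gap closes the record
            f = None
        if f is None:
            f = Flow(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
            active[k] = f
        if (p.src, p.sport) == (f.saddr, f.sport):
            f.spkts += 1
            f.sbytes += p.length
        else:
            f.dpkts += 1
            f.dbytes += p.length
        f.ltime = max(f.ltime, p.ts)
        f.flags.update(p.flags)
    done.extend(active.values())
    return done


def flows_for_alert(flows, host, t, window):
    """Audit context for an IDS alarm: flows involving `host` that were
    active within +/- `window` seconds of time `t`."""
    return [f for f in flows
            if host in (f.saddr, f.daddr)
            and f.stime <= t + window and f.ltime >= t - window]


def unanswered(flows):
    """Flows where the responder never sent a packet (e.g. a lone SYN)."""
    return [f for f in flows if f.dpkts == 0]


# Constructed sample capture: one HTTP exchange, one DNS lookup, one
# unanswered SYN to SMB from the same internal host.
PACKETS = [
    Packet(100.0, "tcp", "10.0.0.5", 51000, "203.0.113.10", 80, 74, "S"),
    Packet(100.1, "tcp", "203.0.113.10", 80, "10.0.0.5", 51000, 74, "SA"),
    Packet(100.1, "tcp", "10.0.0.5", 51000, "203.0.113.10", 80, 66, "A"),
    Packet(100.2, "tcp", "10.0.0.5", 51000, "203.0.113.10", 80, 512, "PA"),
    Packet(100.4, "tcp", "203.0.113.10", 80, "10.0.0.5", 51000, 1500, "PA"),
    Packet(100.5, "tcp", "10.0.0.5", 51000, "203.0.113.10", 80, 66, "F"),
    Packet(101.0, "udp", "10.0.0.5", 40000, "10.0.0.1", 53, 70),
    Packet(101.02, "udp", "10.0.0.1", 53, "10.0.0.5", 40000, 120),
    Packet(105.0, "tcp", "10.0.0.5", 51010, "10.0.0.20", 445, 74, "S"),
]

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f"{f.proto} {f.saddr}:{f.sport} -> {f.daddr}:{f.dport} "
              f"dur={f.dur:.2f} spkts={f.spkts} dpkts={f.dpkts} "
              f"sbytes={f.sbytes} dbytes={f.dbytes}")
    # constructed alarm: "10.0.0.5 scanned port 445 at t=105"
    for f in flows_for_alert(flows, "10.0.0.5", 105.0, 2.0):
        print("context:", f.daddr, f.dport, "answered" if f.dpkts else "unanswered")
```

The `match` argument plays the role of the packet filter expression: passing `lambda p: p.proto == "udp"` yields only the DNS record. Looking up the alarm host with a narrow time window returns just the SYN-only flow to port 445, and `unanswered()` over the whole audit shows it is the only transaction the peer never replied to, which is the kind of context an analyst uses to triage an IDS alarm.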

Argus is typically run on Unix/Linux; its only external dependency is libpcap.
