Argus is designed based on a few principal goals.
In order to provide comprehensive network flow data, Argus cannot be statistical. When utilities MUST know what is going on in a network, the data source can't provide a statistical look. This complete accounting of all the packets observed is a primary goal of Argus and its data, and differentiates it from other flow systems.
Supporting operations, performance and security management analytics means that Argus data needs to have the attributes that are needed for these tasks. Reachability indicators for operations management, loss detection for performance measurements, and content for security analytics are just a few examples.
The world of network security has really advanced in the last 10 years, and Argus has kept pace, providing the richest general network flow data available today. Its comprehensive (non-statistical) transaction model is designed to support the complete NIST Cyber Security Framework: Identify, Protect, Detect, Respond and Recover. Advanced comprehensive network flow data, with metadata enhancements, embedded protocol verifications and payload capture, provides the information needed to find network evidence of the bad thing: intrusion, exploitation, exfiltration, shadow IT. Whether the network activity reflects malware attempting to discover nodes in the local network, attempts to break into adjacent systems, or stepping-stone behavior, Argus data is rich enough to provide the basic information needed to identify and detect bad actor behavior in the network.
The Argus sensor is first and foremost a network flow monitor. This is in contrast to IPFIX, NetFlow v5/v9, Jflow and Qflow, which are IP network flow monitors. Argus generates flow data for most Layer 2 network protocols, including Ethernet, Infiniband, ATM, FDDI, Frame Relay, USB, PPP, ARP, HDLC, L2TP, SLIP, VLAN and Token Ring, and generates flow data regardless of the type of Layer 3 protocol that is being used. This is what makes Argus a good choice for cyber security, as you never know what protocols the attacker may want to use, and covert channels are an everyday occurrence.
The second biggest thing about Argus is that it is a bi-directional network flow monitor. The monitor correlates both directions of a network flow and reports on its state, for whatever flow is being tracked. This is accomplished through careful packet classification and cache management strategies that track packets in both directions. Because of asymmetric routing, Argus may not see both sides of every connection; when it doesn't, it still tracks the bi-directional flow state, so you can still get status on reachability, connectivity and availability.
And third, Argus is a near-realtime end-to-end transport layer flow monitor. The transport layer has all the end-to-end goodies that are important for operations, performance and security. The transport layer is transactional in nature, which is huge for the theory of audit and its use in anomaly and fraud detection, and it has all the network state and the network and performance metrics, so you can figure out what is going on.
Argus is a multi-threaded packet processor that relies on native operating system support to process live network packet streams, or to read packets from named pipes or files. It parses all network headers until it finds the end-to-end Layer 3 Transport header, and then tracks the transport state until the flow times out after a period of inactivity.
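The three properties described above (flows for non-IP traffic, bi-directional correlation that still reports one-sided flows, and transport-state tracking with an idle timeout) are easiest to see with a small flow tracker. The following Python is an added illustration written for this page; it is not Argus source code, and its packet records, the `IDLE_TIMEOUT` value, and the state labels `REQ`, `CON`, `EST`, `FIN` and `RST` are constructed for the example rather than taken from Argus.

```python
"""Toy bi-directional flow tracker in the spirit of the Argus flow model.

Constructed example, not Argus code. It shows how both directions of a
conversation collapse onto one flow record, how one-sided flows are still
reported (asymmetric routing, unanswered probes), how a non-IP (ARP) frame
still becomes a flow, and how an idle timeout closes a flow record.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IDLE_TIMEOUT = 60.0  # assumed value: seconds of silence before a flow record closes


@dataclass
class Packet:
    ts: float
    src: str            # MAC for ARP frames, IP address for IP packets (constructed)
    dst: str
    proto: str          # "tcp", "udp", "arp", ...
    sport: int = 0
    dport: int = 0
    length: int = 0
    tcp_flags: str = "" # e.g. "S", "SA", "PA", "FA", "R"


@dataclass
class Flow:
    key: Tuple
    initiator: Tuple[str, int]   # (addr, port) that sent the first packet
    responder: Tuple[str, int]
    start: float
    last: float
    fwd_pkts: int = 0
    fwd_bytes: int = 0
    rev_pkts: int = 0
    rev_bytes: int = 0
    fwd_flags: Set[str] = field(default_factory=set)
    rev_flags: Set[str] = field(default_factory=set)

    def state(self) -> str:
        """Summarize the transport state of the flow (labels are constructed)."""
        if self.rev_pkts == 0:
            return "REQ"          # one-sided: probe, unreachable host, or asymmetric route
        if self.key[0] != "tcp":
            return "CON"          # both directions seen, no connection state to track
        seen = self.fwd_flags | self.rev_flags
        if "R" in seen:
            return "RST"
        if "F" in seen:
            return "FIN"
        if "S" in self.fwd_flags and "S" in self.rev_flags:
            return "EST"          # SYN one way, SYN-ACK the other: handshake completed
        return "CON"


def flow_key(pkt: Packet) -> Tuple:
    """Canonical bi-directional key: packets in either direction sort to the same key."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, lo, hi)


def track(packets: List[Packet], idle: float = IDLE_TIMEOUT) -> List[Flow]:
    """Classify packets into flows; return closed records in the order they closed."""
    active: Dict[Tuple, Flow] = {}
    closed: List[Flow] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        # close every flow that has been silent longer than the idle timeout
        for k in [k for k, f in active.items() if pkt.ts - f.last > idle]:
            closed.append(active.pop(k))
        k = flow_key(pkt)
        f = active.get(k)
        if f is None:
            f = Flow(k, (pkt.src, pkt.sport), (pkt.dst, pkt.dport), pkt.ts, pkt.ts)
            active[k] = f
        f.last = pkt.ts
        if (pkt.src, pkt.sport) == f.initiator:
            f.fwd_pkts += 1; f.fwd_bytes += pkt.length; f.fwd_flags.update(pkt.tcp_flags)
        else:
            f.rev_pkts += 1; f.rev_bytes += pkt.length; f.rev_flags.update(pkt.tcp_flags)
    closed.extend(active.values())  # flush whatever is still open at end of input
    return closed


SAMPLE = [  # constructed packets, not a real capture
    Packet(0.00, "10.0.0.5", "10.0.0.9", "tcp", 40000, 443, 60, "S"),
    Packet(0.01, "10.0.0.9", "10.0.0.5", "tcp", 443, 40000, 60, "SA"),
    Packet(0.02, "10.0.0.5", "10.0.0.9", "tcp", 40000, 443, 52, "A"),
    Packet(0.50, "10.0.0.5", "10.0.0.9", "tcp", 40000, 443, 500, "PA"),
    Packet(0.60, "10.0.0.9", "10.0.0.5", "tcp", 443, 40000, 1400, "PA"),
    Packet(1.00, "10.0.0.5", "10.0.0.9", "tcp", 40000, 443, 52, "FA"),
    Packet(2.00, "10.0.0.5", "10.0.0.2", "udp", 53000, 53, 70),
    Packet(2.05, "10.0.0.2", "10.0.0.5", "udp", 53, 53000, 120),
    Packet(3.00, "10.0.0.5", "10.0.0.77", "tcp", 40001, 22, 60, "S"),   # never answered
    Packet(4.00, "10.0.0.5", "10.0.0.77", "tcp", 40001, 22, 60, "S"),
    Packet(5.00, "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff", "arp", 0, 0, 42),
    Packet(200.0, "10.0.0.5", "10.0.0.2", "udp", 53000, 53, 70),        # after idle timeout
]


def demo() -> List[Tuple[str, str, str, str, int, int]]:
    """One row per flow: proto, initiator, responder, state, fwd pkts, rev pkts."""
    return [(f.key[0], f.initiator[0], f.responder[0], f.state(), f.fwd_pkts, f.rev_pkts)
            for f in track(SAMPLE)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The same DNS 5-tuple yields two records because the second query arrives after the idle timeout, and it is reported as one-sided (`REQ`) even though an earlier instance of that flow was answered; the SSH probe and the ARP request are reported the same way, which is the status-on-reachability point made above.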