Argus is the first real-time network flow sensor, pre-dating Cisco's NetFlow by 10 years. The open source project is about generating network transaction summaries that can support network operations, performance and security management. And for the open source project, that means lots of data, lots of attributes and metrics, crammed into a single network flow data strategy, such that the data can be generated, collected, processed and analyzed in the best way (real-time) or not.
The current argus is both a real-time sensor, capable of running at 100Gbps on special purpose hardware, as well as a software packet processing tool that can convert a file of packets into useful information. Ported to over 25 platforms, Argus can generate network flow data just about anywhere, providing the same dense network data, no matter where its deployed.
The world of network security has really advanced in the last 10 years, and Argus has kept pace, providing the richest general network flow data available today, designed to support the complete NIST Cyber Security Framework, Identify, Protect, Detect, Respond and Recover. Advanced comprehensive network flow data, with metadata enhancements, embedded protocol verifications + payload capture provides the information needed to find network evidence of intrusion. Whether the network activity reflects malware attempting to discover nodes in the local network, or attempts to break into adjacent systems, Argus data is rich enough to provide the basic information needed to identify and detect bad actor behavior in the LAN.
The argus sensor is a multi-threaded packet processor that relies on native operating system support to process live network packet streams, or to read packets from named pipes or files. It parses all network headers, until it finds the end-to-end Layer 3 Transport header, and then tracks the transport state until it times out due to an idle state.
Keeping up with new modern encapsulations, such as those in NVO3, GUE, VXLAN are important to keeping argus relevant. If you're interested in theoretical models of network communications, get involved.
Argus is best used in large distributed deployments. Helping argus to be free of complex configuration issues, and to support massive scale deployment, is a real challenge. If you like this type of development, get involved.