Argus-2.0 Progress

Carter Bullard carter at qosient.com
Wed Aug 16 17:21:10 EDT 2000 

Gentle people,
   I have made good progress on Argus-2.0 and have
some basic questions.  Please respond/commit/suggest/
flame/whatever at you earliest convenience.

   Non IP (non ARP) flow support.
      Currently I am using the src, dst addresses,
ethertype and snap header contents, if present, to
categorize flows that are not IP or ARP flows. This
is working well and allows us to finally account for all
packets in the stream.  Sample ra() support that I
currently have looks like this:

ra -gncr /tmp/argus-2.0.outfile not ip
       119.050106      loop      0:90:27:2b:e9:de  ->           Broadcast
120    0       5520      0   INT
       116.593608      well        0:0:a2:d3:84:1  ->      0:0:a2:d3:84:1
23     0       1058      0   INT
       119.049987      loop      0:90:27:16:f0:da  ->           Broadcast
120    0       5520      0   INT

The differences from IP traffic are that you'll have
MAC addresses in the src & dst fields, and the "proto"
field will have the ethertype decoded.  This does it
for me.  We get the "Broadcast" string for free from
the etheraddr_string() function we are using.  It
would normally be ff:ff:ff:ff:ff:ff.

The list of known ethertypes is quite large
and we support all the ones that the IANA supports.
I've included the file that describes the ethertypes
that we will decode.  Even with this type of support
I still encounter a lot of packets that have
unknown ethertypes, especially snap encapsulated packets.
How do we want ra() to print them?

I can suggest "unkn" as a tag, and if you go with the -nn
option, well print out the number.  Is this reasonable?

Do we want to report contents of the snap header?  The complete
snap header is in the Argus record, along with the original
ether addresses when the snap encapsulates another ethernet
header.  I can recommend something like a "S" in the field
like we had in earlier versions of ra().

Regardless of the argusprintf() function, we still need
a default ra() output format.  Should we talk about that
now?

Carter


Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ethernames.txt
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000816/ba5ca059/attachment.txt>

More information about the argus mailing list