Argus 2.0 Record Changes

Carter Bullard carter at qosient.com
Tue Jul 11 08:10:05 EDT 2000 

Gentle people,
   I would like to start talking about the fundamental
changes in the record formats for Argus-2.0.  Consider
this a starting point for discussion, as these structures
etc... should not be considered complete.  Please feel
free to make any statements, comments, suggestions,
outbursts, whatever.

Currently Argus records have this basic format:

struct WriteStruct {
   arg_uint32 status;
   union {
      struct   ipWriteStruct ip;
      struct  arpWriteStruct arp;
      struct   manInitStruct man_init;
      struct   manStatStruct man_stat;
   } ws_trans_union;
};


I would like to propose extending it to:

struct ArgusStruct {
   uint32  sourceId;        /* Originating Argi (can be an IP address) */
   uint32  seqNumber;       /* Sequence number */
   uint32  status;          /* Argus record status indications */
   
   union {
      struct  manArgusStruct man;
      struct dataArgusStruct data;    
   } ws_trans_union;
};

The sourceId is needed so we can know who/what generated the Argus
record, the seqNumber gives us some reliability in transport,
and the status answers the questions what type of record and
why was it generated.

I'd like to focus on the data records for this discussion.

struct dataArgusStruct {
   timeval startTime;       /* Flow report start time in secs, microsecs */
   uint32  duration;        /* duration in microseconds */
   uint32  transactionId;   /* Argus tracking ID number */

   struct  flowStruct;      /* Argus flow descriptor */
   struct  meterStruct;     /* Argus meter values (bytes, pkts, etc) */
   struct  userDataStruct;  /* Snapshot (first X bytes) of User data */
};


A proposed flowStruct would include the link, network, and
transport layer flow descriptors, and any MPLS or VLAN tags
that maybe around.

struct flowStruct {
   union {
      struct  etherStruct ether;
      struct  fddiStruct  fddi;
      struct  atmStruct   atm;
      struct  pppStruct   ppp;
   } arg_link_descriptor;

   union {
      struct  mplsStruct  mpls;
      struct  vlanPStruct vlan;
   } arg_tag_descriptor;

   union {
      struct  ipV4Struct ipV4;
      struct  ipV6Struct ipV6;
      struct  arpStruct  arp;
      struct  dhcpStruct dhcp;
   } arg_network_descriptor;

   union {
      struct  tcpStruct  tcp;
      struct  udpStruct  udp;
      struct icmpStruct icmp;
      struct igmpStruct igmp;
      struct fragStruct frag;
   } arg_transport_descriptor;
};

And the meterStruct would contain all the data values.

struct meterStruct {
   struct flowMeterStruct src, dst;
};

struct flowMeterStruct {
   uint32 pkts, bytes;
   uint32 droppkts, dropbytes; /* this may be retransmitted or dropped */
   struct ArgusStat activetime, idletime; 
};

struct ArgusStat {
   uint32 min, max, mean;
   
};

More information about the argus mailing list