Argus 2.0 Record Changes

Peter Van Epp vanepp at sfu.ca
Tue Jul 11 11:33:53 EDT 2000


> 
> A proposed flowStruct would include the link, network, and
> transport layer flow descriptors, and any MPLS or VLAN tags
> that maybe around.

	VLAN tags would be a good thing that I hadn't thought of. We are 
replacing our ATM backbone with 802.1Q VLANs (with some loss of functionality)
and having Argus recognize VLAN tags would be a good thing (not least for those
cases where there isn't a member of the VLAN on the physical port presenting
a VLAN tag ...).


> 
> struct flowStruct {
>    union {
>       struct  etherStruct ether;
>       struct  fddiStruct  fddi;
>       struct  atmStruct   atm;
>       struct  pppStruct   ppp;
>    } arg_link_descriptor;
> 
>    union {
>       struct  mplsStruct  mpls;
>       struct  vlanPStruct vlan;
>    } arg_tag_descriptor;
> 
>    union {
>       struct  ipV4Struct ipV4;
>       struct  ipV6Struct ipV6;
>       struct  arpStruct  arp;
>       struct  dhcpStruct dhcp;
>    } arg_network_descriptor;

	V6 is another good addition; it is in FreeBSD but we haven't had any
time to play ...

> 
>    union {
>       struct  tcpStruct  tcp;
>       struct  udpStruct  udp;
>       struct icmpStruct icmp;
>       struct igmpStruct igmp;
>       struct fragStruct frag;
>    } arg_transport_descriptor;
> };
> 
> And the meterStruct would contain all the data values.
> 
> struct meterStruct {
>    struct flowMeterStruct src, dst;
> };
> 
> struct flowMeterStruct {
>    uint32 pkts, bytes;
>    uint32 droppkts, dropbytes; /* this may be retransmitted or dropped */
>    struct ArgusStat activetime, idletime; 
> };
> 

	Although I'm not sure how to do it, I'd like to see a utilization 
field (which may be stats below here) that counts all bytes coming by (IP and
otherwise) and gives some indication of the current busyness of the link 
(perhaps enabled by a command-line option because I expect it to chew disk 
space, perhaps with a file name where the data will be written). It's possible 
this would be better done with an RMON probe, but if I can get everything I 
want in one tool so much the better! Essentially a field that says "in the 
last minute the link was 90% utilized" so that we can see the extent of traffic 
peaks after the fact. As I say there are other tools that will do this, but 
being able to do it in a single box and record that traffic flows were active
at the time would be (I think) unique. It would allow dropping an Argus box on 
a segment and finding both traffic peaks and what caused the peak over extended
periods of time (which RMON probes won't do because of a lack of flow 
compression and memory if they are capturing packets).


> struct ArgusStat {
>    uint32 min, max, mean;
>    
> };
> 
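As an added example (written for this page; it is neither Argus source nor code from the thread), here is the record sketch above carried into working C together with the per-interval link-utilization counter the reply asks for: a cut-down key (IPv4 + transport 5-tuple plus the 802.1Q VID, so the same 5-tuple on another VLAN is a different flow), a src/dst meter pair filled by matching a packet in either direction, and a bucket counter that turns "bytes seen on the wire" into "in the last minute the link was N% utilized". All field names, the VLAN encoding (0 = untagged), the 10 Mbit/s link rate and the sample packets are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not Argus code: a cut-down record in the shape of the flowStruct/
 * meterStruct sketch above (IPv4 + transport key, 802.1Q VID, src/dst meter pair)
 * plus the per-interval link-utilization counter the reply asks for. Field names,
 * the VLAN encoding and the link speed are assumptions made for illustration. */

struct ipv4_flow_key {
    uint32_t saddr, daddr;    /* network-layer descriptor */
    uint16_t sport, dport;    /* transport-layer descriptor */
    uint8_t  proto;
    uint16_t vlan_id;         /* 802.1Q VID, 0 = untagged (assumed encoding) */
};

struct flow_meter { uint32_t pkts, bytes; };

struct flow_record {
    struct ipv4_flow_key key; /* oriented as the first packet seen */
    struct flow_meter src, dst;
};

/* 1 = packet runs in the key's direction, -1 = reverse, 0 = not this flow
 * (the VID is part of the key, so the same 5-tuple on another VLAN is another flow). */
int flow_direction(const struct flow_record *r, const struct ipv4_flow_key *k)
{
    const struct ipv4_flow_key *f = &r->key;
    if (f->proto != k->proto || f->vlan_id != k->vlan_id)
        return 0;
    if (f->saddr == k->saddr && f->daddr == k->daddr && f->sport == k->sport && f->dport == k->dport)
        return 1;
    if (f->saddr == k->daddr && f->daddr == k->saddr && f->sport == k->dport && f->dport == k->sport)
        return -1;
    return 0;
}

/* Meter one packet into the matching direction; returns 0 if it is not this flow. */
int flow_record_update(struct flow_record *r, const struct ipv4_flow_key *k, uint32_t bytes)
{
    int dir = flow_direction(r, k);
    struct flow_meter *m = (dir > 0) ? &r->src : &r->dst;
    if (dir == 0) return 0;
    m->pkts++;
    m->bytes += bytes;
    return 1;
}

/* Link utilization: every byte on the wire, IP or not, bucketed per interval. */
struct link_util {
    uint64_t link_bps, interval_start;  /* nominal bits/s; epoch secs the open bucket began */
    uint64_t interval_bytes;            /* bytes seen so far in the open bucket */
    uint32_t interval_secs;             /* 60 gives "in the last minute ..." */
    double   last_pct;                  /* utilization of the most recently closed bucket */
};

double link_util_pct(uint64_t bytes, uint64_t link_bps, uint32_t interval_secs)
{
    return 100.0 * (double)bytes * 8.0 / ((double)link_bps * (double)interval_secs);
}

/* Account one frame of wire_bytes seen at `now` (epoch seconds). Closes every bucket
 * `now` has moved past (an idle bucket closes at 0%) and returns how many closed. */
int link_util_account(struct link_util *u, uint64_t now, uint32_t wire_bytes)
{
    int closed = 0;
    while (now >= u->interval_start + u->interval_secs) {
        u->last_pct = link_util_pct(u->interval_bytes, u->link_bps, u->interval_secs);
        u->interval_bytes = 0;
        u->interval_start += u->interval_secs;
        closed++;
    }
    u->interval_bytes += wire_bytes;
    return closed;
}

/* Constructed sample: 10 Mbit/s link, one-minute buckets, one TCP flow on VLAN 10. */
struct sample_result { double pct; uint32_t src_bytes, dst_bytes; int stray_matched; };

struct sample_result run_sample(void)
{
    struct link_util u = { 10000000ULL, 1000, 0, 60, 0.0 };
    struct flow_record rec;
    struct ipv4_flow_key fwd   = { 0x0a000001, 0x0a000002, 40000, 80, 6, 10 };
    struct ipv4_flow_key rev   = { 0x0a000002, 0x0a000001, 80, 40000, 6, 10 };
    struct ipv4_flow_key stray = { 0x0a000001, 0x0a000002, 40000, 80, 6, 20 };

    memset(&rec, 0, sizeof rec);
    rec.key = fwd;
    /* 45,000 full-size frames across minute one: 67.5 MB of a 75 MB minute = 90%. */
    for (int i = 0; i < 45000; i++)
        link_util_account(&u, 1000 + (i % 60), 1500);
    link_util_account(&u, 1060, 64);   /* first frame of minute two closes the bucket */

    flow_record_update(&rec, &fwd, 1500);
    flow_record_update(&rec, &rev, 64);
    int stray_hit = flow_record_update(&rec, &stray, 64);
    struct sample_result res = { u.last_pct, rec.src.bytes, rec.dst.bytes, stray_hit };
    return res;
}
```

The utilization bucket is deliberately kept apart from the flow record: it is fed every frame the interface sees, including non-IP traffic that never produces a flow, which is the point of the suggestion. Closing buckets lazily on the next frame means a quiet link reports 0% for the minutes it sat idle instead of silently skipping them, so the peak seen after the fact can be lined up against the flow records active in that same minute. Note the figure counts payload bytes only; on Ethernet the preamble and inter-frame gap add a fixed 20 bytes per frame that this accounting ignores.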


