argus option review

Carter Bullard carter at qosient.com
Thu Jan 25 18:02:41 EST 2001


Gentle people,
   I'm going over the options that argus() supports and I'm
going to finalize the flag definitions and default behaviors.
ra() options will come next week.

The current options as they stand in "U" are:

Argus Version 2.0
usage: argus [options] [-i interface] [filter-expression] 
usage: argus [options]  -r packetfile [filter-expression] 

options: -b                   dump filter compiler output.
         -d                   run Argus in daemon mode.
         -D <level>           set debug reporting <level>.
         -e <value>           specify Argus Identifier <value>.
         -h                   print help.
         -F <conffile>        read configuration from <conffile>.
         -M <secs>            set MAR Status Report Time Interval (300s).
         -m                   turn off MAC Layer Reporting.
         -O                   turn off filter optimizer.
         -p                   don't go into promiscuous mode.
         -P <portnum>         specify remote access <port> (561).
         -R                   generate response time data.
         -S <secs>            set FAR Status Report Time Interval (60s).
         -w <file ["filter"]> write output to <file>, or '-', for stdout,
                              against optional filter expression.
         -X                   reset argus configuration.

There is an option that we support that does not have a command line
flag and that is ARGUS_GENERATE_JITTER_DATA.  I'll put in a 'J'
option to support this feature.  This generates interpacket arrival
time data for performance analysis.  Nice but a little esoteric.

Notice that I changed the "-d" and "-D" options.  Hopefully this will
not cause any heartache.  The "-d" option is now "run as daemon" and the
"-D" option is the debug option.

The biggest one is "-p".  Should we be in promiscuous mode by default?
My bet is no.  Do we have any other votes/opinions?

The next is the "-P" option.  This specifies the port that we will
listen on for remote access.  You set this to 0 (zero) to turn this
feature off.  Should we turn this on or off by default?  Should you
have to explicitly turn on remote access by configuring the port
number?   I'm leaning toward not turning it on unless you
specify it, but then getting a common number, like 561, will not
be easy.  (this may eliminate some surprises?)

The next is "-R" and the new "-J".  These generate useful information,
but should it be the default behavior?  The "-R" option forces argus to
produce records for ICMP and UDP traffic when the src pkt and dst pkt
counts are both == 1.  This allows for response time determinations, but
generates a lot more argus records.  The "-J" data is not a problem
but it will make the output records 16-32 bytes larger.
My guess on this one is off by default?

These are on my hot list.  If you have some that you want to add,
delete, modify, now is the time to get your opinions in.

Please send your opinions/attitude/reactions/flames/whatever.  It is
important!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426