[ARGUS] Argus Data Struct's

Carter Bullard carter at qosient.com
Tue May 4 10:59:42 EDT 2004 

Hey Glen,
   If you use the ratemplate.c with the ./clients library,
you will be able to parse the binary records very easily,
without dealing with ascii.

   The way the client library works, it expands out
wireline records into a canonical argus struct, which is
fixed length (~500 bytes?) where all the various TLV's
have been expanded, and all the data has been corrected
for endianess.  The library then uses the canonical
record for operations like integrity checking (are the bytes
less than the packet count, etc...) and filtering.
The library handles whether the data is off the wire
(encrypted or non-encrypted) or from a file (uncompressed or
compressed using gzip or b2zip) or whatever.

The library then calls a few routines that you provide, such
as RaProcessRecord (struct ArgusRecord *).  There is a global
pointer that references the canonical record and a global
array that contains the pointers to the various TLV headers,
if you're interested in those.

The engine also calls a routine, ArgusClientTimeout(), which
gives you control every second (its is configurable at run
time) so if you want to do something every now and then, no
problem.

Really, try to figure out the client libraries, rather than
trying to figure out how to read FARs.

If you want to write out some records after processing, there
are routines that take the canonical record and writes
out a compressed argus record back as a stream or into a file.

There are plenty of examples of how programs can use
the client libraries to do stuff.

   But, if you still want to parse FAR records, forget about
reading in an argus.argus_far struct.  Read the whole record
in, and then parse out the various TLV's that are in the
record.   So, read the first 16 bytes to get the length,
and then read in that number of bytes (minus the header)
into a buffer.  From that buffer, find the argus_far struct
and parse that and any other TLV that is there.  For
every TLV, be sure and call ntoh[sl]() on any data values
so you can get the formats correct.  The user data TLV is
the most annoying, because the TLV length counter is the
number of long words, rather than bytes, so be sure and make
that exception.  The argus_parse.c routines do a good job
at this, so just grab the routine ArgusReadStream() to see
how to do it.

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
Sent: Tuesday, May 04, 2004 8:51 AM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Argus Data Struct's

Carter,

I was trying to avoid having the client program parse the file then I
have to parse the text coming out of the client. Seems like quite a bit
of wasted time.

That is what I was trying to do, I read the length from the header and
subtract the size of the header from that length. Then I was trying to
read directly into the argus.argus_far struct (read(fd,
&argus.argus_far, size)). This obviously causes all kinds of problems
because the sizeof(argus.argus_far) is 72 while I am trying to read way
more data then that. So I see you actually read into a unsigned char
array of 4k then just cast that to a ArgusRecord *. Forgive me for
sounding ignorant, but how would that work? If I can't read into it how
can I cast it?

	Thanks

		Glenn

Carter Bullard wrote:

> Hey Glenn,
>    Reading FAR records can be slightly confusing, because there
> are 3 versions of records that may need to be parsed.  While the
> version 3.x data records are the easiest to read, there are still
> some issues in parsing them.  And when you add the fact that
> the server may want to encrypt records on the wire, it probably
> would be best to use the argus-clients strategy to read records.
>
>    If you want to try to read the FARs yourself, first check out
> ./include/argus_out.h and ./include/argus_def.h.  These files
> define the TLV's that are in the FAR argus record.  Here are some hints.
> The initial MAR will be 128 bytes long, regardless of what version
> of argus you're dealing with.  The last 2 bytes of the MAR will tell
> you the length of the FAR records.  A -1 means that there are variable
> length records in the stream.
>
>    For variable length records, you need to read the 16 byte Argus
> record header, do a ntohs() on the record length field and then read
> that many (bytes - 16) the header length.  This is the total record
> length.  The FAR record is a collection of Argus DSR's, which are
> TLV's (type/length/value structs).  Most have a FAR struct, but not
> all, so you need to parse them out pretty carefully.
>
>    The ./common/argus_parse.c routine does everything, so take
> a look at what its doing, and try to use ./clients/ratemplate.c
> to write your own argus client programs.
>
> Hope this helps!!!!
>
> Carter
>
>
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn
MacGregor
> Sent: Monday, May 03, 2004 9:01 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] Argus Data Struct's
>
> Hi All,
>
> I am new to argus, great app! I want to write a program which reads in the
> argus
> file and processes the data, builds a nice screen, etc. I am looking at
the
> code
> which reads the "argus.out" file, it seems more complicated that necessary
> (to
> me).
>
> I am having a bit of trouble reading the FAR records in. The MAR records
> seem to
> be fine. I forst read the header (16 bytes) which has a length, I use that
> length - sizeof(header) the get the amount of data to read for the data
> (body).
> This is correct in the case of the MAR record, 112 bytes and sizeof(argus.
> argus_mar) is 112 bytes. In the case of the FAR record that I am dealing
> with I
> have a length of 104, that - 16 is 88. The size of the FAR struct is 72
(88
> -16
> again).
>
> Am I missing something simple here? Any input would be great!
>
>   Thanks
>
>     Glenn
>
> Glenn MacGregor
> HighStreet Networks
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
>
>
>

More information about the argus mailing list