[ARGUS] Argus Data Struct's

Glenn MacGregor gtm at highstreetnetworks.com
Tue May 4 14:59:57 EDT 2004 

Carter,
Thanks for all the info. I will try to use the libraries. argus_common.a and 
argus_parse.a

Not sure if I am missing something...but I have create a simple test.c which 
just defines all the functions in ratemplate and prints a message to standard 
out in each. I got it to compile but it fails to link saying undefined 
references:

ld -o ra ra.o ./argus_common.a ./argus_parse.a -lm
ld: warning: cannot find entry symbol _start; defaulting to 08048ee0
./argus_parse.a(argus_parse.o): In function `argus_parse_init':
/tmp/argus-2.0.5/common/argus_parse.c:168: undefined reference to `ArgusCalloc'
/tmp/argus-2.0.5/common/argus_parse.c:171: undefined reference to `ArgusCalloc'
/tmp/argus-2.0.5/common/argus_parse.c:172: undefined reference to `ArgusLog'
...

I have created a new directory and copied in ra.c and ran the exact gcc lines 
that the makefile runs. I also copied the libraries into that directory. Is 
there something wrong with this approach?

 Thanks
   Glenn 



Quoting Carter Bullard <carter at qosient.com>:

> Hey Glen,
>    If you use the ratemplate.c with the ./clients library,
> you will be able to parse the binary records very easily,
> without dealing with ascii.
> 
>    The way the client library works, it expands out
> wireline records into a canonical argus struct, which is
> fixed length (~500 bytes?) where all the various TLV's
> have been expanded, and all the data has been corrected
> for endianess.  The library then uses the canonical
> record for operations like integrity checking (are the bytes
> less than the packet count, etc...) and filtering.
> The library handles whether the data is off the wire
> (encrypted or non-encrypted) or from a file (uncompressed or
> compressed using gzip or b2zip) or whatever.
> 
> The library then calls a few routines that you provide, such
> as RaProcessRecord (struct ArgusRecord *).  There is a global
> pointer that references the canonical record and a global
> array that contains the pointers to the various TLV headers,
> if you're interested in those.
> 
> The engine also calls a routine, ArgusClientTimeout(), which
> gives you control every second (its is configurable at run
> time) so if you want to do something every now and then, no
> problem.
> 
> Really, try to figure out the client libraries, rather than
> trying to figure out how to read FARs.
> 
> If you want to write out some records after processing, there
> are routines that take the canonical record and writes
> out a compressed argus record back as a stream or into a file.
> 
> There are plenty of examples of how programs can use
> the client libraries to do stuff.
> 
>    But, if you still want to parse FAR records, forget about
> reading in an argus.argus_far struct.  Read the whole record
> in, and then parse out the various TLV's that are in the
> record.   So, read the first 16 bytes to get the length,
> and then read in that number of bytes (minus the header)
> into a buffer.  From that buffer, find the argus_far struct
> and parse that and any other TLV that is there.  For
> every TLV, be sure and call ntoh[sl]() on any data values
> so you can get the formats correct.  The user data TLV is
> the most annoying, because the TLV length counter is the
> number of long words, rather than bytes, so be sure and make
> that exception.  The argus_parse.c routines do a good job
> at this, so just grab the routine ArgusReadStream() to see
> how to do it.
> 
> Carter
> 
> 
> 
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
> Sent: Tuesday, May 04, 2004 8:51 AM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus Data Struct's
> 
> Carter,
> 
> I was trying to avoid having the client program parse the file then I
> have to parse the text coming out of the client. Seems like quite a bit
> of wasted time.
> 
> That is what I was trying to do, I read the length from the header and
> subtract the size of the header from that length. Then I was trying to
> read directly into the argus.argus_far struct (read(fd,
> &argus.argus_far, size)). This obviously causes all kinds of problems
> because the sizeof(argus.argus_far) is 72 while I am trying to read way
> more data then that. So I see you actually read into a unsigned char
> array of 4k then just cast that to a ArgusRecord *. Forgive me for
> sounding ignorant, but how would that work? If I can't read into it how
> can I cast it?
> 
> 	Thanks
> 
> 		Glenn
> 
> Carter Bullard wrote:
> 
> > Hey Glenn,
> >    Reading FAR records can be slightly confusing, because there
> > are 3 versions of records that may need to be parsed.  While the
> > version 3.x data records are the easiest to read, there are still
> > some issues in parsing them.  And when you add the fact that
> > the server may want to encrypt records on the wire, it probably
> > would be best to use the argus-clients strategy to read records.
> >
> >    If you want to try to read the FARs yourself, first check out
> > ./include/argus_out.h and ./include/argus_def.h.  These files
> > define the TLV's that are in the FAR argus record.  Here are some hints.
> > The initial MAR will be 128 bytes long, regardless of what version
> > of argus you're dealing with.  The last 2 bytes of the MAR will tell
> > you the length of the FAR records.  A -1 means that there are variable
> > length records in the stream.
> >
> >    For variable length records, you need to read the 16 byte Argus
> > record header, do a ntohs() on the record length field and then read
> > that many (bytes - 16) the header length.  This is the total record
> > length.  The FAR record is a collection of Argus DSR's, which are
> > TLV's (type/length/value structs).  Most have a FAR struct, but not
> > all, so you need to parse them out pretty carefully.
> >
> >    The ./common/argus_parse.c routine does everything, so take
> > a look at what its doing, and try to use ./clients/ratemplate.c
> > to write your own argus client programs.
> >
> > Hope this helps!!!!
> >
> > Carter
> >
> >
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn
> MacGregor
> > Sent: Monday, May 03, 2004 9:01 PM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: [ARGUS] Argus Data Struct's
> >
> > Hi All,
> >
> > I am new to argus, great app! I want to write a program which reads in
> the
> > argus
> > file and processes the data, builds a nice screen, etc. I am looking at
> the
> > code
> > which reads the "argus.out" file, it seems more complicated that
> necessary
> > (to
> > me).
> >
> > I am having a bit of trouble reading the FAR records in. The MAR records
> > seem to
> > be fine. I forst read the header (16 bytes) which has a length, I use
> that
> > length - sizeof(header) the get the amount of data to read for the data
> > (body).
> > This is correct in the case of the MAR record, 112 bytes and
> sizeof(argus.
> > argus_mar) is 112 bytes. In the case of the FAR record that I am dealing
> > with I
> > have a length of 104, that - 16 is 88. The size of the FAR struct is 72
> (88
> > -16
> > again).
> >
> > Am I missing something simple here? Any input would be great!
> >
> >   Thanks
> >
> >     Glenn
> >
> > Glenn MacGregor
> > HighStreet Networks
> >
> > -------------------------------------------------
> > This mail sent through IMP: http://horde.org/imp/
> >
> >
> >
> 
> 
> 
> 
> 


Glenn MacGregor
HighStreet Networks

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

More information about the argus mailing list