[ARGUS] Argus Data Struct's

Carter Bullard carter at qosient.com
Tue May 4 12:02:59 EDT 2004 

Hey Glen,
   Assuming that you are using the argus-clients package,
there are three libraries.  You know I never use the loader
by itself, try this:

   gcc -o ra ra.o ../lib/argus_parse.a ../lib/argus_common.a
../lib/argus_client.a -lsasl -lm

The easiest is to look in the Makefile.in and where there is an
entry for rasort (just as an example), copy the entry using the
name of your routine.  There should be three, in the $SRC definition,
the $PROGS, and for the actual make dependancy.  Once you have updated
the Makefile.in, the rerun ./configure to rebuild the Makefiles.

If you are not using the argus-clients package, then stop
and get the argus-clients package:
ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.6.tar.gz

Carter




-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn MacGregor
Sent: Tuesday, May 04, 2004 3:00 PM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: RE: [ARGUS] Argus Data Struct's

Carter,
Thanks for all the info. I will try to use the libraries. argus_common.a and

argus_parse.a

Not sure if I am missing something...but I have create a simple test.c which

just defines all the functions in ratemplate and prints a message to
standard
out in each. I got it to compile but it fails to link saying undefined
references:

ld -o ra ra.o ./argus_common.a ./argus_parse.a -lm
ld: warning: cannot find entry symbol _start; defaulting to 08048ee0
./argus_parse.a(argus_parse.o): In function `argus_parse_init':
/tmp/argus-2.0.5/common/argus_parse.c:168: undefined reference to
`ArgusCalloc'
/tmp/argus-2.0.5/common/argus_parse.c:171: undefined reference to
`ArgusCalloc'
/tmp/argus-2.0.5/common/argus_parse.c:172: undefined reference to `ArgusLog'
...

I have created a new directory and copied in ra.c and ran the exact gcc
lines
that the makefile runs. I also copied the libraries into that directory. Is
there something wrong with this approach?

 Thanks
   Glenn



Quoting Carter Bullard <carter at qosient.com>:

> Hey Glen,
>    If you use the ratemplate.c with the ./clients library,
> you will be able to parse the binary records very easily,
> without dealing with ascii.
>
>    The way the client library works, it expands out
> wireline records into a canonical argus struct, which is
> fixed length (~500 bytes?) where all the various TLV's
> have been expanded, and all the data has been corrected
> for endianess.  The library then uses the canonical
> record for operations like integrity checking (are the bytes
> less than the packet count, etc...) and filtering.
> The library handles whether the data is off the wire
> (encrypted or non-encrypted) or from a file (uncompressed or
> compressed using gzip or b2zip) or whatever.
>
> The library then calls a few routines that you provide, such
> as RaProcessRecord (struct ArgusRecord *).  There is a global
> pointer that references the canonical record and a global
> array that contains the pointers to the various TLV headers,
> if you're interested in those.
>
> The engine also calls a routine, ArgusClientTimeout(), which
> gives you control every second (its is configurable at run
> time) so if you want to do something every now and then, no
> problem.
>
> Really, try to figure out the client libraries, rather than
> trying to figure out how to read FARs.
>
> If you want to write out some records after processing, there
> are routines that take the canonical record and writes
> out a compressed argus record back as a stream or into a file.
>
> There are plenty of examples of how programs can use
> the client libraries to do stuff.
>
>    But, if you still want to parse FAR records, forget about
> reading in an argus.argus_far struct.  Read the whole record
> in, and then parse out the various TLV's that are in the
> record.   So, read the first 16 bytes to get the length,
> and then read in that number of bytes (minus the header)
> into a buffer.  From that buffer, find the argus_far struct
> and parse that and any other TLV that is there.  For
> every TLV, be sure and call ntoh[sl]() on any data values
> so you can get the formats correct.  The user data TLV is
> the most annoying, because the TLV length counter is the
> number of long words, rather than bytes, so be sure and make
> that exception.  The argus_parse.c routines do a good job
> at this, so just grab the routine ArgusReadStream() to see
> how to do it.
>
> Carter
>
>
>
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn
MacGregor
> Sent: Tuesday, May 04, 2004 8:51 AM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus Data Struct's
>
> Carter,
>
> I was trying to avoid having the client program parse the file then I
> have to parse the text coming out of the client. Seems like quite a bit
> of wasted time.
>
> That is what I was trying to do, I read the length from the header and
> subtract the size of the header from that length. Then I was trying to
> read directly into the argus.argus_far struct (read(fd,
> &argus.argus_far, size)). This obviously causes all kinds of problems
> because the sizeof(argus.argus_far) is 72 while I am trying to read way
> more data then that. So I see you actually read into a unsigned char
> array of 4k then just cast that to a ArgusRecord *. Forgive me for
> sounding ignorant, but how would that work? If I can't read into it how
> can I cast it?
>
> 	Thanks
>
> 		Glenn
>
> Carter Bullard wrote:
>
> > Hey Glenn,
> >    Reading FAR records can be slightly confusing, because there
> > are 3 versions of records that may need to be parsed.  While the
> > version 3.x data records are the easiest to read, there are still
> > some issues in parsing them.  And when you add the fact that
> > the server may want to encrypt records on the wire, it probably
> > would be best to use the argus-clients strategy to read records.
> >
> >    If you want to try to read the FARs yourself, first check out
> > ./include/argus_out.h and ./include/argus_def.h.  These files
> > define the TLV's that are in the FAR argus record.  Here are some hints.
> > The initial MAR will be 128 bytes long, regardless of what version
> > of argus you're dealing with.  The last 2 bytes of the MAR will tell
> > you the length of the FAR records.  A -1 means that there are variable
> > length records in the stream.
> >
> >    For variable length records, you need to read the 16 byte Argus
> > record header, do a ntohs() on the record length field and then read
> > that many (bytes - 16) the header length.  This is the total record
> > length.  The FAR record is a collection of Argus DSR's, which are
> > TLV's (type/length/value structs).  Most have a FAR struct, but not
> > all, so you need to parse them out pretty carefully.
> >
> >    The ./common/argus_parse.c routine does everything, so take
> > a look at what its doing, and try to use ./clients/ratemplate.c
> > to write your own argus client programs.
> >
> > Hope this helps!!!!
> >
> > Carter
> >
> >
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Glenn
> MacGregor
> > Sent: Monday, May 03, 2004 9:01 PM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: [ARGUS] Argus Data Struct's
> >
> > Hi All,
> >
> > I am new to argus, great app! I want to write a program which reads in
> the
> > argus
> > file and processes the data, builds a nice screen, etc. I am looking at
> the
> > code
> > which reads the "argus.out" file, it seems more complicated that
> necessary
> > (to
> > me).
> >
> > I am having a bit of trouble reading the FAR records in. The MAR records
> > seem to
> > be fine. I forst read the header (16 bytes) which has a length, I use
> that
> > length - sizeof(header) the get the amount of data to read for the data
> > (body).
> > This is correct in the case of the MAR record, 112 bytes and
> sizeof(argus.
> > argus_mar) is 112 bytes. In the case of the FAR record that I am dealing
> > with I
> > have a length of 104, that - 16 is 88. The size of the FAR struct is 72
> (88
> > -16
> > again).
> >
> > Am I missing something simple here? Any input would be great!
> >
> >   Thanks
> >
> >     Glenn
> >
> > Glenn MacGregor
> > HighStreet Networks
> >
> > -------------------------------------------------
> > This mail sent through IMP: http://horde.org/imp/
> >
> >
> >
>
>
>
>
>


Glenn MacGregor
HighStreet Networks

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

More information about the argus mailing list