argus_parse.c questions
Nick Giordano
ngiordano at mitre.org
Wed Feb 23 14:54:30 EST 2005
I was looking through the argus_parse.c file that comes with my
argus-clients bundle and I had some questions about some of the
configuration options that don't seem to be used or don't work.
This is the list of configuration options I get from ra -h:
Ra Version 2.0.6.fixes.1
usage: ra
usage: ra [options] -S remoteServer [- filter-expression]
usage: ra [options] -r argusDataFile [- filter-expression]
options: -a print record summaries on termination.
-A print application bytes.
-b dump packet-matching code.
-C treat the remote source as a Cisco Netflow
source.
-d <bytes> print number of <bytes> from user data
capture buffer.
format: num | s<num> | d<num> | s<num>:d<num>
-e <encode> convert user data using <encode> method.
Supported types are <Ascii> and <Encode64>.
-E <file> write records that are rejected by the
filter into <file>
-F <conffile> read configuration from <conffile>.
-h print help.
-n don't convert numbers to names.
-p <digits> print fractional time with <digits> precision.
-q quiet mode. don't print record outputs.
-r <file> read argus data <file>. '-' denotes stdin.
-R print out response data when availabile.
-s [-][+[#]]field specify fields to print.
fields: startime, lasttime, count, dur, avgdur,
saddr, daddr, proto, sport, dport, ipid,
stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
pkts, spkts, dpkts, load, loss, rate,
srcid, ind, mac, dir, jitter, status, user,
win, trans, seq, vlan, mpls.
-S <host[:port]> specify remote argus <host> and optional
port number.
-t <timerange> specify <timerange> for reading records.
format: timeSpecification[-timeSpecification]
timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
[yyyy/]mm/dd
-%d{yMdhms}
-T <secs> attach to remote server for T seconds.
-u print time in Unix time format.
-w <file> write output to <file>. '-' denotes stdout.
-z print Argus TCP state changes.
-Z <s|d|b> print actual TCP flag values.<'s'rc | 'd'st
| 'b'oth>
Here are the options that clearRaConfiguration alters in argus_parse.c:
aflag = 0;
Aflag = 0;
Argusdflag = 0;
bflag = 0;
Bflag = 0;
cflag = 0;
Cflag = 0;
dflag = 0;
Dflag = 0;
eflag = 0;
Eflag = 0;
estr = NULL;
fflag = 0;
Fflag = 0;
gflag = 0;
Gflag = 0;
hfield = 15;
Hflag = 0;
Hstr = NULL;
idflag = 0;
jflag = 0;
lflag = 0;
Lflag = 0;
mflag = 0;
Mflag = NULL;
Netflag = 0;
nflag = 0;
Nflag = 0;
Normflag = 0;
notNetflag = 0;
Oflag = 0;
pfield = 5;
pflag = 0;
Pflag = 0;
qflag = 0;
sflag = NULL;
tflag = 0;
uflag = 0;
Wflag = 0;
Uflag = 6;
vflag = 0;
Vflag = 0;
iflag = 0;
Iflag = 0;
Tflag = 0;
rflag = 0;
Rflag = 0;
Sflag = 0;
xflag = 0;
Xflag = 0;
XMLflag = 0;
zflag = 0;
Zflag = 0;
Some of these are set but never used and some of these are used but not
documented (at least anywhere I could find). -x for example isn't used
in ra but it has some use for ragator ( if (xflag && (srv->status ==
RA_SVCFAILED) ) and rahistogram but I couldn't find an explanation.
The flag that I am most interested in is the -X flag, which in argus
seems to clear out any previous configuration. It looks like it is
supposed to do the same thing in ra but doesn't seem to work. The other
configuration question I have is whether it would be possible to add sabytes
and dabytes to the options for the -s flag instead of having the -A flag?
This would enable users to get output including both source and
destination bytes as well as source and destination application bytes
at the same time.
Thanks,
Nick
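A small script that automates the comparison made in the post, added here as an example (it is not argus code): it cross-references the option letters documented by `ra -h` against the single-letter `<x>flag` globals that clearRaConfiguration() resets. The inputs are abbreviated excerpts of the two listings quoted above, embedded as constructed strings, and the check assumes the naming convention seen there (a one-letter option maps to a global named `<letter>flag`).

```python
import re

# Constructed excerpts from the post: some `ra -h` option lines and part of
# the assignment list in clearRaConfiguration(), abbreviated.
RA_HELP = """\
 -a print record summaries on termination.
 -A print application bytes.
 -C treat the remote source as a Cisco Netflow
    source.
 -d <bytes> print number of <bytes> from user data
 -h print help.
 -n don't convert numbers to names.
 -s [-][+[#]]field specify fields to print.
 -S <host[:port]> specify remote argus <host> and optional
 -t <timerange> specify <timerange> for reading records.
    -%d{yMdhms}
 -w <file> write output to <file>. '-' denotes stdout.
 -z print Argus TCP state changes.
 -Z <s|d|b> print actual TCP flag values.<'s'rc | 'd'st
"""
CLEAR_SRC = """\
aflag = 0; Aflag = 0; Argusdflag = 0; bflag = 0; Bflag = 0; Cflag = 0;
dflag = 0; Dflag = 0; hfield = 15; Hflag = 0; Mflag = NULL; Netflag = 0;
nflag = 0; Nflag = 0; sflag = NULL; Sflag = 0; tflag = 0; Wflag = 0;
xflag = 0; Xflag = 0; XMLflag = 0; zflag = 0; Zflag = 0;
"""

# An option's help line starts with "-<letter>"; continuation lines and the
# "-%d{yMdhms}" time-spec line deliberately do not match.
HELP_OPT = re.compile(r"^\s*-([A-Za-z])\b", re.M)
# One-letter flag globals look like "<letter>flag ="; names such as
# Argusdflag, XMLflag or Netflag have no word boundary before "flag".
FLAG_VAR = re.compile(r"\b([A-Za-z])flag\s*=")

def documented_options(help_text):
    return set(HELP_OPT.findall(help_text))

def reset_flags(clear_src):
    return set(FLAG_VAR.findall(clear_src))

def reset_but_undocumented(help_text, clear_src):
    """Flags clearRaConfiguration() resets that `ra -h` never mentions."""
    return sorted(reset_flags(clear_src) - documented_options(help_text))

def documented_but_not_reset(help_text, clear_src):
    """Documented options with no matching <letter>flag in the reset list."""
    return sorted(documented_options(help_text) - reset_flags(clear_src))

if __name__ == "__main__":
    print("reset but undocumented:", reset_but_undocumented(RA_HELP, CLEAR_SRC))
    print("documented but not reset:", documented_but_not_reset(RA_HELP, CLEAR_SRC))
```

Running it against the full `ra -h` output and the complete clearRaConfiguration() body gives the list of candidate dead or undocumented flags to chase through the other clients (ragator, rahistogram).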