argus_parse.c questions

Wed Feb 23 16:05:27 EST 2005

Hey Nick,
   There are a lot of options for the various programs that are
not documented.  They are generally features that are a bit complex
or don't work 100% of the time.  The -x option works in conjunction
with other options for ragator to act as a service availability
monitor.  Works most of the time, but under some constraints.
Something for those that are inquisitive enough to dig into the
source.

   So how does the -X option fail?

Carter

> From: Nick Giordano <ngiordano at mitre.org>
> Date: Wed, 23 Feb 2005 13:54:30 -0600
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] argus_parse.c questions
> 
> I was looking through the argus_parse.c file that comes with my
> argus-clients bundle and I had some questions about some of the
> configuration options that don't seem to be used or don't work.
> 
> This is the list of configuration options I get from ra -h:
> 
> Ra Version 2.0.6.fixes.1
> usage: ra
> usage: ra [options] -S remoteServer  [- filter-expression]
> usage: ra [options] -r argusDataFile [- filter-expression]
> 
> options: -a                 print record summaries on termination.
>          -A                 print application bytes.
>          -b                 dump packet-matching code.
>          -C                 treat the remote source as a Cisco Netflow
> source.
>          -d <bytes>         print number of <bytes> from user data
> capture buffer.
>                    format:  num | s<num> | d<num> | s<num>:d<num>
>          -e <encode>        convert user data using <encode> method.
>                             Supported types are <Ascii> and <Encode64>.
>          -E <file>          write records that are rejected by the
> filter into <file>
>          -F <conffile>      read configuration from <conffile>.
>          -h                 print help.
>          -n                 don't convert numbers to names.
>          -p <digits>        print fractional time with <digits> precision.
>          -q                 quiet mode. don't print record outputs.
>          -r <file>          read argus data <file>. '-' denotes stdin.
>          -R                 print out response data when availabile.
>          -s [-][+[#]]field  specify fields to print.
>                    fields:  startime, lasttime, count, dur, avgdur,
>                             saddr, daddr, proto, sport, dport, ipid,
>                             stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
>                             pkts, spkts, dpkts, load, loss, rate,
>                             srcid, ind, mac, dir, jitter, status, user,
>                             win, trans, seq, vlan, mpls.
>          -S <host[:port]>   specify remote argus <host> and optional
> port number.
>          -t <timerange>     specify <timerange> for reading records.
>                    format:  timeSpecification[-timeSpecification]
>                             timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
>                                                  [yyyy/]mm/dd
>                                                  -%d{yMdhms}
>          -T <secs>          attach to remote server for T seconds.
>          -u                 print time in Unix time format.
>          -w <file>          write output to <file>. '-' denotes stdout.
>          -z                 print Argus TCP state changes.
>          -Z <s|d|b>         print actual TCP flag values.<'s'rc | 'd'st
> | 'b'oth>
> 
> Here are the options that clearRaConfiguration alters in argus_parse.c:
>    aflag = 0;
>    Aflag = 0;
>    Argusdflag = 0;
>    bflag = 0;
>    Bflag = 0;
>    cflag = 0;
>    Cflag = 0;
>    dflag = 0;
>    Dflag = 0;
>    eflag = 0;
>    Eflag = 0;
>    estr = NULL;
>    fflag = 0;
>    Fflag = 0;
>    gflag = 0;
>    Gflag = 0;
>    hfield = 15;
>    Hflag = 0;
>    Hstr = NULL;
>    idflag = 0;
>    jflag = 0;
>    lflag = 0;
>    Lflag = 0;
>    mflag = 0;
>    Mflag = NULL;
>    Netflag = 0;
>    nflag = 0;
>    Nflag = 0;
>    Normflag = 0;
>    notNetflag = 0;
>    Oflag = 0;
>    pfield = 5;
>    pflag = 0;
>    Pflag = 0;
>    qflag = 0;
>    sflag = NULL;
>    tflag = 0;
>    uflag = 0;
>    Wflag = 0;
> 
>    Uflag = 6;
>    vflag = 0;
>    Vflag = 0;
>    iflag = 0;
> 
>    Iflag = 0;
>    Tflag = 0;
>    rflag = 0;
>    Rflag = 0;
>    Sflag = 0;
>    xflag = 0;
>    Xflag = 0;
>    XMLflag = 0;
> 
>    zflag = 0;
>    Zflag = 0;
> 
> Some of these are set but never used and some of these are used but not
> documented (at least anywhere I could find).  -x for example isn't used
> in ra but it has some use for ragator ( if (xflag && (srv->status ==
> RA_SVCFAILED) ) and rahistogram but I couldn't find an explanation.
> 
> The flag that I am most interested in is the -X flag, which in argus
> seems to clear out any previous configuration.  It looks like it is
> supposed to do the same thing in ra but doesn't seem to work.  The other
> configuration question I have is if it would be possible to add sabytes
> and dabytes to the options for -s flag instead of having the -A flag?
> This would enable users to get output including both source and
> destionation bytes as well as source and destination application bytes
> at the same time.
> 
> Thanks,
> 
> Nick
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 