"man" protocol?

Peter Van Epp vanepp at sfu.ca
Mon Jan 2 19:21:16 EST 2006

On Mon, Jan 02, 2006 at 05:27:48PM -0600, Tim Lavoie wrote:
> Hi all,
> I've just started looking at Argus in earnest, so I'm new, but
> generally familiar with other networking tools.
> Most of the traffic that I've looked at so far seems pretty normal, at
> least in that I understand what it is, and the reporting of it from
> tools like "ra". Some of it appears to highlight some gaps in what I know.
> The ones which are strangest are those like the following. I'm fine
> with tcp, udp, arp etc., but haven't found what the "man" protocol
> means. Naturally, googling gives me countless links to man pages. In
> any case, the format of these is slightly different from the rest, and
> all apparently from a single IP (6000+ records, from December 12 to
> present).
> 12-12-05 15:26:52.669222           man       v2.0                                     1 0          0        0         0            0           STA
> 12-12-05 15:26:52.670329           man       v2.0                                    16 7          233      0         49530        4           CON
> 12-12-05 15:31:52.183189           man       v2.0                                    36 6          65       0         4419         5           CON
> 12-12-05 15:36:52.035605           man       v2.0                                    53 5          60       0         3772         1           CON
> Any ideas?
>     Thanks,
>     Tim

	Yep, management records about the argus process. Luckily last I had
to figure it out I dumped the fields from the source (I was fixing some 
formatting problems at the time) because as far as I know they aren't 
documented except in the source:

startime: mar.start 
lasttime: mar.now 
proto: man 
saddr: argusid 
sport: version# 
daddr: nextseq# 
dport: #flows 
spkts: RcvdPackets 
dpkts: droppedpackets 
sbytes: rcvdbytes 
dbytes: flows_closed 
status: man_status 

	The first line is fairly obvious (looks like you too don't have an IP
assigned to the interface so the sensor IP is whatever happens to be there).
The next line of numbers starts with the # of flows, then packets received,
packets dropped (by pcap, there are other sources of drop as well), bytes
received, number of flows closed and status (which I think is always con).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
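
The field mapping from the reply above, applied to the records quoted in the question. This is an added example, not part of the original post and not Argus code. The names ManRecord, parse_man and with_drops are hypothetical, and the whitespace-separated column layout is an assumption taken from the sample output.

```python
# Added example: field names follow the mapping given in the reply; the
# column layout is an assumption based on the sample "ra" lines in the question.
from typing import NamedTuple, Optional

class ManRecord(NamedTuple):
    timestamp: str            # date and time columns as printed by ra
    argus_id: Optional[str]   # saddr column; blank in the sample output
    version: str              # sport column
    next_seq: int             # daddr column
    flows: int                # dport column
    rcvd_packets: int         # spkts column
    dropped_packets: int      # dpkts column (drops reported by pcap)
    rcvd_bytes: int           # sbytes column
    flows_closed: int         # dbytes column
    status: str               # man_status

def parse_man(line: str) -> Optional[ManRecord]:
    """Return a ManRecord for a "man" line, or None for any other record."""
    tok = line.split()
    if len(tok) < 11 or tok[2] != "man":
        return None
    rest = tok[3:]            # [argusid] version, six counters, status
    try:
        nums = [int(x) for x in rest[-7:-1]]
    except ValueError:
        return None
    argus_id = rest[-9] if len(rest) >= 9 else None
    return ManRecord(f"{tok[0]} {tok[1]}", argus_id, rest[-8], *nums, rest[-1])

def with_drops(lines):
    """Management records in which the sensor reported dropped packets."""
    recs = (parse_man(l) for l in lines)
    return [r for r in recs if r and r.dropped_packets > 0]

# The four records quoted in the question, with whitespace collapsed.
SAMPLE = """\
12-12-05 15:26:52.669222 man v2.0 1 0 0 0 0 0 STA
12-12-05 15:26:52.670329 man v2.0 16 7 233 0 49530 4 CON
12-12-05 15:31:52.183189 man v2.0 36 6 65 0 4419 5 CON
12-12-05 15:36:52.035605 man v2.0 53 5 60 0 3772 1 CON
""".splitlines()

if __name__ == "__main__":
    for rec in filter(None, map(parse_man, SAMPLE)):
        print(rec)
```

A non-empty result from with_drops means flows reconstructed for that interval may be incomplete, which matters when the archive is later used as evidence.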
