"man" protocol?
Tim Lavoie
tim at fractaldragon.net
Tue Jan 3 01:06:31 EST 2006
On Mon, Jan 02, 2006 at 04:21:16PM -0800, Peter Van Epp wrote:
> Yep, management records about the argus process. Luckily last I had
> to figure it out I dumped the fields from the source (I was fixing some
> formatting problems at the time) because as far as I know they aren't
> documented except in the source:
>
> startime: mar.start
> lasttime: mar.now
> proto: man
> saddr: argusid
> sport: version#
> daddr: nextseq#
> dport: #flows
> spkts: RcvdPackets
> dpkts: droppedpackets
> sbytes: rcvdbytes
> dbytes: flows_closed
> status: man_status
>
> The first line is fairly obvious (looks like you too don't have an IP
> assigned to the interface so the sensor IP is whatever happens to be there).
> The next line of numbers starts with the # of flows, then packets received,
> packets dropped (by pcap, there are other sources of drop as well), bytes
> received, number of flows closed and status (which I think is always con)
Hi Peter,
Thanks for the info. That does help, though it does lead to a bit of a
puzzle still. This is actually my primary desktop system, and it does
have an IP statically bound to eth0, where argus is listening. The
address in the file, though, isn't it. It's none of the IPs on my
internal network, though now that I have looked, argus reports the
same IP on my router/firewall box. That same IP fails to make sense
there too, and does not resolve to anything.
Both systems are Debian Linux systems, with 2.0.6.fixes.1-10 of the
argus-server package from Debian. I did just check on a system at work
on which I had installed argus before Christmas, and it reports its
own host name in the saddr field, which does make sense. Could this be
more of a Debian package bug?
Thanks,
Tim
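As an added example (not code from the argus project or from either poster), here is a small Python check that applies Peter's field mapping to "man" records and turns them into a sensor-health report: packets dropped by pcap, a backwards jump in nextseq (taken here as a sign the sensor restarted), and the set of argusid values seen, which is what you would compare across two hosts' files when chasing Tim's identical-address puzzle. The record layout is an assumption: whitespace-separated columns in the twelve-field order of Peter's list (startime lasttime proto saddr sport daddr dport spkts dpkts sbytes dbytes status); real ra output may be arranged differently, and the sample lines below are constructed, not captured.

```python
"""Relabel argus "man" (management) records and report on sensor health.

Added example, not from the argus project or from this thread.  ASSUMPTION:
each record is one whitespace-separated line whose columns follow the twelve
flow-field names below; the sample data is constructed, not real ra output.
"""

FLOW_FIELDS = ["startime", "lasttime", "proto", "saddr", "sport", "daddr",
               "dport", "spkts", "dpkts", "sbytes", "dbytes", "status"]

# What each flow column means when proto == "man" (the mapping quoted above).
MAN_FIELDS = {
    "startime": "mar_start",
    "lasttime": "mar_now",
    "saddr": "argusid",
    "sport": "version",
    "daddr": "nextseq",
    "dport": "flows",
    "spkts": "rcvd_packets",
    "dpkts": "dropped_packets",
    "sbytes": "rcvd_bytes",
    "dbytes": "flows_closed",
    "status": "man_status",
}
MAN_COUNTERS = ("version", "nextseq", "flows", "rcvd_packets",
                "dropped_packets", "rcvd_bytes", "flows_closed")

# Constructed sample: three management records around one ordinary tcp flow.
# The third man record's nextseq falls back to 0, as it would after a restart.
SAMPLE = """\
12:00:00 12:00:00 man 10.9.8.7 2 1 0 0 0 0 0 con
12:00:00 12:00:05 tcp 192.168.1.10 40001 192.168.1.1 22 12 10 1400 2000 EST
12:00:00 12:01:00 man 10.9.8.7 2 43 17 5000 25 400000 12 con
12:00:00 12:02:00 man 10.9.8.7 2 0 3 120 0 9000 0 con
"""


def parse_record(line):
    """Split one line into a dict; man records get the management field names."""
    cols = line.split()
    if len(cols) != len(FLOW_FIELDS):
        raise ValueError("expected %d columns, got %d: %r"
                         % (len(FLOW_FIELDS), len(cols), line))
    rec = dict(zip(FLOW_FIELDS, cols))
    if rec["proto"] != "man":
        return rec                      # ordinary flow record, left as-is
    man = {MAN_FIELDS[k]: v for k, v in rec.items() if k in MAN_FIELDS}
    man["proto"] = "man"
    for key in MAN_COUNTERS:            # counters are numeric in man records
        man[key] = int(man[key])
    return man


def man_records(lines):
    """Yield only the parsed management records from an iterable of lines."""
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["proto"] == "man":
            yield rec


def argus_ids(lines):
    """Set of argusid values present; compare across sensors' files."""
    return {rec["argusid"] for rec in man_records(lines)}


def check_man_records(lines):
    """Return a list of warning strings about drops and restarts."""
    warnings = []
    prev_seq = None
    for rec in man_records(lines):
        if rec["dropped_packets"] > 0:
            seen = rec["rcvd_packets"] + rec["dropped_packets"]
            pct = 100.0 * rec["dropped_packets"] / max(seen, 1)
            warnings.append("%s: %d packets dropped by pcap (%.1f%% of %d)"
                            % (rec["mar_now"], rec["dropped_packets"], pct, seen))
        # nextseq normally only grows; a fall-back suggests the sensor restarted
        if prev_seq is not None and rec["nextseq"] < prev_seq:
            warnings.append("%s: nextseq fell from %d to %d (sensor restart?)"
                            % (rec["mar_now"], prev_seq, rec["nextseq"]))
        prev_seq = rec["nextseq"]
    return warnings


if __name__ == "__main__":
    print("argusid(s):", ", ".join(sorted(argus_ids(SAMPLE.splitlines()))))
    for warning in check_man_records(SAMPLE.splitlines()):
        print(warning)
```

Run it against the sample and you get one argusid, a drop warning for the 12:01:00 record, and a restart warning for the 12:02:00 record; pointing `argus_ids` at two sensors' files that both return the same address reproduces the symptom Tim describes.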