argus-eye GUI

Carter Bullard carter at qosient.com
Mon Nov 6 09:32:49 EST 2006


Phillip,
The code is @ ftp://qosient.com/dev/argus-3.0.
It's still pre-release, but it's 90% there in my opinion.

You may want to allocate as many rows as you can display, that
way your display device is using only the resources it needs to get
it on the screen. Up/down buttons could be pagers to get the next
rows needed for the display. If you're just using perl to drive ra*
based ASCII row generation, then you can parse the whole file,
generating strings, and then hold the strings in a perl array,
and load them into your gui tables as needed.

For the curses version of ratop(), we only generate strings for
the records that are visible, and as you move around ('j','k',...)
we swap out the strings.

We can also do something like " ra -N x-y " which could
enable a faster, dumber gui, (this is a topic of an earlier
email on the list). If that's not fast enough, we can use file
offsets to pick up the next set of records to parse.

The argus record output file is designed to allow you to start reading
records at some arbitrary file offset (assuming that it's a record
boundary), which is much different than say an IPFIX stream, which
makes that type of parsing impossible.

Hmmmm, protocol names, we can print out all the names in the
/etc/protocols file, as well as all the ethertypes, which are listed
in the client's ./include/ethernames.h file.

If anyone sends any files with interesting values, I'll generate a
repository on the website.  If you have packet files that can be
used to generate the argus files, that would be great as well!!!!

Carter
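The paging approach described above (keep only the rows a screen needs, and use file offsets to fetch the next set), as an added example that is not code from this message or from the argus project. It is written in Python rather than the perl mentioned above, and it works on a constructed sample of ra ASCII output whose column layout is an assumption; the index holds only byte offsets, so a huge file does not have to be held as strings in memory.

```python
import os
import tempfile

# Constructed sample of ra ASCII output (whitespace-separated columns, header first).
# Column layout is assumed: StartTime Proto SrcAddr Sport Dir DstAddr Dport State
SAMPLE_RA_OUTPUT = """\
StartTime Proto SrcAddr Sport Dir DstAddr Dport State
09:30:01.000 tcp 10.0.0.5 51234 -> 10.0.0.9 80 CON
09:30:01.250 udp 10.0.0.5 5353 -> 224.0.0.251 5353 INT
09:30:02.100 icmp 10.0.0.5 0 -> 10.0.0.1 0 ECO
09:30:02.400 man 0.0.0.0 0 -> 0.0.0.0 0 STA
09:30:03.000 tcp 10.0.0.7 40000 -> 10.0.0.9 443 CON
"""

def build_offset_index(path):
    """One pass over the file, remembering the byte offset where each data
    row starts (the header is skipped). Only offsets are kept, never the
    row strings, so the index stays small even for a very large file."""
    offsets = []
    with open(path, "rb") as f:
        f.readline()  # skip the header row
        pos = f.tell()
        for line in iter(f.readline, b""):
            if line.strip():
                offsets.append(pos)
            pos = f.tell()
    return offsets

def read_page(path, offsets, first_row, rows_per_page):
    """Seek straight to the first requested row and parse only rows_per_page
    rows into field lists; an up/down pager calls this as the user scrolls."""
    if first_row >= len(offsets):
        return []
    with open(path, "rb") as f:
        f.seek(offsets[first_row])
        page = []
        for _ in range(min(rows_per_page, len(offsets) - first_row)):
            page.append(f.readline().decode().split())
        return page

def write_sample():
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_RA_OUTPUT)
    return path

if __name__ == "__main__":
    sample = write_sample()
    print(read_page(sample, build_offset_index(sample), 2, 2))
```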



On Nov 6, 2006, at 8:22 AM, Philipp Letschert wrote:

> Thanks for your replies,
>
> First of all, I don't feel like re-inventing the wheel, because no GUI exists that
> - is designated solely to the argus-suite
> - is open source and released under a free license
> - has all the features I would like to use
>
> I've tried NVisionIP, looks impressive but supports only 2.0.5, there is no
> source available and the project looks dormant, like the SIFT tools.
>
> The Gtk GUI will support argus 3.0, because it is just a frontend to the ra*
> tools. But to test this, it would be nice to have a 3.0 release, which I haven't
> found on the web...
> Carter, can you set up a CVS account for me?
>
> At the moment the only source is file input, but I plan to have ra and/or ratop
> live clients as supported sources as well, but this will take a while...
>
> Currently I'm doing the column configuration dialog, because the stock
> GtkTreeView is performing badly in building a table with ten-thousands of rows
> and 40 columns :(
>
> I guess performance will cause some headaches when it comes to real world data.
> I will post an initial release at the end of the week, so you can test your
> *big* files.
>
> Finally some questions:
> What protocols can show up in the 'proto' field of ra? I had a quick look at the
> 2.0.6 source but didn't find the answer (3.0?). Currently I am aware of:
>
> tcp
> rtp
> rtcp
> udp
> icmp
> man
>
> Do you have some (small!) samples of other transactions than the above, so I can
> test the fields?
> e.g. vlan mpls - no cisco device at hand, pls donate ;)
>