question about Argus Data Specific Records (DSR) headerformat

Carter Bullard carter at qosient.com
Wed Jan 16 08:48:32 EST 2008 

Hey Mel,
The bit in question, is the first bit of the DSR.  This is labeled bit 0 in the diagram, and in all the examples has a value of 0.  But, the left most bit in a byte, which is the most significant bit in network order, is also the 8th bit in host order (if you start numbering using 1) . Doesn't help that if this is the only bit set in a byte, its value is 0x80. ;o)

Wierd conventions, and possibly a bad description.  I'll look to make the wording a bit clearer.  But MSB (most significant bit) is the left most bit in a byte.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: mel <mel at hackinthebox.org>

Date: Wed, 16 Jan 2008 14:53:46 
To:Argus <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] question about Argus Data Specific Records (DSR) header
	format


Hi Carter,

In include/argus_def.h, the DSR header is like the one below:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|    Type     |0|  SubType    |   Qualifier   |     Length    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                         Argus DSR Data                        |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I pretty much understand the Type, SubType, Qualifier, Length and the
various DSR data and their format. Also, from include/argus_def.h:

       There are two types of DSR, 1) a Type Value (TV) record
       with an explicit length of 4 bytes, and 2) a Type Length
       Value (TLV) record, that is longer than 4 bytes and supports
       variable length records.

       The fixed length record is distinquished from the variable
       length records with the most significant bit of the Type
       Field set to 1 (>= 0x80).

However, looking deeper at the code, I found:

     ARGUS_FLOW_CLASSIC5TUPLE
     TYPE=ARGUS_FLOW   SubType=ARGUS_CLASSIC5TUPLE
     Qual=ARGUS_TYPE_IPV4

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|   0x02      |1|D|  0x01     |     0x01      |      0x06     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


     ARGUS_FLOW_CLASSIC5TUPLE
     TYPE=FLOW   SubType=ARGUS_CLASSIC5TUPLE    Qual=ARGUS_TYPE_ARP
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|   0x02      |1|0|    0x01   |      0x07     |      0x06     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     TYPE=FLOW   SubType=ARGUS_FLOW_MATRIX    Qual=ARGUS_TYPE_IPV4
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |0|   0x02      |K|D|    0x02   |      0x01     |      0x03     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

and so on.


It seems like the 8th and 9th bit have different values other than 1 or 
0. Can you please explain?


Cheers,

--mel

More information about the argus mailing list