man records in 3.0
Peter Van Epp
vanepp at sfu.ca
Fri Sep 19 14:43:51 EDT 2008
Below is a patch which copies the version number of the input stream (to tell the difference between 2.0 and 3.0 data) and prints the version number in the dir field of a 3.0 mar record (which was blank). Because of the change to the dir field between 2 and 3, my traffic perl scripts need to know which version the input file is (and it's desirable to be able to process both 2.0.6 or 3.0 records with the 3.0 client, which currently seems to work fine).

Remaining is to figure out how to cause 3.0 to print the start man record. It currently looks to process it but not print it. For this to work I need the start mar record so I know which version the data is. I also see that the argusID isn't in the mar data; while I don't need it, if someone does, now would be a good time to speak up :-).
Since you can't tell the players without a program, here is a partial conversion chart from 2.0.6 man records to 3.0 (the format has changed and grown substantially):
argus mar format 3.0

printable field name  argus_util.c routine that prints it  what it prints
stime                 ArgusPrintStartDate                  argus_mar.now.tv_sec
ltime                 ArgusPrintLastDate                   src.start.tv_sec
                      ArgusGetIndicatorString              blanks
flgs                  ArgusPrintFlags                      blanks
proto                 ArgusPrintProto                      "man"
saddr                 ArgusPrintSrcAddr                    argus_mar.queue
sport                 ArgusPrintSrcPort                    argus_mar.dropped
dir                   ArgusPrintDir                        blanks (now version number)
daddr                 ArgusPrintDstAddr                    argus_mar.bufs
dport                 ArgusPrintDstPort                    argus_mar.clients
spkts                 ArgusPrintSrcPackets                 argus_mar.pktsRcvd
dpkts                 ArgusPrintDstPackets                 argus_mar.records
sbytes                ArgusPrintSrcBytes                   argus_mar.bytesRcvd
dbytes                ArgusPrintDstBytes                   argus_mar.bytes
state                 ArgusPrintState                      state (current?)

argus mar format 2.0.6

printable field name  argus_util.c routine that prints it  what it prints
starttime             ArgusPrintStartDate                  argus_mar.startime
lasttime              ArgusPrintLastDate                   argus_mar.now
trans                 ArgusPrintTransactions               blanks
dur                   ArgusPrintDuration                   argus_mar.startime
avgdur                ArgusPrintAvgDuration                argus_mar.startime
snet                  ArgusPrintSrcAddr                    argus_mar.argusid
addr                  ArgusPrintSrcAddr                    argus_mar.argusid
dnet                  ArgusPrintDstAddr                    argus_mar.nextMrSequenceNum
daddr                 ArgusPrintDstAddr                    argus_mar.nextMrSequenceNum
proto                 ArgusPrintProto                      " man "
sport                 ArgusPrintSrcPort                    argus_mar.major_version
dport                 ArgusPrintDstPort                    argus_mar.flows
stos                  ArgusPrintSrcTOS                     argus_far.attr_ip.stos (not MAR specific)
dtos                  ArgusPrintDstTOS                     argus_far.attr_ip.dtos (not MAR specific)
sttl                  ArgusPrintSrcTTL                     argus_far.attr_ip.sttl
dttl                  ArgusPrintDstTTL                     argus_far.attr_ip.dttl
sbytes                ArgusPrintSrcBytes                   argus_mar.bytesRcvd
dbytes                ArgusPrintDstBytes                   argus_far.dst.bytes (not MAR specific?)
spkts                 ArgusPrintSrcPackets                 argus_mar.pktsRcvd
dpkts                 ArgusPrintDstPackets                 argus_mar.pktsDrop
sload                 ArgusPrintSrcLoad                    not MAR specific
dload                 ArgusPrintDstLoad                    not MAR specific
loss                  ArgusPrintLoss                       blanks?
And finally a patch to argus-clients-3.0.0 (I think the latest version) that copies the version number from the input mar records (do we need a flag that indicates this is a 3.0 client that processed the 2.0 data for anything? Again, if so, speak up now :-)). Carter will probably want to clean this up and may want to move the fields around if there is a scheme for what goes where; I picked a field that I was printing that was already blanks and butchered until the compiler was happy with the structures.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
*** common/argus_util.c.orig Fri Sep 19 09:51:06 2008
--- common/argus_util.c Fri Sep 19 10:50:11 2008
***************
*** 5205,5224 ****
void
ArgusPrintDir (struct ArgusParserStruct *parser, char *buf, struct ArgusRecordStruct *argus, int len)
{
if (argus->hdr.type & ARGUS_MAR) {
if (parser->ArgusPrintXml) {
} else
if ((parser->RaFieldDelimiter != ' ') && (parser->RaFieldDelimiter != '\0')) {
switch (parser->RaFieldWidth) {
case RA_FIXED_WIDTH:
! sprintf (buf, "%*.*s%c", len, len, " ", parser->RaFieldDelimiter);
break;
default:
! sprintf (buf, "%c", parser->RaFieldDelimiter);
break;
}
} else {
! sprintf (buf, "%*.*s ", len, len, " ");
}
} else {
--- 5205,5230 ----
void
ArgusPrintDir (struct ArgusParserStruct *parser, char *buf, struct ArgusRecordStruct *argus, int len)
{
+ char marVersionBuf[32];
+
if (argus->hdr.type & ARGUS_MAR) {
+ struct ArgusRecord *rec = (struct ArgusRecord *) &argus->canon;
+
+ sprintf (marVersionBuf, " v%d.%d", rec->argus_mar.major_version,
+ rec->argus_mar.minor_version);
if (parser->ArgusPrintXml) {
} else
if ((parser->RaFieldDelimiter != ' ') && (parser->RaFieldDelimiter != '\0')) {
switch (parser->RaFieldWidth) {
case RA_FIXED_WIDTH:
! sprintf (buf, "%*.*s%c", len, len, marVersionBuf, parser->RaFieldDelimiter);
break;
default:
! sprintf (buf, "%s%c", marVersionBuf, parser->RaFieldDelimiter);
break;
}
} else {
! sprintf (buf, "%*.*s ", len, len, marVersionBuf);
}
} else {
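Review bot: in the delimited, variable-width branch (`sprintf (buf, "%s%c", marVersionBuf, parser->RaFieldDelimiter);`) the leading space baked into `marVersionBuf` by `sprintf (marVersionBuf, " v%d.%d", ...)` is emitted as part of the field, so delimiter-separated output carries " v3.0" rather than "v3.0", which is exactly the kind of value a split-on-delimiter script will trip over; the space only serves as padding for the fixed-width case, so drop it from the format and let `%*.*s` do the padding. In the two fixed-width branches the precision `len` also truncates the version string whenever the dir column is narrower than the text (a 3-wide column yields " v3" and silently loses the minor version), which deserves a comment or a wider default width for MAR records since the whole point of the change is that downstream scripts read this field. Writing `marVersionBuf` with `snprintf (marVersionBuf, sizeof(marVersionBuf), ...)` would make the 32-byte bound explicit rather than relying on the field types staying small.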
***************
*** 16348,16355 ****
argus->argus_mar.startime = argus2->argus_mar.startime;
argus->argus_mar.now = argus2->argus_mar.now;
! argus->argus_mar.major_version = VERSION_MAJOR;
! argus->argus_mar.minor_version = VERSION_MINOR;
argus->argus_mar.reportInterval = argus2->argus_mar.reportInterval;
argus->argus_mar.argusMrInterval = argus2->argus_mar.argusMrInterval;
--- 16354,16361 ----
argus->argus_mar.startime = argus2->argus_mar.startime;
argus->argus_mar.now = argus2->argus_mar.now;
! argus->argus_mar.major_version = argus2->argus_mar.major_version;
! argus->argus_mar.minor_version = argus2->argus_mar.minor_version;
argus->argus_mar.reportInterval = argus2->argus_mar.reportInterval;
argus->argus_mar.argusMrInterval = argus2->argus_mar.argusMrInterval;
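Review bot: replacing `VERSION_MAJOR`/`VERSION_MINOR` with `argus2->argus_mar.major_version`/`minor_version` makes the converted record, which has the 3.0 layout, announce the source stream's (2.x) version; anything downstream that keys on `major_version` to select a record layout, or to decide whether the dir field carries a version at all, would be misled by that. This is the "do we need a flag that indicates this is a 3.0 client that processed the 2.0 data" question raised in the mail; at minimum add a comment at these two assignments stating that the version fields now reflect the input stream rather than the client, and consider carrying the source version in a separate converted-from field instead of overloading the record's own version.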