man records in 3.0
Carter Bullard
carter at qosient.com
Fri Sep 19 16:08:46 EDT 2008
Hey Peter,

Thanks!!!!!!! I'll add it to argus-clients-3.0.1.beta.1 and any changes
to argus-3.0.1.beta.3.tar.gz and I'll put them up on Monday.

Just as additional information, we have a magic(5) entry in the
./support directory that allows the Unix file(1) command to print out
the correct file type and version number. This is found in
./support/System/magic, in either the argus or clients dist.

Carter
On Sep 19, 2008, at 2:43 PM, Peter Van Epp wrote:
> Below is a patch which copies the version number of the input stream
> (to tell the difference between 2.0 and 3.0 data) and prints the
> version number in the dir field of a 3.0 mar record (which was blank).
> Because of the change to the dir field between 2 and 3 my traffic perl
> scripts need to know which version the input file is (and it's
> desirable to be able to process both 2.0.6 or 3.0 records with the 3.0
> client which currently seems to work fine).
>
> Remaining is to figure out how to cause 3.0 to print the start man
> record. It currently looks to process it but not print it. For this to
> work I need the start mar record so I know which version the data is.
> I also see that the argusID isn't in the mar data; while I don't need
> it, if someone does now would be a good time to speak up :-).
>
> Since you can't tell the players without a program here is a partial
> conversion chart from 2.0.6 man records to 3.0 (the format has changed
> and grown substantially):
>
> argus mar format 3.0
>
> printable field name   argus_util.c routine that prints it   what it prints
>
> stime                  ArgusPrintStartDate                   argus_mar.now.tv_sec
> ltime                  ArgusPrintLastDate                    src.start.tv_sec
>                        ArgusGetIndicatorString               blanks
> flgs                   ArgusPrintFlags                       blanks
> proto                  ArgusPrintProto                       "man"
> saddr                  ArgusPrintSrcAddr                     argus_mar.queue
> sport                  ArgusPrintSrcPort                     argus_mar.dropped
> dir                    ArgusPrintDir                         blanks (now version number)
> daddr                  ArgusPrintDstAddr                     argus_mar.bufs
> dport                  ArgusPrintDstPort                     argus_mar.clients
> spkts                  ArgusPrintSrcPackets                  argus_mar.pktsRcvd
> dpkts                  ArgusPrintDstPackets                  argus_mar.records
> sbytes                 ArgusPrintSrcBytes                    argus_mar.bytesRcvd
> dbytes                 ArgusPrintDstBytes                    argus_mar.bytes
> state                  ArgusPrintState                       state (current?)
>
> 2.0.6
>
> starttime              ArgusPrintStartDate                   argus_mar.startime
> lasttime               ArgusPrintLastDate                    argus_mar.now
> trans                  ArgusPrintTransactions                blanks
> dur                    ArgusPrintDuration                    argus_mar.startime
> avgdur                 ArgusPrintAvgDuration                 argus_mar.startime
> snet                   ArgusPrintSrcAddr                     argus_mar.argusid
> addr                   ArgusPrintSrcAddr                     argus_mar.argusid
> dnet                   ArgusPrintDstAddr                     argus_mar.nextMrSequenceNum
> daddr                  ArgusPrintDstAddr                     argus_mar.nextMrSequenceNum
> proto                  ArgusPrintProto                       " man "
> sport                  ArgusPrintSrcPort                     argus_mar.major_version,
> dport                  ArgusPrintDstPort                     argus_mar.flows
> stos                   ArgusPrintSrcTOS                      argus_far.attr_ip.stos (not MAR specific)
> dtos                   ArgusPrintDstTOS                      argus_far.attr_ip.dtos (not MAR specific)
> sttl                   ArgusPrintSrcTTL                      argus_far.attr_ip.sttl
> dttl                   ArgusPrintDstTTL                      argus_far.attr_ip.dttl
> sbytes                 ArgusPrintSrcBytes                    argus_mar.bytesRcvd
> dbytes                 ArgusPrintDstBytes                    argus_far.dst.bytes (not MAR specific?)
> spkts                  ArgusPrintSrcPackets                  argus_mar.pktsRcvd
> dpkts                  ArgusPrintDstPackets                  argus_mar.pktsDrop
> sload                  ArgusPrintSrcLoad                     Not MAR specific
> dload                  ArgusPrintDstLoad                     Not MAR specific
> loss                   ArgusPrintLoss                        blanks?
>
> and finally a patch to argus-clients-3.0.0 (I think the latest version)
> that copies the version number from the input mar records (do we need a
> flag that indicates this is a 3.0 client that processed the 2.0 data for
> anything? Again if so speak up now :-)). Carter will probably want to
> clean this up and may want to move the fields around if there is a
> scheme for what goes where; I picked a field that I was printing that
> was already blanks and butchered until the compiler was happy with the
> structures.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> *** common/argus_util.c.orig Fri Sep 19 09:51:06 2008
> --- common/argus_util.c Fri Sep 19 10:50:11 2008
> ***************
> *** 5205,5224 ****
> void
> ArgusPrintDir (struct ArgusParserStruct *parser, char *buf, struct
> ArgusRecordStruct *argus, int len)
> {
> if (argus->hdr.type & ARGUS_MAR) {
> if (parser->ArgusPrintXml) {
> } else
> if ((parser->RaFieldDelimiter != ' ') && (parser-
> >RaFieldDelimiter != '\0')) {
> switch (parser->RaFieldWidth) {
> case RA_FIXED_WIDTH:
> ! sprintf (buf, "%*.*s%c", len, len, " ", parser-
> >RaFieldDelimiter);
> break;
> default:
> ! sprintf (buf, "%c", parser->RaFieldDelimiter);
> break;
> }
> } else {
> ! sprintf (buf, "%*.*s ", len, len, " ");
> }
>
> } else {
> --- 5205,5230 ----
> void
> ArgusPrintDir (struct ArgusParserStruct *parser, char *buf, struct
> ArgusRecordStruct *argus, int len)
> {
> + char marVersionBuf[32];
> +
> if (argus->hdr.type & ARGUS_MAR) {
> + struct ArgusRecord *rec = (struct ArgusRecord *) &argus-
> >canon;
> +
> + sprintf (marVersionBuf, " v%d.%d", rec-
> >argus_mar.major_version,
> + rec->argus_mar.minor_version);
> if (parser->ArgusPrintXml) {
> } else
> if ((parser->RaFieldDelimiter != ' ') && (parser-
> >RaFieldDelimiter != '\0')) {
> switch (parser->RaFieldWidth) {
> case RA_FIXED_WIDTH:
> ! sprintf (buf, "%*.*s%c", len, len, marVersionBuf,
> parser->RaFieldDelimiter);
> break;
> default:
> ! sprintf (buf, "%s%c", marVersionBuf, parser-
> >RaFieldDelimiter);
> break;
> }
> } else {
> ! sprintf (buf, "%*.*s ", len, len, marVersionBuf);
> }
>
> } else {
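Review bot: the three `sprintf` calls in the MAR branch write into `buf` without knowing its size, and the default (non-fixed-width) branch now emits `strlen(marVersionBuf) + 1` bytes where it previously emitted a single delimiter, so a caller that sized `buf` for the old blank output can be overrun; suggest `snprintf` with an explicit destination length in all three branches. In the `RA_FIXED_WIDTH` and plain-space branches, `"%*.*s"` also uses `len` as the precision, so a dir column narrower than the version string truncates it (a width of 3 prints " v3" rather than " v3.0"); either widen the dir column for MAR records or drop the precision. The `(struct ArgusRecord *) &argus->canon` cast assumes `canon` is laid out exactly as `struct ArgusRecord`, which the cover note says was reached by adjusting until the compiler accepted it; worth a comment confirming that layout or using whatever accessor the rest of argus_util.c uses to reach `argus_mar`. The `parser->ArgusPrintXml` branch is still empty, so the version never appears in XML output; print it there as well or state in the commit that XML is intentionally unchanged.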
> ***************
> *** 16348,16355 ****
> argus->argus_mar.startime = argus2-
> >argus_mar.startime;
> argus->argus_mar.now = argus2-
> >argus_mar.now;
>
> ! argus->argus_mar.major_version = VERSION_MAJOR;
> ! argus->argus_mar.minor_version = VERSION_MINOR;
> argus->argus_mar.reportInterval = argus2-
> >argus_mar.reportInterval;
> argus->argus_mar.argusMrInterval = argus2-
> >argus_mar.argusMrInterval;
>
> --- 16354,16361 ----
> argus->argus_mar.startime = argus2-
> >argus_mar.startime;
> argus->argus_mar.now = argus2-
> >argus_mar.now;
>
> ! argus->argus_mar.major_version = argus2-
> >argus_mar.major_version;
> ! argus->argus_mar.minor_version = argus2-
> >argus_mar.minor_version;
> argus->argus_mar.reportInterval = argus2-
> >argus_mar.reportInterval;
> argus->argus_mar.argusMrInterval = argus2-
> >argus_mar.argusMrInterval;
>
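Review bot: replacing `VERSION_MAJOR`/`VERSION_MINOR` with `argus2->argus_mar.major_version` and `minor_version` makes the converted record advertise the 2.0 input's version while the surrounding fields are filled in the 3.0 layout, so any consumer that selects a parser from `major_version` now sees a version that does not describe the record it is reading. That is exactly the trade-off the cover note raises when asking whether a "3.0 client processed 2.0 data" flag is needed; suggest either carrying the input version in a separate field and keeping these two at the client's constants, or adding a comment here stating that `major_version`/`minor_version` now mean "version of the input stream" rather than "version of this record", so the dir-field printing in the first hunk and the conversion path stay consistent.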