man records in 3.0
Carter Bullard
carter at qosient.com
Mon Sep 22 22:08:18 EDT 2008
Hey Peter,
Just a few questions on these changes. Not sure why you are preserving the 2.x version numbers in the management records since the stream has been converted to 3.0. Is there value in knowing that its history involves converting from 2.x to 3.0?

We worked hard to get the 3.0 clients to print the 2.x fields using the same format, so is there something specific to 2.x output that the 3.0 code is not doing?

When we print mar records, all the fields should have values or blanks, so that the format is the same as the far records. Do we need to specify these other fields to have values rather than blanks?

Printing the starting mar is not a problem (need to insert the call to print the initial mar in the ArgusReadConnection() routine). So if the ARGUS_PRINT_MAR variable is set in the .rarc, then we'll print the starting mar record?

I'll wait to upload the new code until we hash some of these out.
Hope all is most excellent,
Carter
On Sep 19, 2008, at 2:43 PM, Peter Van Epp wrote:
> Below is a patch which copies the version number of the input stream (to tell the difference between 2.0 and 3.0 data) and prints the version number in the dir field of a 3.0 mar record (which was blank). Because of the change to the dir field between 2 and 3 my traffic perl scripts need to know which version the input file is (and it's desirable to be able to process both 2.0.6 or 3.0 records with the 3.0 client, which currently seems to work fine).
>
> Remaining is to figure out how to cause 3.0 to print the start man record. It currently looks to process it but not print it. For this to work I need the start mar record so I know which version the data is. I also see that the argusID isn't in the mar data; while I don't need it, if someone does, now would be a good time to speak up :-).
>
> Since you can't tell the players without a program, here is a partial conversion chart from 2.0.6 man records to 3.0 (the format has changed and grown substantially):
>
> argus mar format 3.0
>
> printable field name   argus_util.c routine that prints it   what it prints
>
> stime                  ArgusPrintStartDate                   argus_mar.now.tv_sec
> ltime                  ArgusPrintLastDate                    src.start.tv_sec
>                        ArgusGetIndicatorString               blanks
> flgs                   ArgusPrintFlags                       blanks
> proto                  ArgusPrintProto                       "man"
> saddr                  ArgusPrintSrcAddr                     argus_mar.queue
> sport                  ArgusPrintSrcPort                     argus_mar.dropped
> dir                    ArgusPrintDir                         blanks (now version number)
> daddr                  ArgusPrintDstAddr                     argus_mar.bufs
> dport                  ArgusPrintDstPort                     argus_mar.clients
> spkts                  ArgusPrintSrcPackets                  argus_mar.pktsRcvd
> dpkts                  ArgusPrintDstPackets                  argus_mar.records
> sbytes                 ArgusPrintSrcBytes                    argus_mar.bytesRcvd
> dbytes                 ArgusPrintDstBytes                    argus_mar.bytes
> state                  ArgusPrintState                       state (current?)
>
> 2.0.6
>
> printable field name   argus_util.c routine that prints it   what it prints
>
> starttime              ArgusPrintStartDate                   argus_mar.startime
> lasttime               ArgusPrintLastDate                    argus_mar.now
> trans                  ArgusPrintTransactions                blanks
> dur                    ArgusPrintDuration                    argus_mar.startime
> avgdur                 ArgusPrintAvgDuration                 argus_mar.startime
> snet                   ArgusPrintSrcAddr                     argus_mar.argusid
> addr                   ArgusPrintSrcAddr                     argus_mar.argusid
> dnet                   ArgusPrintDstAddr                     argus_mar.nextMrSequenceNum
> daddr                  ArgusPrintDstAddr                     argus_mar.nextMrSequenceNum
> proto                  ArgusPrintProto                       " man "
> sport                  ArgusPrintSrcPort                     argus_mar.major_version,
> dport                  ArgusPrintDstPort                     argus_mar.flows
> stos                   ArgusPrintSrcTOS                      argus_far.attr_ip.stos (not MAR specific)
> dtos                   ArgusPrintDstTOS                      argus_far.attr_ip.dtos (not MAR specific)
> sttl                   ArgusPrintSrcTTL                      argus_far.attr_ip.sttl
> dttl                   ArgusPrintDstTTL                      argus_far.attr_ip.dttl
> sbytes                 ArgusPrintSrcBytes                    argus_mar.bytesRcvd
> dbytes                 ArgusPrintDstBytes                    argus_far.dst.bytes (not MAR specific?)
> spkts                  ArgusPrintSrcPackets                  argus_mar.pktsRcvd
> dpkts                  ArgusPrintDstPackets                  argus_mar.pktsDrop
> sload                  ArgusPrintSrcLoad                     Not MAR specific
> dload                  ArgusPrintDstLoad                     Not MAR specific
> loss                   ArgusPrintLoss                        blanks?
>
> and finally a patch to argus-clients-3.0.0 (I think the latest version) that copies the version number from the input mar records (do we need a flag that indicates this is a 3.0 client that processed the 2.0 data for anything? Again, if so speak up now :-)). Carter will probably want to clean this up and may want to move the fields around if there is a scheme for what goes where; I picked a field that I was printing that was already blanks and butchered until the compiler was happy with the structures.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> *** common/argus_util.c.orig Fri Sep 19 09:51:06 2008
> --- common/argus_util.c Fri Sep 19 10:50:11 2008
> ***************
> *** 5205,5224 ****
> void
> ArgusPrintDir (struct ArgusParserStruct *parser, char *buf, struct
> ArgusRecordStruct *argus, int len)
> {
> if (argus->hdr.type & ARGUS_MAR) {
> if (parser->ArgusPrintXml) {
> } else
> if ((parser->RaFieldDelimiter != ' ') && (parser-
> >RaFieldDelimiter != '\0')) {
> switch (parser->RaFieldWidth) {
> case RA_FIXED_WIDTH:
> ! sprintf (buf, "%*.*s%c", len, len, " ", parser-
> >RaFieldDelimiter);
> break;
> default:
> ! sprintf (buf, "%c", parser->RaFieldDelimiter);
> break;
> }
> } else {
> ! sprintf (buf, "%*.*s ", len, len, " ");
> }
>
> } else {
> --- 5205,5230 ----
> void
> ArgusPrintDir (struct ArgusParserStruct *parser, char *buf, struct
> ArgusRecordStruct *argus, int len)
> {
> + char marVersionBuf[32];
> +
> if (argus->hdr.type & ARGUS_MAR) {
> + struct ArgusRecord *rec = (struct ArgusRecord *) &argus-
> >canon;
> +
> + sprintf (marVersionBuf, " v%d.%d", rec-
> >argus_mar.major_version,
> + rec->argus_mar.minor_version);
> if (parser->ArgusPrintXml) {
> } else
> if ((parser->RaFieldDelimiter != ' ') && (parser-
> >RaFieldDelimiter != '\0')) {
> switch (parser->RaFieldWidth) {
> case RA_FIXED_WIDTH:
> ! sprintf (buf, "%*.*s%c", len, len, marVersionBuf,
> parser->RaFieldDelimiter);
> break;
> default:
> ! sprintf (buf, "%s%c", marVersionBuf, parser-
> >RaFieldDelimiter);
> break;
> }
> } else {
> ! sprintf (buf, "%*.*s ", len, len, marVersionBuf);
> }
>
> } else {
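Review bot: the three rewritten sprintf calls in this hunk still write into buf with no bound, and in the RA_FIXED_WIDTH and space-delimited branches "%*.*s" passes len as both width and precision, so whenever the dir column is narrower than marVersionBuf (" v3.0" is five characters, and the leading space costs a column) the minor version is silently cut off; snprintf with the real size of buf plus a check that strlen(marVersionBuf) <= len would make both failures visible instead of silent. The cast `(struct ArgusRecord *) &argus->canon` also needs a comment or assertion that canon holds the raw ArgusRecord layout for ARGUS_MAR records, since major_version and minor_version are read through it at fixed offsets. Minor: the formatting into marVersionBuf runs before the ArgusPrintXml branch that prints nothing, so it can move into the non-XML path.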
> ***************
> *** 16348,16355 ****
> argus->argus_mar.startime = argus2-
> >argus_mar.startime;
> argus->argus_mar.now = argus2-
> >argus_mar.now;
>
> ! argus->argus_mar.major_version = VERSION_MAJOR;
> ! argus->argus_mar.minor_version = VERSION_MINOR;
> argus->argus_mar.reportInterval = argus2-
> >argus_mar.reportInterval;
> argus->argus_mar.argusMrInterval = argus2-
> >argus_mar.argusMrInterval;
>
> --- 16354,16361 ----
> argus->argus_mar.startime = argus2-
> >argus_mar.startime;
> argus->argus_mar.now = argus2-
> >argus_mar.now;
>
> ! argus->argus_mar.major_version = argus2-
> >argus_mar.major_version;
> ! argus->argus_mar.minor_version = argus2-
> >argus_mar.minor_version;
> argus->argus_mar.reportInterval = argus2-
> >argus_mar.reportInterval;
> argus->argus_mar.argusMrInterval = argus2-
> >argus_mar.argusMrInterval;
>
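Review bot: after this change a record that has been converted to the 3.0 layout carries the 2.x major_version and minor_version copied from argus2, so any later code that consults those fields to decide how to interpret the record will treat a 3.0-layout MAR as 2.x; if the goal is to remember that the stream was converted, a separate origin flag (the one the covering mail asks about) keeps the version fields describing the record's actual layout. The two `!` lines also drop the only place the converted record was stamped with VERSION_MAJOR/VERSION_MINOR, so that intent deserves a comment next to the assignments.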
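As an added example that is not part of this thread or of the argus-clients source: a bounded rewrite of the three sprintf branches from the ArgusPrintDir hunk above, using snprintf and refusing output that a fixed-width dir column would truncate. The ParserSettings struct, the RA_FIXED_WIDTH value, and the helper names are constructed stand-ins for the parser fields the hunk reads (parser->RaFieldDelimiter, parser->RaFieldWidth).

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the parser settings the hunk reads; the real value of
 * RA_FIXED_WIDTH is not on the page, only its name. */
#define RA_FIXED_WIDTH 1

struct ParserSettings {
    char field_delimiter;    /* ' ' or '\0' means fixed-width, space-separated columns */
    int  field_width_mode;   /* RA_FIXED_WIDTH or anything else */
};

/* Render "vMAJOR.MINOR" into the dir column following the three branches of the hunk,
 * but with bounded writes. Returns the number of characters written, or -1 when the
 * text would not fit in buf or when a fixed-width column would chop the version. */
int format_mar_version_dir(const struct ParserSettings *p, unsigned major, unsigned minor,
                           int len, char *buf, size_t bufsize)
{
    char ver[32];
    int delimited = (p->field_delimiter != ' ' && p->field_delimiter != '\0');
    int fixed = !delimited || p->field_width_mode == RA_FIXED_WIDTH;
    int n;

    snprintf(ver, sizeof ver, "v%u.%u", major, minor);

    /* "%*.*s" with precision len silently truncates: refuse rather than print "v3." */
    if (fixed && strlen(ver) > (size_t)len)
        return -1;

    if (delimited)
        n = fixed ? snprintf(buf, bufsize, "%*.*s%c", len, len, ver, p->field_delimiter)
                  : snprintf(buf, bufsize, "%s%c", ver, p->field_delimiter);
    else
        n = snprintf(buf, bufsize, "%*.*s ", len, len, ver);

    if (n < 0 || (size_t)n >= bufsize)
        return -1;   /* would have overflowed: the caller sees an error, not a smashed buffer */
    return n;
}

/* Helper: format a constructed v3.0 MAR with the given settings and compare to expected text. */
int version_dir_matches(char delim, int width_mode, int len, const char *expected)
{
    char buf[64];
    struct ParserSettings p = { delim, width_mode };
    int n = format_mar_version_dir(&p, 3, 0, len, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("%d %d %d %d\n",
           version_dir_matches(',', 0, 3, "v3.0,"),                 /* delimited, variable width */
           version_dir_matches(',', RA_FIXED_WIDTH, 6, "  v3.0,"),  /* delimited, fixed width */
           version_dir_matches(' ', 0, 6, "  v3.0 "),               /* space-separated columns */
           version_dir_matches(',', RA_FIXED_WIDTH, 3, "v3."));     /* 0: refused, would truncate */
    return 0;
}
```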