Printing information from management (MAR) records

Douglas Pichardo dpichard at cisco.com
Tue Feb 12 10:58:33 EST 2013 

I'm trying to determine what information is available in management records (MARs), and I'm left uncertain about the significance of several of the values being printed by "ra" because they aren't annotated or explained anywhere I see.  When I use "ra" to print out the management records ("ra -r eth0.argus -M man"), there are several mystery numbers printed for this example record:

      StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State 
15:25:55.190780        man      0.     0        117.     1     237 10119936   CON

For this example MAR:
- "0." is in the SrcAddr column, and is printed for all MARs in this file
- "0" is in the Sport column, also printed for all MARs
- "117." is in the DstAddr column, and is different for every MAR in the file... it's always less than the value for TotPkts though
- "1" is in the Dport column, and printed the same for all MARs
- "237" is in the TotPkts column, and I assume to be the number of packets seen during the reporting interval
- "10119936" is in the TotBytes column, and I assume to be the total number of bytes seen during the reporting interval

This can be partially correlated with the XML version of the output (ra -r eth0.argus -M man -M xml), which only shows two fields in the management records by default:

<ArgusManagementRecord  StartTime = "2013-02-07T15:25:55.190780" Flags = "         " Proto = "man" Pkts = "237" Bytes = "10119936" State = "CON"></ArgusManagementRecord>


I can see in the source code, argus/ArgusOutput.c ArgusGenerateStatusMarRecord(), that a lot of information is being put into a MAR, but how do I get correct labels printed for these other fields, particularly by getting them added to the XML output?  I made some guesses for the field types ("-s +loss,+ploss,+dur,+dpkts,+load") to see if "117" reared its head, but it hasn't, while a new "Records" field appears to be printed for "dpkts":

<ArgusManagementRecord  StartTime = "2013-02-07T15:25:55.190780" Flags = "         " Proto = "man" Pkts = "237" Bytes = "10119936" State = "CON" Loss = "0" PctLoss = "0.000000" Duration = "0.000000" Records = "82" Load = "0.000000"></ArgusManagementRecord>

Is there a decoder ring for this available anywhere I haven't looked yet?

Thanks,
Doug

More information about the argus mailing list