Printing information from management (MAR) records

Carter Bullard carter at qosient.com
Tue Feb 12 18:23:35 EST 2013


Hey Doug,
Some things are a work in progress, and I try to get to things as needed.
If you look at ./include/argus_out.h, the management struct is defined there.  If there is something you would like to see, send some email here, and I'll add it.

The problem is that we try to map the management fields to the data fields when we print a default record output, and they don't map very well.

The printing routine for the management records is in ./common/argus_util.c and you can see what we're trying to do.

Attempting / trying to convey things like number of clients attached to this argus, records in the flow queue, packets processed, bytes processed, pcap drops, etc...

I'll add all the fields to the XML output, but you're right, how do you refer to the fields when you have to specify them using spkts and dpkts.

Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Feb 12, 2013, at 10:58 AM, Douglas Pichardo <dpichard at cisco.com> wrote:

> I'm trying to determine what information is available in management records (MARs), and I'm left uncertain about the significance of several of the values being printed by "ra" because they aren't annotated or explained anywhere I see.  When I use "ra" to print out the management records ("ra -r eth0.argus -M man"), there are several mystery numbers printed for this example record:
> 
>      StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State 
> 15:25:55.190780        man      0.     0        117.     1     237 10119936   CON
> 
> For this example MAR:
> - "0." is in the SrcAddr column, and is printed for all MARs in this file
> - "0" is in the Sport column, also printed for all MARs
> - "117." is in the DstAddr column, and is different for every MAR in the file... it's always less than the value for TotPkts though
> - "1" is in the Dport column, and printed the same for all MARs
> - "237" is in the TotPkts column, and I assume to be the number of packets seen during the reporting interval
> - "10119936" is in the TotBytes column, and I assume to be the total number of bytes seen during the reporting interval
> 
> This can be partially correlated with the XML version of the output (ra -r eth0.argus -M man -M xml), which only shows two fields in the management records by default:
> 
> <ArgusManagementRecord  StartTime = "2013-02-07T15:25:55.190780" Flags = "         " Proto = "man" Pkts = "237" Bytes = "10119936" State = "CON"></ArgusManagementRecord>
> 
> 
> I can see in the source code, argus/ArgusOutput.c ArgusGenerateStatusMarRecord(), that a lot of information is being put into a MAR, but how do I get correct labels printed for these other fields, particularly by getting them added to the XML output?  I made some guesses for the field types ("-s +loss,+ploss,+dur,+dpkts,+load") to see if "117" reared its head, but it hasn't, while a new "Records" field appears to be printed for "dpkts":
> 
> <ArgusManagementRecord  StartTime = "2013-02-07T15:25:55.190780" Flags = "         " Proto = "man" Pkts = "237" Bytes = "10119936" State = "CON" Loss = "0" PctLoss = "0.000000" Duration = "0.000000" Records = "82" Load = "0.000000"></ArgusManagementRecord>
> 
> Is there a decoder ring for this available anywhere I haven't looked yet?
> 
> Thanks,
> Doug
> 
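
The XML form of the management record that Doug quotes, as an added example that is not part of this thread or of the argus source: a small Python script that parses the one-element-per-line output of `ra -M man -M xml`, keeps every attribute the sensor reports (including ones whose meaning is still undocumented), and flags the two sensor-health conditions a monitoring team would want out of MARs: an interval in which no packets were processed, and a gap between consecutive MARs. The 60-second MAR interval and the second and third sample records are assumptions/constructed; only the first record is the one from the thread.

```python
# Added example, not argus project code: parse "ra -M man -M xml" output and
# report sensor-health findings from the management records (MARs).
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample: line 1 is the record quoted in the thread; lines 2 and 3
# are made up to show an idle interval and a reporting gap.
SAMPLE_XML = """\
<ArgusManagementRecord  StartTime = "2013-02-07T15:25:55.190780" Flags = "         " Proto = "man" Pkts = "237" Bytes = "10119936" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord  StartTime = "2013-02-07T15:26:55.190780" Flags = "         " Proto = "man" Pkts = "0" Bytes = "0" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord  StartTime = "2013-02-07T15:31:55.190780" Flags = "         " Proto = "man" Pkts = "512" Bytes = "20480000" State = "CON"></ArgusManagementRecord>
"""

def parse_mar_lines(text):
    """Return one dict per <ArgusManagementRecord> element, one element per line.
    Pkts/Bytes become ints and StartTime a datetime; any other attribute
    (Loss, Records, ... whatever ra was asked for) is kept verbatim."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("<ArgusManagementRecord"):
            continue  # skip non-MAR output (flow records, blank lines)
        elem = ET.fromstring(line)  # whitespace around '=' is legal XML
        rec = dict(elem.attrib)
        rec["StartTime"] = datetime.strptime(rec["StartTime"], "%Y-%m-%dT%H:%M:%S.%f")
        for key in ("Pkts", "Bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def health_report(records, expected_interval=60.0):
    """Flag MAR intervals that processed no packets (sensor blind or link dead)
    and gaps longer than twice the expected interval (sensor or collector
    stalled). expected_interval is an assumed MAR period, not a page value."""
    findings = []
    prev = None
    for rec in records:
        if prev is not None:
            gap = (rec["StartTime"] - prev["StartTime"]).total_seconds()
            if gap > 2 * expected_interval:
                findings.append((rec["StartTime"], f"gap of {gap:.0f}s since previous MAR"))
        if rec["Pkts"] == 0:
            findings.append((rec["StartTime"], "no packets processed in interval"))
        prev = rec
    return findings

if __name__ == "__main__":
    for when, msg in health_report(parse_mar_lines(SAMPLE_XML)):
        print(f"{when.isoformat()}  {msg}")
```

Feed it real output with `ra -r eth0.argus -M man -M xml | python3 mar_health.py` once the script reads stdin instead of SAMPLE_XML.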