Manual for man records - MAR fields explained
elof2 at sentor.se
Thu Jun 4 08:46:24 EDT 2015
Hi Carter.
6.
In the MAR records, StartTime and LastTime seem to be swapped.
StartTime = "2015-06-04T12:59:33.039562" LastTime = "2015-06-04T12:58:33.010479"
StartTime = "2015-06-04T13:00:33.090726" LastTime = "2015-06-04T12:59:33.039562"
Shouldn't they be the other way around?
/Elof
On Wed, 27 May 2015, elof2 at sentor.se wrote:
>
> Hi Carter.
>
> Ok, so I run the same command twice, once with xml and once without:
>
> # ra -Zb -M man xml -A -nr argus.log -
> <?xml version ="1.0" encoding="UTF-8"?>
> <!--Generated by ra(3.0.8) QoSient, LLC-->
> <ArgusDataStream
> xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
> xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
> BeginDate = "2015-05-26T10:39:41.298236" CurrentDate = "2015-05-27T11:46:10.400186"
> MajorVersion = "3" MinorVersion = "0" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
> ArgusSourceId = "10.200.17.10" NetAddr = "0.0.0.0" NetMask = "0.0.0.0">
>
> <ArgusManagementRecord StartTime = "2015-05-26T10:58:41.177579" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "STA"></ArgusManagementRecord>
> <ArgusManagementRecord StartTime = "2015-05-26T10:58:41.177511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
> <ArgusManagementRecord StartTime = "2015-05-26T10:59:41.171511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
> <ArgusManagementRecord StartTime = "2015-05-26T11:00:41.165508" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
> <ArgusManagementRecord StartTime = "2015-05-26T11:01:41.159511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
> <ArgusManagementRecord StartTime = "2015-05-26T11:02:41.153510" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
> </ArgusDataStream>
>
> # ra -Zb -M man -A -nr argus.log -
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
> 10:58:41.177579 man 0 0 0 0 0 0 0 0 STA
> 10:58:41.177511 man 0 0 26 1 0 0 0 0 CON
> 10:59:41.171511 man 0 0 25 1 0 0 0 0 CON
> 11:00:41.165508 man 0 0 25 1 0 0 0 0 CON
> 11:01:41.159511 man 0 0 25 1 0 0 0 0 CON
> 11:02:41.153510 man 0 0 25 1 0 0 0 0 CON
> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
>
>
> In the xml output I understand the values.
> So I guess the problem here is how (and what) ra outputs in standard mode.
>
> In xml we have 8 values:
> StartTime = "2015-05-26T11:02:41.153510"
> Flags = " "
> Proto = "man"
> PktsRcvd = "0"
> Records = "0"
> BytesRcvd = "0"
> PktsDropped = "0"
> State = "CON"
>
> But in normal ra output we have more, in my example:
> 11:02:41.153510
> " "
> man
> 0
> 0 25
> 1
> 0
> 0
> 0
> 0
> CON
>
>
> The sniffer interface sees no traffic at all, so the xml output shows all zeroes. Good.
> I expect all zeroes in the normal ra output as well, but it is not.
> Confusing.
>
> 1.
> What is the "25" and the "1" values? Just random garbage?
>
> 2. I don't know if there is anything to figure out for v3.0.9.
> Couldn't you just list which MAR field is mapped to what FAR field? Then
> we have a conversion map for the few times we need it.
>
> 3.
> Please then copy this MAR->FAR field conversion map into the ra manual.
>
> 4.
> When ra operates in normal output mode, couldn't you please make it print
> blanks in all non-mapped fields on MAR rows? Blank values better indicate
> that there is no information there to be found than zeroes (or random
> garbage).
>
> 5.
> Apart from adding the MAR->FAR field conversion map to the ra manual, I think
> you should also add the following notes to the -M section:
>
> man - print management records. Xml output mode is recommended
> (-M man xml), but if using normal output mode, see the
> MAR->FAR field conversion map below.
>
> /Elof
>
>
> On Tue, 26 May 2015, Carter Bullard wrote:
>
>> If you printed the records out in xml, you should get a bit of an
>> explanation.
>> ra -M man xml
>> The man records have quite a bit of information, but the fields don't
>> necessarily conform to the standard fields for FAR records. Saddr, sport,
>> etc ... What are the equivalents in the MAR records ??? Nothing really, so
>> we haven't described what the fields are supposed to mean, as it's a bit up
>> in the air since argus-3.0.6 when we made significant changes and changed
>> the default output.
>>
>> Something we should figure out for 3.0.9 ???
>>
>> Carter
>>
>>
>>> On May 26, 2015, at 11:23 AM, elof2 at sentor.se wrote:
>>>
>>>
>>> Hi Carter!
>>>
>>> In the ra manual I find:
>>>
>>> -M man = print management records
>>>
>>>
>>> ...but nowhere can I find any documentation as to what the values in the
>>> MAR records mean.
>>>
>>>
>>> Example:
>>> ra -AZb -nr out.log -M man
>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
>>> 10:53:41.106578 man 0 0 0 0 0 0 0 0 STA
>>> 10:53:41.106508 man 0 0 31 1 0 0 0 0 CON
>>> 10:54:41.201507 man 0 0 30 1 0 0 0 0 CON
>>> 10:55:41.195511 man 0 0 29 1 0 0 0 0 CON
>>> Totalrecords 4 TotalMarRecords 5 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
>>>
>>> I removed the out.log file and waited 6 minutes before running the command
>>> again.
>>>
>>> ra -AZb -nr out.log -M man
>>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
>>> 11:08:41.117577 man 0 0 0 0 0 0 0 0 STA
>>> 11:08:41.117510 man 0 0 25 1 0 0 0 0 CON
>>> 11:09:41.111507 man 0 0 25 1 0 0 0 0 CON
>>> 11:10:41.105505 man 0 0 25 1 0 0 0 0 CON
>>> 11:11:41.200512 man 0 0 25 1 0 0 0 0 CON
>>> 11:12:41.194504 man 0 0 25 1 0 0 0 0 CON
>>> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
>>>
>>> Argus is monitoring a NIC that currently has no link, so zero packets have
>>> been seen.
>>>
>>> MAR records are generated, just as they should.
>>>
>>> I'm curious as to what the 31, 30, 29 and 25, 25, 25, 25, 25 might be.
>>> And 1, 1, 1, 1, 1 in the Dport field...
>>> ...and why they are not all 0, since argus sees no packets at all.
>>>
>>>
>>> Could you please explain all the fields (and then paste the explanation
>>> into the ra manpage)? :-)
>>>
>>> /Elof
>>>
>>
>
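Reading the MAR records that `ra -M man xml` emits, as an added example that is not part of this thread or of argus: it parses the ArgusManagementRecord attributes named above and flags the StartTime/LastTime ordering questioned in item 6, plus dropped packets and missing one-minute reports. The sample stream is constructed from the attribute names and timestamps quoted in the thread; its first record and the non-zero PktsDropped value are invented for the check.

```python
"""Sanity-check Argus management (MAR) records exported with `ra -M man xml`.
Added example; the sample stream below is constructed, not real sensor output."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: records two and three reuse the StartTime/LastTime
# pairs quoted in the thread; PktsDropped="4" is invented to exercise that check.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ArgusDataStream MajorVersion="3" MinorVersion="0" ArgusSourceId="10.200.17.10">
<ArgusManagementRecord StartTime="2015-06-04T12:58:33.010479" LastTime="2015-06-04T12:58:33.010479" Flags=" " Proto="man" PktsRcvd="0" Records="0" BytesRcvd="0" PktsDropped="0" State="STA"></ArgusManagementRecord>
<ArgusManagementRecord StartTime="2015-06-04T12:59:33.039562" LastTime="2015-06-04T12:58:33.010479" Flags=" " Proto="man" PktsRcvd="0" Records="0" BytesRcvd="0" PktsDropped="0" State="CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime="2015-06-04T13:00:33.090726" LastTime="2015-06-04T12:59:33.039562" Flags=" " Proto="man" PktsRcvd="120" Records="3" BytesRcvd="9000" PktsDropped="4" State="CON"></ArgusManagementRecord>
</ArgusDataStream>
"""

COUNTERS = ("PktsRcvd", "Records", "BytesRcvd", "PktsDropped")
FIELDS = ("StartTime", "LastTime", "Flags", "Proto", "State") + COUNTERS

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f")

def parse_mar(xml_text):
    """Return one dict per ArgusManagementRecord, with counters as ints."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for el in root.iter("ArgusManagementRecord"):
        rec = {name: el.get(name) for name in FIELDS}
        for name in COUNTERS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records

def check_mar(records, expected_period=60.0):
    """Sensor-health findings: swapped timestamps, drops, missed reports."""
    findings = []
    prev_start = None
    for rec in records:
        start, last = parse_time(rec["StartTime"]), parse_time(rec["LastTime"])
        if last < start:
            findings.append((rec["StartTime"], "LastTime precedes StartTime"))
        if rec["PktsDropped"] > 0:
            findings.append((rec["StartTime"], f"{rec['PktsDropped']} packets dropped"))
        # MARs arrive on a fixed period; a gap over two periods means a stalled sensor or lost records.
        if prev_start is not None and (start - prev_start).total_seconds() > 2 * expected_period:
            findings.append((rec["StartTime"], "gap in management records"))
        prev_start = start
    return findings
```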