Manual for man records - MAR fields explained
elof2 at sentor.se
Wed Jun 17 10:07:10 EDT 2015
Hi Carter (and list).
Any answers/comments to 1 thru 6?
/Elof
On Thu, 4 Jun 2015, elof2 at sentor.se wrote:
>
> Hi Carter.
>
> 6.
> In the MAR records, StartTime and LastTime seem to be swapped.
>
> StartTime = "2015-06-04T12:59:33.039562" LastTime = "2015-06-04T12:58:33.010479"
> StartTime = "2015-06-04T13:00:33.090726" LastTime = "2015-06-04T12:59:33.039562"
>
> Shouldn't they be the other way around?
>
> /Elof
>
>
> On Wed, 27 May 2015, elof2 at sentor.se wrote:
>
>>
>> Hi Carter.
>>
>> Ok, so I run the same command twice, once with xml and once without:
>>
>> # ra -Zb -M man xml -A -nr argus.log -
>> <?xml version ="1.0" encoding="UTF-8"?>
>> <!--Generated by ra(3.0.8) QoSient, LLC-->
>> <ArgusDataStream
>> xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
>> xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
>> BeginDate = "2015-05-26T10:39:41.298236" CurrentDate = "2015-05-27T11:46:10.400186"
>> MajorVersion = "3" MinorVersion = "0" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
>> ArgusSourceId = "10.200.17.10" NetAddr = "0.0.0.0" NetMask = "0.0.0.0">
>>
>> <ArgusManagementRecord StartTime = "2015-05-26T10:58:41.177579" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "STA"></ArgusManagementRecord>
>> <ArgusManagementRecord StartTime = "2015-05-26T10:58:41.177511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
>> <ArgusManagementRecord StartTime = "2015-05-26T10:59:41.171511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
>> <ArgusManagementRecord StartTime = "2015-05-26T11:00:41.165508" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
>> <ArgusManagementRecord StartTime = "2015-05-26T11:01:41.159511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
>> <ArgusManagementRecord StartTime = "2015-05-26T11:02:41.153510" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
>> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0
>> TotalPkts 0 TotalBytes 0
>> </ArgusDataStream>
>>
>> # ra -Zb -M man -A -nr argus.log -
>> StartTime        Flgs  Proto  SrcAddr  Sport  Dir  DstAddr  Dport  SrcPkts  DstPkts  SrcBytes  DstBytes  State
>> 10:58:41.177579        man    0        0           0        0      0        0        0         0         STA
>> 10:58:41.177511        man    0        0           26       1      0        0        0         0         CON
>> 10:59:41.171511        man    0        0           25       1      0        0        0         0         CON
>> 11:00:41.165508        man    0        0           25       1      0        0        0         0         CON
>> 11:01:41.159511        man    0        0           25       1      0        0        0         0         CON
>> 11:02:41.153510        man    0        0           25       1      0        0        0         0         CON
>> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0
>> TotalPkts 0 TotalBytes 0
>>
>>
>> In the xml output I understand the values.
>> So I guess the problem here is how (and what) ra outputs in standard mode.
>>
>> In xml we have 8 values:
>> StartTime = "2015-05-26T11:02:41.153510"
>> Flags = " "
>> Proto = "man"
>> PktsRcvd = "0"
>> Records = "0"
>> BytesRcvd = "0"
>> PktsDropped = "0"
>> State = "CON"
>>
>> But in normal ra output we have more, in my example:
>> 11:02:41.153510
>> " "
>> man
>> 0
>> 0
>> 25
>> 1
>> 0
>> 0
>> 0
>> 0
>> CON
>>
>>
>> The sniffer interface sees no traffic at all, so the xml output shows all
>> zeroes. Good.
>> I expect all zeroes in the normal ra output as well, but that is not the case.
>> Confusing.
>>
>> 1.
>> What is the "25" and the "1" values? Just random garbage?
>>
>> 2. I don't know if there is anything to figure out for v3.0.9.
>> Couldn't you just list which MAR field is mapped to what FAR field?
>> Then we have a conversion map for the few times we need it.
>>
>> 3.
>> Please then copy this MAR->FAR field conversion map into the ra manual.
>>
>> 4.
>> When ra operates in normal output mode, couldn't you please make it print
>> blanks in all non-mapped fields on MAR rows? Blank values better indicate
>> that there is no information there to be found than zeroes (or random
>> garbage).
>>
>> 5.
>> Apart from adding the MAR->FAR field conversion map to the ra manual, I
>> think you should also add the following notes to the -M section:
>>
>> man - print management records. Xml output mode is recommended
>> (-M man xml), but if using normal output mode, see the
>> MAR->FAR field conversion map below.
>>
>> /Elof
>>
>>
>> On Tue, 26 May 2015, Carter Bullard wrote:
>>
>>> If you printed the records out in xml, you should get a bit of an
>>> explanation.
>>> ra -M man xml
>>> The man records have quite a bit of information, but the fields don't
>>> necessarily conform to the standard fields for FAR records. Saddr, sport,
>>> etc ... What are the equivalents in the MAR records ??? Nothing really,
>>> so we haven't described what the fields are supposed to mean, as it's a bit
>>> up in the air since argus-3.0.6 when we made significant changes and
>>> changed the default output.
>>>
>>> Something we should figure out for 3.0.9 ???
>>>
>>> Carter
>>>
>>>
>>>> On May 26, 2015, at 11:23 AM, elof2 at sentor.se wrote:
>>>>
>>>>
>>>> Hi Carter!
>>>>
>>>> In the ra manual I find:
>>>>
>>>> -M man = print management records
>>>>
>>>>
>>>> ...but nowhere can I find any documentation as to what the values in the
>>>> MAR records mean.
>>>>
>>>>
>>>> Example:
>>>> ra -AZb -nr out.log -M man
>>>> StartTime        Flgs  Proto  SrcAddr  Sport  Dir  DstAddr  Dport  SrcPkts  DstPkts  SrcBytes  DstBytes  State
>>>> 10:53:41.106578        man    0        0           0        0      0        0        0         0         STA
>>>> 10:53:41.106508        man    0        0           31       1      0        0        0         0         CON
>>>> 10:54:41.201507        man    0        0           30       1      0        0        0         0         CON
>>>> 10:55:41.195511        man    0        0           29       1      0        0        0         0         CON
>>>> Totalrecords 4 TotalMarRecords 5 TotalFarRecords 0
>>>> TotalPkts 0 TotalBytes 0
>>>>
>>>> I removed the out.log file and waited 6 minutes before running the
>>>> command again.
>>>>
>>>> ra -AZb -nr out.log -M man
>>>> StartTime        Flgs  Proto  SrcAddr  Sport  Dir  DstAddr  Dport  SrcPkts  DstPkts  SrcBytes  DstBytes  State
>>>> 11:08:41.117577        man    0        0           0        0      0        0        0         0         STA
>>>> 11:08:41.117510        man    0        0           25       1      0        0        0         0         CON
>>>> 11:09:41.111507        man    0        0           25       1      0        0        0         0         CON
>>>> 11:10:41.105505        man    0        0           25       1      0        0        0         0         CON
>>>> 11:11:41.200512        man    0        0           25       1      0        0        0         0         CON
>>>> 11:12:41.194504        man    0        0           25       1      0        0        0         0         CON
>>>> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0
>>>> TotalPkts 0 TotalBytes 0
>>>>
>>>> Argus is monitoring a NIC that currently has no link, so zero packets have
>>>> been seen.
>>>>
>>>> MAR records are generated, just as they should.
>>>>
>>>> I'm curious as to what the 31, 30, 29 and 25, 25, 25, 25, 25 might be.
>>>> And 1, 1, 1, 1, 1 in the Dport field...
>>>> ...and why they are not all 0, since argus see no packets at all.
>>>>
>>>>
>>>> Could you please explain all the fields (and then paste the explanation
>>>> into the ra manpage)? :-)
>>>>
>>>> /Elof
>>>>
>>>
>>
>
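A parser for the two `ra -M man` output forms discussed in this thread, added here as an example; it is not code from argus or ra and not from either poster. SAMPLE_XML is constructed: the stream header is the one quoted from ra 3.0.8 in the 27 May message, the records reuse the StartTime/LastTime pairs quoted under point 6 (the STA record's LastTime and the trailer counts are made up), and the "Totalrecords" trailer is placed where ra prints it, inside the root element. The normal-mode mapping assumes, from the quoted output, that Flgs and Dir print empty on MAR rows; it says nothing about what the values mean, only which column they land in.

```python
"""Read argus management (MAR) records from `ra -M man xml` and `ra -M man` output.

Added example for this thread, not code from argus/ra or from the posters.
SAMPLE_XML is constructed (see the lead-in): header from the quoted 3.0.8
stream, records from the StartTime/LastTime pairs quoted under point 6.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by ra(3.0.8) QoSient, LLC-->
<ArgusDataStream
 xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
 BeginDate = "2015-05-26T10:39:41.298236" CurrentDate = "2015-05-27T11:46:10.400186"
 MajorVersion = "3" MinorVersion = "0" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
 ArgusSourceId = "10.200.17.10" NetAddr = "0.0.0.0" NetMask = "0.0.0.0">
<ArgusManagementRecord StartTime = "2015-06-04T12:58:33.010479" LastTime = "2015-06-04T12:58:33.010479" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "STA"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-06-04T12:59:33.039562" LastTime = "2015-06-04T12:58:33.010479" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-06-04T13:00:33.090726" LastTime = "2015-06-04T12:59:33.039562" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
Totalrecords 3 TotalMarRecords 3 TotalFarRecords 0
TotalPkts 0 TotalBytes 0
</ArgusDataStream>
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f"
TIME_FIELDS = ("StartTime", "LastTime")
COUNTER_FIELDS = ("PktsRcvd", "Records", "BytesRcvd", "PktsDropped")


def parse_man_records(xml_text):
    """One dict per ArgusManagementRecord; times become datetime, counters int.

    The root carries xmlns:xsi, but the record elements are in no namespace,
    so the plain tag name matches.  The trailer ra prints before the closing
    tag is ordinary character data and does not disturb the parse.
    """
    root = ET.fromstring(xml_text)
    records = []
    for elem in root.iter("ArgusManagementRecord"):
        rec = dict(elem.attrib)
        for name in TIME_FIELDS:
            if name in rec:
                rec[name] = datetime.strptime(rec[name], TIME_FMT)
        for name in COUNTER_FIELDS:
            if name in rec:
                rec[name] = int(rec[name])
        records.append(rec)
    return records


def parse_trailer(xml_text):
    """Pull the 'Totalrecords N TotalMarRecords N ...' lines out of the stream."""
    return {key: int(val) for key, val in re.findall(r"\b(Total\w+) (\d+)", xml_text)}


def time_order_problems(records):
    """Indexes of records whose LastTime is earlier than StartTime (point 6)."""
    return [i for i, rec in enumerate(records)
            if "LastTime" in rec and rec["LastTime"] < rec["StartTime"]]


def summarize(records):
    """Sensor-health roll-up: records per State plus summed counters."""
    states = {}
    totals = dict.fromkeys(COUNTER_FIELDS, 0)
    for rec in records:
        states[rec["State"]] = states.get(rec["State"], 0) + 1
        for name in COUNTER_FIELDS:
            totals[name] += rec.get(name, 0)
    return {"states": states, **totals}


# Normal-mode output: the header has 13 columns but a MAR row prints 11
# tokens.  Assumption taken from the quoted output: Flgs and Dir print empty.
PLAIN_HEADER = ("StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport "
                "SrcPkts DstPkts SrcBytes DstBytes State").split()
EMPTY_COLUMNS = ("Flgs", "Dir")


def parse_plain_man_line(line):
    """Map the tokens of a `ra -M man` row onto the FAR column names positionally."""
    tokens = line.split()
    columns = [c for c in PLAIN_HEADER if c not in EMPTY_COLUMNS]
    if len(tokens) != len(columns):
        raise ValueError(f"expected {len(columns)} tokens, got {len(tokens)}: {line!r}")
    rec = dict(zip(columns, tokens))
    rec.update((c, "") for c in EMPTY_COLUMNS)
    return rec


if __name__ == "__main__":
    recs = parse_man_records(SAMPLE_XML)
    for i in time_order_problems(recs):
        print(f"record {i}: LastTime {recs[i]['LastTime']} < StartTime {recs[i]['StartTime']}")
    print(summarize(recs), parse_trailer(SAMPLE_XML))
    print(parse_plain_man_line("10:58:41.177511 man 0 0 26 1 0 0 0 0 CON"))
```

Run against a live stream, `parse_man_records` and `summarize` give the State and PktsDropped view one actually wants from MAR records when checking sensor health, and `time_order_problems` flags the StartTime/LastTime ordering raised under point 6 rather than silently ingesting it. `parse_plain_man_line` only shows where the 26/25 and 1 values land in the normal-mode column layout (DstAddr and Dport), which is the mapping question; it does not claim to know what they are.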