Manual for man records - MAR fields explained

Carter Bullard carter at qosient.com
Tue May 26 16:49:47 EDT 2015 

If you printed the records out in xml, you should get a bit of an explanation.
     ra -M man xml
The man records have quite a bit of information, but the fields don't necessarily conform to the standard fields for FAR records.  Saddr, sport, etc ... What are the equivalents in the MAR records ???  Nothing really, so we haven't described what the fields are suppose to mean, as it's a bit up in the air since argus-3.0.6 when we made significant changes and changed the default output.

Something we should figure out for 3.0.9 ???

Carter


> On May 26, 2015, at 11:23 AM, elof2 at sentor.se wrote:
> 
> 
> Hi Carter!
> 
> In the ra manual I find:
> 
> -M man  =  print management records
> 
> 
> ...but nowhere can I find any documentation as to what the values in the MAR records mean.
> 
> 
> Example:
> ra -AZb -nr out.log -M man
>      StartTime      Flgs  Proto            SrcAddr  Sport Dir            DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes         State
> 10:53:41.106578              man                  0      0                      0      0        0        0            0            0           STA
> 10:53:41.106508              man                  0      0                     31      1        0        0            0            0           CON
> 10:54:41.201507              man                  0      0                     30      1        0        0            0            0           CON
> 10:55:41.195511              man                  0      0                     29      1        0        0            0            0           CON
> Totalrecords 4         TotalMarRecords 5         TotalFarRecords 0        TotalPkts 0        TotalBytes 0
> 
> I removed the out.log file and waited 6 minutes before running the command again.
> 
> ra -AZb -nr out.log -M man
>      StartTime      Flgs  Proto            SrcAddr  Sport Dir            DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes         State
> 11:08:41.117577              man                  0      0                      0      0        0        0            0            0           STA
> 11:08:41.117510              man                  0      0                     25      1        0        0            0            0           CON
> 11:09:41.111507              man                  0      0                     25      1        0        0            0            0           CON
> 11:10:41.105505              man                  0      0                     25      1        0        0            0            0           CON
> 11:11:41.200512              man                  0      0                     25      1        0        0            0            0           CON
> 11:12:41.194504              man                  0      0                     25      1        0        0            0            0           CON
> Totalrecords 6         TotalMarRecords 7         TotalFarRecords 0        TotalPkts 0        TotalBytes 0
> 
> Argus is monitoring a NIC that currently has no link, so zero packets has been seen.
> 
> MAR records are generated, just as they should.
> 
> I'm curious as to what the 31, 30, 29 and 25, 25, 25, 25, 25 might be.
> And 1, 1, 1, 1, 1 in the Dport field...
> ...and why they are not all 0, since argus see no packets at all.
> 
> 
> Could you please explain all the fields (and then paste the explaination into the ra manpage)? :-)
> 
> /Elof
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150526/7a86da5f/attachment.html>

More information about the argus mailing list