Manual for man records - MAR fields explained
elof2 at sentor.se
Wed May 27 07:43:58 EDT 2015
Hi Carter.
Ok, so I run the same command twice, once with xml and once without:
# ra -Zb -M man xml -A -nr argus.log -
<?xml version ="1.0" encoding="UTF-8"?>
<!--Generated by ra(3.0.8) QoSient, LLC-->
<ArgusDataStream
  xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
  BeginDate = "2015-05-26T10:39:41.298236" CurrentDate = "2015-05-27T11:46:10.400186"
  MajorVersion = "3" MinorVersion = "0" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
  ArgusSourceId = "10.200.17.10" NetAddr = "0.0.0.0" NetMask = "0.0.0.0">
<ArgusManagementRecord StartTime = "2015-05-26T10:58:41.177579" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "STA"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-05-26T10:58:41.177511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-05-26T10:59:41.171511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-05-26T11:00:41.165508" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-05-26T11:01:41.159511" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime = "2015-05-26T11:02:41.153510" Flags = " " Proto = "man" PktsRcvd = "0" Records = "0" BytesRcvd = "0" PktsDropped = "0" State = "CON"></ArgusManagementRecord>
Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
</ArgusDataStream>
# ra -Zb -M man -A -nr argus.log -
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
10:58:41.177579 man 0 0 0 0 0 0 0 0 STA
10:58:41.177511 man 0 0 26 1 0 0 0 0 CON
10:59:41.171511 man 0 0 25 1 0 0 0 0 CON
11:00:41.165508 man 0 0 25 1 0 0 0 0 CON
11:01:41.159511 man 0 0 25 1 0 0 0 0 CON
11:02:41.153510 man 0 0 25 1 0 0 0 0 CON
Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
In the xml output I understand the values.
So I guess the problem here is how (and what) ra outputs in standard mode.
In xml we have 8 values:
StartTime = "2015-05-26T11:02:41.153510"
Flags = " "
Proto = "man"
PktsRcvd = "0"
Records = "0"
BytesRcvd = "0"
PktsDropped = "0"
State = "CON"
But in normal ra output we have more, in my example:
11:02:41.153510
" "
man
0
0
25
1
0
0
0
0
CON
The sniffer interface sees no traffic at all, so the xml output shows
all zeroes. Good.
I expect all zeroes in the normal ra output as well, but they are not.
Confusing.
1. What are the "25" and the "1" values? Just random garbage?
2. I don't know if there is anything to figure out for v3.0.9.
   Couldn't you just list which MAR field is mapped to what FAR field?
   Then we have a conversion map for the few times we need it.
3. Please then copy this MAR->FAR field conversion map into the ra manual.
4. When ra operates in normal output mode, couldn't you please make it print
   blanks in all non-mapped fields on MAR rows? Blank values indicate better
   than zeroes (or random garbage) that there is no information there to be found.
5. Apart from adding the MAR->FAR field conversion map to the ra manual,
   I think you should also add the following notes to the -M section:

   man - print management records. Xml output mode is recommended
   (-M man xml), but if using normal output mode, see the
   MAR->FAR field conversion map below.
/Elof
On Tue, 26 May 2015, Carter Bullard wrote:
> If you printed the records out in xml, you should get a bit of an explanation.
> ra -M man xml
> The man records have quite a bit of information, but the fields don't necessarily conform to the standard fields for FAR records. Saddr, sport, etc ... What are the equivalents in the MAR records ??? Nothing really, so we haven't described what the fields are supposed to mean, as it's a bit up in the air since argus-3.0.6 when we made significant changes and changed the default output.
>
> Something we should figure out for 3.0.9 ???
>
> Carter
>
>
>> On May 26, 2015, at 11:23 AM, elof2 at sentor.se wrote:
>>
>>
>> Hi Carter!
>>
>> In the ra manual I find:
>>
>> -M man = print management records
>>
>>
>> ...but nowhere can I find any documentation as to what the values in the MAR records mean.
>>
>>
>> Example:
>> ra -AZb -nr out.log -M man
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
>> 10:53:41.106578 man 0 0 0 0 0 0 0 0 STA
>> 10:53:41.106508 man 0 0 31 1 0 0 0 0 CON
>> 10:54:41.201507 man 0 0 30 1 0 0 0 0 CON
>> 10:55:41.195511 man 0 0 29 1 0 0 0 0 CON
>> Totalrecords 4 TotalMarRecords 5 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
>>
>> I removed the out.log file and waited 6 minutes before running the command again.
>>
>> ra -AZb -nr out.log -M man
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
>> 11:08:41.117577 man 0 0 0 0 0 0 0 0 STA
>> 11:08:41.117510 man 0 0 25 1 0 0 0 0 CON
>> 11:09:41.111507 man 0 0 25 1 0 0 0 0 CON
>> 11:10:41.105505 man 0 0 25 1 0 0 0 0 CON
>> 11:11:41.200512 man 0 0 25 1 0 0 0 0 CON
>> 11:12:41.194504 man 0 0 25 1 0 0 0 0 CON
>> Totalrecords 6 TotalMarRecords 7 TotalFarRecords 0 TotalPkts 0 TotalBytes 0
>>
>> Argus is monitoring a NIC that currently has no link, so zero packets have been seen.
>>
>> MAR records are generated, just as they should.
>>
>> I'm curious as to what the 31, 30, 29 and 25, 25, 25, 25, 25 might be.
>> And 1, 1, 1, 1, 1 in the Dport field...
>> ...and why they are not all 0, since argus sees no packets at all.
>>
>>
>> Could you please explain all the fields (and then paste the explanation into the ra manpage)? :-)
>>
>> /Elof
>>
>
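The xml form of the management records is the one whose fields are named and readable, so that is the form to build sensor-health monitoring on. The following is an added example, not code from this thread or from the argus project: it parses the ArgusManagementRecord attributes shown above from a constructed sample and flags dropped packets and missing MAR intervals (assuming the 60 s spacing visible in the output), which is how a defender notices a sensor that has gone quiet.

```python
"""Parse `ra -M man xml` management records and flag sensor-health problems."""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the ArgusDataStream output above;
# the counter values are made up to exercise the checks.
SAMPLE_XML = """<ArgusDataStream ArgusSourceId="10.200.17.10" InterfaceStatus="Up">
<ArgusManagementRecord StartTime="2015-05-26T10:58:41.177579" Flags=" " Proto="man" PktsRcvd="0" Records="0" BytesRcvd="0" PktsDropped="0" State="STA"></ArgusManagementRecord>
<ArgusManagementRecord StartTime="2015-05-26T10:58:41.177511" Flags=" " Proto="man" PktsRcvd="0" Records="0" BytesRcvd="0" PktsDropped="0" State="CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime="2015-05-26T10:59:41.171511" Flags=" " Proto="man" PktsRcvd="120" Records="4" BytesRcvd="9000" PktsDropped="0" State="CON"></ArgusManagementRecord>
<ArgusManagementRecord StartTime="2015-05-26T11:02:41.153510" Flags=" " Proto="man" PktsRcvd="300" Records="9" BytesRcvd="40000" PktsDropped="17" State="CON"></ArgusManagementRecord>
</ArgusDataStream>
"""

INT_FIELDS = ("PktsRcvd", "Records", "BytesRcvd", "PktsDropped")


def parse_mar_records(xml_text):
    """Return one dict per ArgusManagementRecord, counters converted to int."""
    root = ET.fromstring(xml_text)
    recs = []
    for el in root.iter("ArgusManagementRecord"):
        rec = {"StartTime": datetime.fromisoformat(el.get("StartTime")),
               "State": el.get("State")}
        for field in INT_FIELDS:
            rec[field] = int(el.get(field, "0"))
        recs.append(rec)
    return recs


def check_sensor_health(records, interval_s=60, slack_s=5):
    """Flag any record with PktsDropped > 0, and any CON record that arrives
    more than interval_s + slack_s after the previous CON record (a missing
    MAR usually means argus stalled or the link to the collector dropped)."""
    issues = []
    prev = None
    for rec in records:
        if rec["PktsDropped"] > 0:
            issues.append(("drops", rec["StartTime"], rec["PktsDropped"]))
        if rec["State"] == "CON":           # STA/STP records are not periodic
            if prev is not None:
                gap = (rec["StartTime"] - prev).total_seconds()
                if gap > interval_s + slack_s:
                    issues.append(("gap", rec["StartTime"], gap))
            prev = rec["StartTime"]
    return issues


if __name__ == "__main__":
    for kind, when, value in check_sensor_health(parse_mar_records(SAMPLE_XML)):
        print(f"{when.isoformat()} {kind}: {value}")
```

Run it against live output with `ra -M man xml -r argus.log` piped into `parse_mar_records` to get the same checks on real records.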