Argus RA generated field description

Carter Bullard carter at qosient.com
Sun Jul 16 10:37:23 EDT 2017 

Hey An,
Please keep email on the list, if you don’t mind.
Are you using all these fields ??  That’s pretty cool if you are …

Many of these fields are/should be self explanatory, as they are simple variations of other fields that are discussed.
Examples are SrcDur and DstDur.  These are the duration fields but specific to the source and dst sides of the flow.

Generally if it starts with an ’s' or ‘d', its the source and destination metric of something.  If it starts with a ‘p’, it is
almost always a “percent” metric.  If it has a [ ‘max’, ‘min’] its usually the max / min of a metric over the file/set of data.
If it has an “act’ or ‘idl’, these refer to active and idle times, which are reported in the Jitter support (packet dynamics),
and lastly If it has ‘dd’ or ‘ds’ the first ‘d’ is for ‘delta'.  These may be intended for apps like ratop., maybe not ra.1.
An example is ‘idle’, which needs state to be calculated.  Ratop.1 has the state to calculate that metric.

While Argus is used by a large number of groups/sites/people, the open source project is not financially supported.
As a result, the work is always in progress.  If the fields are in the man pages, they are “done”, if they aren’t, 
it generally means that there is something missing in the implementation.  All of these fields are in (or are derivable) 
from the data in argus records, but we may not have complete support for printing, graphic, filtering, sorting, analyzing, etc …

You should be able to divine the meaning looking at the source code for many of these fields, unless they are placeholders.

Some of these fields are pretty esoteric, and may relate to specific protocols, like jdelay and ldelay.  These are
the ‘join delay’ and ‘leave delay’ for multicast IGMP.  See a request to join a multicast group, how long did it take
to see traffic from the multicast address ...

If you are just trying to put a face to all the names, please stick to the fields that are in the man pages.
If you are interested in helping, pick a few of the fields, ones you want to use, and we’ll can discuss,
unless you want to implement them, then we’ll be most grateful.

Hope all is most excellent,
Carter

> On Jul 16, 2017, at 7:09 AM, Tran, An - 0558 - MITLL <atran at ll.mit.edu> wrote:
> 
> Hi Carter,
>  
> Thank you for the quick response.  Below are the fields that I am unable to find the description for.  Perhaps I have missed it in the man page:
>  
> sEnc
> dEnc
> Bssid      
> Ssid
> SrcStartTime      
> SrcLastTime        
> SrcDur   
> DstDur  
> DstStartTime      
> DstLastTime       
> Usually zero
> RelTime                
> SIntPktMax        
> SIntPktMin
> DIntPktMax        
> SIntPktMin         
> SIPActMax          
> SIPActMin           
> DIPActMax         
> DIPActMin          
> SIPIdlMax            
> SIPIdlMin             
> DIPIdlMax           
> DIPIdlMin
> Response
> dlDur     
> dlsTime 
> dllTime 
> dsPkts   
> ddPkts  
> dsPkts   
> ddPkts  
> dsBytes 
> ddBytes               
> pdsPkt  
> pddPkt 
> pdsByte               
> pddByte
> JDelay   
> LDelay   
> Bins        
> STcpMax              
> DTcpMax
>  
> -------------
> An Tran
> MIT Lincoln Laboratory
> Group 58: Cyber Analytics & Decision Systems
> 781-981-8232 <tel:781-981-8232> (w)
> 781-879-0468 <tel:781-879-0468> (m)
> atran at ll.mit.edu <mailto:atran at ll.mit.edu>
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Saturday, July 15, 2017 5:21 PM
> To: Tran, An - 0558 - MITLL <atran at ll.mit.edu>
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus RA generated field description
>  
> Hey An,
> The man pages are pretty lengthy ... Is there something specific that you are interested in ???
> Carter
>  <http://qosient.com/>	
>  
> Carter Bullard  <mailto:carter at qosient.com>• CTO
> 150 E 57th Street Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
> 
> On Jul 15, 2017, at 4:34 PM, Tran, An - 0558 - MITLL <atran at ll.mit.edu <mailto:atran at ll.mit.edu>> wrote:
> 
> Hello,
>  
> I am wondering if there are detailed description on the fields that are generated from running RA?  I have checked the wiki and I see some fields that are documented but many are missing. 
>  
> Thanks,
>  
> --An 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20170716/e0e547ec/attachment.html>

More information about the argus mailing list