argus documentation
frequently asked questions
Argus Record Format

All Argus Records have a common Type Length Value (TLV) structure. All of them share a common 16-byte header, as specified by the C structure below:

struct ArgusRecord {
   unsigned char type, cause;
   unsigned short length;
   unsigned int status;
   unsigned int argusid;
   unsigned int seqNumber;
   union {
      struct ArgusMarStruct mar;
      struct ArgusFarStruct far;
   } ar_union;
};

The type field specifies the type of Argus record. There are two general types of Argus records, the Management Audit Record (MAR), and the Flow Activity Record (FAR).
The cause field specifies what conditions were met in the argus that caused the record to be generated. Each of these two record types can be generated because of Start, Status or Stop conditions regarding the flow.
The length is the length of the entire ArgusRecord.
The status field is a complex bit flag that identifies general conditions regarding the flow. These conditions apply to the generic transaction model that Argus uses for packet transaction classification, and provide indications such as connectivity status, transition states that the flow may have undergone while being tracked, and the encapsulation types and protocol formats seen in the packet stream.
The argusid is a unique identifier for the source argus that generated the record. This can be encoded as an IP address or an unsigned integer.
All ArgusRecords have a seqNumber, which helps to support integrity assurance of the ArgusRecord stream.

The Management Audit Record (MAR) provides information about Argus itself, and a Start MAR must be the first record in an ArgusRecord stream. Status MARs are generated by Argus periodically so that client reading programs can have some sense as to the health of the Argus that generated the data. An optional Stop MAR should be the last record in a well formed Argus data stream.

struct ArgusMarStruct {
    struct timeval startime, now;
    unsigned char major_version, minor_version;
    unsigned char interfaceType, interfaceStatus;
    unsigned short reportInterval, argusMrInterval;
    unsigned int argusid, localnet, netmask, nextMrSequenceNum;
    unsigned long long pktsRcvd, bytesRcvd;
    unsigned int pktsDrop, flows, flowsClosed;
    unsigned int actIPcons, cloIPcons;
    unsigned int actICMPcons, cloICMPcons;
    unsigned int actIGMPcons, cloIGMPcons;
    unsigned int actFRAGcons, cloFRAGcons;
    unsigned int actSECcons, cloSECcons;
    int record_len;
};

The Flow Activity Record (FAR) provides information about the network transaction flows that Argus tracks. FARs are generated either because of state, i.e. the transaction started (Start FAR) or stopped (Stop FAR), or because of time (Status FAR). If the life of a given flow extends beyond the Flow Status Timer, which is normally 60 seconds, then Argus will generate a FAR Status record, so that you will know that the flow is there and is active. Argus can support a minimum Flow Status Timer of 1 second. The format of the Argus FAR is:

struct ArgusFarStruct {
   unsigned char type, length;
   unsigned short status;
 
   unsigned int ArgusTransRefNum;
   struct ArgusTimeDesc time;
   struct ArgusFlow flow;
   struct ArgusAttributes attr;
   struct ArgusMeter src, dst;
};

struct ArgusTimeDesc {
   struct timeval start;
   struct timeval last;
};

struct ArgusFlow {
   union {
      struct ArgusIPFlow     ip;
      struct ArgusICMPFlow icmp;
      struct ArgusMACFlow   mac;
      struct ArgusArpFlow   arp;
      struct ArgusRarpFlow rarp;
      struct ArgusESPFlow   esp;
  } flow_union;
};

struct ArgusIPAttributes {
   unsigned short soptions, doptions;
   unsigned char sttl, dttl;
   unsigned char stos, dtos;
};

struct ArgusARPAttributes {
   unsigned char response[8];
};

struct ArgusAttributes {
   union {
      struct ArgusIPAttributes   ip;
      struct ArgusARPAttributes arp;
   } attr_union;
};

struct ArgusMeter {
   unsigned int count, bytes, appbytes;
};

struct ArgusIPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned short sport, dport;
   unsigned short ip_id;
};

struct ArgusICMPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned char type, code;
   unsigned short id, ip_id;
};

struct ArgusMACFlow {
   struct ether_header ehdr;
   unsigned char dsap, ssap;
};

struct ArgusArpFlow {
   unsigned int arp_spa;
   unsigned int arp_tpa;
   unsigned char etheraddr[6];
   unsigned short pad;
};
 
struct ArgusRarpFlow {
   unsigned int arp_tpa;
   unsigned char srceaddr[6];
   unsigned char tareaddr[6];
};
 
struct ArgusESPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned short pad;
   unsigned int spi;
};

The general format of the argus(8) data stream is that it is a well formed collection of Argus records.

The first record in any Argus stream must be a Start MAR, or initial management record. This record provides information regarding the type of argus that is generating the stream, its version numbers, and any interesting information, like its interface network addresses, etc. From then on the stream is composed of any combination of MAR and FAR records.

   Argus File Format:
      START MAR Argus Record
      FAR Argus Record
           .
           .
      STATUS MAR Argus Record (optional)
      FAR Argus Record
           .
           .
      STOP MAR Argus Record (optional)




© Copyright 2000 - 2006 QoSient, LLC. All rights reserved.