argus(5) IP Network Auditing Facility

COPYRIGHT

Copyright (c) 2000-2004 QoSient. All rights reserved.

SYNOPSIS

#include <[argus_dir]/include/argus_def.h>
#include <[argus_dir]/include/argus_out.h>

DESCRIPTION

The format of the argus(8) data stream is most succinctly described through the structures defined in the header file, but the general format is as follows:

Argus File Format:
   Argus_Datum Initial_Management_Record
   Argus_Datum
        .
        .
   Argus_Datum Management_Statistics
   Argus_Datum
        .
        .

where the individual data fields are defined as follows:

/*
 * Top-level record of the argus(8) data stream.  Per the format sketch
 * above, the stream opens with an initial management record and then
 * carries a sequence of records, with management statistics records
 * interspersed.  The fixed header precedes a union of the two record
 * bodies; the field that selects the active union member is not shown
 * here (presumably type and/or status) -- confirm against argus_def.h.
 */
struct ArgusRecord {
   unsigned char type, cause;          /* record type and cause codes; values live in argus_def.h */
   unsigned short length;              /* record length (units not stated here; presumably bytes) */
   /*
    * NOTE(review): when a record is read from a stream, treat length as
    * untrusted: check it is at least the size of this fixed header and
    * not larger than the bytes actually available before touching
    * ar_union.  Byte order and struct packing are not stated in this page.
    */
   unsigned int status;                /* status flags; bit meanings live in argus_def.h */
   unsigned int argusid;               /* identifier of the reporting argus; also carried in ArgusMarStruct */
   unsigned int seqNumber;             /* sequence number of this record */
   union {
      struct ArgusMarStruct  mar;      /* management record body */
      struct ArgusFarStruct  far;      /* flow record body */
   } ar_union;
};
/*
 * Management record body: identifies the sensor and reports its
 * counters.  The initial record of a stream and the periodic
 * Management_Statistics records (see the format sketch above) use this
 * layout.  Field meanings below are taken from the names; semantics
 * beyond that are not given on this page.
 */
struct ArgusMarStruct {
   struct timeval startime, now;        /* sensor start time and time this record was produced (presumably) */
   unsigned char  major_version, minor_version;   /* argus data format version */
   unsigned char interfaceType, interfaceStatus;  /* capture interface type/status; values in argus_def.h */
   unsigned short reportInterval, argusMrInterval; /* reporting intervals; units not stated here */
   unsigned int argusid, localnet, netmask, nextMrSequenceNum; /* sensor id, local network/mask, next management seq */
   unsigned long long pktsRcvd, bytesRcvd;  /* 64-bit receive counters */
   unsigned int  pktsDrop, flows, flowsClosed; /* 32-bit counters: dropped packets, flows seen/closed */
   /* act*/clo* pairs below presumably count active vs. closed entries per protocol -- confirm */
   unsigned int actIPcons,  cloIPcons;
   unsigned int actICMPcons,  cloICMPcons;
   unsigned int actIGMPcons,  cloIGMPcons;
   unsigned int actFRAGcons,  cloFRAGcons;
   unsigned int actSECcons,  cloSECcons;
   int record_len;                      /* signed; NOTE(review): a reader should reject negative values before using it as a size */
};
/*
 * Flow record body.  Carries its own small type/length/status header
 * ahead of the flow key, attributes and per-direction meters.
 */
struct ArgusFarStruct {
   unsigned char type, length;         /* inner type and length; NOTE(review): a second length field -- validate it against the enclosing ArgusRecord.length when parsing */
   unsigned short status;              /* flow status flags; values in argus_def.h */
 
   unsigned int ArgusTransRefNum;      /* transaction reference number */
   struct ArgusTimeDesc time;          /* first/last seen timestamps */
   struct ArgusFlow flow;              /* flow key (union over protocol-specific layouts) */
   struct ArgusAttributes attr;        /* protocol attributes (union) */
   struct ArgusMeter src, dst;         /* counters for each direction */
};
/* Time span of a flow: the first and most recent packet times. */
struct ArgusTimeDesc {
   struct timeval start;               /* time of the first packet in the flow (presumably) */
   struct timeval last;                /* time of the last packet seen so far (presumably) */
};
/*
 * Flow key.  Exactly one union member is meaningful for a given record;
 * nothing inside this struct records which one, so the reader must
 * decide from the enclosing record (presumably ArgusFarStruct.type or
 * status) -- confirm against argus_def.h.
 */
struct ArgusFlow {
   union {
      struct ArgusIPFlow     ip;       /* IP (TCP/UDP and other IP protocols) */
      struct ArgusICMPFlow icmp;       /* ICMP */
      struct ArgusMACFlow   mac;       /* link-layer (Ethernet) */
      struct ArgusArpFlow   arp;       /* ARP */
      struct ArgusRarpFlow rarp;       /* RARP */
      struct ArgusESPFlow   esp;       /* IPsec ESP */
  } flow_union;
};
/* Per-direction IP header attributes (s* = source side, d* = destination side, going by the names). */
struct ArgusIPAttributes {
   unsigned short soptions, doptions;  /* IP option flags seen in each direction; bit meanings in argus_def.h */
   unsigned char sttl, dttl;           /* TTL observed in each direction */
   unsigned char stos, dtos;           /* TOS byte observed in each direction */
};
/* ARP attributes: an 8-byte opaque response field; its encoding is not described on this page. */
struct ArgusARPAttributes {
   unsigned char response[8];
};
/*
 * Protocol attributes.  As with ArgusFlow, the active member is chosen
 * by the enclosing record, not by a field in this struct.
 */
struct ArgusAttributes {
   union {
      struct ArgusIPAttributes   ip;   /* valid for IP-based flows */
      struct ArgusARPAttributes arp;   /* valid for ARP flows */
   } attr_union;
};
/*
 * Traffic counters for one direction of a flow.  All three are 32-bit,
 * so if they are cumulative they wrap past 4 GiB -- consumers
 * aggregating long-lived flows should expect that.
 */
struct ArgusMeter {
   unsigned int count, bytes, appbytes; /* packets, total bytes, application-layer bytes (presumably payload only) */
};
/* Flow key for IP traffic: 32-bit addresses, protocol number and transport ports. */
struct ArgusIPFlow {
   unsigned int ip_src, ip_dst;        /* 32-bit source/destination addresses (IPv4-sized); byte order not stated here */
   unsigned char ip_p, tp_p;           /* IP protocol number; tp_p meaning not stated here -- confirm in argus_def.h */
   unsigned short sport, dport;        /* transport source/destination ports */
   unsigned short ip_id;               /* IP identification field */
};
/* Flow key for ICMP traffic; same leading layout as ArgusIPFlow, then ICMP type/code/id. */
struct ArgusICMPFlow {
   unsigned int ip_src, ip_dst;        /* 32-bit source/destination addresses */
   unsigned char ip_p, tp_p;           /* IP protocol number; tp_p meaning not stated here */
   unsigned char type, code;           /* ICMP type and code */
   unsigned short id, ip_id;           /* ICMP identifier (presumably echo id) and IP identification */
};
/*
 * Flow key for link-layer traffic.  struct ether_header comes from the
 * system headers (not shown on this page), so its exact size and
 * packing depend on the platform.
 */
struct ArgusMACFlow {
   struct ether_header ehdr;           /* Ethernet header (addresses and type) */
   unsigned char dsap, ssap;           /* destination/source service access points (LLC, presumably) */
};
/* Flow key for ARP traffic. */
struct ArgusArpFlow {
   unsigned int arp_spa;               /* sender protocol address (presumably IPv4) */
   unsigned int arp_tpa;               /* target protocol address (presumably IPv4) */
   unsigned char etheraddr[6];         /* hardware address; which party it belongs to is not stated here */
   unsigned short pad;                 /* explicit padding to keep the layout a multiple of 4 bytes (presumably) */
};
 
/* Flow key for RARP traffic: target protocol address plus both hardware addresses. */
struct ArgusRarpFlow {
   unsigned int arp_tpa;               /* target protocol address */
   unsigned char srceaddr[6];          /* source hardware address */
   unsigned char tareaddr[6];          /* target hardware address */
};
 
/* Flow key for IPsec ESP traffic; ports are replaced by the SPI. */
struct ArgusESPFlow {
   unsigned int ip_src, ip_dst;        /* 32-bit source/destination addresses */
   unsigned char ip_p, tp_p;           /* IP protocol number; tp_p meaning not stated here */
   unsigned short pad;                 /* padding where ArgusIPFlow carries ports (presumably) */
   unsigned int spi;                   /* ESP security parameter index */
};