Content-type: text/html Manpage of ARGUS

ARGUS

Section: File Formats (5)
Updated: 23 June 2000
Index Return to Main Contents
 

NAME

argus - IP Network Auditing Facility

 

SYNOPSIS

#include <[argus_dir]/include/argus_def.h>
#include <[argus_dir]/include/argus_out.h>

 

DESCRIPTION

The format of the argus(8) data stream is most succinctly described through the structures defined in the header file, but the general format is as follows:

Argus File Format:
   Argus_Datum Initial_Management_Record
   Argus_Datum
        .
        .
   Argus_Datum Management_Statistics
   Argus_Datum
        .
        .

where the individual data fields are defined as follows:

struct ArgusRecord {
   unsigned char type, cause;
   unsigned short length;
   unsigned int status;
   unsigned int argusid;
   unsigned int seqNumber;

   union {
      struct ArgusMarStruct  mar;
      struct ArgusFarStruct  far;
   } ar_union;
};

struct ArgusMarStruct {
   struct timeval startime, now;
   unsigned char  major_version, minor_version;
   unsigned char interfaceType, interfaceStatus;
   unsigned short reportInterval, argusMrInterval;
   unsigned int argusid, localnet, netmask, nextMrSequenceNum;
   unsigned long long pktsRcvd, bytesRcvd;
   unsigned int  pktsDrop, flows, flowsClosed;
   unsigned int actIPcons,  cloIPcons;
   unsigned int actICMPcons,  cloICMPcons;
   unsigned int actIGMPcons,  cloIGMPcons;
   unsigned int actFRAGcons,  cloFRAGcons;
   unsigned int actSECcons,  cloSECcons;
   int record_len;
};

struct ArgusFarStruct {
   unsigned char type, length;
   unsigned short status;
 
   unsigned int ArgusTransRefNum;
   struct ArgusTimeDesc time;
   struct ArgusFlow flow;
   struct ArgusAttributes attr;
   struct ArgusMeter src, dst;
};

struct ArgusTimeDesc {
   struct timeval start;
   struct timeval last;
};

struct ArgusFlow {
   union {
      struct ArgusIPFlow     ip;
      struct ArgusICMPFlow icmp;
      struct ArgusMACFlow   mac;
      struct ArgusArpFlow   arp;
      struct ArgusRarpFlow rarp;
      struct ArgusESPFlow   esp;
  } flow_union;
};

struct ArgusIPAttributes {
   unsigned short soptions, doptions;
   unsigned char sttl, dttl;
   unsigned char stos, dtos;
};

struct ArgusARPAttributes {
   unsigned char response[8];
};

struct ArgusAttributes {
   union {
      struct ArgusIPAttributes   ip;
      struct ArgusARPAttributes arp;
   } attr_union;
};


struct ArgusMeter {
   unsigned int count, bytes, appbytes;
};

struct ArgusIPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned short sport, dport;
   unsigned short ip_id;
};

struct ArgusICMPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned char type, code;
   unsigned short id, ip_id;
};

struct ArgusMACFlow {
   struct ether_header ehdr;
   unsigned char dsap, ssap;
};

struct ArgusArpFlow {
   unsigned int arp_spa;
   unsigned int arp_tpa;
   unsigned char etheraddr[6];
   unsigned short pad;
};
 
struct ArgusRarpFlow {
   unsigned int arp_tpa;
   unsigned char srceaddr[6];
   unsigned char tareaddr[6];
};
 
struct ArgusESPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned short pad;
   unsigned int spi;
};

 

SEE ALSO

argus(8),


 

Index

NAME
SYNOPSIS
DESCRIPTION
SEE ALSO

This document was created by man2html, using the manual pages.
Time: 23:40:57 GMT, March 15, 2001