NAME
argus - IP Network Auditing Facility
COPYRIGHT
Copyright (c) 2000-2004 QoSient. All rights reserved.
SYNOPSIS
#include <[argus_dir]/include/argus_def.h>
#include <[argus_dir]/include/argus_out.h>
DESCRIPTION
The format of the argus(8) data stream is most succinctly described
by the structures defined in the header files listed above, but the general
format is as follows:
Argus File Format:
Argus_Datum Initial_Management_Record
Argus_Datum
.
.
Argus_Datum Management_Statistics
Argus_Datum
.
.
where the individual data fields are defined as follows:
/*
 * One Argus datum as it appears in the data stream: a fixed header
 * followed by either a management (mar) or a flow (far) payload.
 * The structure is declared with native types and no packing
 * attribute, so the encoded layout is that of the producing host.
 */
struct ArgusRecord {
    unsigned char  type;        /* record type */
    unsigned char  cause;       /* why the record was emitted */
    unsigned short length;      /* presumably total record length in bytes;
                                 * a reader should check it against the
                                 * bytes actually available before touching
                                 * ar_union -- TODO confirm semantics */
    unsigned int   status;
    unsigned int   argusid;     /* identifier of the emitting argus */
    unsigned int   seqNumber;   /* sequence number of this record */
    union {
        struct ArgusMarStruct mar;  /* management record */
        struct ArgusFarStruct far;  /* flow activity record */
    } ar_union;                 /* which member is active presumably
                                 * follows from type -- confirm */
};
struct ArgusMarStruct {
struct timeval startime, now;
unsigned char major_version, minor_version;
unsigned char interfaceType, interfaceStatus;
unsigned short reportInterval, argusMrInterval;
unsigned int argusid, localnet, netmask, nextMrSequenceNum;
unsigned long long pktsRcvd, bytesRcvd;
unsigned int pktsDrop, flows, flowsClosed;
unsigned int actIPcons, cloIPcons;
unsigned int actICMPcons, cloICMPcons;
unsigned int actIGMPcons, cloIGMPcons;
unsigned int actFRAGcons, cloFRAGcons;
unsigned int actSECcons, cloSECcons;
int record_len;
};
/*
 * Flow activity record payload: timing, flow key, attributes and
 * per-direction meters for one observed flow.
 */
struct ArgusFarStruct {
    unsigned char  type;
    unsigned char  length;              /* 8-bit; presumably the payload
                                         * length -- bound-check against
                                         * the enclosing record */
    unsigned short status;
    unsigned int   ArgusTransRefNum;    /* transaction reference number */
    struct ArgusTimeDesc   time;        /* first/last packet times */
    struct ArgusFlow       flow;        /* flow key (union by flow kind) */
    struct ArgusAttributes attr;        /* protocol attributes */
    struct ArgusMeter      src;         /* source -> destination counters */
    struct ArgusMeter      dst;         /* destination -> source counters */
};
/* Time span of a flow: first and most recent packet timestamps. */
struct ArgusTimeDesc {
    struct timeval start;   /* time of the first packet */
    struct timeval last;    /* time of the last packet seen */
};
/*
 * Flow key: one of several per-protocol keys overlaid in a union.
 * The union carries no discriminator of its own; the active member
 * presumably follows from the enclosing record's type/status fields,
 * so a reader must select it from there rather than guess.
 */
struct ArgusFlow {
    union {
        struct ArgusIPFlow   ip;    /* IP (TCP/UDP/other) flow */
        struct ArgusICMPFlow icmp;  /* ICMP flow */
        struct ArgusMACFlow  mac;   /* link-layer flow */
        struct ArgusArpFlow  arp;   /* ARP request/response */
        struct ArgusRarpFlow rarp;  /* RARP request/response */
        struct ArgusESPFlow  esp;   /* IPsec ESP flow */
    } flow_union;
};
/* IP header attributes, recorded per direction (s = source, d = destination). */
struct ArgusIPAttributes {
    unsigned short soptions;    /* IP options seen from the source */
    unsigned short doptions;    /* IP options seen from the destination */
    unsigned char  sttl;        /* TTL from the source */
    unsigned char  dttl;        /* TTL from the destination */
    unsigned char  stos;        /* TOS from the source */
    unsigned char  dtos;        /* TOS from the destination */
};
/* ARP attributes: 8 raw bytes of response data (contents not specified here). */
struct ArgusARPAttributes {
    unsigned char response[8];  /* fixed 8 bytes; no length field */
};
/*
 * Protocol attributes overlaid in a union; the active member presumably
 * matches the flow kind selected in struct ArgusFlow -- confirm.
 */
struct ArgusAttributes {
    union {
        struct ArgusIPAttributes  ip;   /* for IP-based flows */
        struct ArgusARPAttributes arp;  /* for ARP flows */
    } attr_union;
};
/* Traffic counters for one direction of a flow (32-bit; may wrap on long flows). */
struct ArgusMeter {
    unsigned int count;     /* packets */
    unsigned int bytes;     /* bytes on the wire */
    unsigned int appbytes;  /* application-payload bytes */
};
/* Flow key for IP traffic: addresses, protocol and transport ports. */
struct ArgusIPFlow {
    unsigned int   ip_src;  /* source IPv4 address */
    unsigned int   ip_dst;  /* destination IPv4 address */
    unsigned char  ip_p;    /* IP protocol number */
    unsigned char  tp_p;    /* transport-level protocol indicator */
    unsigned short sport;   /* source port */
    unsigned short dport;   /* destination port */
    unsigned short ip_id;   /* IP identification field */
};
/* Flow key for ICMP traffic: addresses plus ICMP type/code and identifier. */
struct ArgusICMPFlow {
    unsigned int   ip_src;  /* source IPv4 address */
    unsigned int   ip_dst;  /* destination IPv4 address */
    unsigned char  ip_p;    /* IP protocol number */
    unsigned char  tp_p;    /* transport-level protocol indicator */
    unsigned char  type;    /* ICMP type */
    unsigned char  code;    /* ICMP code */
    unsigned short id;      /* ICMP identifier */
    unsigned short ip_id;   /* IP identification field */
};
/* Flow key for link-layer traffic: Ethernet header plus LLC SAPs. */
struct ArgusMACFlow {
    struct ether_header ehdr;   /* Ethernet header (system definition) */
    unsigned char       dsap;   /* presumably 802.2 LLC destination SAP */
    unsigned char       ssap;   /* presumably 802.2 LLC source SAP */
};
/* Flow key for ARP: sender/target protocol addresses and one hardware address. */
struct ArgusArpFlow {
    unsigned int   arp_spa;         /* sender protocol (IPv4) address */
    unsigned int   arp_tpa;         /* target protocol (IPv4) address */
    unsigned char  etheraddr[6];    /* hardware address */
    unsigned short pad;             /* padding to a 4-byte boundary */
};
/* Flow key for RARP: target protocol address and the two hardware addresses. */
struct ArgusRarpFlow {
    unsigned int  arp_tpa;      /* target protocol (IPv4) address */
    unsigned char srceaddr[6];  /* source hardware address */
    unsigned char tareaddr[6];  /* target hardware address */
};
/* Flow key for IPsec ESP: addresses, protocol and the Security Parameter Index. */
struct ArgusESPFlow {
    unsigned int   ip_src;  /* source IPv4 address */
    unsigned int   ip_dst;  /* destination IPv4 address */
    unsigned char  ip_p;    /* IP protocol number */
    unsigned char  tp_p;    /* transport-level protocol indicator */
    unsigned short pad;     /* padding to a 4-byte boundary */
    unsigned int   spi;     /* ESP Security Parameter Index */
};
SEE ALSO
argus(8),
23 June 2000