argus


Version: 23 June 2000 (mandriva - 22/10/07)


Section: 5 (Format de fichier)

NAME

argus - IP Network Auditing Facility

Copyright (c) 2000-2004 QoSient. All rights reserved.

SYNOPSIS

 #include <[argus_dir]/include/argus_def.h>
 #include <[argus_dir]/include/argus_out.h>
 

DESCRIPTION

The format of the argus(8) data stream is most succinctly described by the structures defined in the header files listed in the SYNOPSIS, but the general format is as follows:
Argus File Format:
   Argus_Datum Initial_Management_Record
   Argus_Datum
        .
        .
   Argus_Datum Management_Statistics
   Argus_Datum
        .
        .

where the individual data fields are defined as follows:

 /*
  * Common header carried by every record in the argus(8) data stream.
  * This is an on-the-wire layout: field order, widths and padding ARE the
  * format, so a reader must not reorder or re-type anything here.
  *
  *   type, cause  - presumably identify the record kind and the reason it
  *                  was emitted, and so which arm of ar_union is valid;
  *                  the encoding is in argus_def.h, confirm there.
  *   length       - presumably the total record length in bytes; a reader
  *                  should compare it with the bytes actually received
  *                  before interpreting ar_union.
  *   status       - per-record flags (semantics in argus_def.h).
  *   argusid      - identifier of the emitting sensor (name only; verify).
  *   seqNumber    - presumably a per-stream sequence counter; gaps would
  *                  indicate lost records - TODO confirm.
  */
 struct ArgusRecord {
    unsigned char type, cause;
    unsigned short length;
    unsigned int status;
    unsigned int argusid;
    unsigned int seqNumber;
 
    /* Only one arm is meaningful for a given record; which one is
     * presumably selected by 'type' - confirm against argus_def.h. */
    union {
       struct ArgusMarStruct  mar;   /* management record (cf. Management_Statistics above) */
       struct ArgusFarStruct  far;   /* flow record; "Far" expansion not given on this page */
    } ar_union;
 };
 
 /*
  * Management record payload: sensor identity and running statistics.
  * Note that this layout embeds struct timeval (from <sys/time.h>) and an
  * unsigned long long, both of whose size and alignment depend on the
  * platform and ABI that produced the stream; a reader on a different
  * platform should not assume sizeof(struct ArgusMarStruct) matches the
  * writer's - TODO confirm how argus(8) serialises these.
  *
  *   startime, now            - presumably sensor start time and the time
  *                              this record was generated.
  *   major_version, minor_version - stream format version.
  *   interfaceType, interfaceStatus - capture interface description
  *                              (encoding in argus_def.h).
  *   reportInterval, argusMrInterval - intervals (units not stated here;
  *                              presumably seconds - verify).
  *   argusid, localnet, netmask - sensor id and local network; localnet
  *                              and netmask are presumably IPv4 values,
  *                              byte order not stated here.
  *   nextMrSequenceNum        - presumably the seqNumber of the next
  *                              management record - confirm.
  *   pktsRcvd, bytesRcvd, pktsDrop - capture counters.
  *   flows, flowsClosed       - flow-cache counters.
  *   act*cons / clo*cons      - presumably active / closed connection
  *                              counts per protocol family (IP, ICMP,
  *                              IGMP, FRAG, SEC) - confirm.
  *   record_len               - declared signed; a reader should treat a
  *                              negative value as a malformed record.
  */
 struct ArgusMarStruct {
    struct timeval startime, now;
    unsigned char  major_version, minor_version;
    unsigned char interfaceType, interfaceStatus;
    unsigned short reportInterval, argusMrInterval;
    unsigned int argusid, localnet, netmask, nextMrSequenceNum;
    unsigned long long pktsRcvd, bytesRcvd;
    unsigned int  pktsDrop, flows, flowsClosed;
    unsigned int actIPcons,  cloIPcons;
    unsigned int actICMPcons,  cloICMPcons;
    unsigned int actIGMPcons,  cloIGMPcons;
    unsigned int actFRAGcons,  cloFRAGcons;
    unsigned int actSECcons,  cloSECcons;
    int record_len;
 };
 
 /*
  * Flow record payload: one bidirectional flow with timing, key,
  * attributes and per-direction counters.
  *
  *   type, length      - a second, byte-sized type/length pair nested
  *                       inside the outer ArgusRecord header; presumably
  *                       describes this payload only - confirm against
  *                       argus_def.h.  A reader should bound-check it
  *                       against the outer ArgusRecord.length as well.
  *   status            - flow-level flags (semantics in argus_def.h).
  *   ArgusTransRefNum  - name only; presumably a transaction reference.
  *   time              - first/last observation (struct ArgusTimeDesc).
  *   flow              - the flow key (struct ArgusFlow union).
  *   attr              - per-protocol attributes (struct ArgusAttributes).
  *   src, dst          - counters for each direction (struct ArgusMeter).
  */
 struct ArgusFarStruct {
    unsigned char type, length;
    unsigned short status;
  
    unsigned int ArgusTransRefNum;
    struct ArgusTimeDesc time;
    struct ArgusFlow flow;
    struct ArgusAttributes attr;
    struct ArgusMeter src, dst;
 };
 
 /*
  * Time span of a flow.  struct timeval comes from <sys/time.h>; its
  * field widths are platform dependent, so the serialised size is too.
  *   start - presumably the first packet seen.
  *   last  - presumably the most recent packet seen.
  */
 struct ArgusTimeDesc {
    struct timeval start;
    struct timeval last;
 };
 
 /*
  * Flow key.  Exactly one union arm is meaningful for a given record;
  * nothing inside this struct says which, so the discriminator must be
  * carried elsewhere (presumably the enclosing record's type/status
  * fields - confirm against argus_def.h).  The union is as large as its
  * largest arm, so unused arms are present on the wire as padding; a
  * reader should not trust any bytes belonging to an inactive arm.
  */
 struct ArgusFlow {
    union {
       struct ArgusIPFlow     ip;    /* IPv4 transport flow */
       struct ArgusICMPFlow icmp;    /* IPv4 ICMP flow */
       struct ArgusMACFlow   mac;    /* link-layer (Ethernet) flow */
       struct ArgusArpFlow   arp;    /* ARP request/response */
       struct ArgusRarpFlow rarp;    /* reverse ARP */
       struct ArgusESPFlow   esp;    /* IPsec ESP flow, keyed by SPI */
   } flow_union;
 };
 
 /*
  * IP-level attributes recorded for each direction of a flow
  * (s* = source side, d* = destination side).
  *   soptions, doptions - presumably bitmasks of IP options seen
  *                        (bit assignments in argus_def.h).
  *   sttl, dttl         - IP TTL values observed.
  *   stos, dtos         - IP TOS byte values observed.
  */
 struct ArgusIPAttributes {
    unsigned short soptions, doptions;
    unsigned char sttl, dttl;
    unsigned char stos, dtos;
 };
 
 /*
  * ARP-specific attributes.
  *   response - 8 opaque bytes; the page does not say what they hold
  *              (presumably part of the ARP reply) - confirm in
  *              argus_def.h before interpreting.
  */
 struct ArgusARPAttributes {
    unsigned char response[8];
 };
 
 /*
  * Per-protocol attribute block.  Like ArgusFlow, the union carries no
  * discriminator of its own; which arm applies is presumably implied by
  * the flow type of the enclosing record - confirm against argus_def.h.
  */
 struct ArgusAttributes {
    union {
       struct ArgusIPAttributes   ip;    /* for IP/ICMP/ESP flows */
       struct ArgusARPAttributes arp;    /* for ARP/RARP flows */
    } attr_union;
 };
 
 
 /*
  * Traffic counters for one direction of a flow.
  *   count    - packets.
  *   bytes    - total bytes.
  *   appbytes - presumably application-layer (payload) bytes, i.e.
  *              excluding headers - confirm.
  * All three are 32-bit and may wrap on long-lived, high-volume flows.
  */
 struct ArgusMeter {
    unsigned int count, bytes, appbytes;
 };
 
 /*
  * IPv4 transport-layer flow key (5-tuple plus IP id).
  *   ip_src, ip_dst - IPv4 addresses; byte order not stated on this page,
  *                    presumably network order - confirm.
  *   ip_p           - IP protocol number.
  *   tp_p           - name only; presumably a transport-level protocol or
  *                    sub-type indicator - confirm in argus_def.h.
  *   sport, dport   - transport port numbers.
  *   ip_id          - IP header identification field.
  */
 struct ArgusIPFlow {
    unsigned int ip_src, ip_dst;
    unsigned char ip_p, tp_p;
    unsigned short sport, dport;
    unsigned short ip_id;
 };
 
 /*
  * IPv4 ICMP flow key.  Same leading fields as ArgusIPFlow so the two
  * arms overlay consistently inside ArgusFlow.
  *   ip_src, ip_dst - IPv4 addresses (byte order not stated here).
  *   ip_p, tp_p     - as in ArgusIPFlow.
  *   type, code     - ICMP type and code.
  *   id             - ICMP identifier (echo request/reply pairing).
  *   ip_id          - IP header identification field.
  */
 struct ArgusICMPFlow {
    unsigned int ip_src, ip_dst;
    unsigned char ip_p, tp_p;
    unsigned char type, code;
    unsigned short id, ip_id;
 };
 
 /*
  * Link-layer flow key.
  *   ehdr       - struct ether_header (not defined on this page; normally
  *                from <net/ethernet.h>): destination/source MAC and
  *                ethertype.
  *   dsap, ssap - LLC destination/source service access points,
  *                presumably only meaningful for 802.2 frames - confirm.
  */
 struct ArgusMACFlow {
    struct ether_header ehdr;
    unsigned char dsap, ssap;
 };
 
 /*
  * ARP flow key.
  *   arp_spa   - sender protocol (IPv4) address.
  *   arp_tpa   - target protocol (IPv4) address.
  *   etheraddr - a 6-byte hardware address; whether sender or target is
  *               not stated on this page - confirm in argus_def.h.
  *   pad       - explicit alignment padding; a reader should ignore its
  *               contents, and a writer should zero it so no stale memory
  *               leaks into the stream.
  */
 struct ArgusArpFlow {
    unsigned int arp_spa;
    unsigned int arp_tpa;
    unsigned char etheraddr[6];
    unsigned short pad;
 };
  
 /*
  * Reverse-ARP flow key.
  *   arp_tpa  - target protocol (IPv4) address.
  *   srceaddr - source hardware (Ethernet) address, 6 bytes.
  *   tareaddr - target hardware (Ethernet) address, 6 bytes.
  * Note the 16-byte total has no explicit pad field, unlike ArgusArpFlow.
  */
 struct ArgusRarpFlow {
    unsigned int arp_tpa;
    unsigned char srceaddr[6];
    unsigned char tareaddr[6];
 };
  
 /*
  * IPsec ESP flow key.  Leading fields match ArgusIPFlow; ESP carries no
  * ports, so the flow is distinguished by the SPI instead.
  *   ip_src, ip_dst - IPv4 addresses (byte order not stated here).
  *   ip_p, tp_p     - as in ArgusIPFlow.
  *   pad            - explicit padding where ArgusIPFlow has sport/dport;
  *                    should be zeroed by the writer and ignored by the
  *                    reader.
  *   spi            - ESP Security Parameters Index.
  */
 struct ArgusESPFlow {
    unsigned int ip_src, ip_dst;
    unsigned char ip_p, tp_p;
    unsigned short pad;
    unsigned int spi;
 };
 
 

SEE ALSO

argus(8),