1ARGUS(5) File Formats Manual ARGUS(5)
2
6 argus - IP Network Auditing Facility
7
9 Copyright (c) 2000-2004 QoSient. All rights reserved.
10
13 #include <[argus_dir]/include/argus_def.h>
14 #include <[argus_dir]/include/argus_out.h>
15
18 The format of the argus(8) data stream is most succinctly described
19 through the structures defined in the header file, but the general for‐
20 mat is as follows:
21 Argus File Format:
23 Argus_Datum Initial_Management_Record
24 Argus_Datum
25 .
26 .
27 Argus_Datum Management_Statistics
28 Argus_Datum
29 .
30 .
31 where the individual data fields are defined as follows:
33 struct ArgusRecord {
35 unsigned char type, cause;
36 unsigned short length;
37 unsigned int status;
38 unsigned int argusid;
39 unsigned int seqNumber;
40 union {
42 struct ArgusMarStruct mar;
43 struct ArgusFarStruct far;
44 } ar_union;
45 };
46 struct ArgusMarStruct {
48 struct timeval startime, now;
49 unsigned char major_version, minor_version;
50 unsigned char interfaceType, interfaceStatus;
51 unsigned short reportInterval, argusMrInterval;
52 unsigned int argusid, localnet, netmask, nextMrSequenceNum;
53 unsigned long long pktsRcvd, bytesRcvd;
54 unsigned int pktsDrop, flows, flowsClosed;
55 unsigned int actIPcons, cloIPcons;
56 unsigned int actICMPcons, cloICMPcons;
57 unsigned int actIGMPcons, cloIGMPcons;
58 unsigned int actFRAGcons, cloFRAGcons;
59 unsigned int actSECcons, cloSECcons;
60 int record_len;
61 };
62 struct ArgusFarStruct {
64 unsigned char type, length;
65 unsigned short status;
66 unsigned int ArgusTransRefNum;
68 struct ArgusTimeDesc time;
69 struct ArgusFlow flow;
70 struct ArgusAttributes attr;
71 struct ArgusMeter src, dst;
72 };
73 struct ArgusTimeDesc {
75 struct timeval start;
76 struct timeval last;
77 };
78 struct ArgusFlow {
80 union {
81 struct ArgusIPFlow ip;
82 struct ArgusICMPFlow icmp;
83 struct ArgusMACFlow mac;
84 struct ArgusArpFlow arp;
85 struct ArgusRarpFlow rarp;
86 struct ArgusESPFlow esp;
87 } flow_union;
88 };
89 struct ArgusIPAttributes {
91 unsigned short soptions, doptions;
92 unsigned char sttl, dttl;
93 unsigned char stos, dtos;
94 };
95 struct ArgusARPAttributes {
97 unsigned char response[8];
98 };
99 struct ArgusAttributes {
101 union {
102 struct ArgusIPAttributes ip;
103 struct ArgusARPAttributes arp;
104 } attr_union;
105 };
106 struct ArgusMeter {
109 unsigned int count, bytes, appbytes;
110 };
111 struct ArgusIPFlow {
113 unsigned int ip_src, ip_dst;
114 unsigned char ip_p, tp_p;
115 unsigned short sport, dport;
116 unsigned short ip_id;
117 };
118 struct ArgusICMPFlow {
120 unsigned int ip_src, ip_dst;
121 unsigned char ip_p, tp_p;
122 unsigned char type, code;
123 unsigned short id, ip_id;
124 };
125 struct ArgusMACFlow {
127 struct ether_header ehdr;
128 unsigned char dsap, ssap;
129 };
130 struct ArgusArpFlow {
132 unsigned int arp_spa;
133 unsigned int arp_tpa;
134 unsigned char etheraddr[6];
135 unsigned short pad;
136 };
137 struct ArgusRarpFlow {
139 unsigned int arp_tpa;
140 unsigned char srceaddr[6];
141 unsigned char tareaddr[6];
142 };
143 struct ArgusESPFlow {
145 unsigned int ip_src, ip_dst;
146 unsigned char ip_p, tp_p;
147 unsigned short pad;
148 unsigned int spi;
149 };
150
153 argus(8),
154 23 June 2000 ARGUS(5)