Copyright (c) 2000-2004 QoSient. All rights reserved.


#include <[argus_dir]/include/argus_def.h>
#include <[argus_dir]/include/argus_out.h>


The format of the argus(8) data stream is most succinctly described by the structures defined in the header files included above, but the general format is as follows:

Argus File Format:

   Argus_Datum Initial_Management_Record
   Argus_Datum Management_Statistics

where the individual data fields are defined as follows:

/* Common header carried by every record in the stream.  The trailing union
 * holds either a management (mar) or a flow (far) record; presumably `type`
 * selects which member is valid -- confirm against the reader.  The byte
 * order of the multi-byte fields is not stated in this excerpt; confirm
 * whether the stream is host or network order before parsing on a host
 * other than the one that produced it. */
struct ArgusRecord {
   unsigned char type, cause;
   /* 16-bit record length.  NOTE(review): a reader should check this value
    * against the bytes actually received and against the size of the
    * selected union member before indexing into ar_union -- confirm that
    * check exists in the reader. */
   unsigned short length;
   unsigned int status;
   unsigned int argusid;        /* also repeated inside ArgusMarStruct */
   unsigned int seqNumber;

   union {
      struct ArgusMarStruct  mar;
      struct ArgusFarStruct  far;
   } ar_union;

/* Management record payload: sensor identity, version, and cumulative
 * counters.  NOTE(review): `struct timeval` has a platform-dependent size
 * (its members are `long`), so the on-wire layout of this struct differs
 * between 32- and 64-bit producers -- confirm how the stream normalizes it. */
struct ArgusMarStruct {
   struct timeval startime, now;
   unsigned char  major_version, minor_version;
   unsigned char interfaceType, interfaceStatus;
   unsigned short reportInterval, argusMrInterval;
   unsigned int argusid, localnet, netmask, nextMrSequenceNum;
   unsigned long long pktsRcvd, bytesRcvd;   /* 64-bit; the remaining counters below are 32-bit and can wrap */
   unsigned int  pktsDrop, flows, flowsClosed;
   unsigned int actIPcons,  cloIPcons;       /* act*/clo* pairs: presumably active/closed connection counts per protocol -- confirm */
   unsigned int actICMPcons,  cloICMPcons;
   unsigned int actIGMPcons,  cloIGMPcons;
   unsigned int actFRAGcons,  cloFRAGcons;
   unsigned int actSECcons,  cloSECcons;
   int record_len;   /* signed, unlike ArgusRecord.length -- a reader should reject negative values */

/* Flow record payload: one timed, metered flow plus its attributes.
 * Note that `length` here is only 8 bits, unlike the 16-bit length in
 * ArgusRecord; a reader must not confuse the two. */
struct ArgusFarStruct {
   unsigned char type, length;
   unsigned short status;

   unsigned int ArgusTransRefNum;
   struct ArgusTimeDesc time;
   struct ArgusFlow flow;
   struct ArgusAttributes attr;
   struct ArgusMeter src, dst;   /* per-direction counters */

/* Time span of a flow record (same `struct timeval` layout caveat as
 * ArgusMarStruct: member size is platform-dependent). */
struct ArgusTimeDesc {
   struct timeval start;   /* presumably first packet seen -- confirm */
   struct timeval last;    /* presumably most recent packet seen -- confirm */

/* Flow key.  Nothing in this struct records which union member is valid;
 * presumably the enclosing record's type/status or the per-flow `ip_p`
 * field determines it -- confirm against the reader before dereferencing. */
struct ArgusFlow {
   union {
      struct ArgusIPFlow     ip;
      struct ArgusICMPFlow icmp;
      struct ArgusMACFlow   mac;
      struct ArgusArpFlow   arp;
      struct ArgusRarpFlow rarp;
      struct ArgusESPFlow   esp;
  } flow_union;

/* IP-layer attributes; the s*/d* prefixes presumably denote source and
 * destination direction -- confirm. */
struct ArgusIPAttributes {
   unsigned short soptions, doptions;
   unsigned char sttl, dttl;
   unsigned char stos, dtos;

/* ARP attributes: an 8-byte opaque response field.  Its encoding is not
 * described in this excerpt -- confirm against the header. */
struct ArgusARPAttributes {
   unsigned char response[8];

/* Protocol-specific attribute block; as with ArgusFlow, the valid union
 * member is not recorded here and must be inferred from the flow type. */
struct ArgusAttributes {
   union {
      struct ArgusIPAttributes   ip;
      struct ArgusARPAttributes arp;
   } attr_union;

/* Per-direction traffic counters.  All three are 32-bit unsigned, so they
 * wrap at 2^32; long-lived flows may need that accounted for downstream. */
struct ArgusMeter {
   unsigned int count, bytes, appbytes;

/* IP flow key.  Addresses are 32-bit, i.e. IPv4-sized; this layout has no
 * room for IPv6 addresses. */
struct ArgusIPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;      /* ip_p: IP protocol number; tp_p: presumably transport-level sub-type -- confirm */
   unsigned short sport, dport;
   unsigned short ip_id;

/* ICMP flow key: same IPv4 address pair as ArgusIPFlow, with the ICMP
 * type/code and id in place of ports. */
struct ArgusICMPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned char type, code;
   unsigned short id, ip_id;

/* Link-layer flow key.  `struct ether_header` comes from the system
 * headers, so its size and padding follow the platform's definition. */
struct ArgusMACFlow {
   struct ether_header ehdr;
   unsigned char dsap, ssap;   /* LLC destination/source service access points */

/* ARP flow key: sender/target protocol addresses plus one hardware address.
 * `pad` aligns the struct; a reader should not interpret its contents. */
struct ArgusArpFlow {
   unsigned int arp_spa;
   unsigned int arp_tpa;
   unsigned char etheraddr[6];
   unsigned short pad;

/* RARP flow key: target protocol address plus both hardware addresses. */
struct ArgusRarpFlow {
   unsigned int arp_tpa;
   unsigned char srceaddr[6];
   unsigned char tareaddr[6];

/* ESP flow key: IPv4 address pair and the security parameter index, which
 * is the only per-flow identifier available for encrypted traffic.
 * `pad` is alignment only and carries no data. */
struct ArgusESPFlow {
   unsigned int ip_src, ip_dst;
   unsigned char ip_p, tp_p;
   unsigned short pad;
   unsigned int spi;