Ip network auditing facility
Copyright (c) 2000-2004 QoSient. All rights reserved.
#include <[argus_dir]/include/argus_def.h> #include <[argus_dir]/include/argus_out.h>
The format of the argus(8) data stream is most succinctly described through the structures defined in the header file, but the general format is as follows:
Argus File Format:
Argus_Datum Initial_Management_Record Argus_Datum . . Argus_Datum Management_Statistics Argus_Datum . .
where the individual data fields are defined as follows:
struct ArgusRecord { unsigned char type, cause; unsigned short length; unsigned int status; unsigned int argusid; unsigned int seqNumber; union { struct ArgusMarStruct mar; struct ArgusFarStruct far; } ar_union; }; struct ArgusMarStruct { struct timeval startime, now; unsigned char major_version, minor_version; unsigned char interfaceType, interfaceStatus; unsigned short reportInterval, argusMrInterval; unsigned int argusid, localnet, netmask, nextMrSequenceNum; unsigned long long pktsRcvd, bytesRcvd; unsigned int pktsDrop, flows, flowsClosed; unsigned int actIPcons, cloIPcons; unsigned int actICMPcons, cloICMPcons; unsigned int actIGMPcons, cloIGMPcons; unsigned int actFRAGcons, cloFRAGcons; unsigned int actSECcons, cloSECcons; int record_len; }; struct ArgusFarStruct { unsigned char type, length; unsigned short status; unsigned int ArgusTransRefNum; struct ArgusTimeDesc time; struct ArgusFlow flow; struct ArgusAttributes attr; struct ArgusMeter src, dst; }; struct ArgusTimeDesc { struct timeval start; struct timeval last; }; struct ArgusFlow { union { struct ArgusIPFlow ip; struct ArgusICMPFlow icmp; struct ArgusMACFlow mac; struct ArgusArpFlow arp; struct ArgusRarpFlow rarp; struct ArgusESPFlow esp; } flow_union; }; struct ArgusIPAttributes { unsigned short soptions, doptions; unsigned char sttl, dttl; unsigned char stos, dtos; }; struct ArgusARPAttributes { unsigned char response[8]; }; struct ArgusAttributes { union { struct ArgusIPAttributes ip; struct ArgusARPAttributes arp; } attr_union; }; struct ArgusMeter { unsigned int count, bytes, appbytes; }; struct ArgusIPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short sport, dport; unsigned short ip_id; }; struct ArgusICMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short id, ip_id; }; struct ArgusMACFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct ArgusArpFlow { unsigned int arp_spa; unsigned int arp_tpa; unsigned char etheraddr[6]; unsigned short pad; }; struct ArgusRarpFlow { unsigned int arp_tpa; unsigned char srceaddr[6]; unsigned char tareaddr[6]; }; struct ArgusESPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad; unsigned int spi; };