ARGUS Clients
Argus Core
The argus clients distribution contains a set of Core Clients that provide basic functions, such as reading, printing, sorting, filtering and file management, as well as a set of supported client examples that are designed to demonstrate fundamental data methods.
The Core Clients are a set of simple programs that represent basic flow processing. Modeled after basic Unix commands, like sort.1, split.1, cat.1 ... these core clients support printing, sorting, minimizing, splitting, aggregating, anonymizing, and distributing Argus data.
The principal example of the Core Clients is the routine ra.1. This program reads data, provides record filtering and stripping (a form of data minimization), and either prints the contents or writes the contents to another file. It is a simple program but does so much.
Another critically important program is racluster.1. This program provides for argus data aggregation, and is the first program that you will want to master in the suite. Aggregation is THE method used to generate almost every report you will ever want to generate from Argus data. If you want the list of active Ethernet addresses in a particular VLAN for last Friday, you'll use racluster.1. If you are interested in what services are being used on a given host, you'll use racluster.1. It is the Swiss Army knife of flow data processing.
Another important program is radium.1, the argus data distribution program. radium.1 can read and write argus data files and it also generates and manages data streams. radium.1 is designed to be your starting point for distributing Argus data, and to manage Argus analytic pipelines.
Argus Examples
The examples provided in the Argus Clients distribution are proof-of-concept programs that provide specific capabilities, such as flow data conversion, analytics, flow data labeling, network path extraction, policy verification reporting, captured payload analytics, MySQL database support, and the important program, ratop.1.
Some of these examples are just that, ways of solving a specific problem, but a few have become key components of the Argus System.
ratop.1 and ramysql.1 have evolved to be product quality components of a flow information system, and you should look to see how these tools can improve your approach to network ops, performance and security management.
Argus Client Development
The Argus open source project is about generating the best network awareness data possible, and enabling the use of that data to solve problems. That is where the Argus Clients come into play. To get value out of argus data, you need not only to generate it, but also to collect it, enhance it, filter it, aggregate it, compress it, index it, minimize it, print it out in csv, json, or xml, put it in a database, even anonymize it.
Argus currently has programs that perform all of these functions, and can be used to do a lot of data management, analytics and processing, but there is always room for more.
On GitHub, we have several projects that add functionality taking advantage of the new features in v.50 data. In particular, the new comprehensive control plane data capture feature enables a Private Passive DNS information system using radns.1.
Other projects, such as the Argus Python project are efforts to extend the use of Argus data for AI/ML and Behavioral analytics.
Argus system development is pretty wide open, and we welcome most if not all contributions. The Argus project invites you to contribute to the effort!!!
Argus Clients Library
Developing Argus System Components involves reading, processing and writing Argus data through the argus-clients library packages. We highly recommend that you use the library because the data formats are pretty complex. Each flow record is a composite of flow data record elements, which have versioning, and dynamic compression to minimize record size on the wire and in files. The library also handles a number of file compression methods, and there is on-the-wire encryption support.
The principal example is ra.1, and it is a good starting point for anyone wanting to write an argus data processing program. This program reads data, provides record filtering and stripping (a form of data minimization), and either prints the contents or writes the contents to another file. It is a simple program based on the library, and so the amount of code needed is rather small.
ra.1 is a part of the core clients, a set of simple programs that represent basic flow processing. Modeled after basic Unix commands, like sort.1, split.1, cat.1 ... these core clients support printing, sorting, minimizing, splitting, aggregating, anonymizing, and distributing Argus data.
A really important program is racluster.1. This program provides for argus data aggregation, and is the first program that you will want to master in the suite. Aggregation is the method used to generate almost every report you will ever want to generate from Argus data. If you want the list of active Ethernet addresses in a particular VLAN for last Friday, you'll use racluster.1. If you are interested in what services are being used on a given host, you'll use racluster.1. It is the Swiss Army knife of flow data.
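The two racluster.1 questions posed here and in the Core Clients section (Ethernet addresses active in a VLAN, services used on a host) are really one operation: collapse records that share a key and sum their counters, which is what `racluster -m <fields>` does. The following Python script is an added illustration, not code from the Argus distribution; it performs that aggregation over constructed CSV lines in the shape `ra -c , -s stime smac vlan saddr daddr proto dport pkts bytes` would print, and models the `vlan`/`dst host` filters with plain predicates.

```python
import csv
import io

# Constructed sample of what `ra -c , -s stime smac vlan saddr daddr proto dport pkts bytes`
# might print for a few flows. Addresses and counters are made up for this example.
RA_CSV = """\
stime,smac,vlan,saddr,daddr,proto,dport,pkts,bytes
1700000001.123,00:11:22:33:44:01,100,10.0.0.5,10.0.0.9,tcp,443,12,3456
1700000002.456,00:11:22:33:44:02,100,10.0.0.6,10.0.0.9,tcp,443,8,1200
1700000003.789,00:11:22:33:44:01,100,10.0.0.5,10.0.0.9,udp,53,2,180
1700000004.000,00:11:22:33:44:03,200,10.0.1.7,10.0.0.9,tcp,22,30,9000
1700000005.500,00:11:22:33:44:02,100,10.0.0.6,10.0.1.7,tcp,80,4,600
"""


def parse_ra_csv(text):
    """Read delimited ra output (first line is the field header) into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def cluster(records, keys, flt=None):
    """Aggregate records on the given key fields, the way `racluster -m <keys>` does:
    records sharing a key collapse into one row whose pkts/bytes are summed and whose
    'trans' counts how many records were merged. flt is an optional record predicate,
    standing in for an ra filter expression."""
    agg = {}
    for r in records:
        if flt is not None and not flt(r):
            continue
        k = tuple(r[f] for f in keys)
        row = agg.setdefault(k, {"pkts": 0, "bytes": 0, "trans": 0})
        row["pkts"] += int(r["pkts"])
        row["bytes"] += int(r["bytes"])
        row["trans"] += 1
    return agg


def active_macs_in_vlan(records, vlan):
    """Ethernet addresses seen in one VLAN: `racluster -m smac` with filter `vlan <n>`."""
    agg = cluster(records, ["smac"], flt=lambda r: r["vlan"] == str(vlan))
    return sorted(k[0] for k in agg)


def services_on_host(records, host):
    """Services used on a host: `racluster -m proto dport` with filter `dst host <h>`."""
    agg = cluster(records, ["proto", "dport"], flt=lambda r: r["daddr"] == host)
    return {f"{proto}/{dport}": v for (proto, dport), v in agg.items()}
```

The same `cluster` call with other key lists reproduces other common reports; adding a time predicate on `stime` gives the "last Friday" restriction that `ra -t` applies before aggregation.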
Also an important program is radium.1, the argus data distribution node. radium.1 reads and writes argus data files or streams. Using radium.1 as a starting point is a great way to extend the Argus System, and avoids the problems of dealing with the Argus data formats, especially encrypted argus data, and wire-line compression.
The kinds of programs that need to be worked on are endless. If you're interested, put on your data boots and jump in.