/*
 * Argus Client Software. Tools to read, analyze and manage Argus data.
 * Copyright (c) 2000-2011 QoSient, LLC
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2, or (at your option)
 * any later version.

 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.

 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */
 *
 */


CHANGES -  This file attempts to capture the changes between argus-3.0
           and argus-2.x.  There are enormous changes, so if I missed
           anything, please be kind.


Argus Data Support

   Argus-3.0 represents a major change in argus data.  The format
was completely updated to support IPv6 data, 64-bit architectures
and Quad-word metrics, and provide better compression for data
in motion and at rest.  As a result there is no forward compatibility
between argus-2.0 programs and argus-3.0 data.  Argus-3.0 programs
are backward compatible, however, so you can read and process your
data with argus-3.0 programs.

   We have not made any provisions for argus-3.0 programs to
generate argus-2.x formatted data.  So there is explicit conversion
that will be going on under the covers.  Don't convert your
argus-2.x data to argus-3.0 unless you find that you can get
say better compressed files.

Architecture

   The client programs evolved quite a bit between argus-2.0
and argus-3.0.  With the addition of large scale argus data collection
and distribution, using radium(), the argus data architecture began.
Still not complete, however argus-3.0  provides the ability to generate,
collect, distribute, archive, analyze, and graph network flow data.

   radium() and rastream() are the principal programs that have been
added to the ra* family of programs.  radium can connect to multiple
sources of argus data, whether they are streams or files of data, and
can write out data to multiple targets, supporting independant access
control, authentication, and filtering per target.  What this means
is that you can build a argus data distribution tree, to collect,
process and redistribute argus data.

   rastream() is known as a stream block processor (SBP).  You want
to collect data from a set of argus data stream sources, and the
data just keeps coming in.  When/how can you stop to process the
data, say for real-time indexing, search and/or processing?  In the
database world this is called 'stream block processing'.  rastream()
reads in argus data, outputs the data into a set of files, with a
hold buffer to allow for input sorting, and then based on command
line options, will call scripts on the files after a time period or
an event.  We use rastream() to periodically commit data to an
information system for indexing, searching, processing, compressing,
and then archive. Say every 5 minutes, on the second, rastream() will
close completed input files and then spawn any number of processes
against those files. 

   With these two programs, we have collected data from as many as
5K argus data sources, and managed the data in a set of argus data 
respositories.



Core Programs
   ra         - support to print, filter all argus data types.
   racount    - no basic changes.
  +racluster  - complete rewrite of argus aggregation strategies,
                and replaces ragator.

  +radium     - argus record collection and distribution program.
  +radump     - tcpdump() style printer for argus user capture buffer.

  *ragator    - obseleted, replaced with racluster(). we can now
                use the name for another program (some people really
                liked the name).

   rahosts    - ported.
   raport     - ported.
   ragrep     - ported.
   ragraph    - ported.

  *ramon      - obseleted, all ra* programs now support -M rmon option.
   ranonymize - updated for new data types.
   rapath     - ported.
   rapolicy   - ported.
   rarpwatch  - ported.
   rasort     - ported.
   rasrvstats - rewritten for speed.

  +rastream   - argus stream block processor.  Allows you to process
                streaming data in block fashion.

   rastrip    - enhanced. Can remove more fields.

   ratop      - massive rewrite.  Completely new program.

  *raxml      - obseleted.  Most ra* programs now support the "-M xml" option
                so they all can print out xml output.


+ programs added for argus-3.0
* programs removed from argus-2.x
