Argus Default Output Format

Carter Bullard carter at qosient.com
Thu Aug 31 18:02:32 EDT 2000


Gentle People,
   We are very close to packaging up the initial
Argus-2.0 code for testing and I'd like to have
a new format for the default output line so we can
be trying it out.  We've had quite a bit of mail
on this, and so I'm going to take a stab at it
based on that mail.

   If I've forgotten something please speak up, it
is an oversight not a political statement :o)


Date
   Definitely like Russell's international arguments
so I'm going with his recommendation.  We'll try
a default strftime format "%d %b %y %T" which will give
us:
     "31 Aug 00 14:23:51"

for our date string.  '-u' option will give us Unix
time.  I don't see a need for any other formats.
Comments?


Status Field
   The status field is something that has caused a
lot of problems and not many use the indicators but me,
so, I'm going to recommend that we not print the
field by default.  Currently we have the -M option
to "Mask" this field out.  So lets remove the -M
option and use the "-I" option to print the
"Indicator" field.  This fixed length field will be
quoted, using double quotes, so parsers can parse
it out as a string.  So, for the first round it
will not be implemented.

Field Number
   All records will generate the same number of fields.
Counts "-c" option will print packets and bytes for
all flows.  Bytes will be raw bytes, rather than cooked
bytes.  This may need to be tested.

MAC Addresses
   By default Argus will not report MAC addresses for
flows, so I've removed the '-m' option from the
client code.  This is temporary, but I'd like to
get a feeling for how many use the MAC addresses
in their tools.


TCP State Reporting
I believe that we'll stay with the "INT", "CON", "CLO"
style by default, and have a switch to turn on the
TCP specific "sSEFC" flags.  This is a bit advanced, and
so for the uninitiated the default needs to be consistent
regardless of protocol.

My opinions, I'd love to hear others.

Carter





Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
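
Added example, not part of the original message or of the Argus code: how a consumer might read the proposed default line, with its four-token date, the optional double-quoted indicator field, and '-u' Unix time. The sample lines, the columns after the date, the single-token form of '-u' output and the UTC zone are assumptions.

```python
import shlex
from datetime import datetime, timezone

# Python's strptime has no %T, so the time part is spelled out as %H:%M:%S.
# %y is a two-digit year: strptime maps 69-99 to 1969-1999, 00-68 to 2000-2068.
DATE_FMT = "%d %b %y %H:%M:%S"

def parse_record(line, unix_time=False, indicator=False, tz=timezone.utc):
    """Split one output line into (timestamp, indicator, remaining fields)."""
    # shlex keeps a double-quoted field together even when it contains blanks.
    tokens = shlex.split(line)
    if unix_time:
        # Assumption: '-u' prints seconds since the epoch as a single token.
        when = datetime.fromtimestamp(float(tokens[0]), tz=timezone.utc)
        rest = tokens[1:]
    else:
        # The default date spans four whitespace-separated tokens and names
        # no zone, so the caller supplies the sensor's zone (UTC assumed).
        stamp = " ".join(tokens[:4])
        when = datetime.strptime(stamp, DATE_FMT).replace(tzinfo=tz)
        rest = tokens[4:]
    flags = rest.pop(0) if indicator else None
    return when, flags, rest

def field_counts(lines, **opts):
    """Field counts seen; a single value means every record lines up."""
    return {len(parse_record(line, **opts)[2]) for line in lines}

# Constructed sample lines; the columns after the date are hypothetical.
SAMPLE = [
    '31 Aug 00 14:23:51 "  *     " tcp 10.0.0.1.1025 -> 10.0.0.2.80 CON',
    '31 Aug 00 14:23:52 "        " udp 10.0.0.3.53 -> 10.0.0.4.1030 INT',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_record(line, indicator=True))
    print(field_counts(SAMPLE, indicator=True))
```

A plain whitespace split of the same two lines yields different token counts, which is the case the quoting is meant to prevent.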


