Argus Printf Statement

Chas DiFatta chas at freeworks.com
Wed Jul 12 14:15:10 EDT 2000 

Agreed,

It would be a huge effort, so I suggest we try to gather some low
hanging fruit first to make progress.  If you don't write your own
Argus clients, then working with the output does tend to be a pain.
In specific the # of fields are not consistent because the delimiter
is a space and some fields are null at times.  If we could
have yet another arg that changes the delimiter from a space,
then it will eliminate the problem of the dropped field.  In
the following, note the "s" in the 4th field.

Wed 07/12 00:59:01 s    tcp  128.0.1.3.8193   ->  128.1.0.1.6101  10  6  156
0  FIN
Wed 07/12 00:59:05      tcp  128.0.1.3.8193   ->  128.1.0.1.6101  10  6  156
0  RST

This is especially a problem with different protos, i.e.,

Wed 07/12 00:50:47     icmp  128.1.1.3  <->  128.1.0.1       10     10

How about something like,

Wed:07/12:00:50:47:icmp:128.1.1.3:<->:128.1.0.1:10:10:::

and leave null the unused fields.  Comments?  This would let us write
filters
easily and be assured that we'd have consistent data in the fields.

	...cd


> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Carter Bullard
> Sent: Wednesday, July 12, 2000 5:03 AM
> To: 'Russell Fulton'; argus at lists.andrew.cmu.edu
> Subject: Argus Printf Statement
>
>
>
> This I believe would be a huge thing to do, and I would like to
> get some opinions on how this could work.  Now I don't have any
> Perl experience, so all my examples will be C oriented.
>
> I can see providing an argprintf() function that mimics sprintf():
>
>    argprintf((char *)buf, (char *)formatstr, (ArgusStruct *) arg)
>
> and the formatstr can have a syntax very much like printf() and
> strftime().  A first thought, we could come up with a syntax
> that allows us to extend the normal printf() and strftime()
> formats with Argus data identifer tags.  This would allow a
> preprocessor to be able to construct real sprintf() and
> strftime() calls based on our syntax.
>
> We've got to be able to specify source vs. destination for metrics
> and flow identifiers, so a %s.X and a %d.Y type of qualifier may
> be all that is needed.  For time we've got start and stop time
> values and their formats to consider.
>
> Does this seem reasonable?
>
> Carter
>
>
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> Sent: Tuesday, July 11, 2000 7:23 PM
> To: argus at lists.andrew.cmu.edu
> Subject: New Argus features.
>
>
> I think I have mentioned this before but I'll do so again in case it
> has got overlooked.
>
> In ra I would like to be able to control the formatting of the output
> record.  The easiest way I can think of this would be to allow one to
> specify a format string in the manner of strftime.  In particular I
> would like to be able to specify a format that is better suited to
> parsing in perl (tab delimited list of just the data I need). This
> could also be used to have different time formats british vs americal
> vs international and perhaps different timezones -- local or UTC.
>
> Russell
>
>

More information about the argus mailing list