Argus Printf Statement
Carter Bullard
carter at qosient.com
Wed Jul 12 15:24:05 EDT 2000
This is easily doable. It's just a matter of what suits everyone.
Carter
-----Original Message-----
From: Chas DiFatta [mailto:chas at freeworks.com]
Sent: Wednesday, July 12, 2000 2:15 PM
To: carter at qosient.com
Cc: 'Russell Fulton'; argus at lists.andrew.cmu.edu
Subject: RE: Argus Printf Statement
Agreed,
It would be a huge effort, so I suggest we try to gather some low
hanging fruit first to make progress. If you don't write your own
Argus clients, then working with the output does tend to be a pain.
Specifically, the # of fields is not consistent because the delimiter
is a space and some fields are null at times. If we could
have yet another arg that changes the delimiter from a space,
then it will eliminate the problem of the dropped field. In
the following, note the "s" in the 4th field.
Wed 07/12 00:59:01 s tcp 128.0.1.3.8193 -> 128.1.0.1.6101 10 6 156 0 FIN
Wed 07/12 00:59:05 tcp 128.0.1.3.8193 -> 128.1.0.1.6101 10 6 156 0 RST
This is especially a problem with different protos, i.e.,
Wed 07/12 00:50:47 icmp 128.1.1.3 <-> 128.1.0.1 10 10
How about something like,
Wed:07/12:00:50:47:icmp:128.1.1.3:<->:128.1.0.1:10:10:::
and leave null the unused fields. Comments? This would let us write
filters easily and be assured that we'd have consistent data in the fields.
...cd
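An added example, not code from the thread or from Argus itself, that shows the field-position problem Chas describes and one way to emit the fixed-column form he proposes. The sample lines are constructed from the ones quoted in his message; PROTOS and NUM_COLUMNS are assumptions, and the fixed record uses "|" rather than ":" because ":" already appears inside the time field.

```python
from typing import NamedTuple

SAMPLE_LINES = [  # constructed sample lines in the space-delimited format quoted above
    "Wed 07/12 00:59:01 s tcp 128.0.1.3.8193 -> 128.1.0.1.6101 10 6 156 0 FIN",
    "Wed 07/12 00:59:05 tcp 128.0.1.3.8193 -> 128.1.0.1.6101 10 6 156 0 RST",
    "Wed 07/12 00:50:47 icmp 128.1.1.3 <-> 128.1.0.1 10 10",
]
PROTOS = {"tcp", "udp", "icmp"}  # assumption: protocol names that can appear
NUM_COLUMNS = 4                  # assumption: pad the numeric columns to this many

class Flow(NamedTuple):
    day: str; date: str; time: str
    flag: str      # optional state letter such as "s"; "" when absent
    proto: str
    src: str; direction: str; dst: str
    counts: tuple  # trailing numeric columns; how many depends on proto
    state: str     # trailing word such as FIN or RST; "" when absent

def parse_space_line(line: str) -> Flow:
    """Field positions shift, so anchor on known tokens instead of indices."""
    f = line.split()
    day, date, time = f[:3]
    i, flag = 3, ""
    if f[i] not in PROTOS:       # the optional flag sits just before proto
        flag, i = f[i], i + 1
    proto, src, direction, dst = f[i:i + 4]
    rest = f[i + 4:]
    state = rest.pop() if rest and not rest[-1].isdigit() else ""
    return Flow(day, date, time, flag, proto, src, direction, dst,
                tuple(int(x) for x in rest), state)

def naive_proto(line: str) -> str:
    """What a fixed-index reader takes for the protocol: wrong when a flag is present."""
    return line.split()[3]

def to_fixed_record(flow: Flow, delim: str = "|") -> str:
    """Emit every column, empty when unused, so split(delim) always yields the same
    field count. The thread suggests ':' as delimiter, but ':' also occurs inside
    the time field, so '|' is used here to keep the time as one field."""
    counts = [str(c) for c in flow.counts]
    counts += [""] * (NUM_COLUMNS - len(counts))
    return delim.join([flow.day, flow.date, flow.time, flow.flag, flow.proto,
                       flow.src, flow.direction, flow.dst, *counts, flow.state])

def parse_fixed_record(record: str, delim: str = "|") -> Flow:
    """The inverse: every field has a fixed index, so no token sniffing is needed."""
    p = record.split(delim)
    counts = tuple(int(x) for x in p[8:8 + NUM_COLUMNS] if x)
    return Flow(*p[:8], counts, p[8 + NUM_COLUMNS])
```

Running parse_space_line over SAMPLE_LINES and then to_fixed_record gives records that all split into the same 13 fields, which is what a filter written against fixed indices needs.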