Argus Printf Statement

Russell Fulton r.fulton at auckland.ac.nz
Mon Jul 17 17:34:08 EDT 2000


On Mon, 17 Jul 2000 13:34:13 -0700 Chas DiFatta <chas at freeworks.com> 
wrote:

> Carter writes,
> 
> >    It seems that an Argus-1.0 question should be asked
> > again, and that is what should the default ra() ASCII
> > string be?  We all thought hard to get a default 80
> > character output string that looked OK and had what
> > was considered useful information.  And we introduced
> > the -W option for when there wasn't an 80 character
> > limit for the output device.
> 
> Maybe I'm a corner case, but I wouldn't place a priority
> on trying to fit the default output into 80 characters.
> Most of the time when I'm using xterm which is well over
> 80 chars, I use the -c option of ra which obviously
> blows the 80 char limit.  I'd vote to extend the default
> real estate.

Personally, I have not used an 80 column device for at least 10 years.
The biggest hassle I have now is that my mail editor insists on 
wrapping at column 72 which is a pain when I send argus records to 
ISPs.

I suggest we find something that works in less than 100 chars.

> 
> A long term thought that may be a big effort is to consider
> a set of formatted fields like date(1) for those who wish
> to roll their own.  I.e.
> 
> 	%S - source address
> 	%D - destination address
> 	%s - source port
> 	%d - dest port
> 	%_ - delimiter
> 
> ra -nS localhost -Z %S%_%s_%D_%d
> 128.1.1.1_2358_128.1.1.2_80
> 
> I wouldn't do this as an initial effort though.
> 

This is basically what I was proposing at the start of this thread. It 
does get messy because there are a lot of possible fields when the 
different record types are considered.  I suspect that we would need to 
go to two or three character codes, e.g.

%Tsu   -- Start time in UTC
%Tfl   -- Finish time in local TZ

%SP    -- Source peer address
%Sa    -- Source adjacent address (MAC)
%Sp    -- Source port address

%P {t, f}  Packets to and from
%B {t, f}  Bytes to and from

%Sx for various status info


As far as the default ASCII output goes the one thing I do want is to 
either move to an unambiguous date format (i.e. avoid British/American 
confusion) or have the ability to specify the default time format.

I have argus 1.8 patches to do this.

My patches also add another command line flag (-z, it was just about 
the only letter left ;-) which displays the state bits for TCP 
sessions, I would like this display option included in a future release 
too.  I find it more useful than the default which just displays the 
last state.

Cheers, Russell
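
Added example, not part of the original message and not Argus code: a bounded expander for the one-letter field codes proposed in the quoted text (%S, %D, %s, %d, %_), reproducing the sample output line from the thread. The `struct flow` layout, the `flow_format` name and the `delim` field are assumptions made for illustration; the user-supplied format is parsed by hand and never passed to printf() as a format string.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flow record; field names are assumptions, not Argus structures. */
struct flow {
    const char *saddr, *daddr;   /* addresses already rendered as text */
    unsigned    sport, dport;
    char        delim;           /* what %_ expands to */
};

/* Expand fmt into out. Returns the length written, or -1 on an unknown code,
 * a trailing '%', or output that does not fit in outsz bytes. The caller's
 * fmt is only ever read one character at a time, never used by printf(). */
int flow_format(const char *fmt, const struct flow *f, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        char field[64];
        int  n;
        if (*p != '%') {
            n = snprintf(field, sizeof field, "%c", *p);   /* literal text */
        } else {
            switch (*++p) {
            case 'S': n = snprintf(field, sizeof field, "%s", f->saddr); break;
            case 'D': n = snprintf(field, sizeof field, "%s", f->daddr); break;
            case 's': n = snprintf(field, sizeof field, "%u", f->sport); break;
            case 'd': n = snprintf(field, sizeof field, "%u", f->dport); break;
            case '_': n = snprintf(field, sizeof field, "%c", f->delim); break;
            case '%': n = snprintf(field, sizeof field, "%%"); break;
            default:  return -1;  /* unknown code, or '%' at end of string */
            }
        }
        if (n < 0 || (size_t)n >= sizeof field || used + (size_t)n >= outsz)
            return -1;            /* field or whole line would be truncated */
        memcpy(out + used, field, (size_t)n);
        used += (size_t)n;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample record using the addresses from the thread. */
    struct flow f = { "128.1.1.1", "128.1.1.2", 2358, 80, '_' };
    char line[100];
    if (flow_format("%S%_%s_%D_%d", &f, line, sizeof line) >= 0) puts(line);
    return 0;
}
```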


