Argus Printf Statement
Russell Fulton
r.fulton at auckland.ac.nz
Mon Jul 17 17:34:08 EDT 2000
On Mon, 17 Jul 2000 13:34:13 -0700 Chas DiFatta <chas at freeworks.com>
wrote:
> Carter writes,
>
> > It seems that an Argus-1.0 question should be asked
> > again, and that is what should the default ra() ASCII
> > string be? We all thought hard to get a default 80
> > character output string that looked OK and had what
> > was considered useful information. And we introduced
> > the -W option for when there wasn't an 80 character
> > limit for the output device.
>
> Maybe I'm a corner case, but I wouldn't place a priority
> on trying to fit the default output into 80 characters.
> Most of the time when I'm using xterm which is well over
> 80 chars, I use the -c option of ra which obviously
> blows the 80 char limit. I'd vote to extend the default
> real estate.
Personally, I have not used an 80 column device for at least 10 years.
The biggest hassle I have now is that my mail editor insists on
wrapping at column 72 which is a pain when I send argus records to
ISPs.
I suggest we find something that works in less than 100 chars.
>
> A long term thought that may be a big effort is to consider
> a set of formatted fields like date(1) for those who wish
> to roll their own. I.e.
>
> %S - source address
> %D - destination address
> %s - source port
> %d - dest port
> %_ - delimiter
>
> ra -nS localhost -Z %S%_%s_%D_%d
> 128.1.1.1_2358_128.1.1.2_80
>
> I wouldn't do this as an initial effort though.
>
This is basically what I was proposing at the start of this thread. It
does get messy because there are a lot of possible fields when the
different record types are considered. I suspect that we would need to
go to two or three character codes, e.g.
%Tsu -- Start time in UTC
%Tfl -- Finish time in local TZ
%SP -- Source peer address
%Sa -- Source adjacent address (MAC)
%Sp -- Source port address
%P {t, f} Packets to and from
%B {t, f} Bytes to and from
%Sx for various status info
As far as the default ASCII output goes, the one thing I do want is to
either move to an unambiguous date format (i.e. avoid British/American
confusion) or have the ability to specify the default time format.
I have argus 1.8 patches to do this.
My patches also add another command line flag (-z, it was just about
the only letter left ;-) which displays the state bits for TCP
sessions; I would like this display option included in future releases
too. I find it more useful than the default which just displays the
last state.
Cheers, Russell
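As an added illustration of the format-code scheme discussed in this thread (example code, not ra's own output code nor any patch mentioned above): a small Python formatter that expands the one-, two- and three-character codes on a constructed flow record, picking the longest matching code at each `%` so `%Sa` is not misread as `%S` plus a literal `a`, and emitting a year-first timestamp for `%Tsu`/`%Tfl` so day and month cannot be confused. `FlowRecord`, `format_record`, the sample record and its MAC and time values are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class FlowRecord:          # hypothetical stand-in for one argus flow record
    start: datetime        # timezone-aware
    finish: datetime       # timezone-aware
    saddr: str
    daddr: str
    sport: int
    dport: int
    smac: str              # adjacent (MAC) address of the source

ISO = "%Y-%m-%dT%H:%M:%S"  # year-first, so day and month cannot be swapped

# Codes proposed in the thread; each maps to a function of (record, local_tz).
CODES = {
    "S":   lambda r, tz: r.saddr,
    "D":   lambda r, tz: r.daddr,
    "s":   lambda r, tz: str(r.sport),
    "d":   lambda r, tz: str(r.dport),
    "Sa":  lambda r, tz: r.smac,
    "Sp":  lambda r, tz: str(r.sport),
    "Tsu": lambda r, tz: r.start.astimezone(timezone.utc).strftime(ISO) + "Z",
    "Tfl": lambda r, tz: r.finish.astimezone(tz).strftime(ISO + "%z"),
}

def format_record(fmt, rec, delim="_", local_tz=None):
    """Expand fmt for rec. At each '%' the longest matching code wins, so
    '%Sa' is never read as '%S' plus a literal 'a'; '%_' emits delim."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] != "%":
            out.append(fmt[i]); i += 1; continue
        if fmt.startswith("%_", i):
            out.append(delim); i += 2; continue
        for n in (3, 2, 1):                      # longest match first
            code = fmt[i + 1:i + 1 + n]
            if code in CODES:
                out.append(CODES[code](rec, local_tz)); i += 1 + n; break
        else:
            raise ValueError(f"unknown format code near {fmt[i:i + 4]!r}")
    return "".join(out)

# Constructed sample record; addresses are the ones in Carter's example.
NZST = timezone(timedelta(hours=12))
SAMPLE = FlowRecord(datetime(2000, 7, 17, 21, 34, 8, tzinfo=timezone.utc),
                    datetime(2000, 7, 17, 21, 34, 13, tzinfo=timezone.utc),
                    "128.1.1.1", "128.1.1.2", 2358, 80, "00:00:5e:00:53:01")
```

With the constructed record, `format_record("%S%_%s_%D_%d", SAMPLE)` reproduces the line from Carter's example, and an unknown code raises `ValueError` instead of silently printing garbage.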