delimited fields

[Russell Fulton]

On Tue, 24 Oct 2000 14:23:29 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    The reason we fuse the port with the address right now
> is so that we end up with the same number of columns regardless
> of whether the protocol is TCP/UDP or not.
> 
>    We could use something other than '.' between the addr
> and the port, so you can still separate the two easily but
> still get the same column count (based on the general field
> delimiter).  Say a ':' or '_' may work?
>   

That would help,  it would certainly make the spit cheaper.  However I 
would perfer to have empty fields i.e. contiguous delimiters for non 
tcp/udp traffic.  Remember the delimited format is designed to be read 
by programs and not people.  I would not mind if we actually had 
different field lists for the different records -- man is already a 
problem ;-)

so in perl speak:

    ($timestamp, $type, $rest) = split("\t", $_, 3);  # split into 3 
                                                      #  fields

    if( $type eq 'tcp' or $type eq 'udp') {
        ($src, $srcp, $dir, $dst, $dstp, $tp, $fp, $tb, $fb, $status) = 
			split("\t", $rest);
    } elsif( $type eq 'icmp' ) {
        ($src, $dir, $dst, $status, $tp, $fp, $tb, $fb, $text, $status )
			 = split("\t", $rest);
    }


Hmmmm... what do you do about things like ICMP URH where the old format 
gave a text message with the Host IP that was unreachable, not to 
mention 'frag' reports?

Cheers, Russell.