delimited fields

Carter Bullard carter at qosient.com
Tue Oct 24 17:09:44 EDT 2000 

Hey Russell,
   So, right now, when we print out the unreachable port
numbers (using the -R option (response data)) you'll
still see the same column number.  We print the two
text fields in the Src and Dst Byte fields.

   Frag reports still need to be implemented but they
were going to also have the same number of columns of
whatever.

   So with the FIELD_DELIMITER support we can do what
you suggest, however the default "pretty" output,
will end up with unbalanced output.  Do we want to
consider the "pretty" output as an exception?

Carter


-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Tuesday, October 24, 2000 4:20 PM
To: argus at lists.andrew.cmu.edu
Subject: Re: RE: delimited fields



On Tue, 24 Oct 2000 14:23:29 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    The reason we fuse the port with the address right now
> is so that we end up with the same number of columns regardless
> of whether the protocol is TCP/UDP or not.
> 
>    We could use something other than '.' between the addr
> and the port, so you can still separate the two easily but
> still get the same column count (based on the general field
> delimiter).  Say a ':' or '_' may work?
>   

That would help,  it would certainly make the spit cheaper.  However I 
would perfer to have empty fields i.e. contiguous delimiters for non 
tcp/udp traffic.  Remember the delimited format is designed to be read 
by programs and not people.  I would not mind if we actually had 
different field lists for the different records -- man is already a 
problem ;-)

so in perl speak:

    ($timestamp, $type, $rest) = split("\t", $_, 3);  # split into 3 
                                                      #  fields

    if( $type eq 'tcp' or $type eq 'udp') {
        ($src, $srcp, $dir, $dst, $dstp, $tp, $fp, $tb, $fb, $status) = 
			split("\t", $rest);
    } elsif( $type eq 'icmp' ) {
        ($src, $dir, $dst, $status, $tp, $fp, $tb, $fb, $text, $status )
			 = split("\t", $rest);
    }


Hmmmm... what do you do about things like ICMP URH where the old format 
gave a text message with the Host IP that was unreachable, not to 
mention 'frag' reports?

Cheers, Russell.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20001024/f74b851a/attachment.html>

More information about the argus mailing list