ra/ragator output issue with argus-clients-2.0.6.beta.37

[Peter Van Epp]

On Tue, Dec 17, 2002 at 10:31:09AM -0800, Mike Iglesias wrote:
> The default ra/ragator output has a field called "Flgs" after
> the date/time.  This field can be blank, which makes it hard to use
> perl's "split" function on it without checking to see if the
> flags field is blank and adjusting things accordingly.  If nothing
> is going to be printed in that field, can something like "-" be
> generated so split will work?
> 
> Here's an example of ra output:
> 
> 16 Dec 02 23:55:46           udp aaa.bbb.ccc.ddd.138    -> eee.fff.ggg.hhh.138   4        0         996          0           INT
> 
> What I would like to see:
> 
> 16 Dec 02 23:55:46 -          udp aaa.bbb.ccc.ddd.138    -> eee.fff.ggg.hhh.138   4        0         996          0           INT
> 
> 
> Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069

Mike:
	The solution to this is to put 

RA_FIELD_DELIMITER='\t'

in the ra.conf file and then do the split based on /\t/ rather than ' '. That
way the blank field will get seperated as a blank if it isn't present. For
example (with an end time also selected):

        ( $date, $e_timestmp, $flag, $type, $src_ip,  $src_port, $mid_flag,
          $dst_ip, $dst_port, $src_pkt, $dst_pkt, $src_bytes, $dst_bytes, $end_f
lag) = split(/\t/, $_);

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada