playing with rastrip

[Carter Bullard]

Hey Russell,
  Thanks, good to see that it helps.

  The -z option doesn't take an argument like the -Z option does,
so it assumes that the -zb is -z and -b, the -b being dump the
filter expression pseudo-code.  You should use just -z.
I'm not sure how I could make it so that -zb is tolerated.

  I'm working on a Huffman encoded compression strategy that
could really bring the numbers down, but it means creating a
whole new set of Data Specific Records (DSR) types, so it may
take a while.  The idea is to build a Huffman Code for, say,
the IP Addresses in a file, put the code in the front, and then
replace the addresses.  Since the flow descriptor is upto 50%
of the record, we can really save a lot of space, here.

What do you think?


Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Tuesday, November 05, 2002 4:31 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: playing with rastrip
> 
> 
> Hi All,  Finally getting to have a play with the new clients.  I have
> been playing with rastrip and working out just what is included by
> default. rastrip.out.gz is the output from rastrip run without any
> flags, when I run ra on this file with -Zb (print TCP flags) it works
> fine but with nothing in the status field for tcp session 
> (that's fine),
> when I use -zb (print tcp states) I get:
> 
> rful011 at ruru:/home/argus$ bin/ra -AIncr rastrip.out.gz -zb       
> (000) ret      #96
> 
> I don't think this is what was intended ;-)
> 
> BTW rastrip reduced the size of the compressed argus output by around
> 45% and seems to have all the stuff I really want for long term
> archiving.  
> 
> Thanks Carter!!!
> 
> -- 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> "It aint necessarily so"  - Gershwin
> 
>