ra() field printing in argus-clients-2.0.6

Carter Bullard carter at qosient.com
Tue Oct 29 19:12:27 EST 2002 

Gentle people,
This is a note on the flexible field printing features
in argus-clients-2.0.6.  ra* programs now have command-line
and .rarc based arbitrary field printing, ra(), by default,
prints out the same 11 fields as previous versions, but
now you can add to, subtract from, or completely replace the
default output with any field, in any order.

On the command line, this is done with the -s option.
Here is the man page description of the -s option.

 -s <[-][[+[#]]field ...> -
     Specify the fields to print.  Ra uses a default 
     printing field list, by specifying a field you can
     replace this list completely, or you can modify
     the existing default print list, using the optional '-'
     and '+[#]' form of the command.  The available
     fields to print are:
 
        startime, lasttime, count, dur, avgdur,
        saddr, daddr, proto, sport, dport, ipid,
        stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
        pkts, spkts, dpkts, load, loss, rate,
        srcid, ind, mac, smac, dmac, dir, jitter, status,
        user, win, trans, seq, vlan, mpls
 
        Examles are:
          -s saddr      print only the source address.
          -s -bytes     removes the bytes field from list.
          -s +2srcid    adds MAC addresses as the 2nd field.
          -s mac pkts   prints MAC addresses and src and
                        dst pkt counts.

Providing a +field, without a column indication will
cause the field to be added to the current end of the list.

Because of the limitations of getopt(), if you use the
-field form, you must have a "-s" foreach field, if not
you can list as many as you like.  Examples are:

ra -p0 -s -bytes -s -status -s -pkts -r /tmp/argus.out
  StartTime      Flgs   Type     SrcAddr      Sport Dir     DstAddr
Dport 
10/25.06:59:56           tcp   192.168.0.128.36885   ->
192.168.0.162.monito

ra -s lasttime dur jitter -r /tmp/argus.out | head
       LastTime             Dur         SrcJitter    DstJitter  
10/25.07:00:01.155860        4.993914   1878.722     1878.725

ra -s pkts lasttime -r /tmp/argus.out | head

SrcPkt   DstPkt           LastTime       
5        5         10/25.07:00:01.155860


In the rarc file, there is a new configuration variable,
RA_FIELD_SPECIFIER, which has the same format as the command line,
but you don't have to worry about the -s flag.

RA_FIELD_SPECIFIER="-bytes -status -pkts"
RA_FIELD_SPECIFIER="startime stos sttl saddr daddr sbytes"
RA_FIELD_SPECIFIER="pkts lasttime"

If you haven't gotten the latest version, here it is:
ftp://qosient.com/dev/argus-2.0/argus-clients-2.0.6.beta.34.tar.gz

Please give this feature a run, and if you have any comments/opinions/
attitudes/whatevers, just send mail!

Carter

More information about the argus mailing list