Timeranges

Carter Bullard carter at qosient.com
Fri Feb 13 11:04:29 EST 2004


Hey Andrew,
  Sorry you're having some trouble.  The time range filters may
help but Mark is right, you'll need a specific program to do
what you really want.  I have something in the 'non open source'
threads of software that splits files on hard time boundaries.
If you're interested, send me some mail.  If anyone is interested,
send me some mail.  It's probably time to start using this software,
so if anyone is interested in checking out the 'private reserve'
software, send mail.

  There are some issues related to matching against a time range.
Argus supports by default 'span' matching which is:

  "any record that starts or ends during the time period or completely
       spans the specified time period"

The time range filter also supports two undocumented modes:
inclusive and exclusive.

Inclusive is:
  "any record that includes the time range in its timerange"

Exclusive is:
  "only records that start and stop within this timerange"

You specify these other modes by prepending the filter with
an 'i' or 'x'.  These are designed to help you find the potential
parent or children of specific flows.  So examples are:

   -t x2004/01/21.10-11

will give you records that start and stop during 10-11.

   -t i2004/01/21.10-11

will give you records that started before 10am and ended after
11am.

Many sites split files on an hourly basis.  In most sites that I
work in, we split files on 5-15m boundaries, as searching through
files is a bit of a nuisance when the files are 1-2 GB in size.


Carter
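The three matching modes described above, worked through as an added example. This is not code from the original post or from argus itself; it models `-t` specs of the form shown in the message (optional `i`/`x` prefix, then `yyyy/mm/dd.HH-HH`), with the assumptions that hours are whole, that the window is half-open (`start <= t < end`), and that an end hour of 24 means the following midnight. The flow records are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Spec grammar assumed for this example: optional 'i' or 'x' prefix,
# then yyyy/mm/dd.HH-HH (whole hours; 24 means the next midnight).
SPEC_RE = re.compile(r"^([ix]?)(\d{4})/(\d{2})/(\d{2})\.(\d{1,2})-(\d{1,2})$")


def parse_spec(spec):
    """Return (mode, window_start, window_end) for a -t style spec.

    mode is 's' (span, the default), 'i' (inclusive) or 'x' (exclusive).
    """
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("bad time range spec: %r" % spec)
    mode, y, mo, d, h1, h2 = m.groups()
    day = datetime(int(y), int(mo), int(d))
    start = day + timedelta(hours=int(h1))
    end = day + timedelta(hours=int(h2))
    if not start < end:
        raise ValueError("empty time range: %r" % spec)
    return (mode or "s"), start, end


def matches(rec_start, rec_stop, mode, start, end):
    """Apply one matching mode to a single flow record.

    The window is treated as half-open [start, end): a timestamp t is
    'during' the window when start <= t < end (an assumption of this
    example, not something the thread states).
    """
    if mode == "x":
        # exclusive: the record starts and stops inside the window
        return start <= rec_start < end and start <= rec_stop < end
    if mode == "i":
        # inclusive: the record's own time range covers the whole window
        return rec_start <= start and rec_stop >= end
    # span (default): starts during, ends during, or completely spans
    # the window; taken together that is simply "any overlap"
    return rec_start < end and rec_stop >= start


def select(records, spec):
    """Return the names of the records matching spec, in input order."""
    mode, start, end = parse_spec(spec)
    return [name for name, rs, rstop in records
            if matches(rs, rstop, mode, start, end)]


def sample_records():
    """Constructed flow records for 2004/01/21 (name, start, stop)."""
    day = datetime(2004, 1, 21)

    def at(h, m=0):
        return day + timedelta(hours=h, minutes=m)

    return [
        ("A", at(9, 30), at(10, 30)),   # starts before 10, ends during 10-11
        ("B", at(10, 15), at(10, 45)),  # entirely inside 10-11
        ("C", at(10, 50), at(11, 20)),  # starts during 10-11, ends after
        ("D", at(9), at(12)),           # completely spans 10-11
        ("E", at(8), at(9)),            # no overlap with 10-11
        ("F", at(11), at(11, 30)),      # starts exactly at the window end
        ("G", at(11, 45), at(12, 15)),  # crosses the noon boundary
    ]


if __name__ == "__main__":
    recs = sample_records()
    for spec in ("2004/01/21.10-11", "x2004/01/21.10-11", "i2004/01/21.10-11",
                 "2004/01/21.0-12", "2004/01/21.12-24"):
        print("%-20s -> %s" % (spec, " ".join(select(recs, spec))))
```

Running the default span mode with `2004/01/21.0-12` and `2004/01/21.12-24` shows why a filter alone does not give a clean 12-hour split: records D and G, which touch the noon boundary, are selected by both halves, so the two outputs overlap rather than partition the day. A program that cuts on hard time boundaries has to decide what to do with such records.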




-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Andrew Pollock
Sent: Tuesday, February 10, 2004 8:47 PM
To: argus-info at lists.andrew.cmu.edu
Subject: Timeranges

Hi,

Can anyone give me a clue as to how to specify a timerange of the first and
last 12 hours of a given day?

I currently split my Argus logs on a 24 hour day basis, however they're now
too large to fit on a CD bzipped, so I'm going to have to split them on a 12
hour basis :-(

Andrew
