Dumping user fields with defined byte-sizes (rc4/rc5)

Brian M. Zeigler bzeigler at andrew.cmu.edu
Fri Jun 9 08:29:52 EDT 2006


Scott,

It appears that the syntax has changed slightly in argus-3.

The following command works for me in release candidate 3:
ra -S localhost -s +suser:128 +duser:128

Hope this helps.

--Brian


Scott A. McIntyre wrote:
>
> Hi,
>
> In argus-2, I could:
>
> ra -s +user -n -d128 -r /var/log/argus/argus.log
>
> To get the first 128 bytes of captured user flow data.
>
> The same does not work in argus-3:
>
> /usr/local/argus3/bin/ra -n -n -s +user -d128 -r argus.out
>
> (Yes, that argus.out file is version 3)...
>
> That generates the -h output, prefaced by:
>
> Ra Version 3.0.0.rc.4
> usage: ra
> usage: ra [options] -S remoteServer [- filter-expression]
> usage: ra [options] -r argusDataFile [- filter-expression]
>
> If I add a space after the d:
>
> /usr/local/argus3/bin/ra -n -n -s +user -d 128 -r argus.out
> ra[9205]: 06-09-06 14:18:57.993138 128 filter syntax error
>
> And if I remove the -d entirely, it works, but only the first 16 bytes 
> are output by default. ra usage implies it should work:
>
> -d <bytes> print number of <bytes> from user data capture buffer.
> format: num | s<num> | d<num> | s<num>:d<num>
>
>
> Am I missing something new in argus-3?
>
> Thanks,
>
> Scott
>
>
>


