Dumping user fields with defined byte-sizes (rc4/rc5)

Robin Gruyters r.gruyters at yirdis.nl
Fri Jun 9 08:47:01 EDT 2006


Works for me as well.
I have checked the manual and it doesn't contain the "-d" option  
anymore, but it tells you more about the "-s" option:

[...]
-s <[-][[+[#]]field[:len] ...>
[...]

Regards,

Robin

Quoting "Brian M. Zeigler" <bzeigler at andrew.cmu.edu>:

> Scott,
>
> It appears that the syntax has changed slightly in argus-3.
>
> The following command works for me in release candidate 3:
> ra -S localhost -s +suser:128 +duser:128
>
> Hope this helps.
>
> --Brian
>
>
> Scott A. McIntyre wrote:
>>
>> Hi,
>>
>> In argus-2, I could:
>>
>> ra -s +user -n -d128 -r /var/log/argus/argus.log
>>
>> To get the first 128 bytes of captured user flow data.
>>
>> The same does not work in argus-3:
>>
>> /usr/local/argus3/bin/ra -n -n -s +user -d128 -r argus.out
>>
>> (Yes, that argus.out file is version 3)...
>>
>> That generates the -h output, prefaced by:
>>
>> Ra Version 3.0.0.rc.4
>> usage: ra
>> usage: ra [options] -S remoteServer [- filter-expression]
>> usage: ra [options] -r argusDataFile [- filter-expression]
>>
>> If I add a space after the d:
>>
>> /usr/local/argus3/bin/ra -n -n -s +user -d 128 -r argus.out
>> ra[9205]: 06-09-06 14:18:57.993138 128 filter syntax error
>>
>> And if I remove the -d entirely, it works, but only the first 16   
>> bytes are output by default. ra usage implies it should work:
>>
>> -d <bytes> print number of <bytes> from user data capture buffer.
>> format: num | s<num> | d<num> | s<num>:d<num>
>>
>>
>> Am I missing something new in argus-3?
>>
>> Thanks,
>>
>> Scott
>>
>>
>>
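As an added illustration (not code from this thread or from argus itself), a small Python parser for the `-s` field grammar quoted from the manual above, applied to a constructed default column list so the effect of `+`, `+#`, `-` and `:len` tokens such as `+suser:128 +duser:128` can be checked; the default column set, the USER_FIELDS set and the handling of bare fields mixed with +/- tokens are assumptions, while the 16-byte fallback is the default reported in the thread.

```python
import re
# Grammar quoted from the ra manual in this thread: -s <[-][[+[#]]field[:len] ...>
# A token is "-" (drop column), "+" (append) or "+#" (insert at #), then a
# field name and an optional ":len" byte width for user-data columns.
TOKEN = re.compile(
    r"^(?:(?P<drop>-)|(?P<add>\+)(?P<pos>\d+)?)?"
    r"(?P<field>[A-Za-z_]\w*)(?::(?P<len>\d+))?$"
)
USER_FIELDS = {"user", "suser", "duser"}
DEFAULT_USER_BYTES = 16  # the thread reports 16 bytes of user data by default
# Constructed sample of default output columns (an assumption, not ra's real list)
DEFAULT_COLUMNS = [("stime", None), ("proto", None), ("saddr", None), ("daddr", None)]

def parse_field_spec(spec):
    """Parse a -s argument into (op, pos, field, width) tuples; raise on bad tokens."""
    ops = []
    for tok in spec.split():
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad -s field token: {tok!r}")
        pos = int(m.group("pos")) if m.group("pos") is not None else None
        if m.group("drop"):
            op = "drop"
        elif m.group("add"):
            op = "append" if pos is None else "insert"
        else:
            op = "set"  # bare field name with no prefix
        width = int(m.group("len")) if m.group("len") is not None else None
        ops.append((op, pos, m.group("field"), width))
    return ops

def _column(field, width):
    # User-data columns fall back to the 16-byte default when no :len is given
    if width is None and field in USER_FIELDS:
        width = DEFAULT_USER_BYTES
    return (field, width)

def apply_field_spec(defaults, spec):
    """Compute the resulting output columns as (field, width) pairs."""
    ops = parse_field_spec(spec)
    if all(op == "set" for op, *_ in ops):
        return [_column(f, w) for _, _, f, w in ops]  # no +/-: replaces defaults
    cols = list(defaults)
    for op, pos, field, width in ops:
        if op == "drop":
            cols = [c for c in cols if c[0] != field]
        elif op == "insert":
            cols.insert(pos, _column(field, width))
        else:  # "append", or (assumption) a bare field mixed with +/- tokens
            cols.append(_column(field, width))
    return cols
```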