MAC addresses and ra timestamps

Carter Bullard carter at qosient.com
Fri Nov 3 10:46:41 EST 2006 

Going back through the mailing list to make sure we're catching things:

Hey Peter, so what's the bug you mention below?   Is there something
that I need to do with the man pages?

Carter


On Oct 18, 2006, at 11:34 AM, Peter Van Epp wrote:

> On Tue, Oct 17, 2006 at 08:05:22PM +0100, poncenby smythe wrote:
>> list,
>>
>> i have a pcap file in which i can clearly see mac addresses for each
>> endpoint.
>> i run this command:
>>
>> argus -r dump.pcap -w dump.data
>>
>> then run this command to see the normal ra output but with mac
>> addresses also:
>>
>> ./ra -r argus.data -s +smac +dmac
>>
>> no MAC fields are appended to the output, i've tried it printing just
>> the smac and dmac pair and nothing is printed at all.
>>
>> a separate issue....
>>
>> could someone tell me how to manipulate the stime and ltime fields,
>> so I can get the date as well as the time.
>> i've read the man pages, honest!
>>
>> many thanks in advance
>>
>> On 17 Oct 2006, at 06:58, CS Lee wrote:
>>
>
> 	You just weren't reading the correct man page (which I think is a  
> bug by the way) :-). The non obvious secret is in
> the rarc man page which refers you to strftime()
>
> %ra3 -r icmp3.argus -n | more
>     11:20:28.911941  v         icmp      142.58.201.99           - 
> >     142.58.201.254               1        0          102
>     0   ECO
>     11:20:28.911946  v         icmp      142.58.201.99           - 
> >     142.58.201.254               1        0          102
>     0   ECO
>     11:20:28.911951  v         icmp      142.58.201.99           - 
> >     142.58.201.254               1        0          102
>     0   ECO
>
> %cat ra3.conf.t
> RA_PRINT_LABELS=0
> RA_FIELD_DELIMITER=','
> RA_PRINT_NAMES=proto
> RA_TIME_FORMAT="%y-%m-%d %T"
> RA_PRINT_DURATION=no
> RA_PRINT_LASTIME=yes
>
> which I think gives what you want (or at least on form of it):
>
> %ra3 -F ra3.conf.t -r icmp3.argus | more
> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,S 
> rcBytes,DstBytes,State
> 06-06-27 11:20:28.911941, v       ,icmp,142.58.201.99,,->, 
> 142.58.201.254,,1,0,102,0,ECO
> 06-06-27 11:20:28.911946, v       ,icmp,142.58.201.99,,->, 
> 142.58.201.254,,1,0,102,0,ECO
> 06-06-27 11:20:28.911951, v       ,icmp,142.58.201.99,,->, 
> 142.58.201.254,,1,0,102,0,ECO
>
> 	The secret isn't localtime but rather strftime() (which I think we  
> should add
> to the ra man page) which has the time formatting fields (and I  
> just had to
> struggle to figure out where I found them the last time I did  
> this :-)).
>
> from the rarc man page
>
> RA_TIME_FORMAT
>        For ra() like clients, this variable is used to override the  
> time  for-
>        mat of the timestamp.  This string must conform to the  
> format specified
>        in strftime().  Malformed strings can  generate  fatal   
> errors,  so  be
>        careful with this one.
>
>        RA_TIME_FORMAT="%y-%m-%d %T"
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20061103/cc29faa5/attachment.html>

More information about the argus mailing list