MAC addresses and ra timestamps
Carter Bullard
carter at qosient.com
Fri Nov 3 11:21:06 EST 2006
Got it. The whole blurb in the ra.1 man page on this is/was wrong, so I
updated it. Thanks!!!
Carter
On Nov 3, 2006, at 11:11 AM, Peter Van Epp wrote:
> Yes, I think we should replace the reference to localtime() in the
> ra man page with strftime(), as strftime() has the format needed to change
> the output format, where localtime() (at least on FreeBSD) only talks about
> time zone changes and has no reference to strftime() to point you in the
> right direction for changing the output format. I've been meaning to provide
> a patch but I haven't had time :-)
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> On Fri, Nov 03, 2006 at 10:46:41AM -0500, Carter Bullard wrote:
>> Going back through the mailing list to make sure we're catching
>> things:
>>
>> Hey Peter, so what's the bug you mention below? Is there something
>> that I need to do with the man pages?
>>
>> Carter
>>
>>
>> On Oct 18, 2006, at 11:34 AM, Peter Van Epp wrote:
>>
>>> On Tue, Oct 17, 2006 at 08:05:22PM +0100, poncenby smythe wrote:
>>>> list,
>>>>
>>>> I have a pcap file in which I can clearly see MAC addresses for each
>>>> endpoint.
>>>> I run this command:
>>>>
>>>> argus -r dump.pcap -w dump.data
>>>>
>>>> then run this command to see the normal ra output but with MAC
>>>> addresses also:
>>>>
>>>> ./ra -r argus.data -s +smac +dmac
>>>>
>>>> No MAC fields are appended to the output. I've tried printing just
>>>> the smac and dmac pair and nothing is printed at all.
>>>>
>>>> a separate issue....
>>>>
>>>> Could someone tell me how to manipulate the stime and ltime fields,
>>>> so I can get the date as well as the time?
>>>> I've read the man pages, honest!
>>>>
>>>> many thanks in advance
>>>>
>>>> On 17 Oct 2006, at 06:58, CS Lee wrote:
>>>>
>>>
>>> You just weren't reading the correct man page (which I think is a
>>> bug by the way) :-). The non-obvious secret is in the rarc man page,
>>> which refers you to strftime().
>>>
>>> %ra3 -r icmp3.argus -n | more
>>> 11:20:28.911941 v icmp 142.58.201.99 -> 142.58.201.254 1 0 102 0 ECO
>>> 11:20:28.911946 v icmp 142.58.201.99 -> 142.58.201.254 1 0 102 0 ECO
>>> 11:20:28.911951 v icmp 142.58.201.99 -> 142.58.201.254 1 0 102 0 ECO
>>>
>>> %cat ra3.conf.t
>>> RA_PRINT_LABELS=0
>>> RA_FIELD_DELIMITER=','
>>> RA_PRINT_NAMES=proto
>>> RA_TIME_FORMAT="%y-%m-%d %T"
>>> RA_PRINT_DURATION=no
>>> RA_PRINT_LASTIME=yes
>>>
>>> which I think gives what you want (or at least one form of it):
>>>
>>> %ra3 -F ra3.conf.t -r icmp3.argus | more
>>> StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes,State
>>> 06-06-27 11:20:28.911941, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
>>> 06-06-27 11:20:28.911946, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
>>> 06-06-27 11:20:28.911951, v ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
>>>
>>> The secret isn't localtime() but rather strftime() (which I think we
>>> should add to the ra man page), which has the time formatting fields
>>> (and I just had to struggle to figure out where I found them the last
>>> time I did this :-)).
>>>
>>> From the rarc man page:
>>>
>>> RA_TIME_FORMAT
>>>        For ra() like clients, this variable is used to override the time
>>>        format of the timestamp. This string must conform to the format
>>>        specified in strftime(). Malformed strings can generate fatal
>>>        errors, so be careful with this one.
>>>
>>> RA_TIME_FORMAT="%y-%m-%d %T"
>>>
>>> Peter Van Epp / Operations and Technical Support
>>> Simon Fraser University, Burnaby, B.C. Canada
>>>
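An added example in C, not code from this thread or from argus/ra itself: it reproduces what the quoted rarc setting does (strftime() renders the seconds, then ra appends the microseconds) and adds a simple pre-check for the man page's "malformed strings" warning. Assumptions: UTC via gmtime() so the output does not depend on the host time zone (ra prints local time), the function names, and the sample timestamp taken from the first record in Peter's output.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not argus/ra source: render a flow timestamp the way the
 * thread describes ra(1) doing it with RA_TIME_FORMAT set in rarc, i.e.
 * strftime() for the seconds, microseconds appended. gmtime() (UTC) keeps
 * the result independent of the host time zone; ra prints local time.
 * Returns 0 on success, -1 if strftime() rejects fmt or out is too small. */
int ra_format_time(char *out, size_t outlen, const char *fmt,
                   time_t sec, long usec)
{
    struct tm *tm = gmtime(&sec);
    char secs[128];
    /* strftime() returns 0 on overflow or when it produces nothing */
    if (tm == NULL || strftime(secs, sizeof secs, fmt, tm) == 0)
        return -1;
    if (snprintf(out, outlen, "%s.%06ld", secs, usec) >= (int)outlen)
        return -1;
    return 0;
}

/* rarc warns that a malformed RA_TIME_FORMAT can be fatal. Constructed
 * pre-check (not in rarc): reject a trailing '%' or a conversion that
 * C99 strftime() does not define. Returns 1 if fmt looks safe, else 0. */
int ra_time_format_ok(const char *fmt)
{
    static const char conv[] = "aAbBcCdDeFgGhHIjmMnprRStTuUVwWxXyYzZ%";
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == 'E' || *p == 'O')   /* locale modifiers take one more char */
            p++;
        if (*p == '\0' || strchr(conv, *p) == NULL)
            return 0;
    }
    return 1;
}

/* Constructed sample: the first record in Peter's output, 2006-06-27
 * 11:20:28.911941, taken as UTC. Returns 1 if fmt renders it as expected. */
int sample_renders_as(const char *fmt, const char *expected)
{
    char buf[64];
    if (!ra_time_format_ok(fmt) ||
        ra_format_time(buf, sizeof buf, fmt, (time_t)1151407228, 911941L) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```

With "%T" the sample renders as the default-looking "11:20:28.911941"; with the thread's "%y-%m-%d %T" it renders as "06-06-27 11:20:28.911941".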