MAC addresses and ra timestamps
Carter Bullard
carter at qosient.com
Tue Oct 17 15:21:10 EDT 2006
Hey Poncenby,
Argus does not include MAC addresses by default; you have to use the
"-m" option on the command line or specify it in the argus.conf file.
Time formats are defined in the .rarc file that you should have in your home
directory. Use strftime strings to format the time.
Carter
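The two fixes from the reply, put together as an added example (not from the thread or the argus project): argus is run with "-m" so MAC data is recorded, ra prints smac/dmac, and a private rarc supplies a strftime format that carries the date. The rarc variable RA_TIME_FORMAT and the "ra -F <rarc>" option come from ra's own configuration conventions as I know them, not from the post, and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Assumes argus and
# ra are installed; RA_TIME_FORMAT and "ra -F" are assumed from ra's rarc
# conventions. PCAP and FLOWS are placeholder file names.
set -eu

PCAP=${1:-dump.pcap}      # input capture
FLOWS=${2:-dump.argus}    # argus flow records written from it

# Write a minimal rarc whose time format includes the date as well as
# the time of day (strftime conversion specs, as the reply says).
write_rarc() {
    cat > "$1" <<'EOF'
RA_TIME_FORMAT="%Y-%m-%d %H:%M:%S.%f"
EOF
    echo "$1"
}

# argus only records MAC addresses when asked: "-m" on the command
# line (or the equivalent setting in argus.conf).
record_flows() {
    argus -m -r "$1" -w "$2"
}

# ra appends smac/dmac to its default fields; "-F" points it at the
# rarc written above instead of ~/.rarc.
show_flows() {
    ra -F "$1" -r "$2" -s +smac +dmac
}

main() {
    rarc=$(write_rarc "$(mktemp)")
    record_flows "$PCAP" "$FLOWS"
    show_flows "$rarc" "$FLOWS"
}

# Run the pipeline only when both tools are present on this host.
if command -v argus >/dev/null 2>&1 && command -v ra >/dev/null 2>&1; then
    main
fi
```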
poncenby smythe wrote:
> list,
>
> I have a pcap file in which I can clearly see MAC addresses for each
> endpoint.
> I run this command:
>
> argus -r dump.pcap -w dump.data
>
> then run this command to see the normal ra output but with mac
> addresses also:
>
> ./ra -r argus.data -s +smac +dmac
>
> No MAC fields are appended to the output; I've tried printing just
> the smac and dmac pair and nothing is printed at all.
>
> A separate issue....
>
> Could someone tell me how to manipulate the stime and ltime fields
> so I can get the date as well as the time?
> I've read the man pages, honest!
>
> Many thanks in advance.
>
> On 17 Oct 2006, at 06:58, CS Lee wrote:
>
>> Hey all,
>>
>> I would like to use racount to generate the general overall
>> statistics based on protocol. The man page says that racount
>> -M proto will do the job, however for me it just doesn't work and it
>> apparently sums up all the protocols and shows the result of
>> everything. Then I tried the common method - a filter expression,
>>
>> racount -r data.argus - tcp
>> racount -r data.argus - icmp
>> racount -r data.argus - udp
>>
>> It shows correctly, which is what I want. I tried checking racount -
>> h and apparently it doesn't show anything about -M either, thus I'm
>> wondering which modes are supported by racount, because it may confuse
>> people who use it for the first time, or do we need an update for the
>> man page :)
>>
>> Cheers all :)
>>
>> --
>> Best Regards,
>>
>> CS Lee <geekooL[at]gmail.com>