MAC addresses and ra timestamps

Peter Van Epp vanepp at sfu.ca
Wed Oct 18 11:34:17 EDT 2006 

On Tue, Oct 17, 2006 at 08:05:22PM +0100, poncenby smythe wrote:
> list,
> 
> i have a pcap file in which i can clearly see mac addresses for each  
> endpoint.
> i run this command:
> 
> argus -r dump.pcap -w dump.data
> 
> then run this command to see the normal ra output but with mac  
> addresses also:
> 
> ./ra -r argus.data -s +smac +dmac
> 
> no MAC fields are appended to the output, i've tried it printing just  
> the smac and dmac pair and nothing is printed at all.
> 
> a separate issue....
> 
> could someone tell me how to manipulate the stime and ltime fields,  
> so I can get the date as well as the time.
> i've read the man pages, honest!
> 
> many thanks in advance
> 
> On 17 Oct 2006, at 06:58, CS Lee wrote:
> 

	You just weren't reading the correct man page (which I think is a bug by the way) :-). The non obvious secret is in 
the rarc man page which refers you to strftime()

%ra3 -r icmp3.argus -n | more
    11:20:28.911941  v         icmp      142.58.201.99           ->     142.58.201.254               1        0          102        
    0   ECO
    11:20:28.911946  v         icmp      142.58.201.99           ->     142.58.201.254               1        0          102        
    0   ECO
    11:20:28.911951  v         icmp      142.58.201.99           ->     142.58.201.254               1        0          102        
    0   ECO

%cat ra3.conf.t
RA_PRINT_LABELS=0
RA_FIELD_DELIMITER=','
RA_PRINT_NAMES=proto
RA_TIME_FORMAT="%y-%m-%d %T"
RA_PRINT_DURATION=no
RA_PRINT_LASTIME=yes

which I think gives what you want (or at least on form of it):

%ra3 -F ra3.conf.t -r icmp3.argus | more
StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes,State
06-06-27 11:20:28.911941, v       ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
06-06-27 11:20:28.911946, v       ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO
06-06-27 11:20:28.911951, v       ,icmp,142.58.201.99,,->,142.58.201.254,,1,0,102,0,ECO

	The secret isn't localtime but rather strftime() (which I think we should add 
to the ra man page) which has the time formatting fields (and I just had to 
struggle to figure out where I found them the last time I did this :-)). 

from the rarc man page

RA_TIME_FORMAT
       For ra() like clients, this variable is used to override the time  for-
       mat of the timestamp.  This string must conform to the format specified
       in strftime().  Malformed strings can  generate  fatal  errors,  so  be
       careful with this one.

       RA_TIME_FORMAT="%y-%m-%d %T"

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list