-ltime seems to not work
Carter Bullard
carter at qosient.com
Mon Sep 25 16:51:02 EDT 2006
Hey Peter,
I think it disappears because it thinks that you are wanting to
append the "suser-ltime" field which doesn't exist, of course.
If Karl was interested in adding the ltime field:
ra -s +suser:128 +ltime -r file
as long as you are adding (+), you don't need an additional '-s'
directive.
If you are removing and adding, you have to provide a "-s" so that
getopt() doesn't get lost.
ra -s -ltime -s +suser:128 -s -proto -s +pkts +bytes -r file - ip
Carter
On Sep 25, 2006, at 3:52 PM, Peter Van Epp wrote:
> On Mon, Sep 25, 2006 at 01:56:48PM -0500, Karl Tatgenhorst wrote:
>>
>>
>> If I do ra -s +suser:128 -ltime -r argus-file
>>
>> I get the following:
>>
>> ra[18712]: 13:54:30.073772 time syntax error ime
>> ra[18712]: 13:54:30.473741 +suser:128 - filter syntax error
>>
>>
>> Any ideas?
>>
>> Karl
>>
> Hmmm, which argus are you using? On rc.29 (with an argus 3.0 input
> file) I get:
>
> %ra3 -s +suser:128 -ltime -r rudata1.3.argus
> ra3[67733]: 12:53:34.154885 time syntax error ime
>
> which is because there is no -l option. If you want to suppress ltime
> you need to remove the blanks (although ltime is suppressed by
> default unless you have it on in the .rc file):
>
> %ra3 -s +suser:128-ltime -r rudata1.3.argus
> 11:21:34.224639 v tcp 142.58.160.80.26635 <?> 142.55.229.29.1069 27 26 2448 1664 CON s[4]=":/.."
>
> although there does seem to be a bug here (in that suser disappears if
> I remove the length field):
>
> %ra3 -s +suser-ltime -r rudata1.3.argus
> 11:21:34.224639 v tcp 142.58.160.80.26635 <?> 142.55.229.29.1069 27 26 2448 1664 CON
> %ra3 -s +suser -r rudata1.3.argus
> 11:21:34.224639 v tcp 142.58.160.80.26635 <?> 142.55.229.29.1069 27 26 2448 1664 CON s[4]=":/.."
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada