Byte count wrapping?
Carter Bullard
carter at qosient.com
Tue Apr 14 10:03:50 EDT 2009
Hey David,
All the ra* programs use 64-bit numbers for counters, so you're
probably not rolling over, but, seems like you're on to the issue.
When you print a field, it is constrained by the field's width
specifier. The default field width for 'bytes' is 12 characters, and
the default for 'pkts' is 8 characters.
To change the width, append a ":len" (where the len is an integer) to
the field specifier, either on the command line, or in your ra.conf
file.
Here is an example for ~/.rarc:
RA_FIELD_SPECIFIER="stime flgs proto saddr sport dir daddr dport spkts:10 dpkts:10 sbytes:16 dbytes:16 state"
Carter
On Apr 14, 2009, at 8:55 AM, David wrote:
> I have some data from racluster, piped to rasort and sorted by
> bytes. However the top two entries appear to be "swapped", one is
> 6GB total but the one above appears to only be 1GB.
>
> I'm assuming that the number is too wide for the column and that
> I've lost a digit (it's probably supposed to be 11GB). Except for
> specifying a comma as the default separator, I don't think I have
> changed anything in the global ra.conf. I updated to the latest
> clients about two weeks ago.
>
> Is there any way to get the total correctly?
>
> David
>
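An added example, not part of the original message or of the Argus code: a small Python helper that rewrites an RA_FIELD_SPECIFIER value so each field's ":len" is wide enough for the largest value expected in it. The function names and sample values are assumptions made for illustration; the helper only edits the string and does not run any ra* program.

```python
import re

# Widest decimal value a 64-bit counter can print (18446744073709551615).
UINT64_DIGITS = len(str(2**64 - 1))

def _parse(token):
    """Split 'name' or 'name:len' into (name, width); width 0 means unset."""
    m = re.fullmatch(r"([^:\s]+)(?::(\d+))?", token)
    if not m:
        raise ValueError(f"unrecognised field token: {token!r}")
    return m.group(1), int(m.group(2) or 0)

def narrow_fields(spec, observed_max):
    """Fields whose explicit ':len' is too small for the largest value seen."""
    bad = []
    for name, width in map(_parse, spec.split()):
        if width and name in observed_max and len(str(observed_max[name])) > width:
            bad.append(name)
    return bad

def widen_specifier(spec, observed_max=None, counters=()):
    """Return spec with widths raised to fit the given values.

    observed_max -- {field: largest value seen}; width is raised to fit it
    counters     -- fields to size for any 64-bit counter value
    Existing widths are never reduced; other fields are left untouched.
    """
    observed_max = observed_max or {}
    out = []
    for name, width in map(_parse, spec.split()):
        need = len(str(observed_max[name])) if name in observed_max else 0
        if name in counters:
            need = max(need, UINT64_DIGITS)
        width = max(width, need)
        out.append(f"{name}:{width}" if width else name)
    return " ".join(out)

if __name__ == "__main__":
    # Specifier from the message above; the byte counts are constructed samples.
    spec = ("stime flgs proto saddr sport dir daddr dport "
            "spkts:10 dpkts:10 sbytes:16 dbytes:16 state")
    seen = {"sbytes": 11_811_160_064, "dbytes": 10**17}
    print(narrow_fields(spec, seen))
    print(widen_specifier(spec, seen, counters=("spkts", "dpkts")))
```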