argus ra print field
Peter Van Epp
vanepp at sfu.ca
Thu Nov 26 12:27:53 EST 2009
On Thu, Nov 26, 2009 at 08:21:50PM +0800, CS Lee wrote:
> hi carter,
>
> There's one thing I see when it comes to consuming argus data: sometimes when
> a certain field has no value, it is blank. This makes the data inconsistent.
> Is it possible to replace the blank field with zero or null instead of
> printing nothing? For example, some of the fields like sttl, dttl, and others
> like stcpb, dtcpb and so forth; for example stcpb, dtcpb and tcprtt are not
> printed in an icmp flow.
>
> Thanks!
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
That's what the RA_FIELD_DELIMITER parameter in the .rarc file is for.
If you change it from the default blank to a "," the blank fields will be
delimited by "," instead of " " and thus can be properly parsed as
not present.
Peter Van Epp
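As an added illustration of the point above (not part of the thread), the following script parses constructed ra output both ways: with RA_FIELD_DELIMITER set to "," the empty fields keep their column position and parse as missing, while with the default blank delimiter the ICMP record loses tokens and can no longer be mapped onto the header. The header labels and record values are made up for the example.

```python
"""Parse argus ra(1) output so empty fields keep their column position."""
import csv
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed: ra output with RA_FIELD_DELIMITER="," in .rarc. The icmp
# flow has no TCP base sequence numbers or RTT, so those fields are empty.
RA_CSV = """\
proto,saddr,daddr,sttl,dttl,stcpb,dtcpb,tcprtt
tcp,192.0.2.10,198.51.100.5,64,57,1934621,4490301,0.000812
icmp,192.0.2.10,198.51.100.5,64,57,,,
"""

# Constructed: the same records with the default blank delimiter. The
# empty fields print as nothing, so the icmp line has only five tokens.
RA_BLANK = """\
proto saddr daddr sttl dttl stcpb dtcpb tcprtt
tcp 192.0.2.10 198.51.100.5 64 57 1934621 4490301 0.000812
icmp 192.0.2.10 198.51.100.5 64 57
"""


def parse_ra_csv(text: str) -> List[Dict[str, Optional[str]]]:
    """Map each comma-delimited record onto the header; '' becomes None."""
    reader = csv.reader(StringIO(text))
    header = next(reader)
    rows = []
    for rec in reader:
        if len(rec) != len(header):  # the delimiter keeps columns aligned
            raise ValueError(f"expected {len(header)} fields, got {len(rec)}")
        rows.append({k: (v if v != "" else None) for k, v in zip(header, rec)})
    return rows


def misaligned_records(text: str) -> List[Tuple[int, int]]:
    """(line number, token count) for blank-delimited records whose token
    count differs from the header: empty fields left no marker, so the
    remaining values cannot be assigned to columns reliably."""
    lines = text.splitlines()
    width = len(lines[0].split())
    return [(i, len(line.split())) for i, line in enumerate(lines[1:], start=2)
            if len(line.split()) != width]


if __name__ == "__main__":
    for row in parse_ra_csv(RA_CSV):
        print(row["proto"], "tcprtt =", row["tcprtt"])
    print("misaligned blank-delimited lines:", misaligned_records(RA_BLANK))
```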