strange behaviour in status field

Carter Bullard carter at qosient.com
Wed Oct 28 16:55:06 EDT 2009


Hey Rodney,
Yes, this seems reasonable. Filtering can definitely change the contents
of the status field. You don't have enough space in your "status" directive
to show all the status bits, so to see the "_S" show up when the "R" goes
away (status values shifting left), definitely seems correct.

In your .rarc, specify "status:10" to have enough space to get all the
letters printed.

Carter

On Oct 28, 2009, at 4:38 PM, Rodney McKee wrote:

> Is this expected?
> It appears that I'm getting different status flags if I add the src bytes filter. I'm using the filter to reduce the numbers of records displayed.
>
> racluster -nr 20.gz -Z b - host 72.229.139.101
> 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217559   222087604 SRPA_
>
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes +dbytes - host 72.229.139.101
> 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217559   222087604 SRPA_ 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957    218133107      3954497
>
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes +dbytes - host 72.229.139.101 and src bytes gt 100000
> 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217490   222049458 SPA_S 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683    218098077      3951381
>
> racluster -nr 20.gz -Z b - host 72.229.139.101 and src bytes gt 100000
> 2009-10-20 22:38:07.705062  e s       tcp      72.229.139.101.51653     ->       128.121.17.3.80       217490   222049458 SPA_S
>
> Rgds
> Rodney McKee
