strange behaviour in status field

Rodney McKee rmckee at aconex.com
Wed Oct 28 17:31:23 EDT 2009 

ok, added the status:10 

racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101 
2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217559 222087604 SRPA_FSPA 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957 218133107 3954497 

and 

racluster -nr 20.gz -Z b -s +stime +ltime +sbytes:20 +dbytes:20 - host 72.229.139.101 and src bytes gt 100000 
2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217490 222049458 SPA_SPA 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683 218098077 3951381 


----- "Carter Bullard" <carter at qosient.com> wrote: 
> Hey Rodney, 
Yes this seems reasonable. Filtering can definitely change the contents 
of the status field. You don't have enough space in your "status" directive 
to show all the status bits, so to see the "_S" show up when the "R" goes away (status 
values shifting left), definitely seems correct. 

> 
In your .rarc, specify "status:10" to have enough space to get all the letters printed. 

> 
Carter 

> 

On Oct 28, 2009, at 4:38 PM, Rodney McKee wrote: 




> Is this expected? 
> It appears that I'm getting different status flags if I add the src bytes filter. I'm using the filter to reduce the numbers of records displayed. 
> 
> racluster -nr 20.gz -Z b - host 72.229.139.101 
> 2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217559 222087604 S R PA_ 
> 
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes +dbytes - host 72.229.139.101 
> 2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217559 222087604 SRPA_ 2009-10-20 22:38:07.705062 2009-10-20 23:36:37.342957 218133107 3954497 
> 
> 
> racluster -nr 20.gz -Z b -s +stime +ltime +sbytes +dbytes - host 72.229.139.101 and src bytes gt 100000 
> 2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217490 222049458 SPA_S 2009-10-20 22:38:07.705062 2009-10-20 23:35:51.340683 218098077 3951381 
> 
> racluster -nr 20.gz -Z b - host 72.229.139.101 and src bytes gt 100000 
> 2009-10-20 22:38:07.705062 e s tcp 72.229.139.101.51653 -> 128.121.17.3.80 217490 222049458 SPA_S 
> 
> Rgds 
> Rodney McKee 
> 
> 
> 

-- 













Rodney McKee 
Linux systems administrator 
	Aconex 
The easy way to save time and money on your project 

696 Bourke Street, Melbourne 
Tel: +61 3 9240 0200 Fax: +61 3 9240 0299 
Email: rmckee at aconex.com www.aconex.com 
This email and any attachments are intended solely for the addressee. The contents may be privileged, confidential and/or subject to copyright or other applicable law. 
No confidentiality or privilege is lost by an erroneous transmission. If you have received this e-mail in error, please let us know by reply e-mail and delete or destroy 
this mail and all copies. If you are not the intended recipient of this message you must not disseminate, copy or take any action in reliance on it. The sender takes no 
responsibility for the effect of this message upon the recipient's computer system. 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20091029/b430a737/attachment.html>

More information about the argus mailing list