TotBytes field Truncated
Carter Bullard
carter at qosient.com
Tue Sep 22 00:25:56 EDT 2009
Hey Barry,
The 10 char field size is a default size. You can change it using
your commands
by putting a field width specifier on the "bytes" option to ra().
... | ra -s saddr sbytes dbytes bytes:14 - net xx.xx.xxx.xxx
Normally, you would have a .rarc where you can override the defaults
with the
RA_FIELD_SPECIFIER=" ......" configuration. I have mine set to:
RA_FIELD_SPECIFIER="stime flgs:9 proto saddr sport:7 dir daddr dport:7
spkts dpkts sbytes dbytes state"
but I change it alot depending on the ra* program.
Carter
On Sep 21, 2009, at 10:51 PM, Barry Kolts wrote:
> Hi All,
>
> When using the command:
> racluster -M rmon -m saddr -r /path/to/argus.data -t
> 2009/09/20.00:00-2009/09/20.23:59 -w - ip \
> | rasort -m bytes -w - | ra -s saddr sbytes dbytes bytes - net
> xx.xx.xxx.xxx
>
> I get the output:
> SrcAddr SrcBytes DstBytes TotBytes
> xx.xx.xxx.xxx 11779408141 2621465262 1440087340
>
> Notice that TotBytes field has been truncated on the right, it
> should end in
> a 3. This only seems to happen when the TotBytes field is more than 10
> digits, under 10 digits it works fine.
>
> Is this a bug or have I miss configured something somewhere?
>
> Let me know what other information is needed to answer this question.
>
> Thanks in advance,
> Barry
>
>
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090922/6ddb7d28/attachment.bin>
More information about the argus
mailing list