TotBytes field Truncated
Barry Kolts
bhkolts at gotrain.org
Tue Sep 22 01:36:11 EDT 2009
Hi Carter,
That set me straight, thanks.
Barry
"Carter Bullard" <carter at qosient.com> wrote in message
news:A14B6F03-F4AB-486B-BC5B-CFC2999D02EC at qosient.com...
> Hey Barry,
> The 10 char field size is a default size. You can change it using your commands
> by putting a field width specifier on the "bytes" option to ra().
>
> ... | ra -s saddr sbytes dbytes bytes:14 - net xx.xx.xxx.xxx
>
> Normally, you would have a .rarc where you can override the defaults with the
> RA_FIELD_SPECIFIER=" ......" configuration. I have mine set to:
>
> RA_FIELD_SPECIFIER="stime flgs:9 proto saddr sport:7 dir daddr dport:7 spkts dpkts sbytes dbytes state"
>
> but I change it a lot depending on the ra* program.
>
> Carter
>
>
>
> On Sep 21, 2009, at 10:51 PM, Barry Kolts wrote:
>
>> Hi All,
>>
>> When using the command:
>> racluster -M rmon -m saddr -r /path/to/argus.data -t 2009/09/20.00:00-2009/09/20.23:59 -w - ip \
>> | rasort -m bytes -w - | ra -s saddr sbytes dbytes bytes - net xx.xx.xxx.xxx
>>
>> I get the output:
>> SrcAddr SrcBytes DstBytes TotBytes
>> xx.xx.xxx.xxx 11779408141 2621465262 1440087340
>>
>> Notice that TotBytes field has been truncated on the right, it should end in
>> a 3. This only seems to happen when the TotBytes field is more than 10
>> digits, under 10 digits it works fine.
>>
>> Is this a bug or have I misconfigured something somewhere?
>>
>> Let me know what other information is needed to answer this question.
>>
>> Thanks in advance,
>> Barry
>>
>>
>>
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>