Minor Bug in XML output

Benet Leong benet at comworth.co.jp
Wed Feb 17 00:05:46 EST 2010


I should note that I also faced this same issue with ra clients at 3.0.2.
In my case, "ra -M xml" will return the proper output with full closing attributes and tags, but the other clients, for instance racluster, will not. racluster at ver 3.0.2 is missing the closing </ArgusDataStream> at the end of the output.

This problem is fixed at version 3.0.3.2, but there's another issue with two double quotes for the SrcAddr and DstAddr in certain Argus flow records. 
This is visible from the example that Carter provided below.

>> <ArgusFlowRecord  StartTime = "2010-02-16T21:47:30.369737" Flags = " e       " Proto = "arp" SrcAddr = "207.237.192.1"" Dir = "who" DstAddr = "207.237.205.218"" SrcPkts = "1" DstPkts = "0" SrcBytes = "60" DstBytes = "0" State = "INT"></ArgusFlowRecord>
>> </ArgusDataStream>



Best regards,
Benet Leong.
ComWorth Co., Ltd.

On Feb 17, 2010, at 1:36 PM, Phillip G Deneault wrote:

> 3.0.2, and I was using a "," delimiter, but of course, as soon as I remove it, the problem goes away.
> 
> The ra clients use the delimiter in the strangest of places.  I was bitten by a similar issue back in June, only then I couldn't remove the delimiter in the solution I was working on.
> 
> Thanks,
> Phil
> 
> On Tue, 16 Feb 2010, Carter Bullard wrote:
> 
>> Hey Phillip,
>> Which version are you running, and are you using a comma as a field separator?  Not sure where
>> your commas are coming from.  Here is what I get using the latest ra().
>> 
>> ../bin/ra -S amon -M xml -N 1
>> <?xml version ="1.0" encoding="UTF-8"?>
>> <!--Generated by ra(3.0.3.2) QoSient, LLC-->
>> <ArgusDataStream
>> xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
>> xsi:noNamespaceSchemaLocation = "http://qosient.com/argus/Xml/ArgusRecord.3.0.xsd"
>> BeginDate = "2009-10-05T12:02:14.695285" CurrentDate = "2010-02-16T21:47:31.209683"
>> MajorVersion = "3" MinorVersion = "0.7" InterfaceType = "DLT_NULL" InterfaceStatus = "Up"
>> ArgusSourceId = "207.237.36.98"  NetAddr = "0.0.0.0"  NetMask = "0.0.0.0">
>> 
>> <ArgusFlowRecord  StartTime = "2010-02-16T21:47:30.369737" Flags = " e       " Proto = "arp" SrcAddr = "207.237.192.1"" Dir = "who" DstAddr = "207.237.205.218"" SrcPkts = "1" DstPkts = "0" SrcBytes = "60" DstBytes = "0" State = "INT"></ArgusFlowRecord>
>> </ArgusDataStream>
>> 
>> 
>> Carter
>> 
>> On Feb 16, 2010, at 9:26 PM, Phillip G Deneault wrote:
>> 
>>> Playing with output from 'ra -M xml' I get...
>>> 
>>> <ArgusFlowRecord  SourceId = "192.168.1.11, StartTime = "21:12:51.990399, LastTime = "21:12:56.966699, Duration = "4.976300, Trans = "1, Flags = " e i     , SrcAddr = "192.168.1.2, Dir = "<?>, DstAddr = "192.168.1.3, Proto = "6, SrcPort = "59842, DstPort = "22,  SrcIpId = "0x4fb0, DstIpId = "0x1324, SrcPkts = "27, DstPkts = "25, SrcBytes = "2678, DstBytes = "3666, State = "CON></ArgusFlowRecord>
>>> 
>>> I assume there are supposed to be closing quotes for all those attributes?
>>> 
>>> Thanks,
>>> Phil
>>> 
>>> 
>> 
>> 
>> 
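
The three output defects reported in this thread (attribute values with no closing quote, a doubled closing quote on SrcAddr/DstAddr, and a missing </ArgusDataStream>) all make the stream ill-formed XML, so a strict parse in front of any consumer catches them. The following is an added example, not code from this thread or from the Argus project; the regular expressions are heuristics assumed for these three cases, and the sample records are constructed from the attribute values quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns for the defects described in the thread (assumptions of
# this example, not part of any Argus client).
DOUBLED_QUOTE = re.compile(r'(\w+)\s*=\s*"[^"]*""')               # SrcAddr = "1.2.3.4""
UNCLOSED_VALUE = re.compile(r'(\w+)\s*=\s*"[^"]*\s\w+\s*=\s*"')   # SrcAddr = "1.2.3.4, Dir = "

def check_ra_xml(text):
    """Return (kind, detail) findings; an empty list means the text is well-formed."""
    findings = []
    try:
        ET.fromstring(text)          # strict parse: any of the defects fails here
        return findings
    except ET.ParseError as err:
        line, col = err.position
        findings.append(("not-well-formed", f"line {line}, column {col}: {err}"))
    # The parse failed, so try to name the cause for whoever reads the alert.
    for name in DOUBLED_QUOTE.findall(text):
        findings.append(("doubled-quote", name))
    for name in UNCLOSED_VALUE.findall(text):
        findings.append(("unclosed-value", name))
    if "<ArgusDataStream" in text and "</ArgusDataStream>" not in text:
        findings.append(("missing-root-close", "ArgusDataStream"))
    return findings

# Constructed samples, shortened from the records quoted in the thread.
OPEN = '<ArgusDataStream MajorVersion = "3" MinorVersion = "0.7">\n'
CLOSE = '</ArgusDataStream>\n'
GOOD_REC = ('<ArgusFlowRecord Proto = "arp" SrcAddr = "207.237.192.1" Dir = "who" '
            'DstAddr = "207.237.205.218" State = "INT"></ArgusFlowRecord>\n')
DOUBLED_REC = ('<ArgusFlowRecord Proto = "arp" SrcAddr = "207.237.192.1"" Dir = "who" '
               'DstAddr = "207.237.205.218"" State = "INT"></ArgusFlowRecord>\n')
UNCLOSED_REC = ('<ArgusFlowRecord SrcAddr = "192.168.1.2, DstAddr = "192.168.1.3, '
                'State = "CON></ArgusFlowRecord>\n')

if __name__ == "__main__":
    for label, doc in [("good", OPEN + GOOD_REC + CLOSE),
                       ("doubled quote", OPEN + DOUBLED_REC + CLOSE),
                       ("unclosed value", OPEN + UNCLOSED_REC + CLOSE),
                       ("no closing root", OPEN + GOOD_REC)]:
        print(label, check_ra_xml(doc))
```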
