ratop color support

Carter Bullard carter at qosient.com
Mon Dec 10 16:15:27 EST 2012


Gentle people,
With the new color support in ratop(), just an email to describe the current implementation.
This is a testing version; in the next round, we'll have more variables in the rarc, and
a few more options, so you can control the algorithms.  And I have a few patches in this
email, so if you get through it, be sure and apply the patches.

Also, this is a first shot at starting a discussion of color implementation.   Please
add, change, whatever, as you see fit, so we can make this useful for people.

To test this support you will need a color terminal window that supports at least 16 colors.
I use Mac OS X terminal, configured for ANSI colors.  I have not tested this with X Windows,
so if you have a chance, give that a test !!!!

First apply this patch:

==== //depot/argus/clients/examples/ratop/racurses.c#1 - /Volumes/Users/carter/argus/clients/examples/ratop/racurses.c ====
5647c5647
<       if (ns->status & RA_SVCFAILED) {
---
>       if (parser->Aflag & (ns->status & RA_SVCFAILED)) {
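Review bot: in the replacement line at 5647, parser->Aflag and (ns->status & RA_SVCFAILED) are joined with bitwise &, so the test is true only when the two values share a set bit. If Aflag is a plain on/off flag and RA_SVCFAILED sits on a different bit, the availability coloring never fires, even with -A. If the intent is "only when -A is given", a logical && expresses it: if (parser->Aflag && (ns->status & RA_SVCFAILED)).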
5855a5856
>                      char *fptr;
5858c5859
<                         if ((ptr = strstr(tfield, f->field)) != NULL) {
---
>                         if ((fptr = strstr(tfield, f->field)) != NULL) {
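Review bot: the change at 5859 stores the strstr() result in the new fptr rather than ptr, but the hunk leaves the body of the if untouched, so any statement there that still reads ptr expecting the match position now sees ptr's earlier value. Check the block for leftover ptr uses, and add a short comment at the char *fptr declaration saying what each pointer tracks so the two are not mixed up again.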


This will fix some things that crept in, unnoticed, and will make what is described in
this email, at least correct.


There are currently 4 coloring algorithms that ratop() supports, and they are turned
on by default, hard coded in the file ./examples/ratop/racurses.c, starting line 3215.

      RaColorAlgorithms[0] = ArgusColorAvailability;
      RaColorAlgorithms[1] = ArgusColorFlowFields;
      RaColorAlgorithms[2] = ArgusColorAddresses;
      RaColorAlgorithms[3] = ArgusColorGeoLocation;

In the next round, I'll have these so that you can specify them, and the order
you want them applied.  These are painting algorithms, so the last one is
the most significant color, etc.

Turn on color support in the new ratop by setting the color variable in the rarc.
RA_COLOR_SUPPORT="yes"

Without any other changes, when you run ratop() you will get a screen where
command line, date and the column titles are bright white, and the data is a soft
grey.  If you did not apply the above patch, you may get some lines that are
ORANGE.  Go back and apply the patch, at this point, if you see ORANGE.

If you search for strings in ratop(), the default highlight color for matched expressions is GREEN.
On the last line, status messages will be GRAY, until something happens, and then messages, such as
debug messages, will appear WHITE, and errors and alerts will be in RED.

If you run ratop() with the -A option, you will get ORANGE colored lines when there is
an "Availability" failure.  This happens when you send a packet, and don't get anything back.
Availability is important for access control validation, ops troubleshooting, etc.

To generate any other colors, you will need to use a racolor.conf configuration file.  There is an
example racolor.conf file in ./support/Config.  To use the file you add this line to your rarc file.

RA_COLOR_CONFIG=/tmp/racolor.conf


Colors and Attributes

We currently support a basic 8 color map, with the additional colors
WHITE, BLACK and 8 shades of GRAY.  There are 2 color schemes,
a dark background and a light background, with the content and accent
colors staying the same.  This is a pretty standard strategy in terminal color
schemes, so hopefully we'll be able to use it.  Ours is modeled after Ethan Schoonover's
Solarized scheme,  which you can check out here:

   http://ethanschoonover.com/solarized

Currently, for testing, I've got the scheme hard coded to dark background,
with the titles a bright white, and the text a middle of the road gray.  Give this
a run.

We also support 10 attributes, listed below, that allow you to BLINK,
UNDERLINE, change Character set, etc.  These are basic terminal color
options provided by ncurses.  We have these 8 gray tones:

   Base03, Base02 (background), Base01, Base00, Base0, Base1 (content),
       Base2 and Base3 (background)

and these accent colors:
   GREEN, BLUE, VIOLET, CYAN, RED, MAGENTA, ORANGE, YELLOW
  
We support these attributes:
   NORMAL, STANDOUT, UNDERLINE, REVERSE, BLINK, DIM, PROTECT, INVIS, ALTCHARSET

These are also the basic ncurses() color attributes, which are pretty standard.


Configuration - the racolor.conf file

To color fields, we use a flow filter based color configuration scheme, where we fall through a list
of filter expressions, and if there is a hit, we will color the specified fields with the specified colors,
with optional attributes.

If you wanted every field in the flow line in ratop to be painted red and blink when any connection
originating from China arrives, this will work:

filter="src co CN"  color="all:RED+BLINK"

or if you only wanted the src address to blink red, you would try this:

filter="src co CN"  color="saddr:RED+BLINK"


This kind of specificity allows you to have different fields in the same line, doing different things.
So if you wanted a threshold for a value, like total bytes, to blink yellow, this is good:

filter="dst bytes gt 3000000" color="dbytes:YELLOW:BLINK"


Because the default flow line color is grey, for those that you want to stand out, print the fields in WHITE.

filter="tcp"        color="saddr,daddr,dir,sport,dport,proto:WHITE"


If you put a "cont" at the end of the definition line, you will continue through the logic.
This provides the painter's algorithm, where you can build up colors for any given flow.
This example racolor.conf generates a pretty display:

filter="udp"                    color="proto:VIOLET"                                    cont
filter="tcp"                    color="saddr,daddr,dir,sport,dport,proto:WHITE"         cont
filter="tcp and dst port http"  color="dport:GREEN"                                     cont
filter="tcp"                    color="sport:BLUE+DIM"                                  cont
filter="dst port domain"        color="dport:CYAN+DIM"                                  cont
filter="dst port imaps"         color="dport:MAGENTA+DIM"                               cont
filter="src pkts gt 50000"      color="spkts,dpkts,sbytes,dbytes:RED+BLINK"


If you don't get the colors you expected, you may need to remember to apply the patch in the beginning of the email ;O)
I'll send another email that describes the address painting support, this week.

Hopefully this is a good start, please comment, at your convenience.



Carter
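
The fall-through and "cont" behaviour described in the message, as an added example that is not part of the original post and is not ratop's own code. It parses the seven-line racolor.conf shown above and paints one flow; the set of matching filters is constructed by hand as a stand-in for the Argus filter engine, and only the COLOR+ATTR form is accepted.

```python
import re

# Accent colors, WHITE/BLACK and attributes named in the post.
COLORS = {"GREEN", "BLUE", "VIOLET", "CYAN", "RED", "MAGENTA", "ORANGE",
          "YELLOW", "WHITE", "BLACK"}
ATTRS = {"NORMAL", "STANDOUT", "UNDERLINE", "REVERSE", "BLINK", "DIM",
         "PROTECT", "INVIS", "ALTCHARSET"}
RULE_RE = re.compile(r'^\s*filter="([^"]*)"\s+color="([^"]*)"(\s+cont)?\s*$')

def parse_rule(line):
    """Split one racolor.conf line into filter, fields, color, attrs, cont."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    fields, _, spec = m.group(2).partition(":")
    color, *attrs = spec.split("+")
    if color not in COLORS or any(a not in ATTRS for a in attrs):
        raise ValueError(f"unknown color or attribute: {spec!r}")
    return {"filter": m.group(1), "fields": fields.split(","),
            "color": color, "attrs": tuple(attrs), "cont": bool(m.group(3))}

def parse_conf(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def paint(rules, hits):
    """Painter's algorithm: a later hit overwrites an earlier one per field.
    `hits` (assumption) is the set of filter strings matching the flow."""
    painted = {}
    for rule in rules:
        if rule["filter"] not in hits:
            continue                  # no hit: fall through to the next rule
        for field in rule["fields"]:
            painted[field] = (rule["color"], rule["attrs"])
        if not rule["cont"]:
            break                     # a hit without "cont" ends the walk
    return painted

SAMPLE_CONF = '''
filter="udp"                    color="proto:VIOLET"                             cont
filter="tcp"                    color="saddr,daddr,dir,sport,dport,proto:WHITE"  cont
filter="tcp and dst port http"  color="dport:GREEN"                              cont
filter="tcp"                    color="sport:BLUE+DIM"                           cont
filter="dst port domain"        color="dport:CYAN+DIM"                           cont
filter="dst port imaps"         color="dport:MAGENTA+DIM"                        cont
filter="src pkts gt 50000"      color="spkts,dpkts,sbytes,dbytes:RED+BLINK"
'''
# Constructed input: the filters that would hit a TCP flow to port 80.
HTTP_HITS = {"tcp", "tcp and dst port http"}
```

Calling `paint(parse_conf(SAMPLE_CONF), HTTP_HITS)` leaves the addresses, direction and protocol WHITE, with dport repainted GREEN and sport BLUE+DIM by the later rules.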