color support
Carter Bullard
carter at qosient.com
Fri Nov 2 16:10:44 EDT 2012
Hey Elof (et. al.),
OK, so I have completed an implementation of a rudimentary color configuration strategy.
Here is a racolor.conf file that currently works with the new ratop() to specify a Flow Field
coloring scheme.
I've extended the standard ralabel.conf configuration strategy to accept a color="...."
directive. Here I'm specifying only the color configuration, but you can gang up labeling
along with this function.
# RaLabel Configuration
#
# Carter Bullard
# QoSient, LLC
#
# This configuration is a ralabel(1) configuration file specifying color
#
# Flow Filter Based Color Configuration
# Flow filter based color configuration uses the standard flow
# filter strategies to provide a general purpose coloring scheme.
# The concept is similar to racluster()'s fall through matching
# scheme. Fall through the list of filters, if it matches, set the
# color values. If you want to continue through the list, once
# there is a match, add a "cont" to the end of the matching rule.
#
filter="tcp" color="all:WHITE" cont
filter="udp" color="proto:VIOLET" cont
filter="tcp and dst port http" color="dport:GREEN" cont
filter="tcp" color="sport:BLUE+DIM" cont
filter="dst port domain" color="dport:CYAN+DIM" cont
filter="dst port imaps" color="dport:MAGENTA+DIM" cont
filter="src pkts gt 50" color="spkts,dpkts,sbytes,dbytes:RED+BLINK"
The syntax is:
color=COLORSPEC[;COLORSPEC]
COLORSPEC :: field[,fields....]:COLOR[+ATTRIBUTE]
Where field is any of the printable fields supported by ra* programs. "all" indicates all fields.
I've included a resulting screen, the red fields BLINK on and off every second.
This screen results from these algorithms being applied in this order:
ArgusColorAvailability() - sets entire line to ARGUS_ORANGE if it fails an availability test
ArgusColorAddresses() - sets the saddr and daddr fields based on local vs remote vs multicast
ArgusColorFlowFields() - uses the definition above to color specific fields.
I'll add other algorithms, such as ArgusColorGeoLocation(), next.... It may be that this scheme can
do some of the country code based coloring, but I do see a need to have a Geo based coloring scheme.
if lat,long falls in this square, then color ......
OK, so if this looks like it's going to be useful, I'll start working toward making it available.
If there is anything that you think we need to consider / add / remove / whatever ......, holler !!!!!
Carter
On Oct 25, 2012, at 12:31 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Elof,
> More on the topic of color.
> So I've got some of the framework for color configuration going, here is what I'm doing in a racolor.conf file.
> Need some suggestions / criticisms before I finalize an implementation.
>
> Currently I have an array of 256 color methods to apply to each line before we draw.
> We run each method that is configured, then we draw the line. Haven't figured out, yet, what
> a decent configuration method is for specifying what methods should be in the array. I suspect
> that once we have a bunch of methods, we'll configure a "list the method" style of configuration.
>
> Right now, I have two methods, ArgusColorAvailability(), and ArgusColorAddresses()
> that I'm using to test. These are hardcoded as method 1, and 2 in the array, respectively.
>
> If you use " - A " on the command line, the availability testing kicks in and we do a good
> test on the argus record to determine if a flow has failed. If so we'll color it ORANGE (hard coded right now).
>
> Next we do the ArgusColorAddresses() method, and it's what I mentioned in earlier email, also hard coded.
>
> This is working very well. Need more methods, and I need method specific configurations, so still a lot of
> work to do.
>
> The next method will be the ArgusColorFlowField() routine that I described below. Here is the sample
> configuration I've worked out:
>
>
> # Ra client flow based color configuration support
> #
> # Carter Bullard
> # QoSient, LLC
> #
> # This configuration is a racolor(1) flow model configuration file.
> #
> # The concept is to bind a traditional ra* filter with an
> # color map for fields in the argus record. Records are tested
> # against the filter specifications in "fall down" order, when they match,
> # the color model is applied to output.
> #
> # The use of the ' cont ' keyword will allow you to specify a
> # painter's algorithm for coloring individual flow records, using
> # display programs like ratop().
> #
> # Available colors
> #
> # The color models available are extensible, but at a minimum,
> # assume you have 16 basic colors plus white and black, to choose
> # from. These colors are referred as:
> # WHITE, BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, ORANGE, VIOLET,
> # BASE03, BASE02, BASE01, BASE00, BASE0, BASE1, BASE2, BASE3
> #
> # Traditional graphics color terms such as BACKGROUND and FOREGROUND are also
> # available.
>
> # Available Attributes
> #
> # These tools also support assigning terminal attributes as well, these include:
> #
> # STANDOUT Best highlighting mode of the terminal
> # UNDERLINE Underlining
> # REVERSE Reverse video
> # BLINK Blinking
> # DIM Half bright
> # BOLD Extra bright or bold
> #
> # How these colors and attributes interact to generate display effects
> # is implementation specific, so you'll have to play to get exactly what
> # you want.
> #
> # Because the color map is extensible, anything is really possible.
> # If the underlying display devices can handle more graphics support,
> # you should be able to pass hexadecimal color values, using the #XXXXXX
> # format.
> #
> # The color map assignment syntax is:
> # field specification
> # field[,field,...]=color[:attribute][;field specification[;....]]
> #
> # All printable fields can be used. The Keyword 'all' is used to specify
> # the complete output line.
> #
> # srcid=BLUE
> # saddr,daddr=BLUE;smac,dmac=CYAN
> # all=RED:BLINK
> #
> # Here is a sample configuration file
> #
> #
> filter="src co CN" saddr=RED cont
> label="ALERT" all=RED
> filter="load gt 1M" sload,dload=VIOLET
> filter="load gt 10M" sload,dload=RED
>
> Hopefully this gets the ideas going.
>
> So if I put ArgusColorFlowField() as #3 in the array, it gets the colormap from the other
> two methods, and then paints based on these rules. With the " cont " keyword, regardless
> of a hit, we'll keep going down the list.
>
> Can we use this?
> Hope all is most excellent,
>
> Carter
>
> On Oct 23, 2012, at 6:27 AM, elof2 at sentor.se wrote:
>
>>
>> On Tue, 23 Oct 2012, Carter Bullard wrote:
>>> Hey Elof,
>>> There are many reasons to color a record or a part of a record, and I'm thinking of having a list of methods that result in a painter's algorithm, to generate the final result.
>>> Somewhere in that list of color methods is address coloring. So if you want the whole record RED, because of some fault condition, but you want the addresses colored because of locality, you would specify the fault method first, the address method second.
>>
>> Rules applied in order sounds very logical and sound.
>>
>>> In the implementation so far, we know what each column is, and the coloring can be targeted at any field, group of fields or the whole record. So if you have a minimum byte count condition, as an example, you should have a way of specifying that conditional against the field and then indicate what fields get what color.
>>
>> Nice.
>>
>>> I'm working with our standard filters, like we use for aggregation, with a field=color directive. Does that sound useful ?
>>
>> Yes, very!
>>
>> /Elof
>>
>>
>
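As an added illustration of the color=COLORSPEC[;COLORSPEC] syntax and the fall-through / "cont" matching described at the top of this message, here is a small Python interpreter for the racolor.conf rules. It is example code written for this page, not code from argus, ratop or Carter; the filter evaluator is an assumed stand-in that understands only a handful of ra* filter terms (proto keyword, "src/dst port", "src/dst pkts gt/lt", joined with "and"), the FIELDS list and the SERVICES port table are assumptions, and the sample flows are constructed. It handles only the newer filter="..." color="..." form, not the older field=color form in the quoted mail.

```python
"""Toy interpreter for racolor.conf 'filter="..." color="..." [cont]' rules.

Constructed example, not argus project code. The filter evaluator covers a
small subset of ra* filter terms and stands in for the real filter engine;
the painter's-algorithm semantics (later matching rules overwrite earlier
colors for the fields they name, first match without 'cont' stops the walk)
follow the description in the message.
"""
import re
from dataclasses import dataclass

# Configuration copied from the message (with the field name 'dbytes').
RACOLOR_CONF = """
# fall through the list; 'cont' keeps going after a hit
filter="tcp" color="all:WHITE" cont
filter="udp" color="proto:VIOLET" cont
filter="tcp and dst port http" color="dport:GREEN" cont
filter="tcp" color="sport:BLUE+DIM" cont
filter="dst port domain" color="dport:CYAN+DIM" cont
filter="dst port imaps" color="dport:MAGENTA+DIM" cont
filter="src pkts gt 50" color="spkts,dpkts,sbytes,dbytes:RED+BLINK"
"""

# Assumed set of printable fields; the keyword 'all' expands to every one.
FIELDS = ("proto", "saddr", "sport", "daddr", "dport",
          "spkts", "dpkts", "sbytes", "dbytes")
# Assumed service-name table for the 'port <name>' terms used above.
SERVICES = {"http": 80, "domain": 53, "imaps": 993}

RULE_RE = re.compile(r'^filter="([^"]*)"\s+color="([^"]*)"(\s+cont)?$')


@dataclass
class ColorRule:
    filter_expr: str
    colorspec: str      # COLORSPEC[;COLORSPEC]
    cont: bool


def parse_racolor(text):
    """Parse rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append(ColorRule(m.group(1), m.group(2), m.group(3) is not None))
    return rules


def parse_colorspec(spec):
    """'f1,f2:COLOR+ATTR;f3:COLOR' -> [(fields, color, attrs), ...]."""
    out = []
    for part in spec.split(";"):
        fields, sep, colour = part.partition(":")
        if not sep or not fields or not colour:
            raise ValueError(f"bad COLORSPEC: {part!r}")
        color, *attrs = colour.split("+")
        out.append(([f.strip() for f in fields.split(",")], color, tuple(attrs)))
    return out


def _term(term, rec):
    """Evaluate one filter term against a record (toy subset of ra filters)."""
    term = term.strip()
    if term in ("tcp", "udp", "icmp"):
        return rec.get("proto") == term
    m = re.fullmatch(r"(src|dst) port (\w+)", term)
    if m:
        port = SERVICES.get(m.group(2)) or int(m.group(2))
        return rec.get("sport" if m.group(1) == "src" else "dport") == port
    m = re.fullmatch(r"(src|dst) pkts (gt|lt) (\d+)", term)
    if m:
        val = rec.get("spkts" if m.group(1) == "src" else "dpkts", 0)
        n = int(m.group(3))
        return val > n if m.group(2) == "gt" else val < n
    raise ValueError(f"unsupported filter term: {term!r}")


def matches(expr, rec):
    """All 'and'-joined terms must hold."""
    return all(_term(t, rec) for t in expr.split(" and "))


def paint(rules, rec):
    """Painter's algorithm: walk the rules, overwrite named fields on a hit,
    and stop at the first matching rule that lacks 'cont'."""
    colormap = {}
    for rule in rules:
        if not matches(rule.filter_expr, rec):
            continue
        for fields, color, attrs in parse_colorspec(rule.colorspec):
            for f in (FIELDS if fields == ["all"] else fields):
                colormap[f] = (color, attrs)
        if not rule.cont:
            break
    return colormap


RULES = parse_racolor(RACOLOR_CONF)

# Constructed sample flows (documentation addresses, not real captures).
HTTP_FLOW = dict(proto="tcp", saddr="192.0.2.10", sport=51234, daddr="198.51.100.7",
                 dport=80, spkts=60, dpkts=40, sbytes=9000, dbytes=4000)
DNS_FLOW = dict(proto="udp", saddr="192.0.2.10", sport=40000, daddr="198.51.100.53",
                dport=53, spkts=1, dpkts=1, sbytes=70, dbytes=120)

if __name__ == "__main__":
    for name, flow in (("http", HTTP_FLOW), ("dns", DNS_FLOW)):
        print(name, paint(RULES, flow))
```

For the HTTP flow the walk paints every field WHITE from the first rule, then overwrites dport with GREEN, sport with BLUE+DIM and the packet/byte counters with RED+BLINK; the DNS flow only picks up proto VIOLET and dport CYAN+DIM. Dropping "cont" from a rule ends the walk at that rule, which is how a later, more specific rule can be prevented from repainting an earlier hit.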