Argus time field truncation

Carter Bullard carter at qosient.com
Tue Mar 27 12:06:20 EDT 2018


Hey Drew,
You can change the default length of any of the printed fields either on the command line and/or in the ra.conf file, by putting a “:len” specification in the field.  So, here is a “RA_FIELD_SPECIFIER” definition that may work for you …

   RA_FIELD_SPECIFIER="stime:24 dur flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state"

On the command line, you can redefine the stime field like this:

   ra -S localhost -s -stime -s +0stime:24

This removes the default specification of the stime field, and puts a new stime field as column 0, with 24 characters of length.

Of course, if you printed the records out with a different field separator, like a comma, then you would see the whole date.

   ra -S localhost -c ','

Hope this is helpful,
 
Carter

> On Mar 27, 2018, at 11:22 AM, Drew Dixon <dwdixon at umich.edu> wrote:
> 
> Hi there,
> 
> I have a need to add the date into the stime field with ra so I've done so using an ra.conf file:
> 
> RA_TIME_FORMAT="%y-%m-%d %T"
> 
> It appears to be picking up the customization in my ra.conf file but when I test it out reading a file with ra the stime field is truncated (18-03-27 14*) and negates the purpose of adding the date in with the time....I came across this part of the man page:
> 
> "Field lengths are hard constraints, and field output that exceeds the field length will be truncated, and a '*' will be inserted as the last character. When you see this, add more to the length specification for that specific field." 
> 
> Which at first seems somewhat contradictory, with it stating these are hard constraints but then that you can modify them, I suppose I'm not sure how I would go about adding more to the length specification for that specific field?  Is this indicating we would need to modify the field length value in the argus client tools source code and recompile to increase the length specification for this field?
> 
> Any help on how I can increase the length specification for the time field would be greatly appreciated!
> 
> Many thanks,
> 
> -Drew
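
Added example, not part of the original thread or the argus code: a check that sizes the stime ":len" value for a given RA_TIME_FORMAT and applies the truncation rule quoted from the man page. The function names are hypothetical, and the width of 12 is an assumption chosen only because it reproduces the "18-03-27 14*" output quoted above; the width is computed from the strftime output alone.

```python
from datetime import datetime, timedelta

# Assumption: not taken from the argus source; 12 reproduces "18-03-27 14*".
ASSUMED_DEFAULT_WIDTH = 12


def render_field(value, width):
    """Man page rule quoted in the thread: output longer than the field
    length is truncated and '*' becomes the last character."""
    if len(value) <= width:
        return value.ljust(width)
    return value[:width - 1] + "*"


def required_width(time_format):
    """Widest rendering of time_format over one year, so variable-width
    directives such as %B or %A are sized for their longest value."""
    start = datetime(2018, 1, 1, 23, 59, 59)
    return max(len((start + timedelta(days=d)).strftime(time_format))
               for d in range(365))


def audit(time_format, configured_width, field="stime"):
    """Return (ok, spec): ok is False when the format would be truncated,
    spec is the ':len' specifier that just fits it."""
    need = required_width(time_format)
    return need <= configured_width, f"{field}:{need}"


if __name__ == "__main__":
    fmt = "%y-%m-%d %T"                        # RA_TIME_FORMAT from the thread
    stamp = datetime(2018, 3, 27, 14, 6, 20)   # constructed sample time
    print(render_field(stamp.strftime(fmt), ASSUMED_DEFAULT_WIDTH))
    print(audit(fmt, ASSUMED_DEFAULT_WIDTH))   # too narrow
    print(audit(fmt, 24))                      # the width suggested in the reply
```

Running the audit against each ra.conf before flow records are exported catches truncated timestamps early, since a cut-off stime cannot be correlated with other logs afterwards.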
