-A When generating ASCII output, print the application byte counts.

-b Dump the compiled transaction-matching code to standard output and stop. This is useful for
debugging filter expressions.

-C [host:]<portnum>
Indicate the optional host and required port number for the remote Cisco Netflow record source. This
will cause ra(1) to open a UDP socket, binding on the host and supplied port, and attempt to read
Cisco Netflow records from the open socket.

-d <bytes>
Print the specified number of <bytes> from the user data capture buffer. The <bytes> value can be a
number, or an expression that specifies the number of bytes for either the source or destination
buffer. Formats include:
    -d 32        print 32 bytes from the src and dst buffers
    -d s24       print 24 bytes from the src buffer
    -d d16       print 16 bytes from the dst buffer
    -d s32:d8    print 32 bytes from the src buffer and 8 bytes from the dst buffer

-D <level>
Print debug information corresponding to <level> to stderr, if the program was compiled to support
debug printing. As the level increases, so does the amount of debug information ra(1) will print.
Values range from 1-8.

-E <file>
When using a filter expression at the end of the command, this option will cause ra(1) to write the
records that are rejected by the filter into <file>.

-F <conffile>
Use <conffile> as a source of configuration information. The format of this file is identical to
rarc(5). The data read from <conffile> overrides any prior configuration information.

-h Print an explanation of all the arguments.

-n Do not translate host and service numbers to names. -nn will suppress translation of protocol
numbers, as well.

-p <digits>
Print <digits> digits of precision for the fractional part of time values.

-q Run in quiet mode. Configure Ra not to print out the contents of records. This can be used with the
-T and -a options to support aggregate activity without printing each input record.

-r <file file ...> -
Read data from <files> in the order presented on the command line. '-' denotes stdin. Because this
option can have many arguments, it must be terminated with a '-'. The '-' of a subsequent option is
sufficient. Ra can read gzip(1), bzip2(1) and compress(1) compressed data files.

-R Print response data when available. This option applies to ICMP, arp and BOOTP traffic to indicate
the responses to these protocol-specific queries.

-s <[-][[+[#]]field ...> -
Specify the fields to print. Ra uses a default printing field list; by specifying a field you can
replace this list completely, or you can modify the existing default print list using the optional
'-' and '+[#]' forms of the argument. The available fields to print are:
    startime, lasttime, count, dur, avgdur,
    saddr, daddr, proto, sport, dport, ipid,
    stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
    pkts, spkts, dpkts, load, loss, rate,
    srcid, ind, mac, dir, jitter, status, user,
    win, trans, seq, vlan, mpls
Examples are:
    -s srcaddr       print only the source address.
    -s -bytes        removes the bytes field from the list.
    -s +2srcid       adds MAC addresses as the 2nd field.
    -s mac pkts      prints MAC addresses and src and dst pkt counts.

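The replace-or-modify semantics of -s above are easy to get wrong when building ra command lines in an investigation script, so here is a small resolver that applies a list of -s tokens the way the option text describes. This is an added example, not code from the ra(1) sources; the default field list, the rule that plain names and '-'/'+' edits cannot be mixed, and the rejection of removing an absent field are assumptions, since the page does not spell them out.

```python
import re

# Field names ra(1) accepts for -s, exactly as listed in the option text.
RA_FIELDS = {
    "startime", "lasttime", "count", "dur", "avgdur",
    "saddr", "daddr", "proto", "sport", "dport", "ipid",
    "stos", "dtos", "sttl", "dttl", "bytes", "sbytes", "dbytes",
    "pkts", "spkts", "dpkts", "load", "loss", "rate",
    "srcid", "ind", "mac", "dir", "jitter", "status", "user",
    "win", "trans", "seq", "vlan", "mpls",
}
# ASSUMED default print list; the page says ra has one but does not enumerate it.
DEFAULT_FIELDS = ["startime", "proto", "saddr", "sport", "dir",
                  "daddr", "dport", "pkts", "bytes", "status"]
# One -s token: optional '-' or '+', optional 1-based position, field name.
_TOKEN = re.compile(r"^(?P<op>[-+])?(?P<pos>[1-9]\d*)?(?P<field>[a-z]+)$")

def resolve_fields(tokens, default=DEFAULT_FIELDS):
    """Return the print list that `ra -s tok ... -` would use.

    Plain names replace the default list; '-field' / '+[#]field' edit it.
    Mixing the two styles, removing an absent field, or giving a position
    without '+' is rejected (assumed behaviour, not documented on the page).
    """
    parsed = []
    for tok in tokens:
        m = _TOKEN.match(tok)
        if not m or m["field"] not in RA_FIELDS:
            raise ValueError(f"bad -s token: {tok!r}")
        if m["pos"] is not None and m["op"] != "+":
            raise ValueError(f"position needs '+': {tok!r}")
        parsed.append((m["op"], m["pos"], m["field"]))
    if not parsed:
        raise ValueError("-s requires at least one field")
    if all(op is None for op, _, _ in parsed):
        return [f for _, _, f in parsed]              # replacement form
    if any(op is None for op, _, _ in parsed):
        raise ValueError("cannot mix plain fields with '-'/'+' edits")
    fields = list(default)                            # modification form
    for op, pos, field in parsed:
        if op == "-":
            if field not in fields:
                raise ValueError(f"{field!r} not in the current list")
            fields.remove(field)
        elif pos is None:
            fields.append(field)                      # '+field': append
        else:
            fields.insert(int(pos) - 1, field)        # '+2srcid': 2nd field
    return fields
```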
-S <host[:portnum]>
Specify a remote argus-server <host>. Use the optional

-t <timerange>
Specify the <time range> for matching argus(5) records. The syntax for the <time range> is:
    timeSpecification[-timeSpecification]
    timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
                       [yyyy/]mm/dd
                       -%d{yMdhms}
Examples are:
    -t 14                matches 2pm-3pm any day
    -t 23.11:10-14       11:10:00 - 2pm on the 23rd
    -t 11/23             all records on Nov 23rd
    -t 1999/01/23.10     10-11am on Jan 23, 1999
    -t -10m              matches 10 minutes before to the present
    -t -2h5m-2h          matches the range from 2 hours 5 minutes before
                         until 2 hours before.

-T <secs>
Read argus(5) records from the remote server for <secs> of time.

-u Write out time values using UTC time format.

-w <file>
Write out matching data to <file>, in argus file format. An output file of '-' directs ra to write
the argus(5) records to stdout, allowing for "chaining" ra* style commands together.

-z Print Argus TCP state changes for each TCP transaction. Values are:
    's' - Syn Transmitted
    'S' - Syn Acknowledged
    'E' - TCP Established
    'f' - Fin Transmitted (FIN Wait State 1)
    'F' - Fin Acknowledged (FIN Wait State 2)
    'R' - TCP Reset

-Z <s|d|b>
Print actual TCP flag values for the <'s'rc | 'd'st | 'b'oth> direction(s). Flags are:
    'F' - Fin
    'S' - Syn
    'R' - Reset
    'P' - Push
    'A' - Ack
    'U' - Urgent Pointer
    '7' - Undefined 7th bit set
    '8' - Undefined 8th bit set
