ra(1) - read argus(8) data
-A  When generating ASCII output, print the application byte counts.
-b  Dump  the  compiled  transaction-matching  code  to  standard  output  and  stop.  This is useful for
    debugging filter expressions.
-C [host:]<portnum>
    Indicate the optional host and required port number for the remote Cisco Netflow record source.  This
    will  cause  ra(1)  to  open a UDP socket, binding on the host and supplied port, and attempt to read
    Cisco Netflow records from the open socket.
-d <bytes>
    Print specified number of <bytes> from the user data capture buffer.  The  <bytes>  value  can  be  a
    number,  or  an  expression  that  specifies the number of bytes for either the source or destination
    buffer.  Formats include:
       -d 32      print 32 bytes from the src and dst buffer
       -d s24     print 24 bytes from the src buffer
       -d d16     print 16 bytes from the dst buffer
       -d s32:d8  print 32 bytes from the src buffer and
                         8 bytes from the dst buffer
-D <level>
    Print debug information corresponding to <level> to stderr, if the program was compiled to support
    debug printing.  As the level increases, so does the amount of debug information ra(1) will print.
    Values range from 1-8.
-E <file>
    When using a filter expression at the end of the command, this option will cause ra(1) to write the
    records that are rejected by the filter into <file>.
-F <conffile>
    Use  <conffile>  as  a  source of configuration information.  The format of this file is identical to
    rarc(5).  The data read from <conffile> overrides any prior configuration information.
-h  Print an explanation of all the arguments.
-n  Do not translate host and service numbers  to  names.  -nn  will  suppress  translation  of  protocol
    numbers, as well.
-p <digits>
    Print <digits> number of units of precision for fraction of time.
-q  Run  in quiet mode. Configure Ra to not print out the contents of records.  This can be used with the
    -T and -a options to support aggregate activity without printing each input record.
-r <file file ...> -
    Read data from <files> in the order presented on the command line. '-' denotes stdin.  Because this
    option  can  have many arguments, it must be terminated with a '-'.  The '-' of subsequent options is
    sufficient.  Ra can read gzip(1), bzip2(1) and compress(1) compressed data files.
-R  Print response data when available. This option applies to ICMP, arp and BOOTP  traffic  to  indicate
    the responses to these protocol specific queries.
-s <[-][[+[#]]field ...> -
    Specify the fields to print. Ra uses a default printing field list; by specifying a field you can
    replace this list completely, or you can modify the existing default print list using the optional
    '-' and '+[#]' form of the command.  The available fields to print are:

       startime, lasttime, count, dur, avgdur,
       saddr, daddr, proto, sport, dport, ipid,
       stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
       pkts, spkts, dpkts, load, loss, rate,
       srcid, ind, mac, dir, jitter, status, user,
       win, trans, seq, vlan, mpls

    Examples are:
       -s srcaddr    print only the source address.
       -s -bytes     removes the bytes field from list.
       -s +2srcid    adds MAC addresses as the 2nd field.
       -s mac pkts   prints MAC addresses and src and dst pkt counts.
-S <host[:portnum]>
    Specify a remote argus-server <host>. Use the optional
-t <timerange>
    Specify the <time range> for matching argus(5) records. The syntax for the <time range> is:

    timeSpecification[-timeSpecification]
    timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
                         [yyyy/]mm/dd
                         -%d{yMdhms}

    Examples are:
       -t 14             matches 2pm-3pm any day
       -t 23.11:10-14    11:10:00 - 2pm on the 23rd
       -t 11/23          all records on Nov 23rd
       -t 1999/01/23.10  10-11am on Jan 23, 1999
       -t -10m           matches 10 minutes before to the present
       -t -2h5m-2h       matches range between 2 hours 5 minutes before
                         until 2 hours before.
-T <secs>
    Read argus(5) records from remote server for <secs> of time.
-u  Write out time values using UTC time format.
-w <file>
    Write  out  matching  data to <file>, in argus file format. An output-file of '-' directs ra to write
    the argus(5) records to stdout, allowing for "chaining" ra* style commands together.
-z  Print Argus TCP state changes for each TCP transaction. Values are:
      's' - Syn Transmitted
      'S' - Syn Acknowledged
      'E' - TCP Established
      'f' - Fin Transmitted  (FIN Wait State 1)
      'F' - Fin Acknowledged (FIN Wait State 2)
      'R' - TCP Reset
-Z <s|d|b>
    Print actual TCP flag values. <'s'rc | 'd'st | 'b'oth>.
      'F' - Fin
      'S' - Syn
      'R' - Reset
      'P' - Push
      'A' - Ack
      'U' - Urgent Pointer
      '7' - Undefined 7th bit set
      '8' - Undefined 8th bit set
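
The relative form of the -t time range (-%d{yMdhms}, as in "-t -10m" and "-t -2h5m-2h") can be resolved to an absolute window before scoping a search. The following is an added example, not code from ra(1) or the argus project; the function names are hypothetical, and the 'y' and 'M' units are rejected because the page does not say how ra measures them.

```python
import re
from datetime import datetime, timedelta

# Fixed-length units from the "-%d{yMdhms}" form. 'y' and 'M' are left out:
# the page does not state their length, so this example refuses them.
_UNIT = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
_OFFSET = r"-((?:\d+[yMdhms])+)"          # e.g. "-2h5m"
_RANGE = re.compile(_OFFSET + "(?:" + _OFFSET + ")?")


def _offset(text):
    """Turn an offset body such as '2h5m' into a timedelta."""
    delta = timedelta()
    for count, unit in re.findall(r"(\d+)([yMdhms])", text):
        if unit not in _UNIT:
            raise ValueError(f"unit {unit!r} is not handled in this example")
        delta += timedelta(**{_UNIT[unit]: int(count)})
    return delta


def relative_range(spec, now):
    """Resolve a relative -t value to (start, end) datetimes.

    '-10m'     means from 10 minutes before 'now' to 'now'.
    '-2h5m-2h' means from 2 h 5 min before 'now' until 2 h before 'now'.
    """
    m = _RANGE.fullmatch(spec)
    if not m:
        raise ValueError(f"not a relative time range: {spec!r}")
    start = now - _offset(m.group(1))
    end = now - _offset(m.group(2)) if m.group(2) else now
    if start > end:
        # e.g. '-2h-2h5m': the window would end before it starts
        raise ValueError(f"time range runs backwards: {spec!r}")
    return start, end


if __name__ == "__main__":
    # Constructed reference time, not taken from any capture.
    now = datetime(1999, 1, 23, 10, 0, 0)
    for spec in ("-10m", "-2h5m-2h"):
        start, end = relative_range(spec, now)
        print(f"-t {spec:<9} {start:%Y/%m/%d.%H:%M:%S} - {end:%Y/%m/%d.%H:%M:%S}")
```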