argus-clients-2.0.6.fixes.1-5mdv2009.0.i586.rpm

<HTML><HEAD><TITLE>Manpage of RA</TITLE>
</HEAD><BODY>
<H1>RA</H1>
Section: User Commands  (1)<BR>Updated: 12 November 2000<BR><A HREF="#index">Index</A>
<HR>

<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

<B>ra</B> - read <B><A HREF="http://localhost/cgi-bin/man/man2html?8+argus">argus</A>(8)</B> data.
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>ra</B>
<BR>

<B>ra [raoptions] [- filter-expression]</B>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<A NAME="ixAAB"></A>
<P>

<B>Ra</B>

reads
<B>argus</B>

data from either <I>stdin</I>, an <I>argus-file</I>, or from a
remote <I>argus-server</I>, filters the records it encounters based on
an optional <I>filter-expression</I>  and either prints the contents of the
<B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B>

records that it encounters to <B>stdout</B> or writes them out into an
<B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B>

datafile.
<P>

The <B>NEW FEATURES</B> section describes major enhancements of <B>ra</B>
between version 2.0 and 1.x. 
<P>
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>

<DL COMPACT>
<DT><B>-a</B>

<DD>
Print record processing summary statistics at the end of processing.
<DT><B>-A</B>

<DD>
When generating ASCII output, print the application byte counts.
<DT><B>-b</B>

<DD>
Dump the compiled transaction-matching code to standard output and stop.
This is useful for debugging filter expressions.
<DT><B>-c</B>

<DD>
Print the transaction source and destination byte and packet <I>counts</I>.
<DT><B>-C</B>

<DD>
Indicate that the remote source of input is a Cisco Netflow record source.
This will cause <B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A>(1)</B> to open a UDP socket and attempt to read
Cisco Netflow records from the open socket.  The default is port 9995.
This port number can be changed using the <B>-P</B> option.
<DT><B>-d &lt;bytes&gt;</B>

<DD>
Print specified number of <B>&lt;bytes&gt;</B> from the user data capture buffer.
The <B>&lt;bytes&gt;</B> value can be a number, or an expression that specifies the
number of bytes for either the source or destination buffer.  Formats
include:
<PRE>
   -d 32      print 32 bytes from the src and dst buffer
   -d s24     print 24 bytes from the src buffer
   -d d16     print 16 bytes from the dst buffer
   -d s32:d8  print 32 bytes from the src buffer and
                     8 bytes from the dst buffer
</PRE>

<DT><B>-D</B>

<DD>
<B>&lt;level&gt;</B>

Print debug information corresponding to <B>&lt;level&gt;</B> to stderr, if program
compiled to support debug printing.  As the level increases, so does the
amount of debug information
<B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A>(1)</B>

will print.  Values range from 1-8.
<DT><B>-E</B>

<DD>
<B>&lt;file&gt;</B>

When using a filter expression at the end of the command, this option will
cause
<B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A>(1)</B>

to write the records that are rejected by the filter into
<B>&lt;file&gt;</B>

<DT><B>-F</B>

<DD>
<B>&lt;conffile&gt;</B>

Use <B>&lt;conffile&gt;</B> as a source of configuration information.  The format of
this file is identical to <B><A HREF="http://localhost/cgi-bin/man/man2html?5+rarc">rarc</A>(5)</B>.  The data read from <B>&lt;conffile&gt;</B>
overrides any prior configuration information.
<DT><B>-g</B>

<DD>
Print the duration of the argus record interval in secs.  Precision is controlled
by the '<B>-p</B>' option.
<DT><B>-G</B>

<DD>
Print both the start and last time values of the argus record interval.
<DT><B>-h</B>

<DD>
Print an explanation of all the arguments. 
<DT><B>-i</B>

<DD>
Print source probe ID for each transaction.
<DT><B>-I</B>

<DD>
Print extended state and option indicators for each transaction.
<DT><B>-l</B>

<DD>
Print the last time value of the argus record interval.
<DT><B>-m</B>

<DD>
Print ethernet or fddi (MAC) addresses, if the <B><A HREF="http://localhost/cgi-bin/man/man2html?8+argus">argus</A>(8)</B> data contains it.
<DT><B>-n</B>

<DD>
Do not translate host and service numbers to names. <B>-nn</B> will
suppress translation of protocol numbers, as well.
<DT><B>-p</B>

<DD>
<B>&lt;digits&gt;</B>

Print <B>&lt;digits&gt;</B> number of units of precision for fraction of time.
<DT><B>-P</B>

<DD>
Use alternate <B>&lt;portnum&gt;</B> when accessing remote
<B>argus</B>

server.  The default is port 561/tcp.
<DT><B>-q</B>

<DD>
Run in quiet mode. Configure Ra to not print out the contents of records.
This can be used with the -T and -a options to support aggregate activity
without printing each input record.
<DT><B>-r</B>

<DD>
<B>&lt;file file ...&gt; -</B>

Read data from <B>&lt;files&gt;</B> in the order presented on the
commandline. '<B>-</B>' denotes stdin.  Because this
option can have many arguments, it must be terminated with a '-'.
The '-' of subsequent options is sufficient.
Ra can read <B><A HREF="http://localhost/cgi-bin/man/man2html?1+gzip">gzip</A>(1)</B>, <B><A HREF="http://localhost/cgi-bin/man/man2html?1+bzip2">bzip2</A>(1)</B> and <B><A HREF="http://localhost/cgi-bin/man/man2html?1+compress">compress</A>(1)</B> 
compressed data files.
<DT><B>-R</B>

<DD>
Print response data when available. This option applies to ICMP,
arp and BOOTP traffic to indicate the responses to these protocol
specific queries.
<DT><B>-S</B>

<DD>
<B>&lt;host&gt;</B>

Specify a remote <I>argus-server</I> <B>&lt;host&gt;</B>. 
<DT><B>-t</B>

<DD>
<B>&lt;timerange&gt;</B>

Specify the <B>&lt;time range&gt;</B> for matching <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B> records. The syntax
for the <B>&lt;time range&gt;</B> is:
<PRE>

timeSpecification[-timeSpecification]
timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
                     [yyyy/]mm/dd

</PRE>

Examples are:
<PRE>
   -t 14             matches 2pm-3pm any day
   -t 23.11:10 - 14  11:10:00 - 2pm on the 23rd
   -t 11/23          all records on Nov 23rd
   -t 1999/01/23.10  10-11am on Jan, 23, 1999
</PRE>

<P>
<DT><B>-T</B>

<DD>
<B>&lt;secs&gt;</B>

Read <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B> from remote server for <B>&lt;secs&gt;</B> of time.
<DT><B>-u</B>

<DD>
Write out time values using UTC time format.
<DT><B>-w</B>

<DD>
<B>&lt;file&gt;</B>

Write out matching data to <B>&lt;file&gt;</B>, in
<B>argus</B>

file format. An <I>output-file</I> of '-' directs 
<B>ra</B>

to write the <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B> records to stdout, allowing for &quot;chaining&quot;
<B>ra*</B>

style commands together.
<DT><B>-z</B>

<DD>
Print Argus TCP state changes for each tcp transaction. Values are
<PRE>
  's' - Syn Transmitted
  'S' - Syn Acknowledged
  'E' - TCP Established
  'f' - Fin Transmitted  (FIN Wait State 1)
  'F' - Fin Acknowledged (FIN Wait State 2)
  'R' - TCP Reset
</PRE>

<P>
<DT><B>-Z</B>

<DD>
<B>&lt;s|d|b&gt;</B>

Print actual TCP flag values. &lt;'s'rc | 'd'st | 'b'oth&gt;.
<PRE>
  'F' - Fin
  'S' - Syn
  'R' - Reset
  'P' - Push
  'A' - Ack
  'U' - Urgent Pointer
  '7' - Undefined 7th bit set
  '8' - Undefined 8th bit set
</PRE>

<P>
</DL>
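<P>
The following Python program is an added example; it is not part of this manual page or of the argus-clients package.  It implements the <B>-t</B> time-range grammar above (both the dotted form and the date-only form, plus the '-' range) as a predicate over record times, so that a set of records can be scoped offline the same way <B>-t</B> scopes them in <B>ra</B>, for instance when narrowing an investigation to one hour of one day.  Two points are assumptions rather than statements of this page: the end of a range is treated as exclusive ("23.11:10 - 14" matches up to but not including 14:00:00), and a specification that omits leading fields, such as "14", is matched against the record's own year, month and day, which is how the "any day" wording above is read here.

```python
"""Evaluate ra(1) -t time-range arguments against record times (added example)."""
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Calendar fields from most to least significant; partial specifications
# are right-aligned against this order.
FIELDS = ("year", "month", "day", "hour", "minute", "second")


def parse_timespec(spec: str) -> Dict[str, int]:
    """Parse one timeSpecification into the fields it names.

    Accepts [[[yyyy/]mm/]dd.]hh[:mm[:ss]] and the date-only form
    [yyyy/]mm/dd.  Fields the specification does not mention are absent.
    """
    spec = spec.strip()
    if "." in spec:                      # date.time
        date, clock = spec.split(".", 1)
    elif "/" in spec:                    # date only
        date, clock = spec, None
    else:                                # time only
        date, clock = None, spec
    given: Dict[str, int] = {}
    if date is not None:
        parts = [int(p) for p in date.split("/")]
        if len(parts) > 3 or (clock is None and len(parts) < 2):
            raise ValueError(f"bad date part in {spec!r}")
        given.update(zip(("year", "month", "day")[-len(parts):], parts))
    if clock is not None:
        parts = [int(p) for p in clock.split(":")]
        if not 1 <= len(parts) <= 3:
            raise ValueError(f"bad time part in {spec!r}")
        given.update(zip(("hour", "minute", "second"), parts))
    return given


def _advance(dt: datetime, unit: str) -> datetime:
    """Start of the next <unit> after dt."""
    if unit == "year":
        return dt.replace(year=dt.year + 1)
    if unit == "month":
        return dt.replace(year=dt.year + dt.month // 12, month=dt.month % 12 + 1)
    return dt + timedelta(**{unit + "s": 1})


def window(given: Dict[str, int], ref: datetime) -> Tuple[datetime, datetime]:
    """Half-open [start, end) window that a specification denotes.

    Fields more significant than the first one given are wildcards taken
    from the record time ref ("-t 14" is 2pm-3pm on any day); fields finer
    than the last one given are zeroed, and the window is one unit of the
    finest given field wide.
    """
    order = [f for f in FIELDS if f in given]
    first, last = FIELDS.index(order[0]), order[-1]
    vals = {}
    for i, f in enumerate(FIELDS):
        if f in given:
            vals[f] = given[f]
        elif i < first:
            vals[f] = getattr(ref, f)            # wildcard: copy from the record
        else:
            vals[f] = 1 if f in ("month", "day") else 0
    start = datetime(**vals)
    return start, _advance(start, last)


def in_range(t: datetime, arg: str) -> bool:
    """True if record time t lies inside the -t argument arg."""
    parts = arg.split("-")
    if len(parts) > 2:
        raise ValueError(f"more than one '-' in {arg!r}")
    start_spec = parse_timespec(parts[0])
    start, end = window(start_spec, t)
    if len(parts) == 2:
        end_spec = parse_timespec(parts[1])
        # The end specification inherits the leading fields of the start:
        # "23.11:10 - 14" ends at 14:00 on the 23rd, not at 14:00 on any day.
        cut = FIELDS.index(next(f for f in FIELDS if f in end_spec))
        merged = {f: v for f, v in start_spec.items() if FIELDS.index(f) < cut}
        merged.update(end_spec)
        end, _ = window(merged, t)       # assumption: the end bound is exclusive
    return start <= t < end
```

<P>
Because <B>ra</B> joins multiple arguments with spaces before parsing, "-t 23.11:10 - 14" and "-t '23.11:10 - 14'" denote the same range; the function above accepts the joined string.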
<A NAME="lbAF">&nbsp;</A>
<H2>ARGUMENTS</H2>

If arguments remain after option processing, the collection is
interpreted as a single filter <B>expression</B>.  In order to indicate
the end of arguments, a '-' is recommended before the filter
expression is added to the command line.
<BR>

<BR>

The filter expression specifies which <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B> records will
be selected for processing.  If no <I>expression</I> is given, all
records are selected, otherwise, only those records for which
<I>expression</I> is `true' will be printed.
<P>
The syntax is very similar to the expression syntax for <B><A HREF="http://localhost/cgi-bin/man/man2html?1+tcpdump">tcpdump</A>(1)</B>,
as the tcpdump compiler was the basis for the <B><A HREF="http://localhost/cgi-bin/man/man2html?5+argus">argus</A>(5)</B> filter
expression compiler.  The semantics for <B><A HREF="http://localhost/cgi-bin/man/man2html?1+tcpdump">tcpdump</A>(1)'s</B> packet
filter expression are different when applied to transaction record
filtering, so there are some major differences.
<P>

The <I>expression</I> consists of one or more
<I>primitives.</I>

Primitives usually consist of an
<I>id</I>

(name or number) preceded by one or more qualifiers.  There are three
different kinds of qualifier:
<DL COMPACT>
<DT><I>type</I><DD>
qualifiers say what kind of thing the id name or number refers to.
Possible types are
<B>host</B>,

<B>net ,</B>

<B>port</B>,

<B>tos</B>

and
<B>ttl</B>.

<P>
E.g., `host sphynx', `net 192.168', `port domain', `ttl 1'.  If there is no type
qualifier,
<B>host</B>

is assumed.
<DT><I>dir</I><DD>
qualifiers specify a particular transfer direction to and/or from
<I>an id.</I>

Possible directions are
<B>src</B>,

<B>dst</B>,

<B>src or dst</B>

and
<B>src and dst</B>.

E.g., `src sphynx', `dst net 192.168', `src or dst port ftp', `src and dst tos 0x0a'.
If there is no dir qualifier,
<B>src or dst</B>

is assumed.
<DT><I>proto</I><DD>
qualifiers restrict the match to a particular protocol.  Possible
values are those specified in the <B>/etc/protocols</B> system file.
When preceded by <I>ether</I>, the protocol numbers specified in

</DL>
<P>

In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
<B>gateway</B>
and
<B>broadcast</B>.

All of these are described below.
<P>

More complex filter expressions are built up by using the words
<B>and</B>,

<B>or</B>

and
<B>not</B>

to combine primitives.  E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.  E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
<P>

Allowable primitives are:
<DL COMPACT>
<DT><B>dst host </B><I>host</I><DD>
True if the IP destination field of the Argus record is <I>host</I>,
which may be either an address or a name.
<DT><B>src host </B><I>host</I><DD>
True if the IP source field of the Argus record is <I>host</I>.
<DT><B>host </B><I>host</I><DD>
True if either the IP source or destination of the Argus record is <I>host</I>.
Any of the above host expressions can be prepended with the keywords,
<B>ip</B>, <B>arp</B>, or <B>rarp</B> as in:

<PRE>
<B>ip host </B><I>host</I>
</PRE>


which is equivalent to:

<PRE>
<B>ether proto </B><I>\ip</I><B> and host </B><I>host</I>
</PRE>


If <I>host</I> is a name with multiple IP addresses, each address will
be checked for a match.
<DT><B>ether dst </B><I>ehost</I><DD>
True if the ethernet destination address is <I>ehost</I>.  <I>Ehost</I>
may be either a name from /etc/ethers or a number (see
<I><A HREF="http://localhost/cgi-bin/man/man2html?3N+ethers">ethers</A></I>(3N)

for numeric format).
<DT><B>ether src </B><I>ehost</I><DD>
True if the ethernet source address is <I>ehost</I>.
<DT><B>ether host </B><I>ehost</I><DD>
True if either the ethernet source or destination address is <I>ehost</I>.
<DT><B>gateway</B> <I>host</I><DD>
True if the transaction used <I>host</I> as a gateway.  I.e., the ethernet
source or destination address was <I>host</I> but neither the IP source
nor the IP destination was <I>host</I>.  <I>Host</I> must be a name and
must be found in both /etc/hosts and /etc/ethers.  (An equivalent
expression is

<PRE>
<B>ether host </B><I>ehost </I><B>and not host </B><I>host</I>
</PRE>


which can be used with either names or numbers for <I>host / ehost</I>.)
<DT><B>dst net </B><I>net</I><DD>
True if the IP destination address of the Argus record has a network
number of <I>net</I>, which may be either an address or a name.
<DT><B>src net </B><I>net</I><DD>
True if the IP source address of the Argus record has a network
number of <I>net</I>.
<DT><B>net </B><I>net</I><DD>
True if either the IP source or destination address of the Argus record has a network
number of <I>net</I>.
<DT><B>dst port </B><I>port</I><DD>
True if the network transaction is ip/tcp or ip/udp and has a
destination port value of <I>port</I>.
The <I>port</I> can be a number or a name used in /etc/services (see
<I><A HREF="http://localhost/cgi-bin/man/man2html?4P+tcp">tcp</A></I>(4P)

and
<I><A HREF="http://localhost/cgi-bin/man/man2html?4P+udp">udp</A></I>(4P)).

If a name is used, both the port
number and protocol are checked.  If a number or ambiguous name is used,
only the port number is checked (e.g., <B>dst port 513</B> will print both
tcp/login traffic and udp/who traffic, and <B>port domain</B> will print
both tcp/domain and udp/domain traffic).
<DT><B>src port </B><I>port</I><DD>
True if the network transaction has a source port value of <I>port</I>.
<DT><B>port </B><I>port</I><DD>
True if either the source or destination port of the Argus record is <I>port</I>.
Any of the above port expressions can be prepended with the keywords,
<B>tcp</B> or <B>udp</B>, as in:

<PRE>
<B>tcp src port </B><I>port</I>
</PRE>


which matches only tcp connections.
<DT><B>ip proto </B><I>protocol</I><DD>
True if the Argus record is an ip transaction (see
<I><A HREF="http://localhost/cgi-bin/man/man2html?4P+ip">ip</A></I>(4P))

of protocol type <I>protocol</I>.
<I>Protocol</I> can be a number or any of the string values found
in <I>/etc/protocols</I>.
<DT><B>broadcast</B><DD>
True if the network transaction involved a broadcast address.
<DT><B>ether proto </B><I>protocol</I><DD>
True if the Argus record is of ether type <I>protocol</I>.
<I>Protocol</I> can be a number or a name like
<I>ip</I>, <I>arp</I>, or <I>rarp</I>.
Note these identifiers are also keywords
and must be escaped via backslash (\).
<DT><B>dst ttl </B><I>number</I><DD>
True if the destination TTL of the Argus record equals <I>number</I>.
<DT><B>src ttl </B><I>number</I><DD>
True if the source TTL of the Argus record equals <I>number</I>.
<DT><B>ttl </B><I>number</I><DD>
True if either the source or destination TTL of the Argus record equals
<I>number</I>.
<DT><B>dst tos </B><I>number</I><DD>
True if the destination TOS of the Argus record equals <I>number</I>.
<DT><B>src tos </B><I>number</I><DD>
True if the source TOS of the Argus record equals <I>number</I>.
<DT><B>tos </B><I>number</I><DD>
True if either the source or destination TOS of the Argus record equals
<I>number</I>.
<P>
</DL>
<P>

Ra filter expressions support primitives that are specific
to flow states and can be used to select flow records that
were in these states at the time they were generated.
<P>
<I>normal</I>
<I>wait</I>
<I>timeout</I>
<I>est</I> or <I>con</I>
<P>
Primitives that select flows that experienced fragmented packets.
<I>frag</I>
<I>fragonly</I>
<P>
Support for selecting flows that used multiple pairs of MAC
addresses during their lifetime.
<I>multipath</I>
<P>
<P>

Primitives specific to TCP flows are supported.
<I>syn</I>
<I>synack</I>
<I>data</I>
<I>ecn</I>
<I>fin</I>
<I>finack</I>
<I>reset</I>
<I>retrans</I>
<I>winshut</I>
<P>
Primitives specific to ICMP flows are supported.
<I>echo</I>
<I>unreach</I>
<I>redirect</I>
<I>timexed</I>
<P>
<P>

For some primitives, a direction qualifier is appropriate.
These are
<I>frag</I>
<I>reset</I>
<I>retrans</I>
<I>winshut</I>
<P>
<P>

Primitives may be combined using:
<DL COMPACT>
<DT><DD>
A parenthesized group of primitives and operators
(parentheses are special to the Shell and must be escaped).
<DT><DD>
Negation (`<B>!</B>' or `<B>not</B>').
<DT><DD>
Concatenation (`<B>and</B>').
<DT><DD>
Alternation (`<B>or</B>').
</DL>
<P>

Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.  Note that explicit <B>and</B> tokens, not juxtaposition,
are now required for concatenation.
<P>

If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,

<PRE>
<B>not host sphynx and anubis</B>
</PRE>


is short for

<PRE>
<B>not host sphynx and host anubis</B>
</PRE>


which should not be confused with

<PRE>
<B>not ( host sphynx or anubis )</B>
</PRE>


<P>

Expression arguments can be passed to <B><A HREF="http://localhost/cgi-bin/man/man2html?1+ra">ra</A>(1)</B> as either a single argument
or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.
<P>
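<P>
The qualifier-inheritance rule above is easy to misread, and a misread filter silently changes which records are selected (compare `not host sphynx and anubis' with `not ( host sphynx or anubis )').  The following Python function is an added example, not part of this manual page or of the argus-clients code: it rewrites a filter expression into the fully qualified form that the rule above says the compiler will evaluate, so the expansion can be checked before the expression is handed to <B>ra</B>.  It knows only the qualifiers and keyword primitives listed on this page, treats `src or dst' and `src and dst' as single direction qualifiers, and makes one assumption the page does not state: a parenthesised group starts a fresh qualifier context.  It is a preview of the expansion, not the filter compiler itself; the <B>-b</B> option dumps what <B>ra</B> actually compiled.

```python
"""Expand ra(1)/tcpdump-style filter shorthand into fully qualified primitives (added example)."""
import re
from typing import List

# Qualifier words; the qualifier list of a primitive carries over to a
# following bare identifier ("tcp dst port ftp or ftp-data").
QUALIFIERS = {
    "host", "net", "port", "tos", "ttl",               # type
    "src", "dst", "src or dst", "src and dst",         # dir (merged by tokenize)
    "ip", "arp", "rarp", "tcp", "udp", "icmp",         # proto
    "ether", "proto", "gateway",
}
# Words that separate primitives; qualifiers never pass through them.
OPERATORS = {"and", "or", "not", "!", "(", ")"}
# Keyword-only primitives from this page that take no identifier.
STANDALONE = {
    "broadcast", "normal", "wait", "timeout", "est", "con",
    "frag", "fragonly", "multipath",
    "syn", "synack", "data", "ecn", "fin", "finack", "reset", "retrans", "winshut",
    "echo", "unreach", "redirect", "timexed",
}


def tokenize(expr: str) -> List[str]:
    """Split on whitespace and parentheses; fold 'src or dst' / 'src and dst'
    into one token so their inner 'or'/'and' is not taken for an operator."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    merged: List[str] = []
    i = 0
    while i < len(toks):
        if (toks[i] == "src" and i + 2 < len(toks)
                and toks[i + 1] in ("or", "and") and toks[i + 2] == "dst"):
            merged.append(f"src {toks[i + 1]} dst")
            i += 3
        else:
            merged.append(toks[i])
            i += 1
    return merged


def expand(expr: str) -> str:
    """Return expr with every bare identifier given the most recent qualifier list."""
    out: List[str] = []
    pending: List[str] = []   # qualifiers read so far for the primitive in progress
    current: List[str] = []   # qualifier list of the last completed primitive
    for tok in tokenize(expr):
        if tok in OPERATORS:
            out.append(tok)
            pending = []
            if tok == "(":
                current = []      # assumption: a group starts a fresh context
        elif tok in QUALIFIERS:
            pending.append(tok)
            out.append(tok)
        elif tok in STANDALONE:
            out.append(tok)
            pending = []
        else:                     # an identifier: name, number or address
            if pending:
                current, pending = pending, []
            else:
                out.extend(current)   # inherit the most recent qualifier list
            out.append(tok)
    return " ".join(out)
```

<P>
Running the page's own examples through it shows the difference that matters: `not host sphynx and anubis' expands to `not host sphynx and host anubis', which negates only the first host, whereas `not ( host sphynx or anubis )' negates both.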
<A NAME="lbAG">&nbsp;</A>
<H3>Startup Processing</H3>

<B>Ra</B> begins by searching for the configuration file <B>.rarc</B> first
in the directory, <B>$ARGUSHOME</B> and then <B>$HOME</B>.  If a <B>.rarc</B>
is found, all variables specified in the file are set.
<P>

<B>Ra</B> then parses its command line options and set its internal variables
accordingly.
<P>

If a configuration file is specified on the command-line, using the &quot;-F &lt;conffile&gt;&quot;
option, the values in this .rarc formatted file supersede all other values.
<P>
<P>
<A NAME="lbAH">&nbsp;</A>
<H2>EXAMPLES</H2>

<P>

To report all TCP transactions from and to host 'narly.wave.com',
reading transaction data from <I>argus-file</I> argus.data:
<DL COMPACT><DT><DD>
<PRE>
<B>ra -r argus.data - tcp and host narly.wave.com</B>
</PRE>

</DL>

<P>

Create the <I>argus-file</I> icmp.log with all ICMP events involving
the host nimrod, reading the transaction data from <I>stdin</I>
(here fed from an existing <I>argus-file</I> by <B>cat</B>):
<DL COMPACT><DT><DD>
<PRE>
<B>cat </B><I>argus-file</I> | ra -r - -w icmp.log - icmp and host nimrod
</PRE>

</DL>

<BR>

<A NAME="lbAI">&nbsp;</A>
<H2>OUTPUT FORMAT</H2>

<P>

The following is a brief description of the output format of
<B>ra</B>

which reports transaction data in various levels of detail.
The general format is:

<DL COMPACT><DT><DD>
<PRE>

<I>  time proto  srchost  dir  dsthost  [count] status</I>

</PRE>

</DL>

<DL COMPACT>
<DT><B>time</B>

<DD>
The format of the <I>time</I> field is specified by the .rarc file, using
syntax supported by the routine
<B><A HREF="http://localhost/cgi-bin/man/man2html?3V+localtime">localtime</A>(3V).</B>

The default is 
<B>Argus</B>

transaction data contains both starting and ending transaction times,
with precision to the microsecond. However,
<B>ra</B>

prints out only one of these dates depending on the status of the
<B>argus</B>

server.  When the 
<B>argus</B>

server is running in default mode, 
<B>ra</B>

reports the transaction starting time.
When the server is in DETAIL mode, the transaction ending time is reported.
<DT><B>mac.addr</B>

<DD>
<I>mac.addr</I>
is an optional field, specified using the
<B>-m</B>

flag.  <I>mac.addr</I> represents the first source and destination
MAC addresses seen for a particular transaction.  These addresses are
paired with the <I>host.port</I> fields, so the direction indicator is
needed to distinguish between the source and destination MAC addresses.
<DT><B>proto&nbsp;[options&nbsp;protocol]</B>

<DD>
The <I>proto</I> indicator consists of two fields. The first is
protocol specific and the designations are:
<PRE>

  m       -  MPLS encapsulated flow
  q       -  802.1Q encapsulated flow
  p       -  PPP over Ethernet encapsulated flow
  E       -  Multiple encapsulations/tags
   s      -  Src TCP packet retransmissions
   d      -  Dst TCP packet retransmissions
   *      -  Both Src and Dst TCP retransmissions
    S     -  Src TCP Window Closure
    D     -  Dst TCP Window Closure
    @     -  Both Src and Dst Window Closure
     S    -  IP option Strict Source Route
     L    -  IP option Loose Source Route
     T    -  IP option Time Stamp
     +    -  IP option Security
     R    -  IP option Record Route
     N    -  IP option SATNET
     O    -  multiple IP options set
      F   -  Fragments seen
      f   -  Partial Fragment
      V   -  Fragment overlap seen
       M  -  Multiple physical layer paths
</PRE>

<P>
The second field indicates the upper protocol used in the transaction.
This field will contain the first 4 characters of the official
name for the protocol used, as defined in RFC-1700.  Argus attempts
to discover the Realtime Transport Protocol, when it is being used.
When it encounters RTP, it will indicate its use in this field, with
the string 'rtp'.  Use of the
<B>-n</B>

option, twice (-nn), will cause the actual protocol number to be
displayed.
<DT><B>host</B>

<DD>
The <I>host</I> field is protocol dependent, and for all protocols
will contain the IP address/name.  For TCP and UDP, the field will
also contain the port number/name, separated by a period.
<DT><B>dir</B>

<DD>
The <I>dir</I> field will have the direction of the transaction,
as can be best determined from the datum, and is used to indicate
which hosts are transmitting. For TCP, the dir field indicates
the actual source of the TCP connection, with the center character
indicating the state of the transaction.
<DL COMPACT><DT><DD>
<PRE>

     -  - transaction was NORMAL
     |  - transaction was RESET
     o  - transaction TIMED OUT.
     ?  - direction of transaction is unknown.
</PRE>

</DL>

<DT><B>count</B>

<DD>
<I>count</I> is an optional field, specified using the
<B>-c</B>

option.  There are 4 fields that are produced.  The
first 2 are the packet counts and the last 2 are the byte counts
for the specific transaction.  The fields are paired with the
previous host fields, and represent the packets transmitted by
the respective host.
<DT><B>status</B>

<DD>
The <I>status</I> field indicates the principal status for the transaction
report, and is protocol dependent.  For all the protocols, except ICMP,
this field reports on the basic state of a transaction.
<DT>
<DD>
<B>REQ|INT (requested|initial)</B>

This indicates that this is the <I>initial</I> status report for a
transaction and is seen only when the <I>argus-server</I> is in DETAIL
mode.  For TCP connections this is <B>REQ</B>, indicating that a
connection is being requested.  For the connectionless protocols,
such as UDP, this is <B>INT</B>.
<DT>
<DD>
<B>ACC (accepted)</B>

This indicates that a request/response condition has occurred,
and that a transaction has been detected between two hosts.
For TCP, this indicates that a connection request has been
answered, and the connection will be accepted.  This is only seen
when the <I>argus-server</I> is in DETAIL mode.  For the
connectionless protocols, this state indicates that there
has been a single packet exchange between two hosts, and could
qualify as a request/response transaction.
<DT>
<DD>
<B>EST|CON (established|connected)</B>

This record type indicates that the reported transaction is active, and
has been established or is continuing.  This should be interpreted as a
status report of a currently active transaction.
For TCP, the EST status is only seen in DETAIL mode, and indicates
that the three way handshake has been completed for a connection.
<DT>
<DD>
<B>CLO (closed) </B>

TCP specific, this record type indicates that the TCP connection has
closed normally.
<DT>
<DD>
<B>TIM (timeout)</B>

Activity was not seen relating to this transaction, during the
<B>argus</B>

server's timeout period for this protocol.  This status is seen
only when there were packets recorded since the last report for
this transaction.
<P>
For the ICMP protocol, the <I>status</I> field displays various
aspects of the ICMP data.  With the <B>-I</B> option, extended ICMP protocol
data information is given.  ICMP status can have the values (<B>-I</B> option info):
<PRE>

<B>ECO</B> echo request
<B>ECR</B> echo reply
<B>URF</B> unreachable need fragmentation
<B>URH</B> unreachable host (<I>hostaddr</I>)
<B>URN</B> unreachable network (<I>netaddr</I>)
<B>URO</B> unreachable protocol (<I>protonum</I>)
<B>URP</B> unreachable port (<I>protonum portnum</I>)
<B>URS</B> unreachable source failed
<B>SRC</B> source quench
<B>RED</B> redirect
<B>TIM</B> time exceeded
<B>PAR</B> parameter problem
<B>TST</B> timestamp request
<B>TSR</B> timestamp reply
<B>IRQ</B> information request
<B>IRR</B> information reply
<B>MAS</B> mask request
<B>MSR</B> mask reply (<I>maskaddr</I>)

</PRE>

</DL>
<P>

<BR>

<A NAME="lbAJ">&nbsp;</A>
<H2>OUTPUT EXAMPLES</H2>

<P>
These examples show typical <B>ra</B> output, and demonstrates a
number of variations seen in <B>argus</B> data.  This <B>ra</B>
output was generated using the <B>-n</B> option to suppress
number translation.
<P>


<B>
</B><PRE>
Thu 12/29 06:40:32   S tcp  132.3.31.15.6439   -&gt; 12.23.14.77.23   CLO
</PRE>




This is a normal tcp transaction to the telnet port on host 12.23.14.77.
The IP Option strict source route was seen.
<P>


<B>
</B><PRE>
Thu 12/29 06:40:32     tcp  132.3.31.15.6200  &lt;|  12.23.14.77.25   RST
</PRE>




This tcp transaction from the smtp port of host 12.23.14.77
was <B>RESET</B>, indicating that the transaction was denied.
<P>


<B>
</B><PRE>
Thu 12/29 03:39:05  M  igmp 12.88.14.10       &lt;-&gt; 128.2.2.10       CON
</PRE>




This is an igmp transaction status report, usually seen with MBONE traffic.
There was more than one source and destination MAC address pair used to
support the transaction, suggesting a possible routing loop.
<P>


<B>
</B><PRE>
Thu 12/29 06:40:05 *   tcp  12.23.14.23.1043  &lt;-&gt; 12.23.14.27.6000 TIM
</PRE>





This is an X-windows transaction, that has <B>TIMEDOUT</B>.   Packets
were retransmitted during the connection.
<P>


<B>
</B><PRE>
Thu 12/29 07:42:09     udp   12.9.1.115.2262   -&gt; 28.12.141.6.139  INT
</PRE>




This is an initial netbios UDP transaction status report, indicating
that this is the first datagram encountered for this transaction. 
<P>


<B>
</B><PRE>
Thu 12/29 06:42:09     icmp  12.9.1.115       &lt;-&gt; 12.68.5.127      ECO
</PRE>




This example represents a &quot;ping&quot; of host 12.9.1.115, and its response. 


<P>



This next example shows the <B>ra</B> output of a complete TCP transaction,
with the preceding Arp and DNS requests, while reading from a remote
<I>argus-server</I>.   The '*' in the CLO report indicates that at least
one TCP packet was retransmitted during the transaction.  The hostnames
in this example are fictitious.
<P>
<PRE>
% ra -S <I>argus-server</I> - host i.qosient.com
ra: Trying argus-server port 561
ra: connected Argus Version 2.0
Sat 12/03 15:29:38     arp  i.qosient.com     who-has  dns.qosient.com  INT
Sat 12/03 15:29:39     udp  i.qosient.com.1542  &lt;-&gt;    dns.qosient.53   INT
Sat 12/03 15:29:39     arp  i.qosient.com     who-has  qosient.com      INT
Sat 12/03 15:29:39 *   tcp  i.qosient.com.1543   -&gt;    qosient.com.smtp CLO
</PRE>
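<P>
The following Python program is an added example; it is not part of this manual page or of the argus-clients package.  It parses default <B>ra</B> text output (the columns shown in OUTPUT FORMAT: time, indicator characters, proto, host.port, dir, host.port, status; no <B>-c</B>, <B>-m</B> or <B>-z</B> columns) into records and buckets the ones the examples above single out as worth a second look: transactions RESET by the peer, flows carrying IP source-route options, and flows seen over more than one MAC pair.  The sample input is constructed from the output lines shown above plus the two banner lines <B>ra</B> prints when it connects to a server.  One caveat: splitting a line on whitespace discards the column position of an indicator character, and the legend relies on the column to tell Src window closure ('S' in column 3) from strict source route ('S' in column 4), so the parser reports an 'S' as either; a parser for a fixed-width layout would have to keep the column.

```python
"""Parse default ra(1) ASCII output and triage the records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines shown in OUTPUT EXAMPLES plus the banner
# lines ra prints when it connects to a remote server.  Assumption: default
# columns only (no -c/-m/-z), exactly as in those examples.
SAMPLE = """\
ra: Trying argus-server port 561
ra: connected Argus Version 2.0
Thu 12/29 06:40:32   S tcp  132.3.31.15.6439   -> 12.23.14.77.23   CLO
Thu 12/29 06:40:32     tcp  132.3.31.15.6200  <|  12.23.14.77.25   RST
Thu 12/29 03:39:05  M  igmp 12.88.14.10       <-> 128.2.2.10       CON
Thu 12/29 06:40:05 *   tcp  12.23.14.23.1043  <-> 12.23.14.27.6000 TIM
Thu 12/29 07:42:09     udp  12.9.1.115.2262   -> 28.12.141.6.139  INT
Thu 12/29 06:42:09     icmp 12.9.1.115        <-> 12.68.5.127      ECO
Sat 12/03 15:29:38     arp  i.qosient.com     who-has  dns.qosient.com  INT
Sat 12/03 15:29:39 *   tcp  i.qosient.com.1543   ->    qosient.com.smtp CLO
"""

# Indicator characters from the "proto" legend.  'S' is ambiguous once the
# column is lost (Src window closure vs. strict source route), so it is
# reported as both.
INDICATORS = {
    "m": "mpls", "q": "802.1q", "p": "pppoe", "E": "multi-encap",
    "s": "src-retrans", "d": "dst-retrans", "*": "retrans",
    "S": "src-winclose-or-strict-source-route", "D": "dst-winclose", "@": "winclose",
    "L": "loose-source-route", "T": "ip-timestamp", "+": "ip-security",
    "R": "record-route", "N": "satnet", "O": "multi-ipopt",
    "F": "fragments", "f": "partial-fragment", "V": "frag-overlap",
    "M": "multipath",
}


@dataclass
class Record:
    time: str
    flags: List[str]
    proto: str
    src_host: str
    src_port: Optional[str]
    direction: str
    dst_host: str
    dst_port: Optional[str]
    status: str


def split_host_port(field: str, proto: str) -> Tuple[str, Optional[str]]:
    """For tcp/udp the port follows the host after a '.'; split it off."""
    if proto in ("tcp", "udp") and "." in field:
        host, port = field.rsplit(".", 1)
        return host, port
    return field, None


def parse_line(line: str) -> Optional[Record]:
    """One ra output line -> Record, or None for banner/non-record lines."""
    tokens = line.split()
    if len(tokens) < 8 or tokens[0] == "ra:":
        return None
    time = " ".join(tokens[:3])                  # "Thu 12/29 06:40:32"
    proto, src, direction, dst, status = tokens[-5:]
    # Whatever sits between the time and the proto is the indicator field.
    flags = [INDICATORS.get(c, c) for tok in tokens[3:-5] for c in tok]
    src_host, src_port = split_host_port(src, proto)
    dst_host, dst_port = split_host_port(dst, proto)
    return Record(time, flags, proto, src_host, src_port, direction,
                  dst_host, dst_port, status)


def parse(text: str) -> List[Record]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def triage(records: List[Record]) -> Dict[str, List[Record]]:
    """Bucket records by the conditions the output examples call out."""
    found: Dict[str, List[Record]] = {"reset": [], "source-route": [], "multipath": []}
    for r in records:
        if "|" in r.direction:                   # '|' in dir: transaction was RESET
            found["reset"].append(r)
        if any(f.endswith("source-route") for f in r.flags):
            found["source-route"].append(r)      # IP source-route option seen
        if "multipath" in r.flags:               # >1 MAC pair: possible routing loop
            found["multipath"].append(r)
    return found


if __name__ == "__main__":
    for bucket, recs in triage(parse(SAMPLE)).items():
        for r in recs:
            print(f"{bucket:13} {r.time} {r.proto} {r.src_host}:{r.src_port} "
                  f"{r.direction} {r.dst_host}:{r.dst_port} {r.status}")
```

<P>
Feed real output through it with <B>ra -n -r file - &lt;filter&gt; | python3 triage.py</B> style piping after replacing SAMPLE with stdin; the <B>-n</B> option keeps the host.port fields numeric so the rsplit on the last '.' is unambiguous for addresses.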

<BR>

<A NAME="lbAK">&nbsp;</A>
<H2>AUTHORS</H2>

<PRE>
Carter Bullard (<A HREF="mailto:carter@qosient.com">carter@qosient.com</A>).
</PRE>

<A NAME="lbAL">&nbsp;</A>
<H2>FILES</H2>

<B>/etc/ra.conf</B>

<A NAME="lbAM">&nbsp;</A>
<H2>SEE ALSO</H2>

<B><A HREF="http://localhost/cgi-bin/man/man2html?8+argus">argus</A></B>(8)

<B><A HREF="http://localhost/cgi-bin/man/man2html?1+tcpdump">tcpdump</A></B>(1),

<P>

Postel, Jon,
<I>Internet Protocol,</I>

<FONT SIZE="-1">RFC</FONT>
791,
Network Information Center,
<FONT SIZE="-1">SRI</FONT>
International, Menlo Park, Calif.,
May 1981.
<P>

Postel, Jon, 
<I>Internet Control Message Protocol</I>,

<FONT SIZE="-1">RFC</FONT>
792,
Network Information Center, SRI International, Menlo Park, Calif.,
May 1981.
<P>

Postel, Jon, 
<I>Transmission Control Protocol</I>,

<FONT SIZE="-1">RFC</FONT>
793,
Network Information Center, SRI International, Menlo Park, Calif.,
May 1981.
<P>

Postel, Jon,
<I>User Datagram Protocol</I>,

<FONT SIZE="-1">RFC</FONT>
768,
Network Information Center, SRI International, Menlo Park, Calif.,
May 1980.
<P>

McCanne, Steven, and Van Jacobson,
<I>The BSD Packet Filter: A New Architecture for User-level Capture</I>,

Lawrence Berkeley Laboratory, One Cyclotron Road, Berkeley, Calif., 94720,
December 1992.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">ARGUMENTS</A><DD>
<DL>
<DT><A HREF="#lbAG">Startup Processing</A><DD>
</DL>
<DT><A HREF="#lbAH">EXAMPLES</A><DD>
<DT><A HREF="#lbAI">OUTPUT FORMAT</A><DD>
<DT><A HREF="#lbAJ">OUTPUT EXAMPLES</A><DD>
<DT><A HREF="#lbAK">AUTHORS</A><DD>
<DT><A HREF="#lbAL">FILES</A><DD>
<DT><A HREF="#lbAM">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 23:40:28 GMT, March 15, 2001
</BODY>
</HTML>