.\" Copyright (c) 2000-2003 QoSient, LLC
.\" All rights reserved.
.\"
.\" QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
.\" SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
.\" FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
.\" SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
.\" RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
.\" CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
.\" CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
.TH RASTRIP 1 "04 December 2001"
.SH NAME
\fBrastrip\fP \- strip \fBargus(8)\fP data file.
.SH COPYRIGHT
Copyright (c) 2000-2003 QoSient. All rights reserved.
.SH SYNOPSIS
.B rastrip
[[\fB\-M\fP \fIstripfield\fP] [stripfield\fP] ...]
[\fBraoptions\fP]
.SH DESCRIPTION
.IX  "rastrip command"  ""  "\fLrastrip\fP \(em argus data"
.LP
.B Rastrip
reads
.BR argus
data from an \fIargus-data\fP source, and removes data sections
that are specified on the command line, and outputs a valid
\fIargus-stream\fP.  If \fBrastrip\fP is run without any
\fBstripfield\fP directives,  the default is to strip out all
information from the record except the FAR information
and TCP specific information.  This default generates an
\fIargus-stream\fP that contains the same semantic information
that was present in argus-1.5 data records, and generates the
same output from ra().

.SH OPTIONS
Rastrip, like all ra based clients, supports a number of
\fBra options\fP including filtering of input argus
records through a terminating filter expression.
See \fBra(1)\fP for a complete description of \fBra options\fP.
\fBrastrip(1)\fP specific options are:
.PP
.PD 0
.TP 15
.BI \-M "\| [-|+]stripfield\^"

Supported stripfields are:
.PP
.RS
.TP 15
.B far
flow descriptors and flow metrics
.TP
.B mac
media access control addresses
.TP
.B tcp
TCP specific identifiers and metrics, such as base sequence
numbers, advertised window sizes and retransmission statistics. 
.TP
.B icmp
ICMP specific identifiers and metrics, such as the source address
of the ICMP packet, the declared gateway address and the ICMP types
and modes, such as ECHO or Port Unreachable, along with the port value.
.TP
.B rtp
RTP and RTCP specific identifiers and metrics, such as the source
stream identifiers, the last sequence number and stream drop statistics.
.TP
.B igmp
IGMP specific identifiers and metrics.
.TP
.B arp
IGMP specific identifiers and metrics, such as the MAC address of
the responder to arp requests for a specific address.
.TP
.B frag
Fragmentation specific identifiers and metrics, such as the average
fragment size, number of fragments in this fragment, last offset
seen in this fragment.
.TP
.B esp
ESP specific identifiers and metrics, such as the Security Identifier
the last sequence number seen and drop statistics.
.TP
.B mpls
MPLS specific identifiers, such as the last MPLS label seen on this
flow.
.TP
.B vlan
VLAN specific identifiers, such as the source and destination VLAN
identifiers.
flow.
.TP
.B pppoe
PPPOE specific identifiers, such as the source and destination SAP
identifiers.
.TP
.B agr
Aggregation specific metrics, such as the number of records aggregated,
the mean record duration, standard deviations.
.TP
.B jitter
Jitter specific metrics, such as the mean interpacket arrival time
while the flow is active, max, min and standard deviation, as well
as metrics for while the flow is idle.
.TP
.B user
All user data capture buffers.
.TP
.B srcuser
User data capture buffer from the source node.
.TP
.B dstuser
User data capture buffer from the destination node.
.TP
.B stime
Source jitter information.
.TP
.B dtime
Destination jitter information.
.PD
.RE

.SH INVOCATION
Sample invocations of \fBrastrip(1)\fP.  The first call reads \fBargus(8)\fP
data from \fBinputfile\fP and strips the record, leaving only the FAR data,
which contains the flow descriptors and basic metrics, and jitter
information.
.nf

   \fBrastrip\fP -r inputfile -M far jitter
.fi

The next sample invocation of \fBrastrip(1)\fP, adds vlan specific information
to the default far and tcp information that would normally be retained.
.nf

   \fBrastrip\fP -r inputfile -M +vlan
.fi

The next sample invocation of \fBrastrip(1)\fP, removes only the user data
capture buffers from the \fIargus-stream\fP, keep the rest of the data
intact.
.nf

   \fBrastrip\fP -r inputfile -M -user
.fi
.SH SEE ALSO
.BR ra(1),
.BR rarc(5),
.BR argus(8),
.BR tcpdump(1)
.SH FILES

.SH AUTHORS
.nf
Carter Bullard (carter@qosient.com).
.fi
.SH BUGS