.\" Copyright (c) 2000-2003 QoSient, LLC
.\" All rights reserved.
.\"
.\" QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
.\" SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
.\" FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
.\" SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
.\" RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
.\" CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
.\" CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" 
.TH RA 1 "12 November 2000" "ra 2.0"
.SH NAME
\fBra\fP \- read \fBargus(8)\fP data.
.SH COPYRIGHT
Copyright (c) 2000-2003 QoSient. All rights reserved.
.SH SYNOPSIS
\fBra\fP
.br
\fBra [raoptions] [- filter-expression]\fP
.SH DESCRIPTION
.IX  "ra command"  ""  "\fLra\fP \(em argus data"
.LP
.B Ra
reads
.BR argus(8)
data from either \fIstdin\fP, an \fIargus-file\fP, or from a
remote \fIargus-server\fP, filters the records it encounters based on
an optional \fIfilter-expression\fP  and either prints the contents of the
.BR argus(5)
records that it encounters to \fBstdout\fP or writes them out into an
.B argus(5)
datafile.
.LP
.SH OPTIONS
.TP 4 4
.B \-A
When generating ASCII output, print the application byte counts.
.TP 4 4
.B \-b
Dump the compiled transaction-matching code to standard output and stop.
This is useful for debugging filter expressions.
.TP 4 4
.B \-C [host:]<portnum>
Indicate the optional host and required port number for the remote Cisco
Netflow record source.  This will cause \fBra(1)\fP to open a UDP socket,
binding on the host and supplied port, and attempt to read
Cisco Netflow records from the open socket.  
.TP 4 src
.B \-d <bytes>
Print specified number of \fB<bytes>\fP from the user data capture buffer.
The \fB<bytes>\fP value can be a number, or an expression that specifies the
number of bytes for either the source or destination buffer.  Formats
include:
.nf
   -d 32      print 32 bytes from the src and dst buffer
   -d s24     print 24 bytes from the src buffer
   -d d16     print 16 bytes from the dst buffer
   -d s32:d8  print 32 bytes from the src buffer and
                     8 bytes from the dst buffer
.fi
.TP 4 4
.B \-D <level>
Print debug information corresponding to \fB<level>\fP to stderr, if program
compiled to support debug printing.  As the level increases, so does the
amount of debug information
.B ra(1)
will print.  Values range from 1-8.
.TP 4 4
.B \-E <file>
When using a filter expression at the end of the command, this option will
cause
.B ra(1)
to write the records that are rejected by the filter into
.B <file>
.TP 4 4
.B \-F <conffile>
Use \fB<conffile>\fP as a source of configuration information.  The format of
this file is identical to \fBrarc(5)\fP.  The data read from \fB<conffile>\fP
overrides any prior configuration information.
.TP 4 4
.B \-h
Print an explanation of all the arguments. 
.TP 4 4
.B \-n
Do not translate host and service numbers to names. \fB-nn\fP will
suppress translation of protocol numbers, as well.
.TP 4 4
.B \-p <digits>
Print \fB<digits>\fP number of units of precision for fraction of time.
.TP 4 4
.B \-q
Run in quiet mode. Configure Ra to not print out the contents of records.
This can be used with the -T and -a options to support aggregate activity
without printing each input record.
.TP 4 4
.B \-r <file file ...> -
Read data from \fB<files>\fP in the order presented on the
commandline. '\fB\-\fP' denotes stdin.  Because this
option can have many arguments, it must be terminated with a '-'.
The '-' of subsequent options is sufficient.
Ra can read \fBgzip(1)\fP, \fBbzip2(1)\fP and \fBcompress(1)\fP 
compressed data files.
.TP 4 4
.B \-R
Print response data when available. This option applies to ICMP,
arp and BOOTP traffic to indicate the responses to these protocol
specific queries.
.TP 4 4
.B \-s <[-][[+[#]]field ...> -
Specify the \fBfields\fP to print. Ra uses a default printing field list, 
by specifying a field you can replace this list completely, or you can
modify the existing default print list, using the optional '-' and '+[#]'
form of the command.  The available fields to print are:
.nf

   startime, lasttime, count, dur, avgdur,
   saddr, daddr, proto, sport, dport, ipid,
   stos, dtos, sttl, dttl, bytes, sbytes, dbytes,
   pkts, spkts, dpkts, load, loss, rate,
   srcid, ind, mac, dir, jitter, status, user,
   win, trans, seq, vlan, mpls

.fi
Examles are:
.nf
   -s srcaddr    print only the source address.
   -s -bytes     removes the bytes field from list.
   -s +2srcid    adds MAC addresses as the 2nd field.
   -s mac pkts   prints MAC addresses and src and dst pkt counts.
.fi
.TP 4 4
.B \-S <host[:portnum]>
Specify a remote \fIargus-server\fP \fB<host>\fP. Use the optional
':pornum' to specify a port number other than the default; 561.
.TP 4 4
.B \-t <timerange>
Specify the \fB<time range>\fP for matching \fBargus(5)\fP records. The syntax
for the \fB<time range>\fP is:
.nf

timeSpecification[-timeSpecification]
timeSpecification: [[[yyyy/]mm/]dd.]hh[:mm[:ss]]
                     [yyyy/]mm/dd
                     -%d{yMdhms}

.fi
Examples are:
.nf
   -t 14             matches 2pm-3pm any day
   -t 23.11:10-14    11:10:00 - 2pm on the 23rd
   -t 11/23          all records on Nov 23rd
   -t 1999/01/23.10  10-11am on Jan, 23, 1999
   -t -10m           matches 10 minutes before to the present
   -t -2h5m-2h       matches range between 2 hours 5 minutes before
                     until 2 hours before.
.fi

.TP 4 4
.B \-T <secs>
Read \fBargus(5)\fP from remote server for \fB<secs>\fP of time.
.TP 4 4
.B \-u
Write out time values using UTC time format.
.TP 4 4
.B \-w <file>
Write out matching data to \fB<file>\fP, in
.B argus
file format. An \fIoutput-file\fP of '-' directs 
.B ra
to write the \fBargus(5)\fP records to stdout, allowing for "chaining"
.B ra*
style commands together.
.TP 4 4
.B \-z
Print Argus TCP state changes for each tcp transaction. Values are
.nf
  's' - Syn Transmitted
  'S' - Syn Acknowledged
  'E' - TCP Established
  'f' - Fin Transmitted  (FIN Wait State 1)
  'F' - Fin Acknowledged (FIN Wait State 2)
  'R' - TCP Reset
.fi

.TP 4 4
.B \-Z <s|d|b>
Print actual TCP flag values. <'s'rc | 'd'st | 'b'oth>.
.nf
  'F' - Fin
  'S' - Syn
  'R' - Reset
  'P' - Push
  'A' - Ack
  'U' - Urgent Pointer
  '7' - Undefined 7th bit set
  '8' - Undefined 8th bit set
.fi

.SH FILTER EXPRESSION
If arguments remain after option processing, the collection is
interpreted as a single filter \fBexpression\fP.  In order to indicate
the end of arguments, a '\-' is recommended before the filter
expression is added to the command line.
.br
.br
The filter expression specifies which \fBargus(5)\fP records will
be selected for processing.  If no \fIexpression\fP is given, all
records are selected, otherwise, only those records for which
\fIexpression\fP is `true' will be printed.

The syntax is very similar to the expression syntax for \fBtcpdump(1)\fP,
as the tcpdump compiler was the basis for the \fBargus(5)\fP filter
expression compiler.  The semantics for \fBtcpdump(1)'s\fP packet
filter expression are different when applied to transaction record
filtering, so there are some major differences.
.LP
The \fIexpression\fP consists of one or more
.I primitives.
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers.  There are three
different kinds of qualifier:
.IP \fItype\fP
qualifiers say what kind of thing the id name or number refers to.
Possible types are
.BR srcid ,
.BR host ,
.BR net ,
.BR port ,
.BR tos ,
.BR ttl ,
.BR vid ,
and
.BR mid .

E.g., `srcid isis`, `host sphynx', `net 192.168', `port domain', `ttl 1'.  If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
qualifiers specify a particular transfer direction to and/or from
.I an id.
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.BR "src and dst" .
E.g., `src sphynx', `dst net 192.168', `src or dst port ftp',
`src and dst tos 0x0a', `src or dst vid 0x12`.
If there is no dir qualifier,
.B "src or dst"
is assumed.
.IP \fIproto\fP
qualifiers restrict the match to a particular protocol.  Possible
values are those specified in the \fB/etc/protocols\fP system file.
When preceeded by \fIether\fP, the protocol names and numbers that
are valid are specified in ./include/ethernames.h.
.LP
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
.BR gateway ,
.BR multicast ,
and
.BR broadcast .
All of these are described below.
.LP
More complex filter expressions are built up by using the words
.BR and ,
.B or
and
.B not
to combine primitives.  E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.  E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
.LP
Allowable primitives are:
.IP "\fBsrcid \fIargusid\fR"
True if the argus identifier field of the Argus record is \fIsrcid\fP,
which may be an IP address, a name or a decimal/hexidecimal number.
.IP "\fBdst host \fIhost\fR"
True if the IP destination field of the Argus record is \fIhost\fP,
which may be either an address or a name.
.IP "\fBsrc host \fIhost\fR"
True if the IP source field of the Argus record is \fIhost\fP.
.IP "\fBhost \fIhost\fP
True if either the IP source or destination of the Argus record is \fIhost\fP.
Any of the above host expressions can be prepended with the keywords,
\fBip\fP, \fBarp\fP, or \fBrarp\fP as in:
.in +.5i
.nf
\fBip host \fIhost\fR
.fi
.in -.5i
which is equivalent to:
.in +.5i
.nf
\fBether proto \fI\\ip\fB and host \fIhost\fR
.fi
.in -.5i
If \fIhost\fR is a name with multiple IP addresses, each address will
be checked for a match.
.IP "\fBether dst \fIehost\fP
True if the ethernet destination address is \fIehost\fP.  \fIEhost\fP
may be either a name from /etc/ethers or a number (see
.IR ethers (3N)
for numeric format).
.IP "\fBether src \fIehost\fP
True if the ethernet source address is \fIehost\fP.
.IP "\fBether host \fIehost\fP
True if either the ethernet source or destination address is \fIehost\fP.
.IP "\fBgateway\fP \fIhost\fP
True if the transaction used \fIhost\fP as a gateway.  I.e., the ethernet
source or destination address was \fIhost\fP but neither the IP source
nor the IP destination was \fIhost\fP.  \fIHost\fP must be a name and
must be found in both /etc/hosts and /etc/ethers.  (An equivalent
expression is
.in +.5i
.nf
\fBether host \fIehost \fBand not host \fIhost\fR
.fi
.in -.5i
which can be used with either names or numbers for \fIhost / ehost\fP.)
.IP "\fBdst net \fInet\fR"
True if the IP destination address of the Argus record has a network
number of \fInet\fP, which may be either an address or a name.
.IP "\fBsrc net \fInet\fR"
True if the IP source address of the Argus record has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR"
True if either the IP source or destination address of the Argus record has a network
number of \fInet\fP.
.IP "\fBdst port \fIport\fR"
True if the network transaction is ip/tcp or ip/udp and has a
destination port value of \fIport\fP.
The \fIport\fP can be a number or a name used in /etc/services (see
.IR tcp (4P)
and
.IR udp (4P)).
If a name is used, both the port
number and protocol are checked.  If a number or ambiguous name is used,
only the port number is checked (e.g., \fBdst port 513\fR will print both
tcp/login traffic and udp/who traffic, and \fBport domain\fR will print
both tcp/domain and udp/domain traffic).
.IP "\fBsrc port \fIport\fR"
True if the network transaction has a source port value of \fIport\fP.
.IP "\fBport \fIport\fR"
True if either the source or destination port of the Argus record is \fIport\fP.
Any of the above port expressions can be prepended with the keywords,
\fBtcp\fP or \fBudp\fP, as in:
.in +.5i
.nf
\fBtcp src port \fIport\fR
.fi
.in -.5i
which matches only tcp connections.
.IP "\fBip proto \fIprotocol\fR"
True if the Argus record is an ip transaction (see
.IR ip (4P))
of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or any of the string values found
in \fI/etc/protocolsk\fP.
.IP \fBmulticast\fR
True if the network transaction involved an ip multicast address.
By specifing ether multicast, you can select argus records that
involve an ethernet multicast address.
.IP \fBbroadcast\fR
True if the network transaction involved an ip broadcast address.
By specifing ether broadcast, you can select argus records that
involve an ethernet broadcast address.
.IP  "\fBether proto \fIprotocol\fR"
True if the Argus record is of ether type \fIprotocol\fR.
\fIProtocol\fP can be a number or a name like
\fIip\fP, \fIarp\fP, or \fIrarp\fP.
Note these identifiers are also keywords
and must be escaped via backslash (\\).
.IP "\fBdst ttl \fInumber\fR"
True if the destination TTL of the Argus record equals \fInumber\fP.
.IP "\fBsrc ttl \fInumber\fR"
True if the source TTL of the Argus record equals \fInumber\fP.
.IP "\fBttl \fInumber\fR"
True if either the source or destination TTL of the Argus record equals
\fInumber\fP.
.IP "\fBdst tos \fInumber\fR"
True if the destination TOS of the Argus record equals \fInumber\fP.
.IP "\fBsrc tos \fInumber\fR"
True if the source TOS of the Argus record equals \fInumber\fP.
.IP "\fBtos \fInumber\fR"
True if either the source or destination TOS of the Argus record equals
\fInumber\fP.
.IP "\fBdst vid \fInumber\fR"
True if the destination VLAN id of the Argus record equals \fInumber\fP.
.IP "\fBsrc vid \fInumber\fR"
True if the source VLAN id of the Argus record equals \fInumber\fP.
.IP "\fBvid \fInumber\fR"
True if either the source or destination VLAN id of the Argus record equals
\fInumber\fP.
.IP "\fBdst mid \fInumber\fR"
True if the destination MPLS Label of the Argus record equals \fInumber\fP.
.IP "\fBsrc mid \fInumber\fR"
True if the source MPLS Label of the Argus record equals \fInumber\fP.
.IP "\fBmid \fInumber\fR"
True if either the source or destination MPLS Label of the Argus record equals
\fInumber\fP.

.LP
Ra filter expressions support primitives that are specific
to flow states and can be used to select flow records that
were in these states at the time they were generated.
\fInormal\fP,
\fIwait\fP,
\fItimeout\fP,
\fIest\fP or \fIcon\fP

Primitives that select flows that experienced fragmentation.
\fIfrag\fP and
\fIfragonly\fP

Support for selecting flows that used multiple pairs of MAC
addresses during their lifetime.
\fImultipath\fP

.LP
Primitives specific to TCP flows are supported.
\fIsyn\fP,
\fIsynack\fP,
\fIdata\fP,
\fIecn\fP,
\fIfin\fP,
\fIfinack\fP,
\fIreset\fP,
\fIretrans\fP,
\fIoutoforder\fP and
\fIwinshut\fP

Primitives specific to ICMP flows are supported.
\fIecho\fP,
\fIunreach\fP,
\fIredirect\fP and
\fItimexed\fP

.LP
For some primitives, a direction qualifier is appropriate.
These are
\fIfrag\fP,
\fIreset\fP,
\fIretrans\fP,
\fIoutoforder\fP and
\fIwinshut\fP

.LP
Primitives may be combined using:
.IP
A parenthesized group of primitives and operators
(parentheses are special to the Shell and must be escaped).
.IP
Negation (`\fB!\fP' or `\fBnot\fP').
.IP
Concatenation (`\fBand\fP').
.IP
Alternation (`\fBor\fP').
.LP
Negation has highest precedence.
Alternation and concatenation have equal precedence and associate
left to right.  Note that explicit \fBand\fR tokens, not juxtaposition,
are now required for concatenation.
.LP
If an identifier is given without a keyword, the most recent keyword
is assumed.
For example,
.in +.5i
.nf
\fBnot host sphynx and anubis\fR
.fi
.in -.5i
is short for
.in +.5i
.nf
\fBnot host sphynx and host anubis\fR
.fi
.in -.5i
which should not be confused with
.in +.5i
.nf
\fBnot ( host sphynx or anubis )\fR
.fi
.in -.5i
.LP
Expression arguments can be passed to \fBra(1)\fP as either a single argument
or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.

.SS "Startup Processing"
\fBRa\fP begins by searching for the configuration file \fB.rarc\fP first
in the directory, \fB$ARGUSHOME\fP and then \fB$HOME\fP.  If a \fB.rarc\fP
is found, all variables specified in the file are set.
.PP
\fBRa\fP then parses its command line options and set its internal variables
accordingly.
.PP
If a configuration file is specified on the command-line, using the "-f <confile>"
option, the values in this .rarc formatted file superceed all other values.


.SH EXAMPLES
.LP
To report all TCP transactions from and to host 'narly.wave.com',
reading transaction data from \fIargus-file\fP argus.data:
.RS
.nf
\fBra -r argus.data - tcp and host narly.wave.com\fP
.fi
.RE
.LP
Create the \fIargus-file\fP icmp.log with all ICMP events involving
the host nimrod, using data from \fIargus-file\fP, but reading the
transaction data from \fIstdin\fP:
.RS
.nf
\fBcat \fIargus-file\fP | ra -r - -w icmp.log - icmp and host nimrod\fP
.fi
.RE
.br
.SH OUTPUT FORMAT
.LP
The following is a brief description of the output format of
.B ra
which reports transaction data in various levels of detail.
The general format is:
.RE
.RS
.nf
.sp .1
\fI  time proto  srchost  dir  dsthost  [count] status\fP
.sp .1
.fi
.RE
.TP 4 4
.BI time
The format of the \fItime\fP field is specified by the .rarc file, using
syntax supported by the routine
.B localtime(3V).
The default is 
.B Argus
transaction data contains both starting and ending transaction times,
with precision to the microsecond. However,
.B ra
prints out only one of these dates depending on the status of the
.B argus
server.  When the 
.B argus
server is running in default mode, 
.B ra
reports the transaction starting time.
When the server is in DETAIL mode, the transaction ending time is reported.
.TP 4 4
.BI mac.addr
\fImac.addr\fP
is an optional field, specified using the
.B -m
flag.  \fImac.addr\fP represents the first source and destination
MAC addresses seen for a particular transaction.  These addresses are
paired with the \fIhost.port\fP fields, so the direction indicator is
needed to distinguish between the source and destination MAC addresses.
.TP 4 4
.BI proto\ [options\ protocol]
The \fIproto\fP indicator consists of two fields. The first is
protocol specific and the designations are:
.nf
.sp .5
  m       -  MPLS encapsulated flow
  q       -  802.1Q encapsulated flow
  p       -  PPP over Enternet encapsulated flow
  E       -  Multiple encapsulations/tags
   s      -  Src TCP packet retransmissions
   d      -  Dst TCP packet retransmissions
   *      -  Both Src and Dst TCP retransmissions
   i      -  Src TCP packets out of order
   r      -  Dst TCP packets out of order
   &      -  Both Src and Dst packet out of order
    S     -  Src TCP Window Closure
    D     -  Dst TCP Window Closure
    @     -  Both Src and Dst Window Closure
    x     -  Src TCP Explicit Congestion Notification
    t     -  Dst TCP ECN
    E     -  Both Src and Dst ECN 
     M    -  Multiple physical layer paths
      I   -  ICMP event mapped to this flow
       S  -  IP option Strict Source Route
       L  -  IP option Loose Source Route
       T  -  IP option Time Stamp
       +  -  IP option Security
       R  -  IP option Record Route
       A  -  IP option Router Alert
       O  -  multiple IP options set
       E  -  unknown IP options set
        F -  Fragments seen
        f -  Partial Fragment
        V -  Fragment overlap seen
.fi

The second field indicates the upper protocol used in the transaction.
This field will contain the first 4 characters of the official
name for the protocol used, as defined in RFC-1700.  Argus attempts
to discovery the Realtime Transport Protocol, when it is being used.
When it encounters RTP, it will indicate its use in this field, with
the string 'rtp'.  Use of the
.B -n
option, twice (-nn), will cause the actual protocol number to be
displayed.
.TP 4 4
.BI host
The \fIhost\fP field is protocol dependent, and for all protocols
will contain the IP address/name.  For TCP and UDP, the field will
also contain the port number/name, separated by a period.
.TP 3 3
.BI dir
The \fIdir\fP field will have the direction of the transaction,
as can be best determined from the datum, and is used to indicate
which hosts are transmitting. For TCP, the dir field indicates
the actual source of the TCP connection, and the center character
indicating the state of the transaction.
.RS
.nf
.sp .5
     -  - transaction was NORMAL
     |  - transaction was RESET
     o  - transaction TIMED OUT.
     ?  - direction of transaction is unknown.
.fi
.RE
.TP 4 4
.BI count
\fIcount\fP is an optional field, specified using the
.B -c
option.  There are 4 fields that are produced.  The
first 2 are the packet counts and the last 2 are the byte counts
for the specific transaction.  The fields are paired with the
previous host fields, and represent the packets transmitted by
the respective host.
.TP 4 4
.BI status
The \fIstatus\fP field indicates the principle status for the transaction
report, and is protocol dependent.  For all the protocols, except ICMP,
this field reports on the basic state of a transaction.
.TP 4 4
.in .25i
.B REQ|INT (requested|initial)
This indicates that this is the \fIinitial\fP status report for a
transaction and is seen only when the \fIargus-server\fP is in DETAIL
mode.  For TCP connections this is \fBREQ\fP, indicating that a
connection is being requested.  For the connectionless protocols,
such as UDP, this is \fBINT\fP.
.TP 4 4
.in .25i
.B ACC (accepted)
This indicates that a request/response condition has occurred,
and that a transaction has been detected between two hosts.
For TCP, this indicates that a connection request has been
answered, and the connection will be accepted.  This is only seen
when the \fIargus-server\fP is in DETAIL mode.  For the
connectionless protocols, this state indicates that there
has been a single packet exchange between two hosts, and could
qualify as a request/response transaction.
.TP 4 4
.in .25i
.B EST|CON (established|connected)
This record type indicates that the reported transaction is active, and
has been established or is continuing.  This should be interpreted as a
status report of a currently active transaction.
For TCP, the EST status is only seen in DETAIL mode, and indicates
that the three way handshake has been completed for a connection.
.TP 4 4
.in .25i
.B CLO (closed) 
TCP specific, this record type indicates that the TCP connection has
closed normally.
.TP 4 4
.in .25i
.B TIM (timeout)
Activity was not seen relating to this transaction, during the
.B argus
server's timeout period for this protocol.  This status is seen
only when there were packets recorded since the last report for
this transaction.

.LP
For the ICMP protocol, the \fIstatus\fP field displays specific
aspects of the ICMP type.  ICMP status can have the values:
.nf
.in 10

\fBECO\fP     Echo Request
\fBECR\fP     Echo Reply
\fBSRC\fP     Source Quench
\fBRED\fP     Redirect
\fBRTA\fP     Router Advertisement
\fBRTS\fP     Router Solicitation
\fBTXD\fP     Time Exceeded
\fBPAR\fP     Parameter Problem
\fBTST\fP     Time Stamp Request
\fBTSR\fP     Time Stamp Reply
\fBIRQ\fP     Information Request
\fBIRR\fP     Information Reply
\fBMAS\fP     Mask Request
\fBMSR\fP     Mask Reply
\fBURN\fP     Unreachable network
\fBURH\fP     Unreachable host
\fBURP\fP     Unreachable port
\fBURF\fP     Unreachable need fragmentation
\fBURS\fP     Unreachable source failed
\fBURNU\fP    Unreachable dst network unknown
\fBURHU\fP    Unreachable dst host unknown
\fBURISO\fP   Unreachable source host isolated
\fBURNPRO\fP  Unreachable network administrative prohibited
\fBURHPRO\fP  Unreachable host administrative prohibited
\fBURNTOS\fP  Unreachable network TOS prohibited
\fBURHTOS\fP  Unreachable host TOS prohibited
\fBURFIL\fP   Unreachable administrative filter
\fBURPRE\fP   Unreachable precedence violation
\fBURCUT\fP   Unreachable precedence cutoff

.fi
.LP
.br
.SH OUTPUT EXAMPLES

These examples show typical \fBra\fP output, and demonstrates a
number of variations seen in \fBargus\fP data.  This \fBra\fP
output was generated using the \fB-n\fP option to suppress
number translation.

.in -6n
.ll +1n
.ft B
.nf
Thu 12/29 06:40:32   S tcp  132.3.31.15.6439   -> 12.23.14.77.23   CLO
.fi
.ft R
.in +6n
.ll -1n
This is a normal tcp transaction to the telnet port on host 12.23.14.77.
The IP Option strict source route was seen.

.in -6n
.ll +1n
.ft B
.nf
Thu 12/29 06:40:32     tcp  132.3.31.15.6200  <|  12.23.14.77.25   RST
.fi
.ft R
.in +6n
.ll -1n
This tcp transaction from the smtp port of host 12.23.14.77
was \fBRESET\fP, indicating that the transaction was denied.

.in -6n
.ll +1n
.ft B
.nf
Thu 12/29 03:39:05  M  igmp 12.88.14.10       <-> 128.2.2.10       CON
.fi
.ft R
.in +6n
.ll -1n
This is an igmp transaction status report, usually seen with MBONE traffic.
There was more than one source and destination MAC address pair used to
support the transaction, suggesting a possible routing loop.

.in -6n
.ll +1n
.ft B
.nf
Thu 12/29 06:40:05 *   tcp  12.23.14.23.1043  <-> 12.23.14.27.6000 TIM
.fi
.ft R
.fi
.in +6n
.ll -1n
This is an X-windows transaction, that has \fBTIMEDOUT\fP.   Packets
were retransmitted during the connection.

.in -6n
.ll +1n
.ft B
.nf
Thu 12/29 07:42:09     udp   12.9.1.115.2262   -> 28.12.141.6.139  INT
.fi
.ft R
.in +6n
.ll -1n
This is an initial netbios UDP transaction status report, indicating
that this is the first datagram encountered for this transaction. 

.in -6n
.ll +1n
.ft B
.nf
Thu 12/29 06:42:09     icmp  12.9.1.115       <-> 12.68.5.127      ECO
.fi
.ft R
.in +6n
.ll -1n
This example represents a "ping" of host 12.9.1.115, and its response. 
.in -6n
.ll +1n

.ss 12
.cs B
.ft R
This next example shows the \fBra\fP output of a complete TCP transaction,
with the preceeding Arp and DNS requests, while reading from a remote
\fIargus-server\fP.   The '*' in the CLO report indicates that at least
one TCP packet was retransmitted during the transaction.  The hostnames
in this example are ficticious.

.nf
% ra -S \fIargus-server\fP and host i.qosient.com
ra: Trying argus-server port 561
ra: connected Argus Version 2.0
Sat 12/03 15:29:38     arp  i.qosient.com     who-has  dsn.qosient.com  INT
Sat 12/03 15:29:39     udp  i.qosient.com.1542  <->    dns.qosient.53   INT
Sat 12/03 15:29:39     arp  i.qosient.com     who-has  qosient.com      INT
Sat 12/03 15:29:39 *   tcp  i.qosient.com.1543   ->    qosient.com.smtp CLO
.ss 12
.cs B
.ft
.fi
.br
.SH AUTHORS
.nf
Carter Bullard (carter@qosient.com).
.fi
.SH FILES
.BR /etc/ra.conf
.SH SEE ALSO
.BR argus (8)
.BR tcpdump (1),
.LP
Postel, Jon,
.IR "Internet Protocol",
.SM RFC
791,
Network Information Center,
.SM SRI
International, Menlo Park, Calif.,
May 1981.
.LP
Postel, Jon, 
.IR "Internet Control Message Protocol" ,
.SM RFC
792,
Network Information Center, SRI International, Menlo Park, Calif.,
May 1981.
.LP
Postel, Jon, 
.IR "Transmission Control Protocol" ,
.SM RFC
793,
Network Information Center, SRI International, Menlo Park, Calif.,
May 1981.
.LP
Postel, Jon,
.IR "User Datagram Protocol" ,
.SM RFC
768,
Network Information Center, SRI International, Menlo Park, Calif.,
May 1980.
.LP
McCanne, Steven, and Van Jacobson,
.IR "The BSD Packet Filter: A New Architecture for User-level Capture" ,
Lawrwnce Berkeley Laboratory, One Cyclotron Road, Berkeley, Calif., 94720,
December 1992.