Re: [sip-clf] New CLF Syntax draft (text with index)

Adam Roach <> Fri, 08 May 2009 15:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8A6EC3A711B for <>; Fri, 8 May 2009 08:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zmGCr5nQ1Npw for <>; Fri, 8 May 2009 08:24:27 -0700 (PDT)
Received: from ( [IPv6:2001:470:1f03:267::2]) by (Postfix) with ESMTP id 720013A7009 for <>; Fri, 8 May 2009 08:24:27 -0700 (PDT)
Received: from hydra-3.local ( []) (authenticated bits=0) by (8.14.3/8.14.3) with ESMTP id n48FPqFT065041 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 8 May 2009 10:25:53 -0500 (CDT) (envelope-from
Message-ID: <>
Date: Fri, 08 May 2009 10:25:52 -0500
From: Adam Roach <>
User-Agent: Postbox 1.0b11 (Macintosh/2009041623)
MIME-Version: 1.0
To: "Vijay K. Gurbani" <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass ( is authenticated by a trusted mechanism)
Subject: Re: [sip-clf] New CLF Syntax draft (text with index)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 May 2009 15:24:28 -0000

Vijay K. Gurbani wrote:
> 1) Any special reason why the flags field is separated from
> the record length field by a comma?  And the same for the
> record length field being separated by a comma from the
> server transaction pointer field.

I actually had started out with all the fields on the first line 
separated by commas, but removed the ones between the indices to save 
space. I have a feeling that breaking the total record length out with a 
delimiter will serve us well in the future if we ever decide to extend 
the format, but don't have any concrete examples. I'll ruminate on this 

> 2) I am not sure I follow the 0x0A in byte 80 -- is it the
> length of the Date/Time field (i.e., upto the period in
> byte 91)?

No; it's an ASCII line feed.

> 3) What about 0x09 in byte 98 and 0x09 in byte 109?  What
> are they used for?

Those are ASCII "tab" characters.

Really, I think the fastest way to get the gestalt of what I'm proposing 
is to uudecode the log message at the bottom of the draft and examine it.