Re: [sip-clf] New CLF Syntax draft (text with index)

"Vijay K. Gurbani" <> Fri, 08 May 2009 13:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0F31128C1E6 for <>; Fri, 8 May 2009 06:49:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.517
X-Spam-Status: No, score=-2.517 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pMcqbnvl3ZRQ for <>; Fri, 8 May 2009 06:49:43 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BC9E428C17F for <>; Fri, 8 May 2009 06:49:43 -0700 (PDT)
Received: from ( []) by (8.13.8/IER-o) with ESMTP id n48Dp8ad007850 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 8 May 2009 08:51:09 -0500 (CDT)
Received: from [] ( []) by (8.13.8/TPES) with ESMTP id n48Dp8wx006667; Fri, 8 May 2009 08:51:08 -0500 (CDT)
Message-ID: <>
Date: Fri, 08 May 2009 08:51:08 -0500
From: "Vijay K. Gurbani" <>
Organization: Bell Labs Security Technology Research Group
User-Agent: Thunderbird (Windows/20070728)
MIME-Version: 1.0
To: Adam Roach <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on
Subject: Re: [sip-clf] New CLF Syntax draft (text with index)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 May 2009 13:49:45 -0000

Adam Roach wrote:
> This version defines a text format in which each record is composed of 
> two lines in a log file. The first line is primarily pointers into the 
> second line. The second line contains the actual logged fields, 
> separated by tab characters.

Adam: Thanks for getting this out.  I will read it in more
depth, but a couple of quick questions as I was looking at
the format.

1) Any special reason why the flags field is separated from
the record length field by a comma?  And the same for the
record length field being separated by a comma from the
server transaction pointer field.  Eliminating them would
save 2-bytes per record.

2) I am not sure I follow the 0x0A in byte 80 -- is it the
length of the Date/Time field (i.e., upto the period in
byte 91)?

3) What about 0x09 in byte 98 and 0x09 in byte 109?  What
are they used for?


- vijay
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{,,}