CRAWDAD tools/process/syslog/syslog_parser

Citation Author(s):
Submitted by:
Last updated:
Wed, 11/01/2006 - 08:00
Data Format:
0 ratings - Please login to submit your rating.


A tool for parsing Cisco and Aruba 802.11 syslog traces.

syslog_parser is a script to parse the syslog traces from Cisco VxWorks, Cisco IOS and Aruba access points. This script was designed to parse the syslog traces in the dartmouth/campus/syslog tracesets, but should be useful for other traces as well.

Lastmodified :


Dataname :


File :


Releasedate :


Change :

the initial version

Website :

Keyword :


License :

# a script to parse syslogs
#      Author: Tristan Henderson
#      version: v. 2006-11-01
#      Copyright (c) 2006 Dartmouth College
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License Version 2 as published by
# the Free Software Foundation.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
# more details.
# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation, Inc., 51
# Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Support :

Please send your suggestions, bug reports and fixes to

Build : uses the Time::Local and
Getopt::Std perl modules.
If your perl does not include these modules, please
install a newer version of perl before
running the script.

Output : parses syslog traces (see "usage" for the supported syslogs)
and extracts the following information:

timestamp, client MAC address, message, AP MAC address

Parameters :

See "usage" for details about the parameters needed for each tool.

Usage :

This is a script to parse the following syslog traces:

- Cisco VxWorks
- Cisco IOS
- Aruba: note that we don't really know what the Aruba messages mean, but
I assume that "station up" means associate and "station down"
means disassociate. Since Aruba messages are received from a
mobility controller, not an AP, they may not correspond
directly to 802.11 associate/disassociate.

Note that we don't parse all messages, just ones that were interesting to us.

$./ -h
usage: ./ [OPTION] [SYSLOG]
-y <year>       define a year for syslogs
# syslog messages don't contain the year.
# you can pass the year using -y <year>.
# otherwise we assume the current year
-t              don't reformat time as a Unix timestamp
-r              show the reason for an event (where available)
-b <file>       file containing APs to ignore
-d              output debug info to STDERR
-a <file>       file containing Aruba APs names
# for internal use
-h              show this help

An example VxWorks syslog record:
Jun 21 05:00:16 AdmBldg25AP1 AdmBldg25AP1 (Info): Station 0006257c081a Associated

An example IOS syslog record:
Jun 21 05:00:09 AcadBldg34AP2 2698: AcadBldg34AP2: Jun 21 09:00:09: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   000d93737dab Reassociated KEY_MGMT[NONE]

An example aruba syslog record:
1125561901 Sep 1 04:05:01 2005 [] authmgr[643]: <INFO> station down <00:02:2d:46:1f:62> bssid 00:0b:86:5c:e5:f9, essid Kiewit Wireless, vlan 2834, ingress 0x10c3 (tunnel 99), u_encr 1, m_encr 1, loc 167.3.2 slotport 0xfc3

Example :

$ ./ | head
986990216 0040961e58be authenticated AdmBldg19AP3
986990247 0040961e58be authenticated AdmBldg19AP3
986990247 0040961e58be associated AdmBldg19AP3
986990293 0040961e58be authenticated AdmBldg19AP3
986990364 0040961e58be authenticated AdmBldg19AP3
986990484 0040961e58be authenticated AdmBldg19AP3
986991490 0040961e58be authenticated AdmBldg19AP3
986991491 00601db0635a authenticated AdmBldg16AP1
986991491 00601db0635a associated AdmBldg16AP1
986991532 0040961e58be authenticated AdmBldg19AP3

$ ./ | head
1088568001 0009b7f3ff1f reassociated AcadBldg4AP3
1088568003 00022d12c361 reassociated ResBldg69AP6
1088568003 00022d12c361 roamed ResBldg69AP4
1088568003 00022d12c361 disassociated ResBldg69AP4
1088568006 00022d12c361 authenticated ResBldg69AP4
1088568006 00022d12c361 associated ResBldg69AP4
1088568006 00022d12c361 roamed ResBldg69AP6
1088568008 00904b86f12a disassociated ResBldg44AP4
1088568013 00022dd9b5b2 disassociated SocBldg3AP2
1088568016 0009b7f3ff1f reassociated ResBldg97AP6

$ ./ 060831.072842.aruba | head
1157009322 001124567039 associated 98.1.2
1157009335 000d93e3e675 associated 167.3.3
1157009342 0016cff28931 associated 68.3.1
1157009344 00131ab19f7c disassociated 188.4.2
1157009344 00131ab19f7c associated 188.3.1
1157009349 001302f5e3e3 disassociated 119.1.1
1157009363 000d28120f0a disassociated 23.3.11
1157009363 000d28120f0a associated 23.3.1
1157020082 0013024da937 associated 119.4.1
1157020093 00131ab19f7c disassociated 188.3.1

The files in this directory are a CRAWDAD toolset hosted by IEEE DataPort. 

About CRAWDAD: the Community Resource for Archiving Wireless Data At Dartmouth is a data resource for the research community interested in wireless networks and mobile computing. 

CRAWDAD was founded at Dartmouth College in 2004, led by Tristan Henderson, David Kotz, and Chris McDonald. CRAWDAD datasets and toolsets are hosted by IEEE DataPort as of November 2022. 

Note: Please use the tools in an ethical and responsible way with the aim of doing no harm to any person or entity for the benefit of society at large. Please respect the privacy of any human subjects whose wireless-network activity is captured by the tools and comply with all applicable laws, including without limitation such applicable laws pertaining to the protection of personal information, security of data, and data breaches. Please do not apply, adapt or develop algorithms for the extraction of the true identity of users and other information of a personal nature, which might constitute personally identifiable information or protected health information under any such applicable laws. Do not publish or otherwise disclose to any other person or entity any information that constitutes personally identifiable information or protected health information under any such applicable laws derived from the tools through manual or automated techniques. 

Please acknowledge the source of the tools in any publications or presentations reporting use of these tools. 


Tristan Henderson, CRAWDAD toolset tools/process/syslog/syslog_parser (v. 2006‑11‑01),, Nov 2006.

Dataset Files

Open Access dataset files are accessible to all logged in  users. Don't have a login?  Create a free IEEE account.  IEEE Membership is not required.


These datasets are part of Community Resource for Archiving Wireless Data (CRAWDAD). CRAWDAD began in 2004 at Dartmouth College as a place to share wireless network data with the research community. Its purpose was to enable access to data from real networks and real mobile users at a time when collecting such data was challenging and expensive. The archive has continued to grow since its inception, and starting in summer 2022 is being housed on IEEE DataPort.

Questions about CRAWDAD? See our CRAWDAD FAQ. Interested in submitting your dataset to the CRAWDAD collection? Get started, by submitting an Open Access Dataset.