[ARGUS] Using ra to view 0 byte/packet dst flows?

[Steve McInerney]

Hi All,

is there an "ra approved" way of showing flows that have zero 
bytes/packets from the DST?
I haven't seen that there is any way of doing such a query via the 
standard filters.


More a mildly curious question than anything, as I can more or less 
duplicate the desired results via the following (post ragator'ed data 
file) construct:

ra -n -s startime daddr dport dbytes - -r 
argus-april.ragatored-http.argus | awk '{ if ($6 == 0) print $0 }' | tee 
april.zero_http.txt


To put the actual Question in English:
Essentially we're looking for the date/times of flows where we had 
nothing back from outgoing http requests.

Being able to do so in ra would provide a little more flexibility in the 
output - not so dependant on what's in what column etc.


Thanks


- Steve