Omitting data with dir = <?>
Esteban G
infoape at gmail.com
Mon Dec 10 16:58:15 EST 2007
On a related question: some time ago you provided the following command
line as an example for splitting out the servers observed by a sensor
into directories based on IP:
rasplit -R data -M time 1d -w servers/\$daddr/argus.%Y.%m.%d.%H.%M.%S \
- \( tcp and syn and synack \) or \( not tcp and con \)
When I do this, the output is really nice. However, I am only seeing
the tcp traffic and nothing from the "(not tcp and con)" filter. When
I run ra -n -r <data> - "(not tcp and con)", I get the complaint:
ArgusFilterCompile: expression rejects all records
-Esteban
On 12/3/07, Carter Bullard <carter at qosient.com> wrote:
> Hey Wolfgang,
> The ? is caused by not seeing the tcp syn or synack, so ...
>
> -- (syn or synack) or not tcp
>
> Should do the trick.
>
> Carter
>
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: wob at swobspace.de (Wolfgang Barth)
>
> Date: Fri, 30 Nov 2007 17:45:21
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] Omitting data with dir = <?>
>
>
> Hi,
>
> I want to omit records with unknown direction (dir = <?>). How can I filter
> out such records with ra?
>
> Wolfgang
> --
> <wob (at) swobspace de> * http://www.swobspace.de
>
>
>