ArgusBug ratop display filter : only lack of knowledge

Stéphane Peters stephane.peters at forem.be
Wed Feb 14 08:24:31 EST 2007 

Hello Carter,

you are right, I didn't know anything about the 'remote', 'local' or 
'display' filter types;
I haven't seen them in a ratop manpage :-)

Because I worked on a file, it's normal that a change on the 'remote' 
filter did nothing.
I have tried a 'local' filter, that did nothing either (I needed to type 
'r').
But the 'display' filter works immediately.
Please note that for discarding the filter, you need to type a space 
after 'display':
    'display' <space> <carriage return>

Having these 3 filter types is another great feature of the argus package !


Carter Bullard wrote :

> Hey Stephane,
> Two things, yes there is a bug in the filter, but it may not be working
> as you think .........  Thanks for the report,, I have fixed it, so wait
> until rc.40 to test drive the suggestions below, and I apologize if
> I am going over understood concepts.
>
> You specified an input filter, and so for it to have an effect, you
> need to re-read the data so the filter can be applied to the data.
> After setting up the filter, type 'r' .  The "Read files(s): " prompt  
> should
> come up with the file you've already read.  Just type carriage
> return, and ratop() will discard its internal buffers and re-read the  
> file.
> Now if there wasn't a bug, it would filter out records, but with the bug
> it will act as if there you had not entered a filter.
>
> There are three types of filters in ratop(), the first is a remote  
> filter, which
> will be transmitted to a remote argus source, thus limiting the amount
> of traffic on the wire.  The second is a local input filter.  You  
> would use
> this type of filter if the remote does not support the type of filter  
> you want
> to use.  This is a compatibility feature.  The third, which is the  
> filter you
> are looking for I suspect, is a display filter, which will control what
> records are displayed, without affecting the internal buffers of ratop 
> ().
>
> You differentiate the filter types using the keywords "remote", "local"
> and "display".   Without a keyword, you get "remote", and the remote
> filter is sent, if there is an argus server to send it to, and it is  
> used as
> an input filter for ratop().
>
> So ... try this:
>
>    ratop -r file
>
> This causes ratop() to process the file without any type of input  
> filtering.
> Once the data is done, then in ratop(), call up the "Specify filter:  
> " prompt
> by typing:
>
>   f
>
> and then at the prompt type:
>
>    display tcp and dst port 80
>
> and then carriage return, and you should see the display only list
> the http traffic.  To get rid of the display filter, type:
>
>    'f'
>
> and just back over the filter, leaving the 'display', and then hit  
> carriage
> return, the filter will be discarded.
>
> you can have all three types of filters active at the same time,, and  
> ratop()
> will display each of the them on the command line.  To get rid of a  
> specific
> one, just type the keyword after calling up the "Specify filter: "  
> prompt, and
> carriage return and the filter will be discarded.
>
> Hope this is helpful,
>
> Carter
>
>
>
> On Feb 13, 2007, at 7:34 PM, Stéphane Peters wrote:
>
>> >Description:
>>        On ratop, the 'f' command, that permits to change the filter,
>>        has no effect except displaying "Specify filter:   <anyfilter> 
>> filter accepted"
>>        at the bottom of the screen, without applying it.
>>
>>        The same filter given on the command line is working as  
>> expected.
>>
>> >How-To-Repeat:
>>        launch ratop on some data
>>        type f followed by any filter
>>
>> >Fix:
>>        not known
>>
>> >Originator:    ARGUS
>> >Argus support: none
>> >Release:       argus-3.0
>> >Product:       ratop
>> >Synopsis:      unable to change filter ('f' command)
>> >Class:         sw-bug
>> >Severity:      non-critical
>> >Priority:      low
>>
>> >Environment:   <machine, os, target, libraries (multiple lines)>
>>
>> System:  Linux argus-fedora.forem.be 2.6.5-1.358 #1 Sat May 8  
>> 09:04:50 EDT 2004 i686 i686 i386 GNU/Linux
>> Arch:    i686
>>
>> Paths:    /export/home/argus/argus-clients-3.0.0.rc.39/bin/ra /usr/ 
>> bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
>>
>>
>> RA:      Ra Version 3.0.0.rc.39
>>
>>
>> GCC:     Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/ 
>> 3.3.3/specs
>> Configured with: ../configure --prefix=/usr --mandir=/usr/share/man  
>> --infodir=/usr/share/info --enable-shared --enable-threads=posix -- 
>> disable-checking --disable-libunwind-exceptions --with-system-zlib  
>> --enable-__cxa_atexit --host=i386-redhat-linux
>> Thread model: posix
>> gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)
>>
>> LIBC:
>> lrwxrwxrwx  1 root root 13 Jun  9  2004 /lib/libc.so.6 ->  libc-2.3.3.so
>> -rwxr-xr-x  1 root root 1443920 May 11  2004 /lib/libc-2.3.3.so
>> -rw-r--r--  1 root root 2308174 May 11  2004 /usr/lib/libc.a
>> -rw-r--r--  1 root root 204 May 11  2004 /usr/lib/libc.so
>> lrwxrwxrwx  1 root root 10 Jun  9  2004 /usr/lib/libc-client.a -> c- 
>> client.a
>> lrwxrwxrwx  1 root root 16 Jun  9  2004 /usr/lib/libc-client.so ->  
>> libc-client.so.0
>> -rwxr-xr-x  1 root root 763688 Apr  7  2004 /usr/lib/libc-client.so.0
>>
>>
>
>

Regards,

-- 
Stephane.Peters at forem.be

More information about the argus mailing list