How to filter results by srcid when it is arbitrary text

Carter Bullard carter at qosient.com
Mon Jul 25 20:36:40 EDT 2011


Hey Kevin,
It should work with " 's around the label:
   ra -r file - srcid "eth1"

I'll check it out later tonight.
Carter

On Jul 25, 2011, at 2:50 PM, The Branches <branchbunch at gmail.com> wrote:

> Carter,
> 
> I'm assigning 3-4 character textual labels as the srcid values for argus records corresponding to different sniffing interfaces and it is working quite nicely. One thing I have not been able to figure out yet is how to reference the srcid in a filter expression when it is arbitrary text. I've tried a variety of ways to do this, like:
> 
> ra -r argus.out - "srcid eth2"
> ra -r argus.out - srcid "eth2"
> ra -r argus.out - srcid \"eth2\"
> ra -r argus.out - "srcid 'eth2'"
> ra -r argus.out - "srcid \'eth2\'"
> 
> but I always get back a syntax error complaining about the eth2 part.  It seems to consider any kind of single or double quote usage around the eth2 part as an illegal character situation, but without using quotes it tries to resolve eth2 to an IP number.
> 
> No press on this.  My argus records from different source interfaces drop into different filenames corresponding to the srcid anyway.  Eventually it would be nice to filter by srcid when it is arbitrary text.
> 
> Kevin
> 


