How to filter results by srcid when it is arbitrary text

Carter Bullard carter at qosient.com
Mon Jul 25 23:17:38 EDT 2011


Hey Kevin,
So it will need the quotes escaped, and I have a fix that should enable srcid \"str\" filters, such as:

   ra - src \"eth1\"

If you can send a few records with your string srcid, I can test with the new scanner.l, grammar.y and argus_code.c.

Carter

On Jul 25, 2011, at 2:50 PM, The Branches wrote:

> Carter,
> 
> I'm assigning 3-4 character textual labels as the srcid values for argus records corresponding to different sniffing interfaces and it is working quite nicely. One thing I have not been able to figure out yet is how to reference the srcid in a filter expression when it is arbitrary text. I've tried a variety of ways to do this, like:
> 
> ra -r argus.out - "srcid eth2"
> ra -r argus.out - srcid "eth2"
> ra -r argus.out - srcid \"eth2\"
> ra -r argus.out - "srcid 'eth2'"
> ra -r argus.out - "srcid \'eth2\'"
> 
> but I always get back a syntax error complaining about the eth2 part.  It seems to consider any kind of single or double quote usage around the eth2 part as an illegal character situation, but without using quotes it tries to resolve eth2 to an IP number.
> 
> No press on this.  My argus records from different source interfaces drop into different filenames corresponding to the srcid anyway.  Eventually it would be nice to filter by srcid when it is arbitrary text.
> 
> Kevin
> 
