Filter type 'appbytes' behavior unexpected

Jesse Bowling jessebowling at gmail.com
Mon Oct 7 17:00:41 EDT 2013


On 10/07/2013 03:04 PM, Carter Bullard wrote:
> So what to do???  I'm always for improving stuff.  The filters
> could use the ability to fetch fields and do operations on them, like:
> 
>     ra -r file - (src host/24 = dst host/24)   // same subnet
>     ra -r file - ((src appbytes + dst appbytes) / (src bytes + dst bytes)) < 0.5 // efficiency
> 
> 
> If it's important, then I can do the work, unless of course, you want
> to do it…
> 
> So what are the real queries you want to do ??????
> 

Wow, thanks for the informative post! In fact, I did not have any
particular queries in mind, but was a bit surprised by the behavior that
did not match my expectation (or in my mind, the reading of the man
page). Now it seems clear that I did not read the man page clearly
enough... Specifying 'dst appbytes' got me what I really needed.

That being said, I think the two examples you gave would be great
filters to be able to implement...and being able to filter on computed
fields would also be quite nice...but it won't be me that programs the
functionality and I don't believe my current level of filter needs
justifies asking you to work on it either.... :)

Cheers,

Jesse
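
Added example, not part of the original message or of the argus code: until filters can operate on computed fields, the two queries quoted above (same /24 subnet, and application-byte efficiency below 0.5) can be applied as a post-processing step. It assumes the flow records were already exported as comma-separated rows in the order saddr, daddr, sbytes, dbytes, sappbytes, dappbytes; the sample rows and function names are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rows: saddr,daddr,sbytes,dbytes,sappbytes,dappbytes
# The last row is a constructed label row to show that non-data lines are skipped.
SAMPLE = """\
10.1.2.10,10.1.2.77,1200,5400,900,5000
10.1.2.10,192.0.2.8,640,580,0,0
172.16.5.4,172.16.9.4,4000,4000,1500,500
SrcAddr,DstAddr,SrcBytes,DstBytes,SAppBytes,DAppBytes
"""

def parse(text):
    """Yield (src, dst, sbytes, dbytes, sapp, dapp); skip label or malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue
        try:
            src = ipaddress.ip_address(row[0].strip())
            dst = ipaddress.ip_address(row[1].strip())
            nums = [int(x) for x in row[2:]]
        except ValueError:
            continue
        yield (src, dst, *nums)

def same_subnet(src, dst, prefix=24):
    """Equivalent of the proposed 'src host/24 = dst host/24' test."""
    if src.version != dst.version:
        return False
    return dst in ipaddress.ip_network(f"{src}/{prefix}", strict=False)

def efficiency(sbytes, dbytes, sapp, dapp):
    """(src appbytes + dst appbytes) / (src bytes + dst bytes); None if no bytes."""
    total = sbytes + dbytes
    return None if total == 0 else (sapp + dapp) / total

def select(text, max_eff=0.5):
    """Return (same-subnet flows, flows with efficiency below max_eff)."""
    same, inefficient = [], []
    for src, dst, sb, db, sa, da in parse(text):
        if same_subnet(src, dst):
            same.append((str(src), str(dst)))
        eff = efficiency(sb, db, sa, da)
        if eff is not None and eff < max_eff:
            inefficient.append((str(src), str(dst), round(eff, 3)))
    return same, inefficient
```
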


