Filtering on pcr ratios
Carter Bullard
carter at qosient.com
Wed Apr 9 16:46:32 EDT 2014
Hey Jesse,
Supposed to work….
The trick with debugging the filters is to print out
the filter pseudocode, to see what it thinks the filter
is supposed to do. This is what I get:
% ra -b - pcr lte -0.1
(000) ldb hdr[0]
(001) and #16
(002) jeq #0x10 jt 3 jf 6
(003) ldf hdr[360]
(004) jgt #-0.100000 jt 6 jf 5
(005) ret #150
(006) ret #0
So this is a good filter. Load the argus record
header, make sure it is a FAR, and then load a floating
point number 360 bytes off of the beginning of the block.
Do the compare and return.
But I also see what you’re seeing, so I must have
declared one of the variables on the stack as unsigned ???
I’ll fix that also.
Carter
On Apr 9, 2014, at 4:39 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> Hello,
>
> I was attempting to filter on pcr ratios and encountered two issues.
>
> *) I cannot seem to filter for negative values
>
> # ra -R 07 -s pcr -N o10 - tcp and pcr lte "-0.1"
>
> this prints help, as do all situations where I quote, escape, etc. Is it possible to filter on a negative value?
>
> *) I get non-matching values when filtering for values less than zero:
>
> # ra -R 07 -s pcr -N o10 - tcp and pcr lte 0.000000
> PCRatio
> 1.000000
> 1.000000
> -0.857742
> -0.556561
> -0.580071
> -0.000806
> 1.000000
> -0.434112
> -0.233966
> -0.509885
>
> Although only values of exactly "1.00000" show up in this output, if I look at more records there are quite a few positive values that are less than 1.00000.
>
> Am I trying to do something unsupported? I assumed that I could filter on pcr, but perhaps not?
>
> Cheers,
>
> Jesse
>
> --
> Jesse Bowling
>
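
Added example, not part of the original message and not Argus code: a small interpreter that walks the seven pseudocode instructions printed by `ra -b - pcr lte -0.1` over constructed records, showing why `jgt ... jt 6 jf 5` implements "less than or equal". The instruction semantics, the 4-byte host-order float encoding, and the helper names (`run_filter`, `make_record`, `matching`) are assumptions made for illustration.

```python
import struct

# (opcode, operand, jt, jf) for the seven instructions printed in the post.
PROGRAM = [
    ("ldb", 0, None, None),     # (000) load byte 0 of the record header
    ("and", 16, None, None),    # (001) mask with 0x10
    ("jeq", 0x10, 3, 6),        # (002) FAR record? otherwise jump to reject
    ("ldf", 360, None, None),   # (003) load the float at offset 360
    ("jgt", -0.1, 6, 5),        # (004) value > -0.1 rejects, else accept
    ("ret", 150, None, None),   # (005) accept
    ("ret", 0, None, None),     # (006) reject
]

def run_filter(program, record):
    """Run the pseudocode over one record; return the ret operand (0 = no match)."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ret":
            return k
        if op in ("jeq", "jgt"):
            taken = (acc == k) if op == "jeq" else (acc > k)
            pc = jt if taken else jf
            continue
        if op == "ldb":
            acc = record[k]
        elif op == "ldf":
            # Assumption: 4-byte IEEE-754 float in host byte order.
            acc = struct.unpack_from("=f", record, k)[0]
        elif op == "and":
            acc &= k
        else:
            raise ValueError(f"unknown opcode {op!r}")
        pc += 1

def make_record(pcr, far=True):
    """Constructed test record: FAR bit in byte 0, PCR float at offset 360."""
    rec = bytearray(364)
    rec[0] = 0x10 if far else 0x00
    struct.pack_into("=f", rec, 360, pcr)
    return bytes(rec)

def matching(values):
    """Return the PCR values whose constructed FAR record the filter accepts."""
    return [v for v in values if run_filter(PROGRAM, make_record(v)) != 0]

# PCRatio values copied from the quoted output, packed into constructed records.
SAMPLE = [1.0, 1.0, -0.857742, -0.556561, -0.580071, -0.000806,
          1.0, -0.434112, -0.233966, -0.509885]

if __name__ == "__main__":
    print(matching(SAMPLE))
```

Run as written, the pseudocode accepts only the values at or below -0.1 and rejects 1.000000 and -0.000806, which is the behaviour the printed filter describes.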