elof2 at sentor.se
Wed Nov 5 09:31:50 EST 2014

Hi Monah

Either just pipe it to | grep POST or see the ra manual:

        -e <regex>
            Match  regular  expression  in  flow user data fields.  Prepend 
            regex with either "s:" or "d:" to limit the  match  to  either 
            source  or destination user data fields. At this time null bytes in
            the user data buffer terminate search.  Examples include:
               "^SSH-"           - Look for ssh connections on any port.
               "s:^GET"          - Look for HTTP GET requests in the source 
               "d:^HTTP.*Unauth" - Find unauthorized http response.

            Depending on the regular expression library that  the  system 
            ports,  you  will  be able to match many types of binary, octal 
            hex expressions.  See regex.3, pcre.3 and the web for examples.

so I guess
    -e "s:^POST "
is what you're looking for.


On Tue, 4 Nov 2014, Monah Baki wrote:

> Hi all,
> Running the following command:
> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans sload psize suser:100
> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
> display POSTS instead of GET?
> Thank you
> Monah
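
The matching rules in the manual excerpt above, modelled as an added example (not part of the original thread and not argus code). It assumes that an expression with no "s:"/"d:" prefix searches both buffers, uses Python's re module in place of the system regex library, and runs over flow records constructed for illustration; the unanchored "POST" pattern stands in for a plain grep.

```python
import re

def parse_expr(expr):
    """Split an -e style argument into (sides to search, compiled pattern)."""
    sides = ("s", "d")                      # assumption: no prefix = both buffers
    if expr[:2] in ("s:", "d:"):
        sides, expr = (expr[0],), expr[2:]
    return sides, re.compile(expr.encode("latin-1"))

def user_data_match(expr, suser=b"", duser=b""):
    """True if expr matches the selected user data buffer(s)."""
    sides, pattern = parse_expr(expr)
    buffers = {"s": suser, "d": duser}
    for side in sides:
        # Per the excerpt, a null byte in the buffer terminates the search.
        visible = buffers[side].split(b"\x00", 1)[0]
        if pattern.search(visible):
            return True
    return False

# Constructed sample flows (hypothetical captured user data).
FLOWS = [
    {"id": "get", "suser": b"GET /index.html HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
    {"id": "post", "suser": b"POST /login HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 401 Unauthorized\r\n"},
    {"id": "get-with-post-in-url", "suser": b"GET /POST/archive HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
    {"id": "ssh", "suser": b"SSH-2.0-OpenSSH_6.6\r\n",
     "duser": b"SSH-2.0-OpenSSH_6.6\r\n"},
    {"id": "binary-then-post", "suser": b"\x16\x03\x00POST /x HTTP/1.1",
     "duser": b""},
]

def select(expr):
    """Ids of the sample flows that expr would keep."""
    return [f["id"] for f in FLOWS
            if user_data_match(expr, f["suser"], f["duser"])]

if __name__ == "__main__":
    for expr in ("s:^POST ", "POST", "d:^HTTP.*Unauth", "^SSH-"):
        print(f"{expr!r:22} -> {select(expr)}")
```

The anchored "s:^POST " keeps only the real POST request, while the unanchored pattern also keeps the GET whose URL contains "POST"; the flow with a null byte ahead of "POST" is missed by both.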

