Ratop question

elof2 at sentor.se elof2 at sentor.se
Wed Nov 5 09:31:50 EST 2014


Hi Monah

either just pipe it to | grep POST or see the ra manual

        -e <regex>
            Match regular expression in flow user data fields. Prepend the
            regex with either "s:" or "d:" to limit the match to either the
            source or destination user data fields. At this time null bytes in
            the user data buffer terminate search.  Examples include:
               "^SSH-"           - Look for ssh connections on any port.
               "s:^GET"          - Look for HTTP GET requests in the source buffer.
               "d:^HTTP.*Unauth" - Find unauthorized http response.

            Depending on the regular expression library that the system
            supports, you will be able to match many types of binary, octal and
            hex expressions.  See regex.3, pcre.3 and the web for examples.

so I guess
    -e "s:^POST "
is what you're looking for.

/Elof


On Tue, 4 Nov 2014, Monah Baki wrote:

> Hi all,
>
> Running the following command:
>
> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans
> sload psize suser:100
>
>
> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
> display POSTS instead of GET.
>
>
> Thank you
> Monah
>
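The -e matching rules quoted from the ra manual above (an optional "s:" or "d:" prefix selecting the source or destination user data buffer, and a null byte ending the searchable data) modelled in Python as an added illustration; this is not argus code, and the flow records are constructed samples, not real ratop output:

```python
import re

# Constructed sample flows (not real argus output): each carries the source
# and destination user data buffers as bytes, as ratop's suser/duser would.
FLOWS = [
    {"saddr": "10.0.0.5", "suser": b"GET /index.html HTTP/1.1\r\nHost: x", "duser": b"HTTP/1.1 200 OK"},
    {"saddr": "10.0.0.6", "suser": b"POST /login HTTP/1.1\r\nHost: x", "duser": b"HTTP/1.1 401 Unauthorized"},
    {"saddr": "10.0.0.7", "suser": b"POST /upload HTTP/1.1", "duser": b"HTTP/1.1 200 OK"},
    # A NUL before the request line: per the manual, the search stops there,
    # so this POST is not visible to -e.
    {"saddr": "10.0.0.8", "suser": b"\x00POST /hidden HTTP/1.1", "duser": b"HTTP/1.1 200 OK"},
    {"saddr": "10.0.0.9", "suser": b"SSH-2.0-OpenSSH_8.9", "duser": b"SSH-2.0-OpenSSH_9.0"},
]


def parse_e(expr):
    """Split an -e argument into (buffers to search, compiled regex).

    "s:" limits the match to source user data, "d:" to destination user
    data; with no prefix both buffers are searched.
    """
    if expr.startswith("s:"):
        return ("suser",), re.compile(expr[2:].encode())
    if expr.startswith("d:"):
        return ("duser",), re.compile(expr[2:].encode())
    return ("suser", "duser"), re.compile(expr.encode())


def user_data_matches(flow, expr):
    """True if the regex matches the selected user data buffer(s) of one flow."""
    fields, rx = parse_e(expr)
    for field in fields:
        searchable = flow[field].split(b"\x00", 1)[0]  # NUL terminates the search
        if rx.search(searchable):
            return True
    return False


def select_flows(flows, expr):
    """Return the source addresses of the flows that -e <expr> would keep."""
    return [f["saddr"] for f in flows if user_data_matches(f, expr)]


if __name__ == "__main__":
    for e in ("s:^POST ", "d:^HTTP.*Unauth", "^SSH-"):
        print(e, "->", select_flows(FLOWS, e))
```

Note that the unanchored, unprefixed "POST" still misses the flow whose buffer starts with a null byte, which is why a POST hidden behind binary data would not show up in the filtered display.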


