Ratop question
elof2 at sentor.se
Wed Nov 5 09:31:50 EST 2014
Hi Monah
either just pipe it to | grep POST or see the ra manual
-e <regex>
    Match regular expression in flow user data fields. Prepend the
    regex with either "s:" or "d:" to limit the match to either the
    source or destination user data fields. At this time null bytes in
    the user data buffer terminate search. Examples include:
        "^SSH-" - Look for ssh connections on any port.
        "s:^GET" - Look for HTTP GET requests in the source buffer.
        "d:^HTTP.*Unauth" - Find unauthorized http response.
    Depending on the regular expression library that the system
    supports, you will be able to match many types of binary, octal
    and hex expressions. See regex.3, pcre.3 and the web for examples.
so I guess
-e "s:^POST "
is what you're looking for.
/Elof
On Tue, 4 Nov 2014, Monah Baki wrote:
> Hi all,
>
> Running the following command:
>
> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans
> sload psize suser:100
>
>
> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
> display POSTS instead of GET.
>
>
> Thank you
> Monah
>
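The following is an added illustration, not code from argus or from either poster: it emulates the documented -e semantics (the "s:"/"d:" prefix selecting the source or destination user-data buffer, and NUL bytes cutting off the searchable region) over a few constructed flow records, so you can see why "s:^POST " picks out only the POST flow.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    """Constructed stand-in for an argus flow record (hypothetical, not argus's own type)."""
    saddr: str
    daddr: str
    suser: bytes   # source user-data buffer: first bytes sent by the client
    duser: bytes   # destination user-data buffer: first bytes sent by the server

def _searchable(buf: bytes) -> str:
    # Per the ra manual, a null byte terminates the search, so only the bytes
    # before the first NUL are visible to the regular expression.
    return buf.split(b"\x00", 1)[0].decode("latin-1")

def compile_user_filter(expr: str):
    """Parse an ra-style -e expression into (buffer selector, compiled regex).
    The selector is 's', 'd', or None (search both buffers)."""
    which = None
    if expr.startswith(("s:", "d:")):
        which, expr = expr[0], expr[2:]
    return which, re.compile(expr)

def user_data_matches(flow: Flow, expr: str) -> bool:
    which, rx = compile_user_filter(expr)
    bufs = []
    if which in (None, "s"):
        bufs.append(flow.suser)
    if which in (None, "d"):
        bufs.append(flow.duser)
    return any(rx.search(_searchable(b)) for b in bufs)

def select_flows(flows, expr):
    """Return the flows whose selected user-data buffer matches expr."""
    return [f for f in flows if user_data_matches(f, expr)]

# Constructed sample records; addresses and payloads are made up for this example.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("10.0.0.6", "192.0.2.10", b"POST /login HTTP/1.1\r\n", b"HTTP/1.1 401 Unauthorized\r\n"),
    Flow("10.0.0.7", "192.0.2.22", b"SSH-2.0-OpenSSH_7.4\r\n", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.8", "192.0.2.10", b"\x00POST /hidden", b""),  # NUL first: nothing searchable
]

if __name__ == "__main__":
    for expr in ("s:^POST ", "^SSH-", "d:^HTTP.*Unauth"):
        print(expr, "->", [f.saddr for f in select_flows(SAMPLE_FLOWS, expr)])
```

The last record shows the NUL caveat from the manual: the POST after the leading null byte is never seen by the filter, so a payload that starts with binary data can hide from a -e match.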