Ratop question
David Edelman
dedelman at iname.com
Wed Nov 5 10:08:24 EST 2014
You get PCRE by adding --with-libpcre to the ./configure when you build the clients.
Dave Edelman
> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>
>
> Hi Monah
>
> either just pipe it to | grep POST or see the ra manual
>
> -e <regex>
> Match regular expression in flow user data fields. Prepend the
> regex with either "s:" or "d:" to limit the match to either the
> source or destination user data fields. At this time null bytes in
> the user data buffer terminate search. Examples include:
> "^SSH-" - Look for ssh connections on any port.
> "s:^GET" - Look for HTTP GET requests in the source buffer.
> "d:^HTTP.*Unauth" - Find unauthorized http response.
>
> Depending on the regular expression library that the system supports,
> you will be able to match many types of binary, octal and
> hex expressions. See regex.3, pcre.3 and the web for examples.
>
> so I guess
> -e "s:^POST "
> is what you're looking for.
>
> /Elof
>
>
>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>
>> Hi all,
>>
>> Running the following command:
>>
>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans sload psize suser:100
>>
>>
>> In my suser, I am seeing a lot of "GET". Is there a way to tell ratop to
>> display POSTs instead of GET?
>>
>>
>> Thank you
>> Monah
>>
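
The `-e` semantics quoted from the ra manual above (the `s:`/`d:` prefix, and the search stopping at the first null byte), modelled as an added example that is not part of the original thread and is not Argus code. Assumptions: Python's `re` stands in for the system regex library, an unprefixed expression is tried against both buffers, and the flow records are constructed sample data.

```python
import re

def parse_filter(expr):
    """Split an -e expression into (side, regex); side is 's', 'd' or None."""
    side = None
    if expr[:2] in ("s:", "d:"):
        side, expr = expr[0], expr[2:]
    return side, re.compile(expr.encode())

def searchable(buf):
    """Per the manual, a null byte in the user data buffer ends the search."""
    return buf.split(b"\x00", 1)[0]

def flow_matches(expr, flow):
    side, rx = parse_filter(expr)
    bufs = {"s": flow["suser"], "d": flow["duser"]}
    # Assumption: with no prefix, either buffer may satisfy the match.
    sides = [side] if side else ["s", "d"]
    return any(rx.search(searchable(bufs[k])) for k in sides)

# Constructed sample flows (source and destination user data buffers).
FLOWS = [
    {"id": 1, "suser": b"GET /index.html HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
    {"id": 2, "suser": b"POST /login HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 401 Unauthorized\r\n"},
    {"id": 3, "suser": b"SSH-2.0-OpenSSH_6.6\r\n",
     "duser": b"SSH-2.0-OpenSSH_6.6\r\n"},
    # Leading null byte: nothing after it is searched.
    {"id": 4, "suser": b"\x00\x01POST /hidden", "duser": b""},
    # A GET whose URL merely contains the string POST.
    {"id": 5, "suser": b"GET /form?next=POST HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
]

def select(expr, flows=FLOWS):
    """Return the ids of flows that the -e expression would keep."""
    return [f["id"] for f in flows if flow_matches(expr, f)]

if __name__ == "__main__":
    for expr in ("s:^POST ", "POST", "d:^HTTP.*Unauth", "^SSH-"):
        print(f"{expr!r:22} -> {select(expr)}")
```

The anchored `s:^POST ` keeps only the real POST request (flow 2), while the unanchored `POST` also keeps flow 5, and flow 4 is never matched because its buffer starts with a null byte.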