Ratop question
Monah Baki
monahbaki at gmail.com
Wed Nov 5 10:09:49 EST 2014
Can I use the negate operator saying I want to see everything except "GET"?
Thanks
On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
> You get PCRE by adding
> --with-libpcre to the ./configure when you build the clients
>
>
>
> Dave Edelman
>
>
> > On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
> >
> >
> > Hi Monah
> >
> > either just pipe it to | grep POST or see the ra manual
> >
> > -e <regex>
> > Match regular expression in flow user data fields. Prepend the
> > regex with either "s:" or "d:" to limit the match to either the
> > source or destination user data fields. At this time null bytes in
> > the user data buffer terminate search. Examples include:
> > "^SSH-" - Look for ssh connections on any port.
> > "s:^GET" - Look for HTTP GET requests in the source buffer.
> > "d:^HTTP.*Unauth" - Find unauthorized http response.
> >
> > Depending on the regular expression library that the system
> > supports, you will be able to match many types of binary, octal and
> > hex expressions. See regex.3, pcre.3 and the web for examples.
> >
> > so I guess
> > -e "s:^POST "
> > is what you're looking for.
> >
> > /Elof
> >
> >
> >> On Tue, 4 Nov 2014, Monah Baki wrote:
> >>
> >> Hi all,
> >>
> >> Running the following command:
> >>
> >> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans sload psize suser:100
> >>
> >>
> >> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
> >> display POSTS instead of GET.
> >>
> >>
> >> Thank you
> >> Monah
> >>
>
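An added illustration, not part of the original thread and not Argus code: a Python model of the `-e` behaviour quoted from the ra manual above (optional "s:" / "d:" prefix, search ending at the first null byte), run over constructed flow records. It also tries a PCRE-style negative lookahead, "s:^(?!GET)", as one way to express "everything except GET"; that a PCRE-enabled ra accepts this expression is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample records: (saddr, suser bytes, duser bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.6", b"POST /login HTTP/1.1\r\n", b"HTTP/1.1 401 Unauthorized\r\n"),
    ("10.0.0.7", b"SSH-2.0-OpenSSH_6.6\r\n", b"SSH-2.0-OpenSSH_6.6\r\n"),
    ("10.0.0.8", b"\x00\x00GET after nulls", b""),
]

def parse_expr(expr):
    """Split an optional "s:" / "d:" prefix from the regex (hypothetical helper)."""
    if expr[:2] in ("s:", "d:"):
        return expr[0], re.compile(expr[2:].encode())
    return "sd", re.compile(expr.encode())  # no prefix: search both buffers

def searchable(buf):
    """Null bytes in the user data buffer terminate the search."""
    return buf.split(b"\x00", 1)[0]

def match_flows(expr, flows):
    """Return the saddr of every flow whose selected user data matches expr."""
    sides, rx = parse_expr(expr)
    hits = []
    for saddr, suser, duser in flows:
        bufs = []
        if "s" in sides:
            bufs.append(searchable(suser))
        if "d" in sides:
            bufs.append(searchable(duser))
        if any(rx.search(b) for b in bufs):
            hits.append(saddr)
    return hits

if __name__ == "__main__":
    for expr in ("s:^POST ", "s:^GET", "^SSH-", "d:^HTTP.*Unauth", "s:^(?!GET)"):
        print(expr, "->", match_flows(expr, SAMPLE_FLOWS))
    # In this model the negated form also selects 10.0.0.8: its searchable
    # source buffer is empty, and an empty buffer does not start with "GET".
```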