monahbaki at gmail.com
Wed Nov 5 10:09:49 EST 2014
Can I use the negate operator saying I want to see everything except "GET"?
On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
> You get PCRE by adding
> --with-libpcre to the ./configure when you build the clients
> Dave Edelman
> > On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
> > Hi Monah
> > either just pipe it to | grep POST or see the ra manual
> > -e <regex>
> > Match regular expression in flow user data fields. Prepend the
> > regex with either "s:" or "d:" to limit the match to either
> > source or destination user data fields. At this time null bytes in
> > the user data buffer terminate search. Examples include:
> > "^SSH-" - Look for ssh connections on any port.
> > "s:^GET" - Look for HTTP GET requests in the source buffer.
> > "d:^HTTP.*Unauth" - Find unauthorized http response.
> > Depending on the regular expression library that the system
> > ports, you will be able to match many types of binary, octal and
> > hex expressions. See regex.3, pcre.3 and the web for examples.
> > so I guess
> > -e "s:^POST "
> > is what you're looking for.
> > /Elof
> >> On Tue, 4 Nov 2014, Monah Baki wrote:
> >> Hi all,
> >> Running the following command:
> >> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco
> >> sload psize suser:100
> >> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
> >> display POSTS instead of GET?
> >> Thank you
> >> Monah
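
The matching rules quoted from the ra manual in this thread, as an added example that is not part of the original messages and is not Argus code: a Python emulation of the "s:" / "d:" prefixes and the null-byte cutoff, run over constructed flow records. The negative lookahead `^(?!GET )` is PCRE-style syntax for "everything except GET"; that ra accepts it when the clients are built with PCRE is an assumption, as is skipping flows whose buffer is empty.

```python
import re

# Constructed sample flows: user data buffers as raw bytes (not real captures).
FLOWS = [
    {"saddr": "10.0.0.5", "suser": b"GET /index.html HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 200 OK\r\n"},
    {"saddr": "10.0.0.6", "suser": b"POST /login HTTP/1.1\r\n",
     "duser": b"HTTP/1.1 401 Unauthorized\r\n"},
    {"saddr": "10.0.0.7", "suser": b"SSH-2.0-OpenSSH_6.6\r\n",
     "duser": b"SSH-2.0-OpenSSH_6.6\r\n"},
    # Binary payload: the text after the null byte is never searched.
    {"saddr": "10.0.0.8", "suser": b"\x16\x03\x01\x00POST ", "duser": b""},
]


def parse_expr(expr):
    """Split an -e style expression into (buffer names, compiled regex)."""
    if expr.startswith("s:"):
        return ("suser",), re.compile(expr[2:].encode())
    if expr.startswith("d:"):
        return ("duser",), re.compile(expr[2:].encode())
    # No prefix: search both source and destination user data.
    return ("suser", "duser"), re.compile(expr.encode())


def match_flows(expr, flows=FLOWS):
    """Return saddr of each flow whose user data matches the expression."""
    buffers, rx = parse_expr(expr)
    hits = []
    for flow in flows:
        for name in buffers:
            # Emulate the manual's caveat: a null byte terminates the search.
            data = flow[name].split(b"\x00", 1)[0]
            # Assumption: a flow with no captured user data cannot match.
            if data and rx.search(data):
                hits.append(flow["saddr"])
                break
    return hits


if __name__ == "__main__":
    for expr in ("s:^POST ", "^SSH-", "d:^HTTP.*Unauth", "POST", "s:^(?!GET )"):
        print(f"{expr!r:22} -> {match_flows(expr)}")
```

The unanchored "POST" expression misses 10.0.0.8 because the string sits behind a null byte, which is the blind spot to keep in mind when using user data matches for detection on binary protocols.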