Ratop question

elof2 at sentor.se elof2 at sentor.se
Wed Nov 5 10:28:23 EST 2014


... | grep -v "GET "

or

-e "s:[^G][^E][^T]"

/Elof

On Wed, 5 Nov 2014, Monah Baki wrote:

> Can I use the negate operator saying I want to see everything except "GET"?
>
>
> Thanks
>
> On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
>
>> You get PCRE by adding
>>  --with-libpcre to the ./configure when you build the clients
>>
>>
>>
>> Dave Edelman
>>
>>
>>> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>>>
>>>
>>> Hi Monah
>>>
>>> either just pipe it to | grep POST or see the ra manual
>>>
>>>       -e <regex>
>>>           Match regular expression in flow user data fields. Prepend the
>>>           regex with either "s:" or "d:" to limit the match to either the
>>>           source or destination user data fields. At this time null bytes in
>>>           the user data buffer terminate search.  Examples include:
>>>              "^SSH-"           - Look for ssh connections on any port.
>>>              "s:^GET"          - Look for HTTP GET requests in the source buffer.
>>>              "d:^HTTP.*Unauth" - Find unauthorized http response.
>>>
>>>           Depending on the regular expression library that the system
>>>           supports, you will be able to match many types of binary, octal and
>>>           hex expressions.  See regex.3, pcre.3 and the web for examples.
>>>
>>> so I guess
>>>   -e "s:^POST "
>>> is what you're looking for.
>>>
>>> /Elof
>>>
>>>
>>>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Running the following command:
>>>>
>>>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans
>>>> sload psize suser:100
>>>>
>>>>
>>>> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
>>>> display POSTS instead of GET.
>>>>
>>>>
>>>> Thank you
>>>> Monah
>>>>
>>
>

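The `-e <regex>` semantics quoted from the ra manual above (optional `s:`/`d:` prefix, search truncated at the first null byte), simulated over constructed flow records so the patterns from the thread can be tried offline. This is an added illustration, not argus code; `FLOWS`, `match_user_data` and `select` are made up for it, and the `^(?!GET )` negative-lookahead form of "everything except GET" assumes the PCRE build Dave mentions (`--with-libpcre`).

```python
import re

# Constructed sample flow records as (source user data, destination user data),
# standing in for the suser/duser fields ra and ratop expose. The NUL in the
# fourth record exercises the "null bytes terminate search" rule.
FLOWS = [
    ("GET /index.html HTTP/1.1\r\nHost: a\r\n", "HTTP/1.1 200 OK\r\n"),
    ("POST /login HTTP/1.1\r\nHost: a\r\n", "HTTP/1.1 401 Unauthorized\r\n"),
    ("SSH-2.0-OpenSSH_7.4\r\n", "SSH-2.0-OpenSSH_8.0\r\n"),
    ("GET /img\x00POST /secret HTTP/1.1", "HTTP/1.1 200 OK\r\n"),
]


def match_user_data(expr, suser, duser):
    """Apply one ra-style -e <regex> expression to a single flow.

    An "s:" or "d:" prefix restricts the match to the source or destination
    buffer; no prefix searches both. Each buffer is cut at its first NUL byte
    before the regex runs, as the manual describes.
    """
    if expr.startswith("s:"):
        bufs, pattern = [suser], expr[2:]
    elif expr.startswith("d:"):
        bufs, pattern = [duser], expr[2:]
    else:
        bufs, pattern = [suser, duser], expr
    regex = re.compile(pattern)
    return any(regex.search(buf.split("\x00", 1)[0]) for buf in bufs)


def select(expr, flows=FLOWS):
    """Return the indexes of the flows that -e <expr> would keep."""
    return [i for i, (s, d) in enumerate(flows) if match_user_data(expr, s, d)]
```

Note that `s:^POST ` does not pick up the fourth record: the `POST` after the NUL is never searched, which matters when user-data buffers contain binary or padded content.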