Ratop question

Carter Bullard carter at qosient.com
Wed Nov 5 11:10:09 EST 2014


Hey Guys,
There is another twist of this idea, but it may be a feature problem for ratop.1.

All the ra* clients support using the -v flag to negate a -e grep expression, just like grep.

Unfortunately the -v option reverses both the sort order and the regex operation
in ratop.1.  This is a case of having too many operators, and wanting to use -v,
like many unix commands, to reverse the logic.  sort.1 and grep.1 both use
-v to negate actions, and rasort.1 and ragrep.1 also use -v.

Because ratop.1 incorporates the functions of rasort and ragrep, we
"inherit" the actions of the -v.

So, use the "-e regex -v" options to read an input file, and then when it
displays the results, use the "-v" to get the sort order correct.

Not sure how to correct this, may have to make some changes to .rarc to
clarify the -v function ???

Carter

> On Nov 5, 2014, at 10:28 AM, elof2 at sentor.se wrote:
> 
> 
> ... | grep -v "GET "
> 
> or
> 
> -e "s:[^G][^E][^T]"
> 
> /Elof
> 
> On Wed, 5 Nov 2014, Monah Baki wrote:
> 
>> Can I use the negate operator saying I want to see everything except "GET"?
>> 
>> 
>> Thanks
>> 
>> On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
>> 
>>> You get PCRE by adding
>>> --with-libpcre to the ./configure when you build the clients
>>> 
>>> 
>>> 
>>> Dave Edelman
>>> 
>>> 
>>>> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>>>> 
>>>> 
>>>> Hi Monah
>>>> 
>>>> either just pipe it to | grep POST or see the ra manual
>>>> 
>>>>      -e <regex>
>>>>          Match regular expression in flow user data fields. Prepend the
>>>>          regex with either "s:" or "d:" to limit the match to either the
>>>>          source or destination user data fields. At this time null bytes in
>>>>          the user data buffer terminate search.  Examples include:
>>>>             "^SSH-"           - Look for ssh connections on any port.
>>>>             "s:^GET"          - Look for HTTP GET requests in the source buffer.
>>>>             "d:^HTTP.*Unauth" - Find unauthorized http response.
>>>> 
>>>>          Depending on the regular expression library that the system sup-
>>>>          ports, you will be able to match many types of binary, octal and
>>>>          hex expressions.  See regex.3, pcre.3 and the web for examples.
>>>> 
>>>> so I guess
>>>>  -e "s:^POST "
>>>> is what you're looking for.
>>>> 
>>>> /Elof
>>>> 
>>>> 
>>>>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> Running the following command:
>>>>> 
>>>>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans
>>>>> sload psize suser:100
>>>>> 
>>>>> 
>>>>> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
>>>>> display POSTS instead of GET.
>>>>> 
>>>>> 
>>>>> Thank you
>>>>> Monah
>>>>> 
>>> 
>> 
> 
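The thread above discusses two things: how the ra* clients' `-e` expression selects flows by regex over the user-data buffers (with an optional `s:`/`d:` prefix and null-byte termination, as quoted from the manual), and how `-v` inverts that selection the way `grep -v` does. The following is an added illustration, not argus code and not from any poster; it re-implements those matching semantics in Python over a few constructed flow records so the effect of each expression, and of inversion, can be checked offline. The record layout (a pair of source/destination user-data byte strings) and the function names are assumptions made for the example.

```python
import re

# Constructed sample flows: (source user data, destination user data), standing in
# for the suser/duser fields of argus records. These are not real captures.
FLOWS = [
    (b"GET /index.html HTTP/1.1\r\nHost: example\r\n", b"HTTP/1.1 200 OK\r\n"),
    (b"POST /login HTTP/1.1\r\nHost: example\r\n", b"HTTP/1.1 401 Unauthorized\r\n"),
    (b"SSH-2.0-OpenSSH_7.4\r\n", b"SSH-2.0-OpenSSH_8.0\r\n"),
    # A null byte in the buffer: per the manual text, the search stops there,
    # so the "POST" after it is never seen.
    (b"GET /x\x00POST /hidden", b"HTTP/1.1 200 OK\r\n"),
]


def parse_expr(expr: str):
    """Split an ra-style -e expression into (side, compiled regex).

    side is 's' (source buffer only), 'd' (destination only) or None (either).
    """
    side = None
    if expr[:2] in ("s:", "d:"):
        side, expr = expr[0], expr[2:]
    return side, re.compile(expr.encode())


def buffer_upto_null(buf: bytes) -> bytes:
    """Truncate at the first null byte, mirroring the documented limitation."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def flow_matches(flow, expr: str) -> bool:
    """True if the regex matches the selected user-data buffer(s) of one flow."""
    side, rx = parse_expr(expr)
    suser, duser = flow
    candidates = []
    if side in (None, "s"):
        candidates.append(suser)
    if side in (None, "d"):
        candidates.append(duser)
    return any(rx.search(buffer_upto_null(b)) for b in candidates)


def filter_flows(flows, expr: str, invert: bool = False):
    """Return the indices of flows selected by expr.

    invert=True keeps the flows that do NOT match, i.e. the grep -v behaviour
    the thread wants from the -v flag.
    """
    return [i for i, f in enumerate(flows) if flow_matches(f, expr) != invert]


if __name__ == "__main__":
    for e in ('^SSH-', 's:^GET', 'd:^HTTP.*Unauth', 's:^POST '):
        print(f"{e:20} -> {filter_flows(FLOWS, e)}")
    print(f"{'s:^GET (inverted)':20} -> {filter_flows(FLOWS, 's:^GET', invert=True)}")
```

Running the block prints the selected record indices for each of the manual's example expressions, then for the inverted `s:^GET` selection, which is the "everything except GET" result asked about in the thread: flows 1 and 2 remain, and flow 3 is excluded because its leading `GET` is what the matcher sees before the null byte.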