Ratop question
elof2 at sentor.se
Wed Nov 5 11:17:34 EST 2014
Hi Carter!
For starters, it would be nice if "-v" was mentioned in the ra(1) manual.
I didn't find it, so I created the [^G][^E][^T] regex instead...
/Elof
On Wed, 5 Nov 2014, Carter Bullard wrote:
> Hey Guys,
> There is another twist, of this idea, but it may be a feature problem for ratop.1.
>
> All the ra* clients support using the -v flag to negate a -e grep expression, just like grep.
>
> Unfortunately the -v option reverses both the sort order and the regex operation
> in ratop.1. This is case of having too many operators, and wanting to use -v,
> like many unix commands, to reverse the logic. sort.1 and grep.1 both use
> -v to negate actions, and rasort.1 and regrep.1 also use -v.
>
> Because ratop.1 incorporates the functions of rasort and ragrep, we
> 'inherit' the actions of the -v.
>
> So, use the "-e regex -v" options to read an input file, and then when it
> displays the results, use the "-v" to get the sort order correct.
>
> Not sure how to correct this, may have to make some changes to .rarc to
> clarify the -v function ???
>
> Carter
>
>> On Nov 5, 2014, at 10:28 AM, elof2 at sentor.se wrote:
>>
>>
>> ... | grep -v "GET "
>>
>> or
>>
>> -e "s:[^G][^E][^T]"
>>
>> /Elof
>>
>> On Wed, 5 Nov 2014, Monah Baki wrote:
>>
>>> Can I use the negate operator saying I want to see everything except "GET"?
>>>
>>>
>>> Thanks
>>>
>>> On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
>>>
>>>> You get PCRE by adding
>>>> --with-libpcre to the ./configure when you build the clients
>>>>
>>>>
>>>>
>>>> Dave Edelman
>>>>
>>>>
>>>>> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>>>>>
>>>>>
>>>>> Hi Monah
>>>>>
>>>>> either just pipe it to | grep POST or see the ra manual
>>>>>
>>>>> -e <regex>
>>>>> Match regular expression in flow user data fields. Prepend the
>>>>> regex with either "s:" or "d:" to limit the match to either the
>>>>> source or destination user data fields. At this time null bytes in
>>>>> the user data buffer terminate search. Examples include:
>>>>> "^SSH-" - Look for ssh connections on any port.
>>>>> "s:^GET" - Look for HTTP GET requests in the source buffer.
>>>>> "d:^HTTP.*Unauth" - Find unauthorized http response.
>>>>>
>>>>> Depending on the regular expression library that the system supports,
>>>>> you will be able to match many types of binary, octal and hex
>>>>> expressions. See regex.3, pcre.3 and the web for examples.
>>>>>
>>>>> so I guess
>>>>> -e "s:^POST "
>>>>> is what you're looking for.
>>>>>
>>>>> /Elof
>>>>>
>>>>>
>>>>>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Running the following command:
>>>>>>
>>>>>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans
>>>>>> sload psize suser:100
>>>>>>
>>>>>>
>>>>>> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
>>>>>> display POSTS instead of GET.
>>>>>>
>>>>>>
>>>>>> Thank you
>>>>>> Monah
>>>>>>
>>>>
>>>
>>
>
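The user-data filtering discussed in this thread, worked through as an added example; this is not code from the thread or from the argus project. It models the documented -e behaviour with Python's re module: an optional "s:"/"d:" prefix selecting the source or destination user-data field, a search that stops at the first NUL byte, and -v inverting the match the way grep does. The sample buffers are constructed for the example. That ra performs an unanchored, grep-style search is an assumption about the real clients, and the negative-lookahead form at the end requires the PCRE build (--with-libpcre) mentioned above. The example also shows why a negated character class such as [^G][^E][^T] does not exclude GET requests: as an unanchored search it still matches a three-character window like "ET " inside the GET request line, so -v (or a lookahead) is the right tool.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample user-data buffers in the style of a suser:100 column.
# These are made up for the example, not captures from the thread.
SAMPLE_SUSER = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
    b"GET /img/logo.png HTTP/1.1\r\n",
    b"POST /login HTTP/1.1\r\nContent-Length: 42\r\n",
    b"SSH-2.0-OpenSSH_6.7p1\r\n",
    b"\x00GET /hidden HTTP/1.1\r\n",  # leading NUL: the documented search terminator
]


def parse_expr(expr: str) -> Tuple[Optional[str], str]:
    """Split an -e argument into (field, regex).

    field is "s" or "d" when the regex carries the documented "s:"/"d:"
    prefix, None when it should match either user-data field.
    """
    if expr[:2] in ("s:", "d:"):
        return expr[0], expr[2:]
    return None, expr


def search_region(buf: bytes) -> str:
    """Part of the buffer the regex sees: the man page says a NUL byte
    terminates the search, so everything after the first NUL is ignored."""
    return buf.split(b"\x00", 1)[0].decode("latin-1")


def ra_match(expr: str, suser: bytes, duser: bytes = b"", negate: bool = False) -> bool:
    """Model one flow record against an -e expression.

    Assumption (not verified against the ra sources): the match is an
    unanchored search, like grep, and -v simply inverts the result.
    """
    field, regex = parse_expr(expr)
    pattern = re.compile(regex)
    if field == "s":
        hit = pattern.search(search_region(suser)) is not None
    elif field == "d":
        hit = pattern.search(search_region(duser)) is not None
    else:
        hit = (pattern.search(search_region(suser)) is not None
               or pattern.search(search_region(duser)) is not None)
    return (not hit) if negate else hit


def select(expr: str, buffers: List[bytes], negate: bool = False) -> List[bytes]:
    """Return the source buffers a given -e [-v] expression would keep."""
    return [b for b in buffers if ra_match(expr, b, negate=negate)]


def request_lines(buffers: List[bytes]) -> List[str]:
    """First line of each kept buffer, for compact display."""
    return [search_region(b).split("\r\n", 1)[0] for b in buffers]


if __name__ == "__main__":
    print("-e 's:^POST '        ->", request_lines(select("s:^POST ", SAMPLE_SUSER)))
    # The negated character class is an unanchored search; the window "ET "
    # inside a GET request line satisfies it, so GET requests are NOT excluded.
    print("-e 's:[^G][^E][^T]'  ->", request_lines(select("s:[^G][^E][^T]", SAMPLE_SUSER)))
    # -v inverts the match, which is what the thread recommends instead.
    print("-e 's:^GET ' -v      ->", request_lines(select("s:^GET ", SAMPLE_SUSER, negate=True)))
    # With a PCRE build, a negative lookahead expresses the same thing without -v.
    print("-e 's:^(?!GET )'     ->", request_lines(select("s:^(?!GET )", SAMPLE_SUSER)))
```

Two things the run makes visible. The negated class keeps every GET buffer, so it is not a negation at all; only the -v form and the lookahead form drop them. Both of those also keep the buffer that begins with a NUL byte, because its searchable region is empty and an empty region can never match ^GET. When hunting for what is not a GET, that is the caveat to remember: a record whose user data is cut off at byte 0 passes any negated filter, so such records deserve a second look rather than being treated as non-HTTP.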