Ratop question

elof2 at sentor.se
Wed Nov 5 11:17:34 EST 2014


Hi Carter!

For starters, it would be nice if "-v" was mentioned in the ra(1) manual.
I didn't find it, so I created the [^G][^E][^T] regex instead...

/Elof


On Wed, 5 Nov 2014, Carter Bullard wrote:

> Hey Guys,
> There is another twist, of this idea, but it may be a feature problem for ratop.1.
>
> All the ra* clients support using the -v flag to negate a -e grep expression, just like grep.
>
> Unfortunately the -v option reverses both the sort order and the regex operation
> in ratop.1.  This is a case of having too many operators, and wanting to use -v,
> like many unix commands, to reverse the logic.  sort.1 and grep.1 both use
> -v to negate actions, and rasort.1 and regrep.1 also use -v.
>
> Because ratop.1 incorporates the functions of rasort and ragrep, we
> 'inherit' the actions of the -v.
>
> So, use the "-e regex -v" options to read an input file, and then when it
> displays the results, use the "-v" to get the sort order correct.
>
> Not sure how to correct this, may have to make some changes to .rarc to
> clarify the -v function ???
>
> Carter
>
>> On Nov 5, 2014, at 10:28 AM, elof2 at sentor.se wrote:
>>
>>
>> ... | grep -v "GET "
>>
>> or
>>
>> -e "s:[^G][^E][^T]"
>>
>> /Elof
>>
>> On Wed, 5 Nov 2014, Monah Baki wrote:
>>
>>> Can I use the negate operator saying I want to see everything except "GET"?
>>>
>>>
>>> Thanks
>>>
>>> On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
>>>
>>>> You get PCRE by adding
>>>> --with-libpcre to the ./configure when you build the clients
>>>>
>>>>
>>>>
>>>> Dave Edelman
>>>>
>>>>
>>>>> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>>>>>
>>>>>
>>>>> Hi Monah
>>>>>
>>>>> either just pipe it to | grep POST or see the ra manual
>>>>>
>>>>>      -e <regex>
>>>>>          Match regular expression in flow user data fields. Prepend the
>>>>>          regex with either "s:" or "d:" to limit the match to either the
>>>>>          source or destination user data fields. At this time null bytes in
>>>>>          the user data buffer terminate search.  Examples include:
>>>>>             "^SSH-"           - Look for ssh connections on any port.
>>>>>             "s:^GET"          - Look for HTTP GET requests in the source buffer.
>>>>>             "d:^HTTP.*Unauth" - Find unauthorized http response.
>>>>>
>>>>>          Depending on the regular expression library that the system
>>>>>          supports, you will be able to match many types of binary, octal and
>>>>>          hex expressions.  See regex.3, pcre.3 and the web for examples.
>>>>>
>>>>> so I guess
>>>>>  -e "s:^POST "
>>>>> is what you're looking for.
>>>>>
>>>>> /Elof
>>>>>
>>>>>
>>>>>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Running the following command:
>>>>>>
>>>>>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans
>>>>>> sload psize suser:100
>>>>>>
>>>>>>
>>>>>> In my suser I am seeing a lot of "GET". Is there a way to tell ratop to
>>>>>> display POSTs instead of GET?
>>>>>>
>>>>>>
>>>>>> Thank you
>>>>>> Monah
>>>>>>
>>>>
>>>
>>
>
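As an added illustration (not part of this thread and not argus's own code), the following Python models the -e / -v matching semantics described in the quoted ra(1) text: the "s:" / "d:" prefix selects the source or destination user-data field, a null byte terminates the search, and -v inverts the match. The flows and the field names suser/duser are constructed for the example; it also shows why a character-class regex like [^G][^E][^T] does not negate "GET".

```python
import re

# Constructed sample flows (not real captures). suser/duser stand for the
# source and destination user-data buffers that ratop prints as suser:100 etc.
FLOWS = [
    {"id": "get",  "suser": b"GET /index.html HTTP/1.1\r\nHost: a\r\n",
                   "duser": b"HTTP/1.1 200 OK\r\n"},
    {"id": "post", "suser": b"POST /login HTTP/1.1\r\nHost: a\r\n",
                   "duser": b"HTTP/1.1 401 Unauthorized\r\n"},
    {"id": "ssh",  "suser": b"SSH-2.0-OpenSSH_6.6\r\n",
                   "duser": b"SSH-2.0-OpenSSH_6.7\r\n"},
    # Payload whose first byte is NUL: per the man page nothing after it is searched.
    {"id": "nul",  "suser": b"\x00GET /hidden HTTP/1.1\r\n", "duser": b""},
]


def parse_expr(expr):
    """Split an -e argument into (fields to search, regex).
    An 's:' or 'd:' prefix limits the match to the source or destination
    user data; without a prefix both fields are searched."""
    if expr.startswith("s:"):
        return ("suser",), expr[2:]
    if expr.startswith("d:"):
        return ("duser",), expr[2:]
    return ("suser", "duser"), expr


def searchable(buf):
    """Model of 'null bytes in the user data buffer terminate search':
    only the bytes before the first NUL are visible to the regex."""
    return buf.split(b"\x00", 1)[0].decode("latin-1")


def matches(flow, expr, negate=False):
    """True if the flow passes the -e filter; negate models grep-style -v."""
    fields, pattern = parse_expr(expr)
    rx = re.compile(pattern)
    hit = any(rx.search(searchable(flow[field])) for field in fields)
    return hit != negate


def select(flows, expr, negate=False):
    """Return the ids of the flows that the filter would display."""
    return [f["id"] for f in flows if matches(f, expr, negate)]


if __name__ == "__main__":
    print("s:^GET          ->", select(FLOWS, "s:^GET"))
    print("s:^GET with -v  ->", select(FLOWS, "s:^GET", negate=True))
    # The [^G][^E][^T] workaround matches almost any payload, GET included.
    print("s:[^G][^E][^T]  ->", select(FLOWS, "s:[^G][^E][^T]"))
```

Run it to see that "s:^GET" with -v is the only variant that actually drops the GET flow; the character-class regex still matches it (on "ET " at offset 1) and so filters nothing.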
