Ratop question
Carter Bullard
carter at qosient.com
Wed Nov 5 15:13:20 EST 2014
Hey /Elof,
I think your regex is the correct answer, as it's the ‘official’ regex way of doing things.
We do have a complete man page for ragrep.1.
I’ll add it to the manpage for 3.0.9, which I’ll start in another few weeks.
Carter
> On Nov 5, 2014, at 11:17 AM, elof2 at sentor.se wrote:
>
>
> Hi Carter!
>
> For starters, it would be nice if "-v" was mentioned in the ra(1) manual.
> I didn't find it, so I created the [^G][^E][^T] regex instead...
>
> /Elof
>
>
> On Wed, 5 Nov 2014, Carter Bullard wrote:
>
>> Hey Guys,
>> There is another twist of this idea, but it may be a feature problem for ratop.1.
>>
>> All the ra* clients support using the -v flag to negate a -e grep expression, just like grep.
>>
>> Unfortunately the -v option reverses both the sort order and the regex operation
>> in ratop.1. This is a case of having too many operators, and wanting to use -v,
>> like many unix commands, to reverse the logic. sort.1 and grep.1 both use
>> -v to negate actions, and rasort.1 and ragrep.1 also use -v.
>>
>> Because ratop.1 incorporates the functions of rasort and ragrep, we
>> ‘inherit’ the actions of the -v.
>>
>> So, use the "-e regex -v" options to read an input file, and then when it
>> displays the results, use the "-v" to get the sort order correct.
>>
>> Not sure how to correct this, may have to make some changes to .rarc to
>> clarify the -v function ???
>>
>> Carter
>>
>>> On Nov 5, 2014, at 10:28 AM, elof2 at sentor.se wrote:
>>>
>>>
>>> ... | grep -v "GET "
>>>
>>> or
>>>
>>> -e "s:[^G][^E][^T]"
>>>
>>> /Elof
>>>
>>> On Wed, 5 Nov 2014, Monah Baki wrote:
>>>
>>>> Can I use the negate operator saying I want to see everything except "GET"?
>>>>
>>>>
>>>> Thanks
>>>>
>>>> On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
>>>>
>>>>> You get PCRE by adding --with-libpcre to the ./configure when you build the clients
>>>>>
>>>>>
>>>>>
>>>>> Dave Edelman
>>>>>
>>>>>
>>>>>> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>>>>>>
>>>>>>
>>>>>> Hi Monah
>>>>>>
>>>>>> either just pipe it to | grep POST or see the ra manual
>>>>>>
>>>>>> -e <regex>
>>>>>>      Match regular expression in flow user data fields. Prepend the
>>>>>>      regex with either "s:" or "d:" to limit the match to either the
>>>>>>      source or destination user data fields. At this time null bytes in
>>>>>>      the user data buffer terminate search. Examples include:
>>>>>>          "^SSH-" - Look for ssh connections on any port.
>>>>>>          "s:^GET" - Look for HTTP GET requests in the source buffer.
>>>>>>          "d:^HTTP.*Unauth" - Find unauthorized http response.
>>>>>>
>>>>>>      Depending on the regular expression library that the system
>>>>>>      supports, you will be able to match many types of binary, octal and
>>>>>>      hex expressions. See regex.3, pcre.3 and the web for examples.
>>>>>>
>>>>>> so I guess
>>>>>> -e "s:^POST "
>>>>>> is what you're looking for.
>>>>>>
>>>>>> /Elof
>>>>>>
>>>>>>
>>>>>>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Running the following command:
>>>>>>>
>>>>>>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans sload psize suser:100
>>>>>>>
>>>>>>>
>>>>>>> In my suser, I am seeing a lot of "GET". Is there a way to tell ratop to
>>>>>>> display POSTs instead of GET?
>>>>>>>
>>>>>>>
>>>>>>> Thank you
>>>>>>> Monah
>>>>>>>
>>>>>
>>>>
>>>
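To make the -e / -v filtering semantics discussed in this thread concrete, here is an added Python emulation (example code, not part of argus or of anyone's mail above) of what the quoted ra(1) excerpt describes: the "s:"/"d:" prefix selecting the source or destination user buffer, the search stopping at the first null byte, and -v inverting the match. The flow records, the `ra_filter`/`matches` helper names and the null-byte record are constructed for this example; it also lets you compare `-v -e "s:^GET"` with the `s:[^G][^E][^T]` expression on the same records.

```python
import re

# Constructed sample flow records: (source user data, destination user data).
# The byte strings stand in for ratop's suser/duser buffers; the leading NUL in
# the last record models the man page note that null bytes terminate the search.
FLOWS = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test", b"HTTP/1.1 200 OK"),
    (b"POST /login HTTP/1.1\r\nHost: example.test", b"HTTP/1.1 401 Unauthorized"),
    (b"SSH-2.0-OpenSSH_6.6", b"SSH-2.0-OpenSSH_6.6"),
    (b"\x00GET /hidden HTTP/1.1", b"HTTP/1.1 200 OK"),  # nothing searchable before NUL
]


def split_expr(expr):
    """Honour the documented 's:'/'d:' prefix: return (field, regex)."""
    if expr.startswith("s:"):
        return "src", expr[2:]
    if expr.startswith("d:"):
        return "dst", expr[2:]
    return "any", expr


def searchable(buf):
    """Documented behaviour: the search stops at the first null byte."""
    return buf.split(b"\x00", 1)[0]


def matches(flow, expr):
    """True if the regex in expr matches the selected user data field(s)."""
    field, regex = split_expr(expr)
    pat = re.compile(regex.encode())
    src, dst = flow
    bufs = {"src": [src], "dst": [dst], "any": [src, dst]}[field]
    return any(pat.search(searchable(b)) for b in bufs)


def ra_filter(flows, expr, negate=False):
    """Emulate `-e expr`, or `-v -e expr` when negate=True, over the records."""
    return [f for f in flows if matches(f, expr) != negate]


if __name__ == "__main__":
    # Note: [^G][^E][^T] matches any three bytes that are not G, E, T in that
    # order, so a GET request still matches (e.g. via "ET "); -v with "s:^GET"
    # is what actually excludes the GET record.
    for expr, neg in [("s:^POST ", False), ("s:^GET", True), ("s:[^G][^E][^T]", False)]:
        print(("-v " if neg else "") + "-e " + repr(expr), [f[0][:12] for f in ra_filter(FLOWS, expr, neg)])
```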