Filter error with capitalized connectors
Carter Bullard
carter at qosient.com
Wed Mar 4 08:19:01 EST 2015
Hey Jason,
I'm not sure that I have ever tested or used CAPS for any of the filter reserved words.
You don't get that for free with lex/yacc or flex/bison, but it is easy to add to the compiler.
Since this is not a critical issue, I defer a fix until we startup the next release round.
We seem to be acquiring enough to do though, to start up 3.0.9 ???
Carter
> On Mar 4, 2015, at 3:57 AM, Jason <dn1nj4 at gmail.com> wrote:
>
> Hi Carter,
>
> Earlier this week I came across a strange behavior in 3.0.8 that I've not encountered before dealing with BPF filtering in both ra and racluster. Here, everything looks fine:
>
> $ racluster -r test.bin - host 197.0.1.6 and port 50913
>
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 19:59:29.651832 e tcp 197.0.1.6.50913 -> 1.0.2.1.https 1 74 REQ
>
> But if I change the "and" to "AND" it generates a filter error:
> $ racluster -r test.bin - host 197.0.1.6 AND port 50913
> racluster[11137]: 03:51:02.354846 host 197.0.1.6 AND port 50913 filter syntax error
>
> The same is true of "or" connectors. The problem also manifests in ra.
> Is this known/expected behavior?
>
> Thanks,
> Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20150304/210dd589/attachment.html>
More information about the argus
mailing list