Re: [wallfire-users] Needing help with $count filter option
From: Herve E. <rv...@wa...> - 2005-09-15 18:38:29
On Thu, Sep 15, 2005 at 02:03:26AM -0600, James Lay wrote:

Hi!

> Here's what I'm trying to do:
> wflogs -i netfilter -f '$start_time >= [00:00:00] && $count > 1' -o html --sort=dport,-count --resolve=0 --whois=0 /var/log/kernel > test.html
> The above yields nothing at all :( If I remove the $count > 1 then I get all sorts of info...including a lot of things that have counts above one. Am I missing something? Help!

Oh, yes. Filtering currently takes place before summary. So, as netfilter log lines concern only one packet at a time, $count is always equal to 1 (for netfilter).

I guess filtering _after_ summary would make sense too... so we should probably enable both.

Now, the question is: how would we name the long options so that it is clear that
- the first filter is done before summary (or any other operation such as sort, obfuscation, etc...). In fact, it is done just after parsing, so maybe a name like --filter-after-parsing would be good
- the second filter is done after summary (and all), so a name like --filter-before-output would be good.

Now, we must keep backward compatibility, by keeping the old -f letter. So once --filter-before-output is implemented (which I intend to do in the very next days as it is only a few lines of code), I'll have to choose if it would be better to assign -f to --filter-after-parsing (which it was until now) or to --filter-before-output (-F being created and assigned to the other).

Assigning it to --filter-after-parsing would ensure strict compatibility, but I don't know if it would be that clever, as that would not make so much difference for most users to assign -f to --filter-before-output, and it's probably what people would intuitively expect (as most of them want to use the summary option).

What do you think?

Herve

-- 
 _ (°= Hervé Eychenne
//) v_/_ WallFire project: http://www.wallfire.org/
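The point of the reply is an ordering question: a filter evaluated right after parsing sees one netfilter record per packet, so `$count > 1` can never match, while the same expression evaluated after the summary step does. The following toy pipeline is an added example written for this thread, not wflogs code: it parses a few constructed netfilter log lines, merges them by destination port the way a summary does, and applies the same `count > 1` test at each of the two positions the message names (after parsing, before output). The record field names, the `run()` helper and the sample log lines are all assumptions made for the demo; the `$start_time` half of the original filter is left out.

```python
"""Toy model of wflogs' two possible filter stages (added example, not wflogs code).

Netfilter emits one log line per packet, so a record straight out of the
parser always has count == 1; only the summary step, which merges records
sharing a key, produces counts above 1.  Everything below is constructed."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample: three netfilter log lines, two of them to the same dport.
SAMPLE_LOG = """\
Sep 15 00:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Sep 15 00:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22
Sep 15 00:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=80
"""

Record = Dict[str, object]
Filter = Callable[[Record], bool]

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs as netfilter prints them


def parse_netfilter(text: str) -> List[Record]:
    """One record per log line.  A line describes exactly one packet, so every
    parsed record carries count == 1 (the fact the reply points out)."""
    records: List[Record] = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "DPT" not in fields:          # not a netfilter packet line
            continue
        records.append({
            "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"], "dport": int(fields["DPT"]),
            "count": 1,
        })
    return records


def summarize(records: List[Record], key: str = "dport") -> List[Record]:
    """The summary step: merge records sharing `key`, adding up their counts."""
    merged: Dict[object, Record] = {}
    for r in records:
        k = r[key]
        if k in merged:
            merged[k]["count"] += r["count"]
        else:
            merged[k] = {key: k, "proto": r["proto"], "count": r["count"]}
    return list(merged.values())


def run(records: List[Record],
        after_parsing: Optional[Filter] = None,
        before_output: Optional[Filter] = None) -> List[Record]:
    """Pipeline in the order the reply describes:
    parse -> filter (after parsing) -> summary -> filter (before output) -> sort."""
    if after_parsing is not None:
        records = [r for r in records if after_parsing(r)]
    records = summarize(records)
    if before_output is not None:
        records = [r for r in records if before_output(r)]
    # equivalent of --sort=dport,-count
    return sorted(records, key=lambda r: (r["dport"], -r["count"]))


def count_gt_1(r: Record) -> bool:
    """The '$count > 1' part of the original filter expression."""
    return r["count"] > 1


def filter_after_parsing() -> List[Record]:
    """What -f does today: the test runs before summary, so nothing survives."""
    return run(parse_netfilter(SAMPLE_LOG), after_parsing=count_gt_1)


def filter_before_output() -> List[Record]:
    """The proposed --filter-before-output: same test, applied after summary."""
    return run(parse_netfilter(SAMPLE_LOG), before_output=count_gt_1)


if __name__ == "__main__":
    print("after parsing :", filter_after_parsing())   # []
    print("before output :", filter_before_output())   # [{'dport': 22, 'proto': 'TCP', 'count': 2}]
```

Running it shows the two behaviours side by side: the after-parsing variant returns an empty list, exactly the "yields nothing at all" symptom, while the before-output variant keeps the merged port-22 entry with a count of 2 and drops port 80, which only ever saw one packet.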