Re: [wallfire-users] Needing help with $count filter option
From: James L. <jl...@sl...> - 2005-09-15 20:35:48
Herve,

If it were me, I would have it position dependent, i.e.:

  wflogs -f '$start_time >= [00:00:00] && $count > 6'

filters before count, and

  wflogs -f '$count > 6 && $start_time >= [00:00:00]'

will count before filter. Personally I know I would want to count before
filter... I think it would chew up fewer CPU cycles by dropping my one and
two hit items and then filtering. Also, this way you wouldn't have to have
any new commands... and, it makes sense logically... just by looking at the
line you could be able to see where the counting occurs.

Just some thoughts.

James

On Thu, 15 Sep 2005 20:38:15 +0200 Herve Eychenne <rv...@wa...> wrote:

> On Thu, Sep 15, 2005 at 02:03:26AM -0600, James Lay wrote:
>
> Hi!
>
> > Here's what I'm trying to do:
>
> > wflogs -i netfilter -f '$start_time >= [00:00:00] && $count > 1' -o
> > html --sort=dport,-count --resolve=0 --whois=0 /var/log/kernel >
> > test.html
>
> > The above yields nothing at all :( If I remove the $count > 1 then
> > I get all sorts of info... including a lot of things that have counts
> > above one. Am I missing something? Help!
>
> Oh, yes.
> Filtering currently takes place before summary.
> So, as netfilter log lines concern only one packet at a time, $count
> is always equal to 1 (for netfilter).
>
> I guess filtering _after_ summary would make sense too...
> so we should probably enable both.
>
> Now, the question is: how would we name the long options so that it
> is clear that
> - the first filter is done before summary (or any other operation such
>   as sort, obfuscation, etc.). In fact, it is done just after
>   parsing, so maybe a name like --filter-after-parsing would be good
> - the second filter is done after summary (and all), so a name like
>   --filter-before-output would be good.
>
> Now, we must keep backward compatibility, by keeping the old -f
> letter.
>
> So once --filter-before-output is implemented (which I intend to do in
> the very next days as it is only a few lines of code), I'll have to
> choose if it would be better to assign -f to --filter-after-parsing
> (which it was until now) or to --filter-before-output (-F being created
> and assigned to the other).
> Assigning it to --filter-after-parsing would ensure strict
> compatibility, but I don't know if it would be that clever, as that
> would not make so much difference for most users to assign -f to
> --filter-before-output, and it's probably what people would
> intuitively expect (as most of them want to use the summary option).
>
> What do you think?
>
> Herve
>
> --
>  _
> (°= Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/
>
> _______________________________________________
> wallfire-users mailing list
> wal...@li...
> https://lists.sourceforge.net/lists/listinfo/wallfire-users
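The following is an added illustration of the two filter placements discussed in this thread; it is not wflogs code and does not reproduce its filter language. It parses a few constructed netfilter-style syslog lines, summarizes them by (src, dst, proto, dport) the way a summary step would, and applies the same predicate once just after parsing and once just before output. With the predicate from the original question, `$count > 1`, the after-parsing placement matches nothing, because every parsed netfilter line carries count 1, while the before-output placement returns the aggregated records. The `sort_records` helper mimics the `--sort=dport,-count` spec from the quoted command line (field names and `-` for descending are the only assumptions made about its syntax).

```python
import re

# Constructed sample lines in the syslog/netfilter shape wflogs reads (not real logs).
SAMPLE_LOG = """\
Sep 15 00:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22 SYN
Sep 15 00:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN
Sep 15 00:02:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Sep 15 00:05:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 15 00:09:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=UDP SPT=1234 DPT=53
"""

# Minimal pattern: syslog clock, then the netfilter key=value fields we need.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<clock>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """One record per log line. Each netfilter line is one packet, so count is 1."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter line; skip it as a log parser would
        events.append({
            "start_time": m["clock"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dpt"]), "count": 1,
        })
    return events


def summarize(events, keys=("src", "dst", "proto", "dport")):
    """Collapse records sharing the key fields, adding counts and keeping the
    earliest start_time. This is the step that makes count exceed 1."""
    groups = {}
    for ev in events:
        k = tuple(ev[f] for f in keys)
        if k in groups:
            groups[k]["count"] += ev["count"]
            groups[k]["start_time"] = min(groups[k]["start_time"], ev["start_time"])
        else:
            groups[k] = dict(ev)
    return list(groups.values())


def filter_after_parsing(events, pred):
    """Placement Herve calls --filter-after-parsing: predicate sees count == 1."""
    return summarize([ev for ev in events if pred(ev)])


def filter_before_output(events, pred):
    """Placement Herve calls --filter-before-output: predicate sees summed counts."""
    return [ev for ev in summarize(events) if pred(ev)]


def sort_records(records, spec="dport,-count"):
    """Sort by a comma-separated field list; a leading '-' means descending.
    Stable sorts applied from the last key to the first give multi-key order."""
    for field in reversed(spec.split(",")):
        desc = field.startswith("-")
        name = field.lstrip("-")
        records = sorted(records, key=lambda r: r[name], reverse=desc)
    return records


def wanted(ev):
    """Equivalent of '$start_time >= [00:00:00] && $count > 1' from the thread."""
    return ev["start_time"] >= "00:00:00" and ev["count"] > 1


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("after parsing :", filter_after_parsing(events, wanted))   # []
    print("before output :", sort_records(filter_before_output(events, wanted)))
```

Running it prints an empty list for the after-parsing placement and a single aggregated record (192.0.2.10 to port 22, count 3) for the before-output placement, which is exactly the "yields nothing at all" behaviour James hit and the fix Herve proposes. Note that a second option is genuinely needed rather than a reordering of one filter: a time-window predicate evaluated after summary only sees the summarized start_time, so a filter meant to drop individual packets before they are counted has to run after parsing.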