Re: [wallfire-users] Needing help with $count filter option
From: James L. <jl...@sl...> - 2005-09-15 20:39:03
Herve,

Didn't address your question in my first email...but I would have these
long options:

--count-before-filter
--filter-before-count

James

On Thu, 15 Sep 2005 20:38:15 +0200
Herve Eychenne <rv...@wa...> wrote:

> On Thu, Sep 15, 2005 at 02:03:26AM -0600, James Lay wrote:
>
> Hi!
>
> > Here's what I'm trying to do:
>
> > wflogs -i netfilter -f '$start_time >= [00:00:00] && $count > 1' -o
> > html --sort=dport,-count --resolve=0 --whois=0 /var/log/kernel >
> > test.html
>
> > The above yields nothing at all :( If I remove the $count > 1 then
> > I get all sorts of info...including a lot of things that have counts
> > above one. Am I missing something? Help!
>
> Oh, yes.
> Filtering currently takes place before summary.
> So, as netfilter log lines concern only one packet at a time, $count
> is always equal to 1 (for netfilter).
>
> I guess filtering _after_ summary would make sense too...
> so we should probably enable both.
>
> Now, the question is: how would we name the long options so that it
> is clear that
> - the first filter is done before summary (or any other operation such
>   as sort, obfuscation, etc...). In fact, it is done just after
>   parsing, so maybe a name like --filter-after-parsing would be good
> - the second filter is done after summary (and all), so a name like
>   --filter-before-output would be good.
>
> Now, we must keep backward compatibility, by keeping the old -f
> letter.
>
> So once --filter-before-output is implemented (which I intend to do in
> the very next days as it is only a few lines of code), I'll have to
> choose if it would be better to assign -f to --filter-after-parsing
> (which it was until now) or to --filter-before-output (-F being created
> and assigned to the other).
> Assigning it to --filter-after-parsing would ensure strict
> compatibility, but I don't know if it would be that clever, as that
> would not make so much difference for most users to assign -f to
> --filter-before-output, and it's probably what people would
> intuitively expect (as most of them want to use the summary option).
>
> What do you think?
>
> Herve
>
> --
>  _
> (°= Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/

_______________________________________________
wallfire-users mailing list wal...@li...
https://lists.sourceforge.net/lists/listinfo/wallfire-users
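The following is an added example, not code from this thread or from the WallFire/wflogs project. It is a small Python stand-in for the wflogs pipeline Herve describes (parse, filter, summary, filter, output) that shows on constructed netfilter log lines why `$count > 1` matches nothing when the filter runs right after parsing, and why the same condition works when it runs after the summary step. The filters are plain Python callables standing in for wflogs `-f` expressions, the sample lines are constructed for this example, and the summary key (src, dst, proto, dport) is an assumption about how flows get aggregated, not wflogs' actual grouping.

```python
import re
from collections import OrderedDict
from typing import Callable, Dict, List, Optional

# Constructed sample (not a real capture): netfilter LOG lines as they would
# appear in /var/log/kernel. Each line is exactly one packet, which is why a
# freshly parsed record always carries count == 1.
SAMPLE_LOG = """\
Sep 15 00:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Sep 15 00:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 15 00:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Sep 15 00:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
Sep 15 00:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=53 DPT=1024
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
Record = Dict[str, object]
Filter = Callable[[Record], bool]


def parse(log_text: str) -> List[Record]:
    """One record per netfilter log line; count is 1 because one line == one packet."""
    records: List[Record] = []
    for line in log_text.splitlines():
        if "kernel:" not in line:
            continue
        fields = dict(KV_RE.findall(line.split("kernel:", 1)[1]))
        records.append({
            "start_time": line[7:15],          # HH:MM:SS from the syslog timestamp
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dport": int(fields["DPT"]) if fields.get("DPT") else None,
            "count": 1,
        })
    return records


def summarize(records: List[Record], key=("src", "dst", "proto", "dport")) -> List[Record]:
    """Aggregate records with the same key, summing count (the summary step).

    The key fields are an assumption for this example, not wflogs' grouping."""
    groups: "OrderedDict[tuple, Record]" = OrderedDict()
    for r in records:
        k = tuple(r[f] for f in key)
        if k not in groups:
            groups[k] = dict(r)
        else:
            groups[k]["count"] += r["count"]
    return list(groups.values())


def run(log_text: str,
        filter_after_parsing: Optional[Filter] = None,
        filter_before_output: Optional[Filter] = None) -> List[Record]:
    """Pipeline with both filter points Herve proposes:
    parse -> (filter after parsing) -> summary -> (filter before output) -> sort."""
    records = parse(log_text)
    if filter_after_parsing is not None:
        records = [r for r in records if filter_after_parsing(r)]
    records = summarize(records)
    if filter_before_output is not None:
        records = [r for r in records if filter_before_output(r)]
    # Mirror --sort=dport,-count: ascending dport, then descending count.
    records.sort(key=lambda r: (r["dport"] or 0, -r["count"]))
    return records


# Python stand-in for the wflogs expression '$start_time >= [00:00:00] && $count > 1'.
def wanted(r: Record) -> bool:
    return r["start_time"] >= "00:00:00" and r["count"] > 1


def demo():
    """Returns (rows when filtering after parsing, rows when filtering before output)."""
    early = run(SAMPLE_LOG, filter_after_parsing=wanted)   # today's -f behaviour
    late = run(SAMPLE_LOG, filter_before_output=wanted)    # proposed --filter-before-output
    return early, late


if __name__ == "__main__":
    early, late = demo()
    print("filter after parsing :", early)   # empty: every per-packet record has count 1
    print("filter before output :", late)    # the 203.0.113.5 -> :22 flow with count 3
```

Running `demo()` on the constructed lines gives an empty result for the filter-after-parsing path, exactly the "yields nothing at all" James saw, while the filter-before-output path returns the one aggregated flow (three SYNs to port 22 from the same source) with count 3. Note that a "count" filter only has meaning on the post-summary side; a time-range filter, by contrast, is cheaper on the post-parse side because it discards packets before they are aggregated.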