RAGREP(1)                   General Commands Manual                  RAGREP(1)

NAME

       ragrep - grep argus(8) user captured data.


SYNOPSIS

       ragrep [options] -e pattern [raoptions] [-- filter-expression]
       ragrep [options] -f file    [raoptions] [-- filter-expression]


DESCRIPTION

       Ragrep  reads  argus  data from an argus-data source, greps the records
       based on the regexp specified on the command line, and outputs a  valid
       argus-stream.

       Ragrep  works  only on the fields for user captured data. Argus must be
       started with the configuration option ARGUS_CAPTURE_DATA_LEN set  to  a
       value  greater  than  0, to have these data captured. See argus.conf(5)
       for details.

       Ragrep is based on GNU grep(1), so the regexp syntax is the same as for
       grep(1).


OPTIONS

       Ragrep,  like  all  ra  based  clients, supports a number of ra options
       including filtering of input argus records through a terminating filter
       expression.   See  ra(1)  for  a  complete  description  of ra options.
       ragrep(1) specific options are:

       -c  Suppress normal output; instead print a count of matching lines for
           each  input  file.  With the -v, --invert-match option (see below),
           count non-matching lines.

       -e <regex>
           Match regular expression in flow user  data  fields.   Prepend  the
           regex  with  either  "s:"  or "d:" to limit the match to either the
           source or destination user data fields.  Examples include:
              "^SSH-"           - Look for ssh connections on any port.
              "s:^GET"          - Look for HTTP GET requests in the source buffer.
              "d:^HTTP.*Unauth" - Find unauthorized http responses.

       -f FILE
           Obtain patterns from FILE, one per line.  The empty  file  contains
           zero patterns, and therefore matches nothing.

       -i  Ignore case distinctions in both the PATTERN and the input files.

       -L  Suppress  normal  output; instead print the name of each input file
           from which no output would normally have been printed.  The scanning
           will stop on the first match.

       -l  Suppress  normal  output; instead print the name of each input file
           from which output would normally have been printed.   The  scanning
           will stop on the first match.

       -q  Quiet;  do not write anything to standard output.  Exit immediately
           with zero status if any match  is  found,  even  if  an  error  was
           detected.

       -R  Read all files under each directory, recursively; this is equivalent
           to the -d recurse option.

       -v  Reverse the expression matching logic.


DIAGNOSTICS

       Normally, exit status is 0 if selected records are found and 1 otherwise.
       But the exit status is 2 if an error occurred, unless the -q  option  is
       used and a selected line is found.


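       The following Python model, added here as an illustration and not part of
       the argus client code, shows how the -e pattern forms ("s:" / "d:"
       prefixes), -i, -v, -c and the exit-status rules above combine when applied
       to the user captured data of a flow record.  The FlowRecord class, the
       ragrep() and exit_status() functions and the sample records are
       constructed for the example; a real deployment would read an argus
       stream instead.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class FlowRecord:
    """Hypothetical stand-in for an argus record: only the two user-data buffers
    that ragrep inspects (source-side and destination-side captured bytes)."""
    src_user_data: bytes
    dst_user_data: bytes


def compile_pattern(pattern: str, ignore_case: bool = False):
    """Parse one -e style pattern. An 's:' or 'd:' prefix limits the match to the
    source or destination buffer; otherwise both buffers are searched."""
    direction = "any"
    if pattern.startswith("s:"):
        direction, pattern = "src", pattern[2:]
    elif pattern.startswith("d:"):
        direction, pattern = "dst", pattern[2:]
    flags = re.IGNORECASE if ignore_case else 0
    # User data is raw bytes, so compile a bytes regex (latin-1 keeps 1 char = 1 byte).
    return direction, re.compile(pattern.encode("latin-1"), flags)


def record_matches(rec: FlowRecord, direction: str, regex) -> bool:
    """True if the regex is found in any buffer the pattern's prefix allows."""
    buffers = []
    if direction in ("any", "src"):
        buffers.append(rec.src_user_data)
    if direction in ("any", "dst"):
        buffers.append(rec.dst_user_data)
    return any(regex.search(buf) for buf in buffers)


def ragrep(records: List[FlowRecord], patterns: List[str], invert: bool = False,
           ignore_case: bool = False, count_only: bool = False):
    """Select records like ragrep would: a record is selected when any pattern
    matches (-v reverses that); -c returns the count instead of the records.
    Returns (records_or_count, exit_status) using the 0 / 1 rule from DIAGNOSTICS.
    An empty pattern list (as from an empty -f file) matches nothing."""
    compiled = [compile_pattern(p, ignore_case) for p in patterns]
    selected = [rec for rec in records
                if any(record_matches(rec, d, r) for d, r in compiled) != invert]
    status = 0 if selected else 1
    return (len(selected) if count_only else selected), status


def exit_status(selected_count: int, error_occurred: bool, quiet: bool) -> int:
    """Full exit-status rule: 0 if anything was selected, 1 otherwise, 2 on error,
    except that with -q a found match wins over an error."""
    if quiet and selected_count > 0:
        return 0
    if error_occurred:
        return 2
    return 0 if selected_count > 0 else 1


# Constructed sample records (not captured traffic): an SSH banner exchange,
# two HTTP transactions and one binary (DNS-like) exchange.
SAMPLE = [
    FlowRecord(b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_7.4\r\n"),
    FlowRecord(b"GET /admin HTTP/1.1\r\nHost: example.test\r\n",
               b"HTTP/1.1 404 Not Found\r\n"),
    FlowRecord(b"GET /secret HTTP/1.1\r\nHost: example.test\r\n",
               b"HTTP/1.1 401 Unauthorized\r\n"),
    FlowRecord(b"\x12\x34\x01\x00", b"\x12\x34\x81\x80"),
]

if __name__ == "__main__":
    for pat in ["^SSH-", "s:^GET", "d:^HTTP.*Unauth", "HTTP.*404"]:
        hits, status = ragrep(SAMPLE, [pat], count_only=True)
        print(f"{pat!r:22} matched {hits} record(s), exit status {status}")
```

       Note that "s:^HTTP.*Unauth" selects nothing in the sample, because the
       status line lives in the destination buffer; the direction prefix is what
       keeps a server-response pattern from also firing on client-sent bytes.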

INVOCATION

       A sample invocation of ragrep(1).  This call reads argus(8)  data  from
       inputfile  and  greps  all  http transactions that generated a "404 Not
       Found" error.

       ragrep -r inputfile -e "HTTP.*404"


SEE ALSO

       ra(1), rarc(5), argus(8)

       Copyright (c) 2000-2016 QoSient. All rights reserved.

AUTHORS

       Carter Bullard (carter@qosient.com).

BUGS

ragrep 3.0.8                     15 March 2010                       RAGREP(1)