File: ragrep.1

Package: argus-clients 1:5.0.2+git20250321.41f65e2-2
.\"
.\" Argus-5.0 Software
.\" Copyright (c) 2000-2024 QoSient, LLC
.\" All rights reserved.
.\"
.\"
.TH RAGREP 1 "15 March 2023" "ragrep 5.0.3"
.SH NAME
\fBragrep\fP \- grep \fBargus(8)\fP user captured data.
.SH SYNOPSIS
.B ragrep
[\fBoptions\fP] \fB\-e\fP \fIpattern\fP [\fBraoptions\fP] [\fB--\fP \fIfilter-expression\fP]
.br
.B ragrep
[\fBoptions\fP] \fB\-f\fP \fIfile\fP [\fBraoptions\fP] [\fB--\fP \fIfilter-expression\fP]
.SH DESCRIPTION
.IX  "ragrep command"  ""  "\fLragrep\fP \(em argus data"
.LP
.B Ragrep
reads
.BR argus
data from an \fIargus-data\fP source, greps the records based on
the regexp specified on the command line, and outputs a valid
\fIargus-stream\fP.

Ragrep works only on the fields for user captured data. Argus must be started with the configuration option \fBARGUS_CAPTURE_DATA_LEN\fP set to
a value greater than 0 for these data to be captured. See \fBargus.conf(5)\fP for details.

Ragrep is based on GNU \fBgrep(1)\fP, so the \fIregexp\fP syntax is
the same as for \fBgrep(1)\fP.
.SH OPTIONS
Ragrep, like all ra based clients, supports a number of
\fBra options\fP including filtering of input argus
records through a terminating filter expression.
See \fBra(1)\fP for a complete description of \fBra options\fP.
\fBragrep(1)\fP specific options are:
.PP
.PD 0
.TP 4 4
.B \-c
Suppress normal output; instead print a count of
matching lines for each input file.
With the
.BR \-v ", " \-\^\-invert-match
option (see below), count non-matching lines.

.TP 4 4
.B \-e <regex>
Match regular expression in flow user data fields.  Prepend the regex with
either "s:" or "d:" to limit the match to either the source or destination
user data fields.  Examples include:
.nf
   "^SSH-"           - Look for ssh connections on any port.
   "s:^GET"          - Look for HTTP GET requests in the source buffer.
   "d:^HTTP.*Unauth" - Find unauthorized http response.

.fi
.TP
.BI \-f " FILE"
Obtain patterns from
.IR FILE ,
one per line.
The empty file contains zero patterns, and therefore matches nothing.

.TP
.BR \-i
Ignore case distinctions in both the
.I PATTERN
and the input files.

.TP
.BR \-L
Suppress normal output; instead print the name
of each input file from which no output would
normally have been printed.  The scanning will stop
on the first match.

.TP
.BR \-l
Suppress normal output; instead print
the name of each input file from which output
would normally have been printed.  The scanning will
stop on the first match.

.TP
.BR \-q
Quiet; do not write anything to standard output.
Exit immediately with zero status if any match is found,
even if an error was detected.

.TP
.BR \-R
Read all files under each directory, recursively;
this is equivalent to the
.B "\-d recurse"
option.

.TP
.B \-v
Reverse the expression matching logic.

.SH DIAGNOSTICS
.PP
Normally, exit status is 0 if selected records are found and 1 otherwise.
But the exit status is 2 if an error occurred, unless the
.B \-q
option is used and a selected line is found.


.SH INVOCATION
A sample invocation of \fBragrep(1)\fP.  This call reads \fBargus(8)\fP data
from \fBinputfile\fP and greps all http transactions that generated a "404 Not Found" error.

.TP 5
\fBragrep\fP -r inputfile -e "HTTP.*404"

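The matching rules described above (the "s:"/"d:" direction prefixes of \-e, the \-i, \-v and \-c options, and the DIAGNOSTICS exit status) modelled in Python over constructed flow records, as an added illustration that is not ragrep's own code; the FLOWS sample data and the (source, destination) field layout are assumptions made for the example:

```python
"""Model of ragrep's documented -e matching on argus user-capture data.

Illustrative re-implementation of the semantics this man page describes
(direction prefixes "s:"/"d:", -i, -v, -c and the DIAGNOSTICS exit codes);
not ragrep's own code. The flow records below are constructed sample data.
"""
import re

# Constructed sample records: (source user data, destination user data),
# the fields argus captures when ARGUS_CAPTURE_DATA_LEN is greater than 0.
FLOWS = [
    ("GET /index.html HTTP/1.1\r\nHost: example.test", "HTTP/1.1 200 OK\r\n"),
    ("GET /admin HTTP/1.1\r\n", "HTTP/1.1 401 Unauthorized\r\n"),
    ("GET /missing HTTP/1.1\r\n", "HTTP/1.1 404 Not Found\r\n"),
    ("SSH-2.0-OpenSSH_9.6", "SSH-2.0-OpenSSH_8.9"),
    ("", ""),  # flow with no captured user data
]

def compile_pattern(expr, ignore_case=False):
    """Split an optional "s:"/"d:" direction prefix off a -e expression."""
    direction = None
    if expr[:2] in ("s:", "d:"):
        direction, expr = expr[0], expr[2:]
    return direction, re.compile(expr, re.IGNORECASE if ignore_case else 0)

def flow_matches(flow, direction, regex):
    """A record is selected if the regex hits any field the prefix allows."""
    src, dst = flow
    fields = {"s": [src], "d": [dst], None: [src, dst]}[direction]
    return any(regex.search(f) for f in fields)

def ragrep(flows, expr, ignore_case=False, invert=False, count=False):
    """Return (selected records, or their count with -c, exit status).

    Exit status follows DIAGNOSTICS: 0 if any record was selected, 1
    otherwise. The error status 2 and the -q override are not modelled.
    """
    direction, regex = compile_pattern(expr, ignore_case)
    selected = [f for f in flows
                if flow_matches(f, direction, regex) != invert]
    status = 0 if selected else 1
    return (len(selected) if count else selected), status

if __name__ == "__main__":
    for expr in ("^SSH-", "s:^GET", "d:^HTTP.*Unauth", "HTTP.*404"):
        out, status = ragrep(FLOWS, expr, count=True)
        print(f"{expr!r}: {out} matching record(s), exit {status}")
```

Because "^" anchors at the start of the captured buffer, "s:^GET" selects only flows whose source data begins with the request line, which is the property that makes the direction prefix useful for picking out request versus response traffic.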
.SH SEE ALSO
.BR ra (1),
.BR rarc (5),
.BR argus (8)

.SH COPYRIGHT
Copyright (c) 2000-2024 QoSient. All rights reserved.
.SH AUTHORS
.nf
Carter Bullard (carter@qosient.com).
.fi
.SH BUGS