#
# this config demonstrates how to use log_analysis in real mode to monitor
# commands that continuously produce output
#
# Overview: registers a "tcpdump" log type whose input is the continuous
# output of `tcpdump -nl` rather than a file on disk, then matches two kinds
# of lines (a generic "host.port > host.port" traffic line and an ARP
# who-has request) and reformats each into a one-line summary routed to its
# own destination.
#
config_version 0.40.02

# register the log type that is configured below
add arr log_type_list= tcpdump

# no date, but there is a timestamp to strip
# tcpdump lines begin with HH:MM:SS.uuuuuu followed by whitespace; the empty
# capture group presumably leaves the date field empty so only the timestamp
# prefix is stripped (date_format is left empty for the same reason) --
# the tool's date handling itself is not shown here
set var tcpdump_date_pattern=^()\d{2}:\d{2}:\d{2}\.\d{6}\s+
set var tcpdump_date_format=

# the "filename" is the command name, not a path; the actual input is the
# command configured in tcpdump_open_command below
set arr tcpdump_filenames= tcpdump

# append (not prepend) /usr/local/sbin so tcpdump can be found while the
# existing PATH entries keep precedence in the lookup order
add var PATH=:/usr/local/sbin

# -n: no name resolution, so captured addresses do not trigger DNS lookups
#     and the lines below carry raw addresses
# -l: line-buffered stdout, so each line is delivered as soon as it is written
set var tcpdump_open_command=tcpdump -nl

# the command never terminates on its own; read its output as a stream
set var tcpdump_open_command_is_continuous=1

logtype: tcpdump

# generic traffic line: "src.sport > dst.dport: ..."
# $1 = source host, $2 = source port, $3 = destination host, $4 = destination
# port; the summary prints $1, $3 and $4 and drops the source port.
# All captured fields come from network traffic; %-15s is a minimum field
# width, not a truncation, so longer values are printed in full.
pattern: ($pat{host})\.($pat{word}) \> ($pat{host})\.($pat{word})\:.*
format: "%-15s => %-15s %s", $1, $3, $4
use_sprintf
dest: packet intercepted

# ARP request: "arp who-has <target ip> tell <sender ip>"
# $1 = target being looked up, $2 = sender; printed sender first
pattern: arp who-has ($pat{ip}) tell ($pat{ip})
format: "%-15s is looking for %s", $2, $1
use_sprintf
dest: ARP request