[geeks] Pattern matching tcpdump output...

Will Mc Donald wmcdonald at ntlworld.com
Wed Nov 6 09:52:59 CST 2002


Guys,

can anyone help me out with some problems I'm having trying to track down
land_attack errors on our LAN? Our firewall's complaining about them but
helpfully not providing the SRC/DEST IP address it thinks is being spoofed.

I'm running tcpdump on a box connected to the monitoring port of the switch
and trying to find packets with the same source and destination IP and it's
proving a little beyond my awk/grep/whatever capabilities. With some pointers
from one of our developers I've tried using perl regexps to extract and then
match the IP addresses from the output.

Usually the tcpdump output is of the form...

14:19:08.668090 P 192.168.60.80.1022 > 192.168.60.145.2049: udp 140 (DF)
14:19:08.668200 P 192.168.60.144.2049 > 192.168.60.80.1022: udp 96
14:19:08.668785 P 192.168.60.80.1022 > 192.168.60.145.2049: udp 108 (DF)
14:19:08.668880 P 192.168.60.144.2049 > 192.168.60.80.1022: udp 96
14:19:08.669554 P 192.168.60.80.1022 > 192.168.60.145.2049: udp 108 (DF)
14:19:08.669653 P 192.168.60.144.2049 > 192.168.60.80.1022: udp 96

But every now and then some packet without a port in the 3rd/5th fields pops
up, e.g.

14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp port 1050 unreachable [tos 0xc0]
14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
14:19:18.100426 P 192.168.60.148 > 192.168.60.149: icmp: echo reply

Generally I'm stripping out $3, $4 and $5 in awk then attempting to extract
the IP addresses with...

~ s/(\d+\.\d+\.\d+\.\d+)\.\w+\s*>\s*(\d+\.\d+\.\d+\.\d+).*/$1 $2/g;

But the second form of output (without port) is messing that up.

So, can anyone enlighten me as to the best way to extract and match SRC and
DEST from this sort of output? Am I doing this in an unnecessarily
complex/brain damaged way (highly probable)?

Cheers,

Will.
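An added example, not part of Will's post or any reply to it: one way to do the src/dst comparison he describes with a single awk program instead of an awk-then-perl pipeline. It reads the tcpdump lines on stdin, takes the third and fifth fields as source and destination, strips a trailing ":" and (when the field has five dot-separated parts) a trailing ".port", and prints only the lines whose two addresses are equal. It assumes tcpdump was run with -n so both fields are numeric dotted quads rather than host names; the sample input below is the post's own lines plus two constructed packets with identical source and destination added for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag "land attack" candidates,
# i.e. packets whose source and destination IP addresses are identical, in
# tcpdump output of the form shown in the post.
# Assumption: tcpdump was run with -n, so the 3rd and 5th fields are dotted
# quads with an optional ".port" suffix (host names would break the dot count).

# land_candidates: read tcpdump lines on stdin and print "timestamp src dst"
# for every line whose source and destination IP addresses are the same.
land_candidates() {
    awk '
        # Strip a trailing ":" (the destination field carries one) and, when
        # the field is a dotted quad plus a port (five dot-separated parts),
        # the trailing ".port". A bare dotted quad is returned unchanged.
        function host(f,    n, p) {
            sub(/:$/, "", f)
            n = split(f, p, ".")
            if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
            return f
        }
        # Only lines shaped "<ts> <flag> <src> > <dst> ..." are of interest;
        # the ICMP lines without ports have the same field positions.
        $4 == ">" {
            s = host($3); d = host($5)
            if (s == d) print $1, s, d
        }
    '
}

# Constructed sample: lines quoted in the post plus two made-up packets from
# 192.168.60.99 to itself (one with ports, one ICMP without).
SAMPLE='14:19:08.668090 P 192.168.60.80.1022 > 192.168.60.145.2049: udp 140 (DF)
14:19:08.668200 P 192.168.60.144.2049 > 192.168.60.80.1022: udp 96
14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp port 1050 unreachable [tos 0xc0]
14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
14:19:20.000000 P 192.168.60.99.139 > 192.168.60.99.139: udp 28
14:19:21.000000 P 192.168.60.99 > 192.168.60.99: icmp: echo request'

# Run over the sample. On the monitoring box this would instead be something
# like:  tcpdump -n -i eth0 | land_candidates
printf '%s\n' "$SAMPLE" | land_candidates
```

Running it on the sample prints only the two constructed 192.168.60.99 lines. The classic land packet also has source and destination ports equal, so if the firewall's check is that strict, compare the raw $3 and $5 fields (minus the trailing colon) as well; comparing only the addresses, as above, is the broader net.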


