[geeks] Pattern matching tcpdump output...
Caleb Shay
caleb at webninja.com
Wed Nov 6 11:22:02 CST 2002
Couldn't you just use awk -F. '{print $1 "." $2 "." $3 "." $4}'? Then
it doesn't matter if you pass it e.g. 192.168.0.1.80 OR 192.168.0.1,
you'll still just get the IP.
Caleb
On Wed, 2002-11-06 at 10:52, Will Mc Donald wrote:
> But every now and then some packet without a port in the 3rd/5th fields pops
> up, e.g.
>
> 14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp
> port 1050 unreachable [tos 0xc0]
> 14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
> 14:19:18.100426 P 192.168.60.148 > 192.168.60.149: icmp: echo reply
>
> Generally I'm stripping out $3, $4 and $5 in awk then attempting to extract
> the IP addresses with...
>
> ~ s/(\d+\.\d+\.\d+\.\d+)\.\w+\s*>\s*(\d+\.\d+\.\d+\.\d+).*/$1 $2/g;
>
> But the second form of output (without port) is messing that up.
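The approach both posts are circling, written out as a complete, runnable example (this is an added example, not code from either poster). It assumes the field layout shown in Will's sample lines (source host in $3, ">" in $4, destination host in $5), that the host field may carry a trailing ".port" where the port is numeric or a service name such as "domain", and that the destination field ends in a colon. The awk function keeps only the first four dot-separated pieces of each host field, so the "with port" and "without port" forms of tcpdump output are handled the same way. The sample capture lines are constructed for the example.

```sh
#!/bin/sh
# Extract "src dst" IP pairs from classic tcpdump output, tolerating the
# presence or absence of a trailing ".port" on either host field.

extract_ip_pair() {
    awk '
    # ip_of: return the leading dotted quad of a tcpdump host field.
    # Drops a trailing ":" and anything after the fourth dot (the port,
    # numeric or a service name). Returns "" if the field is not an IP.
    function ip_of(f,    n, a) {
        sub(/:$/, "", f)
        n = split(f, a, ".")
        if (n < 4) return ""
        if (a[1] !~ /^[0-9]+$/ || a[4] !~ /^[0-9]+$/) return ""
        return a[1] "." a[2] "." a[3] "." a[4]
    }
    # Assumed layout (from the quoted post): $3 is source, $4 is ">",
    # $5 is destination. Other lines are ignored rather than mangled.
    $4 == ">" {
        s = ip_of($3); d = ip_of($5)
        if (s != "" && d != "") print s, d
    }'
}

# Constructed sample lines in the same shape as the quoted tcpdump output:
# one TCP line with ports, two ICMP lines without ports, one DNS line with
# a service name as the source port.
SAMPLE='14:19:11.487086 P 192.168.60.143.1050 > 192.168.60.144.80: S 12345:12345(0) win 5840
14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp port 1050 unreachable [tos 0xc0]
14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
14:19:20.000000 P 10.0.0.5.domain > 10.0.0.1.53: 1+ A? example.com. (29)'

# Run the extractor over the constructed sample; used by the check below.
sample_pairs() {
    printf '%s\n' "$SAMPLE" | extract_ip_pair
}

sample_pairs
```

Because the split happens per field (after awk's default whitespace splitting), the dots in the timestamp never interfere, and lines whose fifth field is not an IP are skipped instead of producing a half-parsed pair; piping the output through sort | uniq -c gives a quick talker summary from a capture.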