[geeks] Pattern matching tcpdump output...

Will Mc Donald wmcdonald at ntlworld.com
Wed Nov 6 11:53:49 CST 2002


That'd *only* work for the 2nd type of lines. Ideally I want something that'll
grab SRC and DEST IP from any line. I suppose I could check to make sure the
fields are as I expect them to be and if they don't match the usual format
treat them accordingly.

Will.


----- Original Message -----
From: "Caleb Shay" <caleb at webninja.com>
To: <geeks at sunhelp.org>
Sent: Wednesday, November 06, 2002 5:22 PM
Subject: Re: [geeks] Pattern matching tcpdump output...


> Couldn't you just use awk -F. '{print $1 "." $2 "." $3 "." $4}'? Then
> it doesn't matter if you pass it e.g. 192.168.0.1.80 OR 192.168.0.1,
> you'll still just get the IP.
>
> Caleb
>
> On Wed, 2002-11-06 at 10:52, Will Mc Donald wrote:
>
> > But every now and then some packet without a port in the 3rd/5th fields pops
> > up, e.g.
> >
> > 14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp
> > port 1050 unreachable [tos 0xc0]
> > 14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
> > 14:19:18.100426 P 192.168.60.148 > 192.168.60.149: icmp: echo reply
> >
> > Generally I'm stripping out $3, $4 and $5 in awk then attempting to extract
> > the IP addresses with...
> >
> > ~ s/(\d+\.\d+\.\d+\.\d+)\.\w+\s*>\s*(\d+\.\d+\.\d+\.\d+).*/$1 $2/g;
> >
> > But the second form of output (without port) is messing that up.
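The parsing problem the thread is circling is that tcpdump's source and destination tokens carry an optional ".port" (or ".service") suffix, so the substitution above only fires on lines that have it. The following is an added example written for this page, not code from Will or Caleb: it makes the port suffix optional in the regex so one pattern covers both line shapes, returns None for lines that carry no IPv4 pair at all (which is the "treat them accordingly" case), and wraps Caleb's first-four-dot-fields trick with a check that the token really is an address. The first and last sample lines (a UDP query and an ARP request) are constructed; the three ICMP lines are the ones quoted in the thread.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple

# Hypothetical example, not from the thread. Matches the
# "timestamp [flag] src[.port] > dst[.port]: ..." shape of the tcpdump
# lines above. The port/service suffix after each address is optional,
# so the same pattern handles "192.168.60.143.1050 > 194.75.36.143.domain:"
# and "192.168.60.143 > 192.168.60.144: icmp: ...".
_DOTTED_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"        # 14:19:11.487086
    r"(?:[A-Za-z]\s+)?"                           # optional one-letter flag ("P")
    rf"(?P<src>{_DOTTED_QUAD})(?:\.(?P<sport>\w+))?"
    r"\s*>\s*"
    rf"(?P<dst>{_DOTTED_QUAD})(?:\.(?P<dport>\w+))?"
    r":"                                          # the colon ends the address pair
)


def extract_endpoints(line: str) -> Optional[Tuple[str, str]]:
    """Return (src_ip, dst_ip) for a packet line, or None when the line has
    no IPv4 pair in the expected position (arp, truncated lines, noise).
    The third address inside an ICMP unreachable message is deliberately
    ignored: only the pair before the first ':' is the packet's own."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst")


def strip_port(endpoint: str) -> str:
    """Caleb's awk -F. '{print $1 "." $2 "." $3 "." $4}' idea: keep the first
    four dot-separated fields. It is only safe on a token already known to
    be an address, so refuse anything whose first four fields are not octets
    instead of silently returning garbage."""
    quad = endpoint.split(".")[:4]
    if len(quad) != 4 or not all(f.isdigit() and int(f) <= 255 for f in quad):
        raise ValueError(f"not an IPv4 endpoint: {endpoint!r}")
    return ".".join(quad)


def conversation_pairs(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (src, dst) for every line that parses; skip the rest."""
    for line in lines:
        pair = extract_endpoints(line)
        if pair is not None:
            yield pair


# Constructed sample: lines 1 and 5 are made up for this example, lines 2-4
# are the ICMP lines quoted in the thread.
SAMPLE = """\
14:19:10.982200 P 192.168.60.143.1050 > 194.75.36.143.domain: udp 29
14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp port 1050 unreachable [tos 0xc0]
14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
14:19:18.100426 P 192.168.60.148 > 192.168.60.149: icmp: echo reply
14:19:20.000001 P arp who-has 192.168.60.1 tell 192.168.60.143
""".splitlines()


if __name__ == "__main__":
    for src, dst in conversation_pairs(SAMPLE):
        print(src, dst)
```

Feeding real captures through it: lines that do not match come back as None rather than as a mangled pair, so anything new that tcpdump emits (ARP, non-IP frames, a different timestamp format) shows up as a gap you can count, not as a bogus address in the output.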