[geeks] Pattern matching tcpdump output...

Caleb Shay caleb at webninja.com
Wed Nov 6 12:15:34 CST 2002


I must be misunderstanding something then:

caleb at Chinstrap caleb $ echo 192.168.0.1.80 | awk -F. '{print $1 "." $2 "." $3 "." $4}'
192.168.0.1
caleb at Chinstrap caleb $ echo 192.168.0.1 | awk -F. '{print $1 "." $2 "." $3 "." $4}'
192.168.0.1


Caleb

On Wed, 2002-11-06 at 12:53, Will Mc Donald wrote:
> That'd *only* work for the 2nd type of lines. Ideally I want something that'll
> grab SRC and DEST IP from any line. I suppose I could check to make sure the
> fields are as I expect them to be and if they don't match the usual format
> treat them accordingly.
> 
> Will.
> 
> 
> ----- Original Message -----
> From: "Caleb Shay" <caleb at webninja.com>
> To: <geeks at sunhelp.org>
> Sent: Wednesday, November 06, 2002 5:22 PM
> Subject: Re: [geeks] Pattern matching tcpdump output...
> 
> 
> > Couldn't you just use awk -F. '{print $1 "." $2 "." $3 "." $4}' ?, then
> > it doesn't matter if you pass it eg 192.168.0.1.80 OR 192.168.0.1,
> > you'll still just get the IP.
> >
> > Caleb
> >
> > On Wed, 2002-11-06 at 10:52, Will Mc Donald wrote:
> >
> > > But every now and then some packet without a port in the 3rd/5th fields pops
> > > up, e.g.
> > >
> > > 14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp
> > > port 1050 unreachable [tos 0xc0]
> > > 14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
> > > 14:19:18.100426 P 192.168.60.148 > 192.168.60.149: icmp: echo reply
> > >
> > > Generally I'm stripping out $3, $4 and $5 in awk then attempting to extract
> > > the IP addresses with...
> > >
> > > ~ s/(\d+\.\d+\.\d+\.\d+)\.\w+\s*>\s*(\d+\.\d+\.\d+\.\d+).*/$1 $2/g;
> > >
> > > But the second form of output (without port) is messing that up.
> _______________________________________________
> GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks
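The thread's two approaches each cover one line shape: Will's regex requires a port after the source address, and Caleb's `awk -F.` trick works on a single address but throws away the port. The following is an added example (not code from anyone in the thread) that handles both shapes in one awk program: it takes the 3rd and 5th whitespace-separated fields, strips the colon tcpdump appends to the destination, splits on dots, and treats a fifth component as the port. It assumes tcpdump was run with `-n`, so the fields are numeric `A.B.C.D` or `A.B.C.D.port`; with hostname resolution on, the dot-splitting would break, which is also why it validates each octet. The sample lines are constructed (two copied from the thread, one with ports added), and lines that do not fit the expected shape are skipped rather than mis-parsed.

```shell
#!/bin/sh
# Added example: pull src/dst IP (and port, if any) out of tcpdump lines
# whether or not the addresses carry a ".port" suffix.
# Assumes `tcpdump -n` output: field 3 is the source, field 4 is ">",
# field 5 is the destination followed by a colon.

# Constructed sample input: two lines from the thread plus one with ports
# and one junk line that must be ignored.
SAMPLE='14:19:05.123456 P 192.168.60.143.1050 > 194.75.36.143.53: udp 32
14:19:11.487086 P 192.168.60.143 > 192.168.60.144: icmp: 194.75.36.143 udp port 1050 unreachable [tos 0xc0]
14:19:18.100373 P 192.168.60.149 > 192.168.60.148: icmp: echo request
this line is not tcpdump output and should be skipped'

# extract_ips: reads tcpdump text on stdin, prints one line per packet:
#   "<src ip> <dst ip> <src port> <dst port>"   (port is "-" if absent)
extract_ips() {
    awk '
    # parse(field, out): split "A.B.C.D" or "A.B.C.D.port" into out["ip"]
    # and out["port"]. Returns 0 when the field is not an IPv4 form.
    function parse(field, out,    n, parts, i) {
        sub(/:$/, "", field)                 # tcpdump puts ":" after the dst
        n = split(field, parts, ".")
        if (n != 4 && n != 5) return 0       # 4 octets, optionally a port
        for (i = 1; i <= 4; i++)
            if (parts[i] !~ /^[0-9]+$/ || parts[i] + 0 > 255) return 0
        if (n == 5 && parts[5] !~ /^[0-9]+$/) return 0
        out["ip"]   = parts[1] "." parts[2] "." parts[3] "." parts[4]
        out["port"] = (n == 5) ? parts[5] : "-"
        return 1
    }
    # Only act on lines shaped like "<ts> <flag> <src> > <dst>: ..."
    $4 == ">" && parse($3, s) && parse($5, d) {
        print s["ip"], d["ip"], s["port"], d["port"]
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | extract_ips
```

On the sample this prints three lines (the junk line is dropped): the first carries ports 1050 and 53, the two ICMP lines carry `-` in both port columns. Because the port is kept as a separate column instead of being sliced off, the same output feeds either a src/dst-only report or a per-port breakdown.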