Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

tcpdump and awk

Status
Not open for further replies.
concico

concico

Programmer
Feb 18, 2009
3
IT
If i do this command "tcpdump -xls 60 -n dst host 90.90.90.62 and dst port 8080 and udp"
my output is:

11:13:50.309476 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d5 0000 06fa
11:13:50.317439 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d6 0000 06fa
11:13:50.329503 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d7 0000 06fa
11:13:50.337415 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d8 0000 06fa
11:13:50.345464 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d9 0000 06fa
11:13:50.353431 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04da 0000 06fa


My intersting part are those in bold in the first line:

I would an output like this:

riga:XX matrice: XXXXXXXX

where
riga is thre second element in bold
matrice is the combination of the third and the forth element in bold

I do like this:

tcpdump -xls 60 -n dst host $1 and dst port 8080 and udp | awk '/0x0020/ { print "riga: "substr($6,3) " matrice:" $7 $8 }'

And it work fine.

Now i would on output like this:

Port: xxxxx riga:xx matrice:xxxxxxxx

where riga and matrice are the same as before and port is the port of trasmission of the current packet: the first element in bold

Thanks to all
 
Sort by date Sort by votes
awk '$2=="IP"{p=$3;sub(/.*\./,"",p)}/0x0020/ { print "Port:"p" riga: "substr($6,3) " matrice:" $7 $8 }'

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
Upvote 0 Downvote
Now i ahve another question.....

i know that the value riga go from 00 to fe and is increment of 1.

If the value in next packet is not incremented of 1 is possible to print something like

"MISS PACKET!!!!!"(packet miss) and then print the corrent value??

for example:

port: 56529 riga: 00 matrice: 00000118
port: 56529 riga: 01 matrice: 00000118
port: 56529 riga: 03 matrice: 00000118
port: 56529 riga: 06 matrice: 00000118

Shoul became:

port: 56529 riga: 00 matrice: 00000118
port: 56529 riga: 01 matrice: 00000118
***MISS****port: 56529 riga: 02 matrice: 00000118
port: 56529 riga: 03 matrice: 00000118
***MISS***port: 56529 riga: 04 matrice: 00000118
***MISS***port: 56529 riga: 06 matrice: 00000118
port: 56529 riga: 06 matrice: 00000118
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MotorCycleDude
  • Locked
  • Question
awk Question
Replies
12
Views
415
mikrom
mikrom
FrancisMMM
  • Locked
  • Question
awk parsing is getting slower and stalled :(
Replies
1
Views
196
FrancisMMM
FrancisMMM
johnegracejr
  • Locked
  • Question
AWK suffix overwriting original text.
Replies
1
Views
241
feherke
feherke
V_M
  • Locked
  • Question
Awk Command not able to read French/Spanish characters from a file
Replies
1
Views
193
mikrom
mikrom
dlicheri
  • Locked
  • Question
awk - transposing output of program 1
Replies
4
Views
255
mikrom
mikrom

Part and Inventory Search

Sponsor

Back
Top