bash tcpdump:仅输出源地址和目标地址
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13492611/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
tcpdump: Output only source and destination addresses
提问by Eigir
Problem description:
问题描述:
I want to print only the source and destination address from a tcpdump[1].
我只想从 tcpdump[1] 打印源地址和目标地址。
Have one working solution, but believe it could be improved a lot. An example that captures 5 packets, just as an example of what I'm looking for:
有一个可行的解决方案,但相信它可以改进很多。一个捕获 5 个数据包的示例,作为我正在寻找的示例:
tcpdump -i eth1 -n -c 5 ip | \
cut -d" " -f3,5 | \
sed -e 's/^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\..* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*$/ > /'
Question:
题:
Can this be done in any easier way? Performance is also an issue here.
这可以以更简单的方式完成吗?性能也是一个问题。
[1] A part of a test if the snort home_net is correctly defined, or if we see traffic not defined in the home_net.
[1] 如果 snort home_net 定义正确,或者我们看到 home_net 中未定义流量,则作为测试的一部分。
Solution:
解决方案:
Ok, thanks to everyone who have replied to this one. There have been two concerns related to the answers, one is the compatibility across different linux-versions and the second one is speed.
好的,感谢所有回答这个问题的人。有两个与答案相关的问题,一个是跨不同 linux 版本的兼容性,第二个是速度。
Here is the results on the speed test I did. First the grep-version:
这是我所做的速度测试的结果。首先是grep版本:
time tcpdump -l -r test.dmp -n ip 2>/dev/null | grep -P -o '([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*? > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' | grep -P -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | xargs -n 2 echo >/dev/null
real 0m5.625s
user 0m0.513s
sys 0m4.305s
Then the sed-version:
然后是 sed 版本:
time tcpdump -n -r test.dmp ip | sed -une 's/^.* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..*$/ > /p' >/dev/null
reading from file test.dmp, link-type EN10MB (Ethernet)
real 0m0.491s
user 0m0.496s
sys 0m0.020s
And the fastest one, the awk-version:
最快的 awk 版本:
time tcpdump -l -r test.dmp -n ip | awk '{ print gensub(/(.*)\..*/,"\1","g",), , gensub(/(.*)\..*/,"\1","g",) }' >/dev/null
reading from file test.dmp, link-type EN10MB (Ethernet)
real 0m0.093s
user 0m0.111s
sys 0m0.013s
Unfortunately I have not been able to test how compatible they are, but the awk needs gnu awk to work due to the gensub function. Anyway, all three solutions works on the two platforms I have tested them on. :)
不幸的是,我无法测试它们的兼容性,但是由于 gensub 功能,awk 需要 gnu awk 才能工作。无论如何,所有三个解决方案都适用于我测试过的两个平台。:)
回答by Steve
Here's one way using GNU awk:
这是使用的一种方法GNU awk:
tcpdump -i eth1 -n -c 5 ip | awk '{ print gensub(/(.*)\..*/,"\1","g",), , gensub(/(.*)\..*/,"\1","g",) }'
回答by anishsane
Try this:
尝试这个:
tcpdump -i eth1 -n -c 5 ip 2>/dev/null | sed -r 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/ > /'
If running from a .sh script, remember to escape \1 & \2 as required.
如果从 .sh 脚本运行,请记住根据需要转义 \1 & \2。
回答by F. Hauri
WarningYou have to use unbufferedou line-bufferedoutput to monitor the output of another command like tcpdump.
警告您必须使用无缓冲或行缓冲的输出来监视另一个命令的输出,例如tcpdump.
But you command seem correct.
但你的命令似乎是正确的。
To simplify, you could:
为简化起见,您可以:
tcpdump -i eth1 -n -c 5 ip |
sed -une 's/^.* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..*$/ > /p'
Notice the uswitchusefull without -c 5at tcpdump
注意u没有-c 5at tcpdump的switch有用
tcpdump -ni eth1 ip |
sed -une 's/^.* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..*$/ > /p'
回答by anishsane
& here is a grep only solution:
&这是一个仅限grep的解决方案:
tcpdump -l -i eth1 -n -c 5 ip 2>/dev/null | grep -P -o '([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*? > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' | grep -P -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | xargs -n 2 echo
Note -l, in case you don't want to limit the number of packets using -c.
请注意-l,如果您不想使用-c.
