awk: create list of destination ports seen for each source IP from a bro log (conn.log)


Problem description

I'm trying to solve a problem in awk as an exercise but I'm having trouble. I want awk (or gawk) to be able to print all unique destination ports for a particular source IP address.

The source IP address is field 1 ($1) and the destination port is field 4 ($4).

Cut for brevity:
SourceIP          SrcPort   DstIP           DstPort
192.168.1.195       59508   98.129.121.199  80
192.168.1.87        64802   192.168.1.2     53
10.1.1.1            41170   199.253.249.63  53
10.1.1.1            62281   204.14.233.9    443

I imagine you would store each Source IP as an index to an array. But I'm not quite sure how you would store destination ports as values. Maybe you can keep appending to a string, being the value of the index e.g. "80,"..."80,443,"... for each match. But maybe that's not the best solution.

I'm not too concerned about output, I really just want to see how one can approach this in awk. Though, for output I was thinking something like,

Source IP:dstport, dstport, dstport
192.168.1.195:80,443,8088,5900

I'm tinkering with something like this,

awk '{ if ( NR == 1) next; arr[$1,$4] = $4 } END { for (i in arr) print arr[i] }' infile

but cannot figure out how to print out the elements and their values for a two-dimensional array. It seems something along this line would take care of the unique destination port task because each port is overwriting the value of the element.

Note: an awk/gawk solution will get the answer!

Solution: slightly modified Kent's solution to print unique destination ports as mentioned in my question and to skip the column header line.

awk 'NR == 1 { next } !seen[$1,$4]++ { a[$1] = ($1 in a) ? a[$1] "," $4 : $4 } END { for (x in a) print x ":" a[x] }' infile
# de-duplicate on the (srcIP,dstPort) pair: the earlier test `a[$1] !~ $4` was a regex substring match (80 "matched" 8080) and its else branch reset the list to $4 on a repeated port

Answer

here is one way with awk:

 awk '{k=$1;a[k]=a[k]?a[k]","$4:$4}END{for(x in a)print x":"a[x]}' file

with your example, the output is:

kent$  awk '{k=$1;a[k]=a[k]?a[k]","$4:$4}END{for(x in a)print x":"a[x]}' file
192.168.1.195:80
192.168.1.87:53
10.1.1.1:53,443

(I omitted the header line)

Edit

k=$1;a[k]=a[k]?a[k]","$4:$4

is exactly the same as:

if (a[$1])                   # if a[$1] is not empty
    a[$1] = a[$1]","$4       # concatenate $4 to it separated by ","
else                         # else if a[$1] is empty
    a[$1] = $4               # let a[$1]=$4

I used k=$1 just to save some typing. Also, the x=boolean?a:b expression

I hope the explanation helps you understand the code.
