Get information from a file: shell script, Linux grep command
Problem description
I need help to extract information from a file output from network traffic captured with the tcpdump command
tcpdump -Xvv -i eth0 > capture.txt
Given any field of the Ethernet, IP or TCP headers and a value, indicate the source and destination IP machines that were reported under this condition (without repeating them in the output).
The content of the file:
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
    10.0.0.226.58935 > 239.255.255.250.3702: UDP, ack 555, win 6584, length 990
        0x0000:  4500 03fa 0d6f 0000 0111 ada8 0a00 00e2  E....o..........
        0x0010:  efff fffa e637 0e76 03e6 7ec0 3c3f 786d  .....7.v..~.<?xm
        0x0020:  6c20 7665 7273 696f 6e3d 2231 2e30 2220  l.version="1.0".
        0x0030:  656e 636f 6469 6e67 3d22 7574 662d 3822  encoding="utf-8"
        0x0040:  3f3e 3c73 6f61 703a 456e 7665            ?><soap:Enve
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
        0x0000:  6000 0000 03e6 1101 fe80 0000 0000 0000  `...............
        0x0010:  21e9 f54b 9ae7 6383 ff02 0000 0000 0000  !..K..c.........
        0x0020:  0000 0000 0000 000c e638 0e76 03e6 666c  .........8.v..fl
        0x0030:  3c3f 786d 6c20 7665 7273 696f 6e3d 2231  <?xml.version="1
        0x0040:  2e30 2220 656e 636f 6469 6e67            .0".encoding
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
        0x0000:  0001 0800 0604 0001 0009 0fcb 0a0c 0a00  ................
        0x0010:  01d7 0000 0000 0000 0a00 0376 0000 0000  ...........v....
        0x0020:  0000 0000 0000 0000 0000 d9c4 62a8       ............b.
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
        0x0000:  4500 00a1 0d71 0000 0111 b0ff 0a00 00e2  E....q..........
        0x0010:  efff fffa e6fb 076c 008d 6fa6 4d2d 5345  .......l..o.M-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a48 6f73 743a 3233 392e 3235 352e 3235  .Host:239.255.25
        0x0040:  352e 3235 303a 3139 3030 0d0a            5.250:1900..
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
        0x0000:  4500 00a1 0d72 0000 0111 b0fe 0a00 00e2  E....r..........
        0x0010:  efff fffa e6fb 076c 008d 6fa6 4d2d 5345  .......l..o.M-SE
        0x0020:  4152 4348 202a 2048 5454 502f 312e 310d  ARCH.*.HTTP/1.1.
        0x0030:  0a48 6f73 743a 3233 392e 3235 352e 3235  .Host:239.255.25
        0x0040:  352e 3235 303a 3139 3030 0d0a            5.250:1900..
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
        0x0000:  4500 02ac 5507 0000 0111 6753 0a00 00ed  E...U.....gS....
        0x0010:  efff fffa e602 0e76 0298 5568 3c3f 786d  .......v..Uh<?xm
        0x0020:  6c20 7665 7273 696f 6e3d 2231 2e30 2220  l.version="1.0".
        0x0030:  656e 636f 6469 6e67 3d22 7574 662d 3822  encoding="utf-8"
        0x0040:  3f3e 3c73 6f61 703a 456e 7665            ?><soap:Enve
09:26:13.642960 IP6 (hlim 1, next-header UDP (17) payload length: 664) fe80::b8a2:bd0:4e0b:1bb5.58883 > ff02::c.3702: UDP, length 656
        0x0000:  6000 0000 0298 1101 fe80 0000 0000 0000  `...............
        0x0010:  b8a2 0bd0 4e0b 1bb5 ff02 0000 0000 0000  ....N...........
        0x0020:  0000 0000 0000 000c e603 0e76 0298 248c  ...........v..$.
        0x0030:  3c3f 786d 6c20 7665 7273 696f 6e3d 2231  <?xml.version="
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
        0x0000:  4500 02ac 5507 0000 0111 6753 0a00 00ed  E...U.....gS....
        0x0010:  efff fffa e602 0e76 0298 5568 3c3f 786d  .......v..Uh<?xm
        0x0020:  6c20 7665 7273 696f 6e3d 2231 2e30 2220  l.version="1.0".
        0x0030:  656e 636f 6469 6e67 3d22 7574 662d 3822  encoding="utf-8"
        0x0040:  3f3e 3c73 6f61 703a 456e 7665            ?><soap:Enve
For example, if the header is: ttl 1
The result must be:
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 - 1 Time
Source: 10.0.0.237.58882 --- Destination: 239.255.255.250.3702 - 2 Times
Another way: if the header is: ack or win; for example: ack 555
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 - 1 Time
Solution

Using awk, matching ack 555:

$ awk -F'[:>]' '/ack 555/{u["Source: "$1"--- Destination:"$2]++}END{for(k in u)print k,u[k]" - time"(u[k]>1?"s":"")}' file
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 1 - time

Matching ttl 1:

$ awk -F'[>:]' '/ttl 1,/{getline;u["Source: "$1"--- Destination:"$2]++}END{for(k in u)print k,u[k]" - time"(u[k]>1?"s":"")}' file
Source: 10.0.0.237.58882 --- Destination: 239.255.255.250.3702 1 - time
Source: 10.0.0.226.59131 --- Destination: 239.255.255.250.1900 1 - time
Source: 10.0.0.226.58935 --- Destination: 239.255.255.250.3702 1 - time
Your example doesn't match your expected output, however.
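A more general version of the same idea, added here as an example and not part of the answer above. The one-liners split fields on ":" and ">", which works for the IPv4 lines in this capture but not for the IPv6 packets (their addresses contain colons, and tcpdump prints them on the header line rather than on the indented transport line), and a pattern like /ttl 1/ without the trailing comma would also match ttl 128. The script below reassembles each packet from its header line and transport line, skips the -X hex-dump lines, and compares the requested "field value" against the complete comma-separated header items, so "ttl 1", "hlim 1", "ack 555" or "length 656" all work with the same function. The function names (write_sample_capture, tcpdump_pairs) are this example's own, and the embedded capture is a constructed, shortened copy of the one in the question.

```shell
#!/bin/sh
# Added example (not the answerer's code): count distinct source/destination
# pairs in "tcpdump -vv -X" text output whose headers carry a given "field value".

# Write a constructed sample capture to the path in $1. It is a shortened copy
# of the capture in the question (most hex-dump lines removed).
write_sample_capture() {
    cat > "$1" <<'EOF'
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
    10.0.0.226.58935 > 239.255.255.250.3702: UDP, ack 555, win 6584, length 990
        0x0000:  4500 03fa 0d6f 0000 0111 ada8 0a00 00e2  E....o..........
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
        0x0000:  0001 0800 0604 0001 0009 0fcb 0a0c 0a00  ................
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
EOF
}

# tcpdump_pairs "FIELD VALUE" FILE
# Prints one "Source: S --- Destination: D - N time(s)" line per distinct pair
# whose packet (IP/IP6 header line plus transport line) carries FIELD VALUE as a
# complete comma-separated item, so "ttl 1" does not match "ttl 128".
tcpdump_pairs() {
    awk -v want="$1" '
    function flush(   p, q, n, i, items, src, dst, rest) {
        if (rec == "") return
        p = index(rec, " > ")
        if (p == 0) { rec = ""; return }         # ARP etc.: no "src > dst" pair
        n = split(substr(rec, 1, p - 1), items, " ")
        src = items[n]                            # token right before " > "
        rest = substr(rec, p + 3)
        q = index(rest, ": ")
        dst = q ? substr(rest, 1, q - 1) : rest   # stop at ": UDP"; IPv6-safe
        gsub(/[()]/, ",", rec)                    # so "(ttl 1, id ..." splits cleanly
        n = split(rec, items, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", items[i])
            if (items[i] == want) {
                count["Source: " src " --- Destination: " dst]++
                break
            }
        }
        rec = ""
    }
    # A line starting with a timestamp begins a new packet.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / { flush(); rec = $0; next }
    # Hex-dump lines from -X carry no header fields.
    /^[ \t]+0x[0-9a-fA-F]+:/ { next }
    # Anything else (the indented transport line) belongs to the current packet.
    rec != "" { rec = rec " " $0 }
    END {
        flush()
        for (k in count)
            print k " - " count[k] " time" (count[k] > 1 ? "s" : "")
    }' "$2" | LC_ALL=C sort
}

# Usage on a real capture:
#   tcpdump -Xvv -i eth0 > capture.txt
#   tcpdump_pairs "ttl 1" capture.txt
```

On the sample, tcpdump_pairs "ttl 1" prints the same three pairs the answer's second one-liner found, and "hlim 1" reports the IPv6 pair that the colon-based field split cannot handle. Note that "length" occurs both in the IP header and on the transport line, so "length 656" counts packets that carry that value in either place; the output is passed through sort because the order of an awk "for (k in count)" loop is unspecified.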