Monday, October 15, 2012

Bash to Check Packet Captures (Again)

To expand a little on the previous example.

To do a more specific search, say for packets involving a particular IP address within a certain time frame:

1. Put your file names into a file:

Here's the output of ls -lah:

-rw-r--r--. 1 root root 573M Oct 15 07:42 external3.1350301240

The file name is the ninth whitespace-separated field (whitespace being awk's default field separator).

So we list the files, grep for the date, pipe the output into awk, telling it to print the ninth field to the screen (stdout), and redirect the result to a file called "list". Keep in mind that this keys on the modification time ls displays (when the file was last written, not when its packets were captured), that 'Oct 15' matches that date in any year, and that $9 is only the first word of a file name that contains spaces:

ls -lah | grep 'Oct 15' | awk '{print $9}' > list

2. Use this list of files to search for an IP address and write the matching packets out to another pcap file. Two things need fixing in the obvious one-liner: tcpdump's host primitive needs an address after it (replace 192.0.2.1 below with the address you are after), and -w truncates its output file on every run, so writing every capture in the loop to the same file keeps only the last one. Each capture therefore gets its own output file and the pieces are merged afterwards with mergecap (part of Wireshark). The -v, -e and -X flags are print options that do nothing when -w is in use, and -s0 only matters for live capture, so they are dropped:

for i in $( cat list ); do tcpdump -nn -r "$i" 'host 192.0.2.1' -w "$i.interesting.pcap"; done
mergecap -w interesting_events.pcap *.interesting.pcap
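A fuller version of both steps, added here as an example and not taken from the post or from tcpdump's own documentation. It assumes the captures are named external3.<epoch> in one directory, that tcpdump and mergecap (from Wireshark) are installed, and that the time window is given as a start and end in touch -t form (CCYYMMDDhhmm). It goes a little beyond the post in two ways: it selects by an explicit time range rather than grepping ls for a month and day, and it writes one filtered pcap per input before merging, which avoids the overwrite problem of reusing a single -w file in a loop. The names list_captures, extract_host and find_host.sh and the address 192.0.2.1 are placeholders of my own.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumptions: capture files are
# named external3.<epoch> in one directory; tcpdump and mergecap (Wireshark)
# are installed for the extraction step.
set -eu

# list_captures DIR START END
# Print the capture files in DIR whose mtime falls in (START, END]; START and
# END use the touch -t format CCYYMMDDhhmm, e.g. 201210150000. This keys on the
# same modification time that ls shows, but takes a year and a range instead
# of grepping 'Oct 15', and does not break on names containing spaces.
list_captures() {
    dir=$1 start=$2 end=$3
    lo=$(mktemp) hi=$(mktemp)
    touch -t "$start" "$lo"
    touch -t "$end" "$hi"
    find "$dir" -maxdepth 1 -type f -name 'external3.*' \
        -newer "$lo" ! -newer "$hi" | sort
    rm -f "$lo" "$hi"
}

# extract_host HOST OUT
# Read capture paths from stdin (one per line), filter each to packets to or
# from HOST into its own pcap, then merge them into OUT. Reusing one -w file
# in the loop would truncate it on every iteration and keep only the last
# capture's packets.
extract_host() {
    host=$1 out=$2
    tmp=$(mktemp -d)
    n=0
    while IFS= read -r f; do
        n=$((n + 1))
        # -nn: no name or port resolution. The post's -s0, -v, -e and -X are
        # dropped: snaplen only matters for live capture, and the print
        # options do nothing when -w is in use.
        tcpdump -nn -r "$f" -w "$tmp/$n.pcap" "host $host"
    done
    # mergecap orders packets by timestamp, so the glob order does not matter.
    mergecap -w "$out" "$tmp"/*.pcap
    rm -rf "$tmp"
}

# Usage (hypothetical script name and example address):
#   sh find_host.sh /var/captures 201210150000 201210152359 192.0.2.1 interesting_events.pcap
# "list" is kept on disk, as in the post, so you can see which files were searched.
if [ "$#" -eq 5 ]; then
    list_captures "$1" "$2" "$3" | tee list | extract_host "$4" "$5"
fi
```

The selection is still by modification time, so a capture that was rotated shortly after midnight can carry packets from the previous day; widen the window by one rotation interval if that matters for your search.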
