[Intrusions] tcpdump one-liner

Mark Stingley cw3sting at yahoo.com
Mon Sep 20 21:27:51 GMT 2004


--- otaku otaku <hackerotaku at gmail.com> wrote:

> greetings to all,
> 
> to the poster that posted the tcpdump oneliner 
> Is there something extra you compiled into tcpdump
> i tried your example 
> and receive the following error:
> 
> tcpdump: fread: Unknown error: 0
> 
> > For example:
> > 
> > ttcpdump -ennr 2002.10.14 | awk '{print
> > $2"\t"$4"\t"$11"\t"$13}' | tr -d "," | sed
> > s/":$"//g
> > > mac2ip.txt

I'm sorry Otaku.  The command line wrapped, and I
guess it wasn't apparent that "2002.10.14" is the
libpcap capture file to read.  Also, I have no idea
how the "ttcpdump" came about, other than editor
copy/paste error.

Here's a breakdown:

The "-e" switch is to get the MAC addresses,
the "nn" make sure we don't lookup hosts or ports,
and "r" has to be followed by the capture filename.

The reason I don't use any "v" verbose commands is
because at this point I'm only building a database for
quick and easy analysis.

So a corrected, easier to read example is:

tcpdump -ennr <CAPTURE-FILE-NAME> | \
        awk '{print $2"\t"$4"\t"$11"\t"$13}' | \
        tr -d "," | sed s/":$"//g > mac2ip.txt

where <CAPTURE-FILE-NAME> is the name of the libpcap
formatted capture file you want to read from and
"mac2ip.txt" is just a filename I use to describe that
format.

This results in a text file that contains the
tab-delimited source MAC / destination MAC / source IP
address.port / destination IP address.port, like so:

reading from file 2002.10.14, link-type EN10MB (Ethernet)
00:00:0c:04:b2:33       00:03:e3:d9:26:c0       170.129.50.120.62872    64.154.80.45.80
00:00:0c:04:b2:33       00:03:e3:d9:26:c0       170.129.50.120.62872    64.154.80.45.80
00:00:0c:04:b2:33       00:03:e3:d9:26:c0       170.129.50.120.62873    64.154.80.45.80
00:00:0c:04:b2:33       00:03:e3:d9:26:c0       170.129.50.120.62873    64.154.80.45.80
00:00:0c:04:b2:33       00:03:e3:d9:26:c0       170.129.50.120.63087    64.154.80.45.80

The "tr" command deletes commas and the "sed" command
removes that colon ":" that's attached to the
destination ip address.

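The one-liner above, as an added example that is not part of the original post. It wraps the same awk/tr/sed pipeline in a shell function, runs it against a constructed sample of "tcpdump -enn" text (the format the post's output implies: timestamp, source MAC, ">", destination MAC with a trailing comma, "ethertype IPv4 (0x0800), length N:", "IP", source ip.port, ">", destination ip.port with a trailing colon), and adds two things the post does not show: a stricter variant that only emits rows for frames whose layer-3 token is "IP", since the hard-coded field numbers $2/$4/$11/$13 pick up the wrong tokens on ARP or IPv6 frames, and a count of distinct source MAC / source IP pairs, which is the kind of quick check a mac2ip table is useful for. The function names and the sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes tcpdump -enn text
# on stdin in the layout implied by the post's sample output.

# The post's pipeline as a function: fields 2, 4, 11, 13 are src MAC,
# dst MAC (trailing comma), src ip.port, dst ip.port (trailing colon).
mac2ip() {
    awk '{print $2"\t"$4"\t"$11"\t"$13}' | tr -d "," | sed 's/:$//'
}

# Stricter variant: only lines whose layer-3 token ($10) is "IP" have the
# field layout the pipeline assumes; ARP or IPv6 frames are skipped instead
# of producing a junk row. awk strips the comma and colon itself.
mac2ip_strict() {
    awk '$10 == "IP" {
        sub(/,$/, "", $4); sub(/:$/, "", $13)
        print $2 "\t" $4 "\t" $11 "\t" $13
    }'
}

# Distinct (src MAC, src IP) pairs with a packet count. One MAC claiming
# several IPs, or one IP seen behind several MACs, deserves a closer look.
mac_ip_pairs() {
    mac2ip_strict | awk -F'\t' '{ sub(/\.[0-9]+$/, "", $3); print $1 "\t" $3 }' \
        | sort | uniq -c
}

# Constructed sample of tcpdump -enn output (not from a real capture).
# The third line is an ARP frame, whose fields do not line up with $11/$13.
SAMPLE='12:00:00.000001 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 74: IP 170.129.50.120.62872 > 64.154.80.45.80: S 1:1(0) win 5840
12:00:00.000002 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 74: IP 170.129.50.120.62873 > 64.154.80.45.80: S 2:2(0) win 5840
12:00:00.000003 00:00:0c:04:b2:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 170.129.50.1 tell 170.129.50.120'

# Stand-alone run: strict table, then the pair count. With a real capture,
# replace the printf with: tcpdump -ennr <CAPTURE-FILE-NAME>
printf '%s\n' "$SAMPLE" | mac2ip_strict
printf '%s\n' "$SAMPLE" | mac_ip_pairs
```

Run against the sample, the original pipeline emits three rows, the last of which is "00:00:0c:04:b2:33 ff:ff:ff:ff:ff:ff who-has tell" from the ARP frame; the strict variant emits only the two IP rows. Note that tcpdump's "reading from file ..." banner goes to stderr, so it does not end up in mac2ip.txt even though it appears on the terminal.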