LinuxQuestions.org > Forums > Linux Forums > Linux - General

Old 03-31-2007, 08:31 PM   #1
exl75
Member
Registered: Mar 2007
Posts: 54
How would one extract IP Addresses?


Given the excerpt of the firewall log file below, how would one extract/get the IP address? GREP? SED? Is there any way of doing that?

th1 SRC=212.123.153.188 DST=11.11.11.82 LEN=404 TOS=0x00 PREC=0x00 TTL=114 ID=19973 PROTO=UDP SPT=4429 DPT=1434 LEN=384

Last edited by exl75; 04-10-2007 at 10:29 PM.
Old 03-31-2007, 08:41 PM   #2
btmiller
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
I'd probably use awk, e.g.

awk '{print $2,$3}' would print out the source and destination addresses of your first line. You could write a little script with awk, Perl, or Python to do some reporting if you wanted to.
Old 03-31-2007, 08:45 PM   #3
exl75
Member
Registered: Mar 2007
Posts: 54
Original Poster
Please explain a little more clearly or more precisely. The excerpt info above is in a file.gz. Now, would awk '{print $2,$3}' <file.gz> work? And, if you can't write a script, is there another way to get all the IPs out?

Last edited by exl75; 03-31-2007 at 08:54 PM.
Old 03-31-2007, 09:14 PM   #4
anupamsr
Member
Registered: Sep 2004
Location: India
Distribution: Kubuntu, Archlinux, Suse, Gentoo, Mandrake
Posts: 371
No, that would not, because your file is in gz format. I think the following command will work:
Code:
$ zcat anda.gz | awk '{print $2"\t"$3}'
SRC=212.123.153.188     DST=11.11.11.82
SRC=206.130.246.2       DST=11.11.11.100
Old 03-31-2007, 09:17 PM   #5
anupamsr
Member
Registered: Sep 2004
Location: India
Distribution: Kubuntu, Archlinux, Suse, Gentoo, Mandrake
Posts: 371
If you want only the IP addresses, you can do something like this:
Code:
zcat anda.gz | sed 's/SRC=\|DST=//g' | awk '{print $2"\t"$3}'

Last edited by anupamsr; 03-31-2007 at 09:29 PM.
Old 03-31-2007, 09:47 PM   #6
exl75
Member
Registered: Mar 2007
Posts: 54
Original Poster
Thanks a lot. Here's what the first command gave me when I ran it against the .gz file:
27 14:25:55
27 14:25:55
27 14:25:58
27 14:26:08
27 14:26:10
27 14:26:10
27 14:26:11
27 14:27:13
27 14:27:15

Below is what the second command gave me.

27 14:25:55
27 14:25:55
27 14:25:58
27 14:26:08
27 14:26:10
27 14:26:10
27 14:26:11
27 14:27:13
I'm not quite sure what the "27" is. I'm assuming that "14:27:13" is the IP address. Correct? Given the excerpt above, it sounds more like a timestamp, isn't it?

Last edited by exl75; 03-31-2007 at 09:48 PM.
Old 03-31-2007, 09:57 PM   #7
fur
Member
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310
$ cat ext
th1 SRC=212.123.153.188 DST=11.11.11.82 LEN=404
th1 SRC=206.130.246.2 DST=11.11.11.100 LEN

$ awk 'BEGIN {FS="[ =]+"} {print $3, $5}' ext
212.123.153.188 11.11.11.82
206.130.246.2 11.11.11.100
Old 03-31-2007, 10:04 PM   #8
fur
Member
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310
Quote:
Originally Posted by exl75
Thanks a lot. Here's what the first command gave me when I ran it against the .gz file:
27 14:25:55
27 14:25:55
27 14:25:58
27 14:26:08
27 14:26:10
27 14:26:10
27 14:26:11
27 14:27:13
27 14:27:15

Below is what the second command gave me.

27 14:25:55
27 14:25:55
27 14:25:58
27 14:26:08
27 14:26:10
27 14:26:10
27 14:26:11
27 14:27:13
I'm not quite sure what the "27" is. I'm assuming that "14:27:13" is the IP address. Correct? Given the excerpt above, it sounds more like a timestamp, isn't it?

Looks like a timestamp; guessing the "27" is the 27th day of the month.

You may need to adjust the "$numbers" that are in those commands.

There are a ton of tutorials on how to use sed and awk online. I would suggest reading over a few of them just to get a basic idea of how these commands work, as they can be quite helpful.
Old 03-31-2007, 10:07 PM   #9
exl75
Member
Registered: Mar 2007
Posts: 54
Original Poster
When I run that command, here's what I get:

awk 'BEGIN {FS="[ =]+"} {print $3, $5}'anda.log.gz
awk: 1: unexpected character '.'

Last edited by exl75; 04-02-2007 at 12:18 PM.
Old 03-31-2007, 10:32 PM   #10
fur
Member
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310
Quote:
Originally Posted by exl75
When I run that command, here's what I get:

awk 'BEGIN {FS="[ =]+"} {print $3, $5}'honeynet-Feb1_FebXX.log.gz
awk: 1: unexpected character '.'

Two things. You won't be able to run awk on a gzip file. Either uncompress it first, or use zcat on the file, then pipe it into the awk command. Also, you didn't put a space between the end of the awk command and the file name.
Old 04-01-2007, 02:16 AM   #11
exl75
Member
Registered: Mar 2007
Posts: 54
Original Poster
Eureka!! I found it. This command gives me the IP addresses out of the log file. Thanks a lot for all your help.

zcat anda.log.gz | sed 's/SRC=\|DST=//g' | awk '{print $12"\t"$13}' | more

This is just a portion of the output that I got:
.............. ...........
192.150.249.87 11.11.11.89
211.168.230.94 11.11.11.70
211.168.230.94 11.11.11.72
211.168.230.94 11.11.11.64
211.168.230.94 11.11.11.69
211.168.230.94 11.11.11.73
211.168.230.94 11.11.11.75
211.168.230.94 11.11.11.80
211.168.230.94 11.11.11.67
............. ..........
............. ..........

Last edited by exl75; 04-02-2007 at 12:19 PM.
Old 04-01-2007, 03:46 AM   #12
anupamsr
Member
Registered: Sep 2004
Location: India
Distribution: Kubuntu, Archlinux, Suse, Gentoo, Mandrake
Posts: 371
On a side note, instead of "more", use "less". It is wayyy better.
Old 04-01-2007, 06:27 AM   #13
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Moved to Linux - General, as this isn't actually about networking in itself.

Hope you found the information you're after.