LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-09-2008, 09:36 AM   #1
tt1ect
LQ Newbie
 
Registered: Oct 2008
Posts: 5

Rep: Reputation: 0
Extracting strings


Hello friends,

I captured and saved to a file in plain txt from wireshark, i am trying to use awk or any command to extract the time, source ip address and destination address, i tried using grep it gives me all the line containg ip address, pls can anybody help me on this

this is how the information looks when you open the file:

No. Time Source Destination Protocol Info
1617 14.30 10.49.48.95 64.191.203.30 HTTP POST /login HTTP/1.1 (application/x-www-form-urlencoded)

tt1ect
 
Old 11-09-2008, 09:52 AM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
This looks like a simple task for AWK. Assuming that the format is always the same, you simply have to extract by field, using " " (space) as the delimiter.

Example---this print the 2nd, 3rd and 4th field, with tabs:

awk '{print $2"\t"$3"\t"$4}' filename

Really good AWK tutorial (and much more) here:

http://www.grymoire.com/Unix/Awk.html
 
Old 11-09-2008, 10:02 AM   #3
jan61
Member
 
Registered: Jun 2008
Posts: 235

Rep: Reputation: 46
Moin,

you don't need grep in this case. A simple way to get the fields 2 - 4 is cut:
Code:
jan@jack:~/tmp> echo '1617 14.30 10.49.48.95 64.191.203.30 HTTP POST /login HTTP/1.1 (application/x-www-form-urlencoded)' | cut -f2-4 -d' '
14.30 10.49.48.95 64.191.203.30
Another possibility is awk:
Code:
jan@jack:~/tmp> echo '1617 14.30 10.49.48.95 64.191.203.30 HTTP POST /login HTTP/1.1 (application/x-www-form-urlencoded)' | awk ' { print $2, $3, $4 } '
14.30 10.49.48.95 64.191.203.30
Or sed:
Code:
jan@jack:~/tmp> echo '1617 14.30 10.49.48.95 64.191.203.30 HTTP POST /login HTTP/1.1 (application/x-www-form-urlencoded)' | sed 's/^[0-9]* \([^ ]*\) \([^ ]*\) \([^ ]*\) .*/\1 \2 \3/'
14.30 10.49.48.95 64.191.203.30
I would prefer cut for the given input format - it's the simpliest tool.

Jan
 
Old 11-09-2008, 10:15 AM   #4
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
Please don't post the same thing twice----(perhaps it was an error)
I'll ask that the two be merged since both have replies
 
Old 11-10-2008, 12:26 PM   #5
jan61
Member
 
Registered: Jun 2008
Posts: 235

Rep: Reputation: 46
Moin,

Quote:
Originally Posted by pixellany View Post
Please don't post the same thing twice----(perhaps it was an error)
I'll ask that the two be merged since both have replies
sorry - it really was an error - think I accidently double clicked the submit button.

Jan
 
Old 11-10-2008, 12:43 PM   #6
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
To be honest, I'd just save the data from Wireshark/tcpdump as a binary file and then write a C(++) program using libpcap to get the info you want.
 
Old 11-10-2008, 12:52 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,335
Blog Entries: 55

Rep: Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535
Quote:
Originally Posted by Nylex View Post
I'd just save the data from Wireshark/tcpdump as a binary file and then write a C(++) program using libpcap to get the info you want.
Nice answer! Could you please post some code then?
 
Old 11-10-2008, 12:56 PM   #8
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Nice answer! Could you please post some code then?
Will do so when I've got a spare minute .
 
Old 11-10-2008, 01:42 PM   #9
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
Quote:
Originally Posted by jan61 View Post
Moin,



sorry - it really was an error - think I accidently double clicked the submit button.

Jan
My comment was not directed at you!!

OP posted this twice and each one had responses, so the threads were merged.
 
Old 11-10-2008, 03:07 PM   #10
Nylex
LQ Addict
 
Registered: Jul 2003
Location: London, UK
Distribution: Slackware
Posts: 7,464

Rep: Reputation: Disabled
When I was doing my MSc project, I had to analyse tcpdump data and initially tried string parsing. It was very messy, so I just went and learned to use libpcap. Makes life easier!

As requested, here's a C++ program making use of libpcap to get source and destination addresses and ports and timestamps:

Code:
#include <pcap.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/ether.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <iostream>
using namespace std;

void packet_handler(u_char *args, const struct pcap_pkthdr *packet_header, const u_char *packet);

int main(int argc, const char *argv[])
{
  const char *file = "tcpdump_file";
  char error_buffer[PCAP_ERRBUF_SIZE];
  pcap_t *handle = pcap_open_offline(file, error_buffer);

  pcap_loop(handle, -1, packet_handler, NULL); // Loop until we reach the end of the file
  return 0;
}

void packet_handler(u_char *args, const struct pcap_pkthdr *packet_header,
		    const u_char *packet)
{

  // The IP packet is the payload of the Ethernet frame, so we need to skip the
  // Ethernet frame's header to get to it.
  // The TCP packet is the payload of the IP packet, so we do a similar thing.
  struct ip *ip_packet = (struct ip*)(packet + sizeof(struct ether_header));
  struct tcphdr  *tcp_packet = (struct tcphdr*)(packet + sizeof(struct ether_header)
						+ sizeof(struct ip));

  cout << "Source address: " << inet_ntoa(ip_packet->ip_src) << endl;
  cout << "Destination address: " << inet_ntoa(ip_packet->ip_dst) << endl;

  cout << "Source port: " << ntohs(tcp_packet->source) << endl;
  cout << "Destination port: " << ntohs(tcp_packet->dest) << endl;
 
  struct timeval ts = (*packet_header).ts;
  cout << "Seconds: " << ts.tv_sec << " Microseconds: " << ts.tv_usec << endl;
}
I suggest reading the pcap.h man page ("man pcap") and possibly man pages for other headers too.

Last edited by Nylex; 11-10-2008 at 03:09 PM.
 
Old 11-10-2008, 04:30 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,335
Blog Entries: 55

Rep: Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535Reputation: 3535
Thanks for the -lpcap example.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Extracting ASCII strings from a Binary files poorrej Linux - Newbie 2 10-31-2008 03:38 AM
grep two strings Hondro Linux - General 3 09-08-2008 09:55 PM
Strings in C++ allomeen Programming 13 01-20-2006 12:05 PM
how to find duplicate strings in vertical column of strings markhod Programming 7 11-02-2005 04:04 AM
strings in c djgerbavore Programming 8 01-11-2005 04:27 PM


All times are GMT -5. The time now is 02:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration