LinuxQuestions.org


casperdaghost 09-26-2012 06:48 PM

regex one or none -
 
This is truncated from a tcpdump.
I want to start parsing out just the hex parts of the frames.

Code:

more 2frames
09:09:34.005167 IP 14.162.102.4.45666 > 20.20.85.14.26555: Flags [.]
  0x0000:  4500 0028 0032 4000 3a06 2305 933e 6604 
  0x0010:  cec8 558e afd4 6767 7c3d 4623 375c 36c0 
  0x0020:  5010 1fff 2a83 0000 0000 0000 0000     
09:09:34.719098 IP 20.20.85.14.26555 > 14.162.102.4.45666: Flags [P.]
  0x0000:  4500 002b fa2b 4000 4006 2308 cec8 558e
  0x0010:  933e 6604 6767 afd4 375c 36c0 7c3d 4623
  0x0020:  5018 16d0 1db7 0000 0001 48

So when I run the frames over this with a perl one-liner, I just get a few frames. The third line of the frame is missing (because it has fewer fields, and because the field is 2 digits, not four).

Code:

more 2frames | perl -nle 'print /\s\s(\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{2,4})\s/'

4500 0028 0032 4000 3a06 2305 933e 6604
cec8 558e afd4 6767 7c3d 4623 375c 36c0


4500 002b fa2b 4000 4006 2308 cec8 558e
933e 6604 6767 afd4 375c 36c0 7c3d 4623

I know that I need to change the regex capture to 2,4 - but there is a setting in the regex to capture either one or none -- ? but I don't know where to put it.

Tinkster 09-26-2012 09:20 PM

Not sure whether this will do you, but how about:
Code:

more 2frames | perl -nle 'if( $_ =~ m/^  0x....:  (.*)$/){print $1}'
4500 0028 0032 4000 3a06 2305 933e 6604 
cec8 558e afd4 6767 7c3d 4623 375c 36c0 
5010 1fff 2a83 0000 0000 0000 0000     
4500 002b fa2b 4000 4006 2308 cec8 558e
933e 6604 6767 afd4 375c 36c0 7c3d 4623
5018 16d0 1db7 0000 0001 48


Cheers,
Tink

konsolebox 09-26-2012 10:16 PM

Or you could use grep:
Code:

... | grep -o '[0-9a-f]\{4\}\( [0-9a-f]\{2,4\}\)\+'
... | egrep -o '[0-9a-f]{4}( [0-9a-f]{2,4})+'

---- Edit ----

Grep needs a guide and the one above is not really working. A way to solve it is to pipe again on another grep call but that's already bloated.

Here's for awk.
Code:

... | awk '/[a-f0-9]+x[a-f0-9]+:/ { sub(/.*: +/, ""); print $0; }'

chrism01 09-27-2012 12:42 AM

I guess it depends on what the non-hex recs can contain, but
Code:

grep '0x' t.t

  0x0000:  4500 0028 0032 4000 3a06 2305 933e 6604
  0x0010:  cec8 558e afd4 6767 7c3d 4623 375c 36c0
  0x0020:  5010 1fff 2a83 0000 0000 0000 0000
  0x0000:  4500 002b fa2b 4000 4006 2308 cec8 558e
  0x0010:  933e 6604 6767 afd4 375c 36c0 7c3d 4623
  0x0020:  5018 16d0 1db7 0000 0001 48

or you can use
Code:

grep '  0x' t.t
#OR
grep '^  0x' t.t
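
Added example, not part of any post in this thread: a shell sketch that anchors on the offset label and uses optional quantifiers so short final lines and a trailing odd byte still match, then joins each packet's hex and compares its captured size with the IP total-length field. The function names (`hex_lines`, `packets_hex`, `ip_total_len`, `report`) are made up for this example; the sample is the two frames from the question.

```shell
#!/bin/sh
# The two frames from the question (the hex starts at the IP header).
SAMPLE='09:09:34.005167 IP 14.162.102.4.45666 > 20.20.85.14.26555: Flags [.]
  0x0000:  4500 0028 0032 4000 3a06 2305 933e 6604
  0x0010:  cec8 558e afd4 6767 7c3d 4623 375c 36c0
  0x0020:  5010 1fff 2a83 0000 0000 0000 0000
09:09:34.719098 IP 20.20.85.14.26555 > 14.162.102.4.45666: Flags [P.]
  0x0000:  4500 002b fa2b 4000 4006 2308 cec8 558e
  0x0010:  933e 6604 6767 afd4 375c 36c0 7c3d 4623
  0x0020:  5018 16d0 1db7 0000 0001 48'

# Hex column of each dump line. A quantifier follows the atom or group it
# governs: "([0-9a-f]{4} ){0,7}" allows zero to seven full leading groups,
# and "([0-9a-f]{2})?" makes the second half of the last group optional
# ("one or none"), so a trailing odd byte such as "48" still matches.
hex_lines() {
  sed -nE 's/^[[:space:]]+0x[0-9a-f]+:[[:space:]]+(([0-9a-f]{4} ){0,7}[0-9a-f]{2}([0-9a-f]{2})?)[[:space:]]*$/\1/p'
}

# One contiguous hex string per packet; a timestamp line starts a new packet.
packets_hex() {
  awk '
    /^[0-9][0-9]:/ { if (buf != "") print buf; buf = ""; next }
    /^[ \t]+0x[0-9a-f]+:/ {
      sub(/^[ \t]+0x[0-9a-f]+:[ \t]+/, "")   # drop the offset label
      gsub(/[ \t]/, "")                      # drop group separators
      buf = buf $0
    }
    END { if (buf != "") print buf }
  '
}

# IP total-length field (header bytes 2-3) of a packet hex string, in decimal.
ip_total_len() {
  len_hex=$(printf '%s' "$1" | cut -c5-8)
  echo $((0x$len_hex))
}

# Captured byte count next to the IP total length, one line per packet.
report() {
  packets_hex | while read -r pkt; do
    echo "captured=$(( ${#pkt} / 2 )) ip_total_len=$(ip_total_len "$pkt")"
  done
}

printf '%s\n' "$SAMPLE" | hex_lines
printf '%s\n' "$SAMPLE" | report
```

A captured count below the IP total length means the dump was cut short by the capture's snap length; a count above it, as in the first frame, means trailing bytes follow the IP datagram.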



All times are GMT -5.