LinuxQuestions.org
Old 09-26-2012, 07:48 PM   #1
casperdaghost
Member
 
Registered: Aug 2009
Posts: 349

Rep: Reputation: 16
regex one or none -


This is truncated from a tcpdump.
I want to start parsing out just the hex parts of the frames.

Code:
more 2frames
09:09:34.005167 IP 14.162.102.4.45666 > 20.20.85.14.26555: Flags [.]
  0x0000:  4500 0028 0032 4000 3a06 2305 933e 6604  
  0x0010:  cec8 558e afd4 6767 7c3d 4623 375c 36c0  
  0x0020:  5010 1fff 2a83 0000 0000 0000 0000       
09:09:34.719098 IP 20.20.85.14.26555 > 14.162.102.4.45666: Flags [P.]
  0x0000:  4500 002b fa2b 4000 4006 2308 cec8 558e 
  0x0010:  933e 6604 6767 afd4 375c 36c0 7c3d 4623 
  0x0020:  5018 16d0 1db7 0000 0001 48
So when I run the frames over this with a Perl one-liner, I just get a few frames. The third line of the frame is missing (because it has fewer fields, and because the field is 2 digits, not four).

Code:
more 2frames | perl -nle 'print /\s\s(\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{4}\s\w{2,4})\s/'

4500 0028 0032 4000 3a06 2305 933e 6604
cec8 558e afd4 6767 7c3d 4623 375c 36c0


4500 002b fa2b 4000 4006 2308 cec8 558e
933e 6604 6767 afd4 375c 36c0 7c3d 4623
I know that I need to change the regex to change the regex capture to 2,4 - but there is a setting in the regex to capture either one or none -- ? but I don't know where to put it.

Last edited by casperdaghost; 09-26-2012 at 07:50 PM.
 
Old 09-26-2012, 10:20 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Not sure whether this will do you, but how about:
Code:
more 2frames | perl -nle 'if( $_ =~ m/^  0x....:  (.*)$/){print $1}'
4500 0028 0032 4000 3a06 2305 933e 6604  
cec8 558e afd4 6767 7c3d 4623 375c 36c0  
5010 1fff 2a83 0000 0000 0000 0000       
4500 002b fa2b 4000 4006 2308 cec8 558e 
933e 6604 6767 afd4 375c 36c0 7c3d 4623 
5018 16d0 1db7 0000 0001 48

Cheers,
Tink
 
Old 09-26-2012, 11:16 PM   #3
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,248
Blog Entries: 8

Rep: Reputation: 235
Or you could use grep:
Code:
... | grep -o '[0-9a-f]\{4\}\( [0-9a-f]\{2,4\}\)\+'
... | egrep -o '[0-9a-f]{4}( [0-9a-f]{2,4})+'
---- Edit ----

Grep needs a guide and the one above is not really working. A way to solve it is to pipe again on another grep call but that's already bloated.

Here's for awk.
Code:
... | awk '/[a-f0-9]+x[a-f0-9]+:/ { sub(/.*: +/, ""); print $0; }'

Last edited by konsolebox; 09-26-2012 at 11:47 PM.
 
Old 09-27-2012, 01:42 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
I guess it depends on what the non-hex recs can contain, but
Code:
grep '0x' t.t

  0x0000:  4500 0028 0032 4000 3a06 2305 933e 6604
  0x0010:  cec8 558e afd4 6767 7c3d 4623 375c 36c0
  0x0020:  5010 1fff 2a83 0000 0000 0000 0000
  0x0000:  4500 002b fa2b 4000 4006 2308 cec8 558e
  0x0010:  933e 6604 6767 afd4 375c 36c0 7c3d 4623
  0x0020:  5018 16d0 1db7 0000 0001 48
or you can use
Code:
grep '  0x' t.t
#OR
grep '^  0x' t.t
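
Added example, not part of any post in this thread: a shell function that goes one step past the one-liners above and joins each packet's dump lines into a single record, accepting the short last line and the trailing 2-digit group. The names `hex_frames` and `sample_capture` are made up for this example, and it assumes `tcpdump -x` style text with no ASCII column.

```sh
#!/bin/sh
# Added example: join the hex dump lines of each packet in `tcpdump -x` text
# output into one record: "<timestamp> <byte count> <hex string>".

hex_frames() {
    awk '
    # Print the packet collected so far, then reset the accumulators.
    function emit() {
        if (hex != "") printf "%s %d %s\n", (ts == "" ? "-" : ts), length(hex) / 2, hex
        ts = ""; hex = ""
    }
    # Dump line: indentation, "0x<offset>:", then groups of 4 (or a final 2) hex digits.
    /^[ \t]+0x[0-9a-fA-F]+:/ {
        sub(/^[ \t]+0x[0-9a-fA-F]+:[ \t]*/, "")      # drop the offset column
        for (i = 1; i <= NF; i++) {
            # Stop at the first field that is not a 2- or 4-digit hex group.
            if ($i !~ /^[0-9a-fA-F]+$/ || (length($i) != 2 && length($i) != 4)) break
            hex = hex $i
        }
        next
    }
    # A line starting in column 1 is a packet summary and opens a new packet.
    /^[^ \t]/ { emit(); ts = $1 }
    END { emit() }
    '
}

# The two frames quoted in the first post of the thread.
sample_capture() {
    cat <<'EOF'
09:09:34.005167 IP 14.162.102.4.45666 > 20.20.85.14.26555: Flags [.]
  0x0000:  4500 0028 0032 4000 3a06 2305 933e 6604
  0x0010:  cec8 558e afd4 6767 7c3d 4623 375c 36c0
  0x0020:  5010 1fff 2a83 0000 0000 0000 0000
09:09:34.719098 IP 20.20.85.14.26555 > 14.162.102.4.45666: Flags [P.]
  0x0000:  4500 002b fa2b 4000 4006 2308 cec8 558e
  0x0010:  933e 6604 6767 afd4 375c 36c0 7c3d 4623
  0x0020:  5018 16d0 1db7 0000 0001 48
EOF
}

sample_capture | hex_frames
```

The byte count makes truncated or padded frames visible: the first frame carries 46 bytes although its IP total-length field (`0028`) says 40, while the second carries exactly the 43 bytes its header (`002b`) declares.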
 
  


All times are GMT -5. The time now is 01:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration