tcpdump grep/pipe summary

r00t · 02-02-2013, 11:53 AM

Is it possible to grep something from the tcpdump summary? Like: tcpdump -nn -c100 | grep "packets dropped by kernel"
But that somehow doesn't work, it only pipes the packets itself, but the summary seems to be written to another stdout or something. I want to grep/awk one of these lines:

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Any suggestions? The -l option also doesn't help.

business_kid · 02-02-2013, 12:57 PM

tcpdump -options > some_file 2>&1
grep <search_terms> some_file

r00t · 02-02-2013, 01:04 PM

Ah well, that did the trick. Could've thought of that. Thanks!

business_kid · 02-03-2013, 09:29 AM

Welcome. If you're repeating this constantly and wish to be esoteric, you might try

mkfifo my.fifo
tcpdump options > my.fifo 2>&1
cat my.fifo | grep <search terms>

This has the advantage of being self cleaning, as tcpdump should fill the fifo (First In First Out) and cat will empty it again.

I think your option with corrected syntax is shorter
tcpdump -nn -c100 | egrep 'packets\ dropped\ by\ kernel'

Any non alpha-numeric character (.,*&^%$£!#~' etc.) needs an escape before it is treated as an ordinary character in grep's search. egrep uses Posix reg. exp. rules.

r00t · 02-03-2013, 10:58 AM

Thank you for your reply and your explaination, very helpful. I'm now trying to do the same with the script from the first answer of this topic and it doesn't work with both of your solutions. Any suggestion on this one? Thank you in advance, much appreciated.

David the H. · 02-04-2013, 10:35 AM

So the lines you want are being sent to stderr, correct?

So just redirect stderr to (the same place as) stdout, and then dump stdout to /dev/null.

Code:

tcpdump -options 2>&1 >/dev/null | grep whatever

Note that the order of the redirections is important. If you reversed them then both outputs would end up going to /dev/null.

redirections and file descriptors explained

r00t · 02-10-2013, 11:52 AM

Isn't this exactly the same as business_kid suggested? It doesn't work with the script I linked.

David the H. · 02-11-2013, 10:02 AM

The principle is identical, except that business_kid threw an unnecessary tempfile/pipe to the mix. My post demonstrates how it can all be done with a single command. Also, I took the time to add a link so that you can study it in more detail.

And it doesn't help much to just say that something "didn't work". What exactly did you try, and what exactly happened when you tried it? We can't see your screen, so we can't figure out what went wrong unless you give us enough detail to work with.