[SOLVED] Remove End of string from pattern

Ra'Jiska · 10-14-2015, 12:15 PM

Hello there,

I got an IP via TCPDUMP and I'd like to be able to to have the port of this IP removed.
Here is the format: 62.106.118.118.49954 ; how would I be able to remove the end '.49954' so I'd have: 62.106.118.118 ?

Thanks.

P.S: Don't worry about the IP, it's used against me to do DoS.

grail · 10-14-2015, 12:31 PM

Please show us what you have done to try and solve this? Also you do not indicate if it is in a script, on the command line or any particular language. Help us to help you.

Ra'Jiska · 10-14-2015, 12:41 PM

Quote:

Originally Posted by grail

Please show us what you have done to try and solve this? Also you do not indicate if it is in a script, on the command line or any particular language. Help us to help you.

Alrighty, yup', it's actually a script.
Someone is currently DoSing me and I'd like to have his ban automatic.

What I do is I send the output of tcpdump to a file, each line look like this:

19:20:45.620829 IP 62.106.118.118.49954 > xx.xx.xx.xx.xxxx: UDP, length 0

In this, I do only want to take '62.106.118.118' which is a variable, however, I did not manage to remove the extra '.49954'.
Here is what I've done so far to achieve this: echo "19:20:45.620829 IP 62.106.118.118.49954 > xx.xx.xx.xx.xxxx: UDP, length 0" | grep -o -P '(?<=IP ).*(?= >)' ; which outputs: 62.106.118.118.49954 .

Now, from this output, I'd like to get read of the four last characters (which might be variable).
Thank you very much for your help !

grail · 10-14-2015, 01:38 PM

Ok, I am still a little lost by some of the terminology.

Is the string '19:20:45.620829 IP 62.106.118.118.49954 > xx.xx.xx.xx.xxxx: UDP, length 0' stored in a variable?
If yes, I would do the following:

Code:

str='19:20:45.620829 IP 62.106.118.118.49954 > xx.xx.xx.xx.xxxx: UDP, length 0'

ip=${str#*IP }
ip=${ip% *}
ip=${ip%.*}

echo "$ip"

If on the other hand it is output and we have to use grep:

Code:

echo '19:20:45.620829 IP 62.106.118.118.49954 > xx.xx.xx.xx.xxxx: UDP, length 0' | grep -oP '(?<=IP ).*(?=\.[0-9]* >)'

Ra'Jiska · 10-14-2015, 01:44 PM

Thank you very much, the second part helped and did the job.
Dunno exacly how it does it but will make sure to check some documentation when I'll have time to !

Thanks again.

chrism01 · 10-14-2015, 09:18 PM

Given the result at post #3 I was thinking of piping through cut

Code:

echo '62.106.118.118.49954'|cut -d'.' -f1-4
62.106.118.118

grail · 10-15-2015, 10:13 AM

Quote:

Dunno exacly how it does it but will make sure to check some documentation when I'll have time to !

Actually, I just added to your existing code

Now the look behind needs to see a period followed by numbers and then your space and greater than sign

Ra'Jiska · 10-16-2015, 06:29 AM

Quote:

Originally Posted by chrism01

Given the result at post #3 I was thinking of piping through cut

Code:

echo '62.106.118.118.49954'|cut -d'.' -f1-4
62.106.118.118

Oh yea, this one is quite good too, thank you !

And yup', I saw Grail, I meant the end which I had trouble to understand (and is less intuitive than chrism01's one).
That said, thank you very much guys, you allowed me to make a script that prevents the bad boy from continuing to DOS my server !