tcpdump and awk

[concico]

If i do this command "tcpdump -xls 60 -n dst host 90.90.90.62 and dst port 8080 and udp"
my output is:

11:13:50.309476 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d5 0000 06fa
11:13:50.317439 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d6 0000 06fa
11:13:50.329503 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d7 0000 06fa
11:13:50.337415 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d8 0000 06fa
11:13:50.345464 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04d9 0000 06fa
11:13:50.353431 IP 10.1.100.54.40573 > 90.90.90.62.8080: UDP, length 277
0x0000: 4500 0131 0000 4000 4011 16ed 0a01 6436
0x0010: 5a5a 5a3e 9e7d 1f90 011d 23fe 0000 0000
0x0020: 6400 00e6 0175 9401 04da 0000 06fa


My intersting part are those in bold in the first line:

I would an output like this:

riga:XX matrice: XXXXXXXX

where
riga is thre second element in bold
matrice is the combination of the third and the forth element in bold

I do like this:

tcpdump -xls 60 -n dst host $1 and dst port 8080 and udp | awk '/0x0020/ { print "riga: "substr($6,3) " matrice:" $7 $8 }'

And it work fine.

Now i would on output like this:

Port: xxxxx riga:xx matrice:xxxxxxxx

where riga and matrice are the same as before and port is the port of trasmission of the current packet: the first element in bold

Thanks to all

 

[feherke]

Hi

awk '[red]/^\w/{sub(/.*\./,"",$3);printf"port: %s ",$3}[/red] /0x0020/ { print "riga: "substr($6,3) " matrice:" $7 $8 }'

Feherke.

http://rootshell.be/~feherke/

 

[PHV]

awk '$2=="IP"{p=$3;sub(/.*\./,"",p)}/0x0020/ { print "Port:"p" riga: "substr($6,3) " matrice:" $7 $8 }'

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886

 

[concico]

thanks a lot.....

 

[concico]

Now i ahve another question.....

i know that the value riga go from 00 to fe and is increment of 1.

If the value in next packet is not incremented of 1 is possible to print something like

"MISS PACKET!!!!!"(packet miss) and then print the corrent value??

for example:

port: 56529 riga: 00 matrice: 00000118
port: 56529 riga: 01 matrice: 00000118
port: 56529 riga: 03 matrice: 00000118
port: 56529 riga: 06 matrice: 00000118

Shoul became:

port: 56529 riga: 00 matrice: 00000118
port: 56529 riga: 01 matrice: 00000118
***MISS****port: 56529 riga: 02 matrice: 00000118
port: 56529 riga: 03 matrice: 00000118
***MISS***port: 56529 riga: 04 matrice: 00000118
***MISS***port: 56529 riga: 06 matrice: 00000118
port: 56529 riga: 06 matrice: 00000118

 

[Annihilannic]

Did you resolve this, concico?

Annihilannic.