Just moozing

Before you can check your notes, you must make them…

Bash one-liners

At the office, we like one-liners…

Manipulating PCAPs

We had a need for working with lots of 150 MB PCAP files.

mergecap -a -w - *.pcap | tcpdump -r - -w router.pcap -n host 192.168.1.1

Don’t forget the -a if you have lots of data; otherwise mergecap will parse all the files before piping any data to tcpdump.

How to generate PCAP listing

This is not a cool one-liner, but I use something like this to get an overview of the PCAPs.

capinfos -T -m -Q mycapture.pcap

Csv file manipulation

Normal people would probably import the file into a spreadsheet.

tail -n +2 pcaplisting.txt | cut -f4 | paste -sd+ | bc

Sum all the values in column 4, skipping the first (header) line.

Digging

Some of our tools give us files with IP addresses, so automating the lookup is relevant.

for ip in $(tail -n +2 datafile.csv | cut -d ',' -f2); do echo -n "$ip "; dig -x "$ip" +short; done

Generate a list of IP addresses, each paired with its reverse DNS name. The IP addresses come from the second column of the data file; the first (header) line is skipped.
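The column-sum and reverse-lookup one-liners above as shell functions, added here as an example that is not part of the original post: it runs on constructed sample input embedded below, treats non-numeric cells as 0 instead of aborting, skips duplicate and malformed addresses, and reads the lookup command from a RESOLVER variable (an assumption of this example) so dig can be swapped out.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh.

# Constructed sample of a tab-separated capinfos-style listing (header + 3 rows).
sample_listing() {
    printf 'File name\tPackets\tFile size\tData size\n'
    printf 'A.pcap\t1000\t150000000\t149000000\n'
    printf 'B.pcap\t2000\t150000000\t148500000\n'
    printf 'C.pcap\t500\t75000000\t74000000\n'
}

# Sum column N of a tab-separated listing on stdin, skipping the header line.
# Unlike "cut | paste | bc", an empty listing yields 0 and non-numeric cells count as 0.
sum_column() {
    awk -F'\t' -v c="$1" 'NR > 1 { s += $c + 0 } END { printf "%d\n", s }'
}

# Constructed sample of a comma-separated tool export (header, one duplicate, one bad value).
sample_csv() {
    printf 'id,ip,hits\n'
    printf '1,192.168.1.1,10\n'
    printf '2,192.0.2.10,3\n'
    printf '3,192.168.1.1,7\n'
    printf '4,not-an-ip,1\n'
}

# Print unique dotted-quad values from column 2 of a CSV on stdin, skipping the header
# and anything that does not look like an IPv4 address (so dig is never fed junk).
extract_ips() {
    tail -n +2 | cut -d ',' -f2 | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Reverse-resolve each address on stdin; prints "ip name", or "ip -" when no PTR record exists.
# RESOLVER is an assumption of this example: it defaults to dig and is called as "$RESOLVER -x ip +short".
: "${RESOLVER:=dig}"
reverse_lookup() {
    while read -r ip; do
        name=$("$RESOLVER" -x "$ip" +short 2>/dev/null | head -n 1)
        printf '%s %s\n' "$ip" "${name:--}"
    done
}
```

Usage: `sample_listing | sum_column 4` and `sample_csv | extract_ips | reverse_lookup`; replace the sample functions with `cat pcaplisting.txt` and `cat datafile.csv` for real data.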

Written by moozing

November 18, 2014 at 12:00

Posted in Tech

One Response

  1. […] We combine tstat with mergecap as I described in an earlier post. […]
