Extract unique IPs from live tcpdump capture

Backend · Unresolved · 3 answers · 840 views
礼貌的吻别 · 2021-02-10 16:47

I am using the following command to output IPs from a live tcpdump capture:

sudo tcpdump -nn -q ip -l | awk '{print $3; fflush(stdout)}' >> ips.txt
3 answers
  •  南方客 (original poster) · 2021-02-10 17:18

    To extract unique IPs from tcpdump, you can use:

    awk '{ ip = gensub(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/,"\\1","g",$3); if(!d[ip]) { print ip; d[ip]=1; fflush(stdout) } }' YOURFILE
    

    So your command to see unique IPs live would be:

    sudo tcpdump -nn -q ip -l | awk '{ ip = gensub(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(.*)/,"\\1","g",$3); if(!d[ip]) { print ip; d[ip]=1; fflush(stdout) } }'
    

    This will print each IP as soon as it appears, so it cannot sort them. If you want them sorted, save the output to a file and then use the sort tool:

    sudo tcpdump -nn -q ip -l | awk '{ ip = gensub(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(.*)/,"\\1","g",$3); if(!d[ip]) { print ip; d[ip]=1; fflush(stdout) } }' > IPFILE
    sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 IPFILE
    

    Example output:

    34.216.156.21
    95.46.98.113
    117.18.237.29
    151.101.65.69
    192.168.1.101
    192.168.1.102
    193.239.68.8
    193.239.71.100
    202.96.134.133
    

    NOTE: make sure you are using gawk. It doesn't work with mawk.
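The answer above takes only field 3 (the source address) and relies on gawk's gensub(). The following is an added example, not code from the question or the answer: it reads the same `tcpdump -nn -q ip -l` text on stdin, keeps both source and destination addresses, strips the trailing port with POSIX awk match()/substr() so it also runs under mawk, and de-duplicates in first-seen order. The capture lines in sample_capture are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example: unique IPv4 addresses from tcpdump -nn -q ip text output,
# using only POSIX awk (match/substr, "in" test), so it works with mawk and gawk.

# Constructed sample of what `tcpdump -nn -q ip -l` prints. Format:
#   <timestamp> IP <src>[.<port>] > <dst>[.<port>]: <summary>
# A port, when present, is a fifth dotted number; ICMP lines have none.
sample_capture() {
    cat <<'EOF'
16:47:01.000001 IP 192.168.1.101.52342 > 34.216.156.21.443: tcp 60
16:47:01.000002 IP 34.216.156.21.443 > 192.168.1.101.52342: tcp 60
16:47:01.000003 IP 192.168.1.102 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
16:47:01.000004 IP 192.168.1.101.5353 > 224.0.0.251.5353: UDP, length 120
EOF
}

# Print each IPv4 address (source and destination) once, in first-seen order.
# Output is flushed per line so it works on a live pipe as well as on a file.
unique_ips() {
    awk '
    {
        # locate the "IP" token so the code does not depend on a timestamp column
        for (k = 1; k <= NF; k++) if ($k == "IP") break
        if (k > NF) next                      # not an IPv4 line, skip it
        for (i = k + 1; i <= k + 3; i += 2) { # $(k+1) = src, $(k+3) = dst
            # keep only the first four dotted numbers: drops ".port" and ":"
            if (match($i, /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($i, RSTART, RLENGTH)
                if (!(ip in seen)) { seen[ip] = 1; print ip; fflush() }
            }
        }
    }'
}

# Same set, sorted numerically octet by octet (a plain `sort` would put
# 224.0.0.251 before 34.216.156.21).
sorted_unique_ips() {
    unique_ips | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Offline demonstration on the constructed sample.
# Live use (requires root):  sudo tcpdump -nn -q ip -l | unique_ips
sample_capture | unique_ips
```

Reading both endpoints matters for a defender: with only field 3, a host that is exclusively a destination in the capture (8.8.8.8 and 224.0.0.251 in the sample) never appears in the list.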
