How to parse snoop's output format with a shellscript

Posted on 2006-06-06
Last Modified: 2012-08-14
A side question to:

I have a snoop launched with the following command line:

snoop -d bge2 -x54 -ta host

but the format is something quite unreadable:

        0: 3139 4031 3932 2e31 3638 2e31 3034 2e32    19@192.168.104.2
       16: 3030 3a35 3036 3020 5349 502f 322e 300d    00:5060 SIP/2.0.
       32: 0a43 616c 6c2d 4944 3a20 3230 3833 3533    .Call-ID: 208353
       48: 3165 6537 6138 6533 6236 6266 6135 3565    1ee7a8e3b6bfa55e
       64: 6537 3239 3532 3864 3962 4031 3932 2e31    e729528d9b@192.1
       80: 3638 2e31 3034 2e31 3532 0d0a 4353 6571    68.104.152..CSeq
       96: 3a20 3120 494e 5649 5445 0d0a 4672 6f6d    : 1 INVITE..From
      112: 3a20 3c73 6970 3a54 5031 5f41 5032 4031    : <sip:TP1_AP2@1
      128: 3932 2e31 3638 2e31 3034 2e31 3532 3e3b    92.168.104.152>;
      144: 7461 673d 3132 3334 3536 3738 390d 0a54    tag=123456789..T
      160: 6f3a 203c 7369 703a 3131 3940 3139 322e    o: <sip:119@192.
      176: 3136 382e 3130 342e 3230 303e 0d0a 5669    168.104.200>..Vi
      192: 613a 2053 4950 2f32 2e30 2f55 4450 2031    a: SIP/2.0/UDP 1
      208: 3932 2e31 3638 2e31 3034 2e31 3532 3a35    92.168.104.152:5
      224: 3036 303b 6272 616e 6368 3d7a 3968 4734    060;branch=z9hG4
      240: 624b 3530 3166 6636 6235 6534 3465 3662    bK501ff6b5e44e6b
      256: 6563 3138 6162 6165 3130 6632 3363 3031    ec18abae10f23c01
      272: 3664 0d0a 4d61 782d 466f 7277 6172 6473    6d..Max-Forwards
      288: 3a20 3235 350d 0a43 6f6e 7465 6e74 2d4c    : 255..Content-L
      304: 656e 6774 683a 2030 0d0a 0d0a              ength: 0....

I am interested only in the ASCII part of the traffic, possibly put on one line; how can I make a shell script to parse only the ASCII part of this output?
Question by:Emanuele_Ciriachi
    LVL 22

    Accepted Solution

    OK - this is possibly a job for sed:

    snoop -d bge2 -x54 -ta host | sed -e 's/ *//' | sed -e 's/.*    //' | sed -e :a -e '/.$/N; s/\n//; ta'

    Let's explain:

    sed -e 's/ *//'

    substitutes all the leading spaces for nothing, effectively stripping them off.

    sed -e 's/.*    //'

    is a substitution whereby everything up to a 4-space block is substituted with nothing. Effectively, this removes all of the binary data.

    sed -e :a -e '/.$/N; s/\n//; ta'

    can possibly be improved, but basically this adds the following line to the one before (when it ends in anything).

    Obviously, this is not that easy to remember, and requires a bit of typing each time, which I suspect you do not want to do, therefore:

    alias wibble="sed -e 's/ *//' | sed -e 's/.*    //' | sed -e :a -e '/.$/N; s/\n//; ta'"

    and then you can:

    snoop -d bge2 -x54 -ta host | wibble

    Depending on the exact chars your command outputs, you may need to alter the commands above (particularly the number and location of spaces!), hence the explanations!

    Better still, put the alias command in your ~/.bashrc file, then it is automatically run each time you log in:)
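An added example, not part of the thread: a POSIX sh/awk function that rebuilds each packet's payload from snoop's hex column instead of scraping the ASCII column. Decoding the hex makes the result independent of the column spacing the answer above warns about, and it also recovers text that the ASCII column did not carry (on this page the "192.168.104.x" cells were lost from the pasted dump, which is consistent with the wibble output further down reading "19@ SIP/2.0"). The dump is the one from the question, with the lost ASCII cells filled back in from the hex; the separator line and the second packet are constructed for the demo. One thing the dump itself tells you: the request line starts at "19@192.168.104.200", so -x54 swallowed the 12 bytes "INVITE sip:1". 54 - 12 = 42 = Ethernet (14) + IPv4 without options (20) + UDP (8), so on untagged Ethernet -x42 should start exactly at the SIP payload.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild each packet's payload
# from the HEX column of `snoop -x<offset>` output rather than the ASCII
# column, so the result does not depend on how many spaces snoop puts
# between the columns and can also hand back the real bytes.

# Constructed input: the INVITE dump from the question (with the ASCII cells
# the page lost restored from the hex), then a constructed stand-in for the
# non-dump line snoop prints between packets, then a constructed second
# packet: a "100 Trying" whose first 12 bytes ("SIP/2.0 100 ") fell inside
# the 54 bytes that -x54 skips, just as "INVITE sip:1" did in the INVITE.
sample_dump() {
  cat <<'EOF'
        0: 3139 4031 3932 2e31 3638 2e31 3034 2e32    19@192.168.104.2
       16: 3030 3a35 3036 3020 5349 502f 322e 300d    00:5060 SIP/2.0.
       32: 0a43 616c 6c2d 4944 3a20 3230 3833 3533    .Call-ID: 208353
       48: 3165 6537 6138 6533 6236 6266 6135 3565    1ee7a8e3b6bfa55e
       64: 6537 3239 3532 3864 3962 4031 3932 2e31    e729528d9b@192.1
       80: 3638 2e31 3034 2e31 3532 0d0a 4353 6571    68.104.152..CSeq
       96: 3a20 3120 494e 5649 5445 0d0a 4672 6f6d    : 1 INVITE..From
      112: 3a20 3c73 6970 3a54 5031 5f41 5032 4031    : <sip:TP1_AP2@1
      128: 3932 2e31 3638 2e31 3034 2e31 3532 3e3b    92.168.104.152>;
      144: 7461 673d 3132 3334 3536 3738 390d 0a54    tag=123456789..T
      160: 6f3a 203c 7369 703a 3131 3940 3139 322e    o: <sip:119@192.
      176: 3136 382e 3130 342e 3230 303e 0d0a 5669    168.104.200>..Vi
      192: 613a 2053 4950 2f32 2e30 2f55 4450 2031    a: SIP/2.0/UDP 1
      208: 3932 2e31 3638 2e31 3034 2e31 3532 3a35    92.168.104.152:5
      224: 3036 303b 6272 616e 6368 3d7a 3968 4734    060;branch=z9hG4
      240: 624b 3530 3166 6636 6235 6534 3465 3662    bK501ff6b5e44e6b
      256: 6563 3138 6162 6165 3130 6632 3363 3031    ec18abae10f23c01
      272: 3664 0d0a 4d61 782d 466f 7277 6172 6473    6d..Max-Forwards
      288: 3a20 3235 350d 0a43 6f6e 7465 6e74 2d4c    : 255..Content-L
      304: 656e 6774 683a 2030 0d0a 0d0a              ength: 0....
(constructed stand-in for snoop's per-packet summary line; the parser ignores it)
        0: 5472 7969 6e67 0d0a 0d0a                        Trying....
EOF
}

# snoop_payload [oneline|raw]  (reads snoop -x output on stdin)
#   oneline (default): one line per packet, non-printable bytes shown as '.'
#                      (same convention snoop's own ASCII column uses)
#   raw:               the exact bytes, CR/LF intact, so the output is the
#                      real SIP message (NUL bytes are not preserved by awk,
#                      so raw mode is meant for text protocols)
snoop_payload() {
  mode=${1:-oneline}
  LC_ALL=C awk -v mode="$mode" '
    BEGIN {
      for (i = 0; i < 256; i++) {           # hex pair -> byte value / char
        h = sprintf("%02x", i); val[h] = i; chr[h] = sprintf("%c", i)
      }
    }
    function emit() {
      if (buf == "") return
      if (mode == "raw") printf "%s", buf; else printf "%s\n", buf
      buf = ""
    }
    {
      line = $0
      sub(/^ +/, "", line)                  # indent before the offset
      sub(/    .*$/, "", line)              # ASCII column: starts after a 4-space gap
      n = split(line, f, " ")
      if (n < 2 || f[1] !~ /^[0-9]+:$/) next   # not a dump line (e.g. packet summary)
      if (f[1] == "0:") emit()                  # offset 0 starts a new packet
      for (i = 2; i <= n; i++) {
        g = tolower(f[i])
        if (g !~ /^[0-9a-f][0-9a-f]([0-9a-f][0-9a-f])?$/) break   # safety stop
        for (j = 1; j <= length(g); j += 2) {
          b = substr(g, j, 2)
          if (mode == "raw") buf = buf chr[b]
          else buf = buf ((val[b] >= 32 && val[b] <= 126) ? chr[b] : ".")
        }
      }
    }
    END { emit() }
  '
}

# Stand-alone demo: one line per packet, as asked in the question.
sample_dump | snoop_payload
```

Usage is the same as the alias above: `snoop -d bge2 -x54 -ta host | snoop_payload` gives one line per packet, and the first line for the question's dump is identical to the wibble output except that the addresses are present. `snoop_payload raw` gives the CRLF-framed SIP message itself, which is what you want if the next step is a real parser rather than eyeballing. The parser assumes snoop's layout as shown in the question (offset, colon, up to eight 4-hex-digit groups, then at least four spaces before the ASCII column); if that ever differs, the hex-only check on each group stops decoding at the first token that is not hex, and the stand-in separator line shows that anything that is not a dump line is skipped rather than mangled.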
    LVL 27

    Expert Comment

    Hello, Emanuele_Ciriachi.
    Are you trying to get CDRs and call billing info directly from network captures :-)
    Your question is about Solaris, not about Linux.

    Anyway, there is an 'ethereal' package for both OSes. From a shell script you may use the text version, 'tethereal'. Read the manual first, of course.

    Also, I guess you need to say what exactly you need to get from that output. What do you need to parse it for, and what portions of the data are interesting?
    LVL 22

    Expert Comment

    I guess I ought to give you the output from my commands above? (Your data was cut and pasted into data.txt):

    [pje@bigserver tmp]# cat data.txt | wibble
    19@ SIP/2.0..Call-ID: 2083531ee7a8e3b6bfa55ee729528d9b@ 1 INVITE..From: <sip:TP1_AP2@>;tag=123456789..To: <sip:119@>..Via: SIP/2.0/UDP;branch=z9hG4bK501ff6b5e44e6bec18abae10f23c016d..Max-Forwards: 255..Content-Length: 0....
    LVL 1

    Author Comment

    Thanks for all the great suggestions. I am not in the test lab today so cannot try it out, will let you know.
