asked on

AWK Problem

given awk script return as sth given below again but there are 2 mistakes

1. at the end of ttl there is a ) sign we need to remove it
2. 4510 00b8 9f05 4000 4006 74f0 b909 9d0f this part need to be as this 45 10 00 b8 9f 05 40 00 40 06 74 f0 b9 09 9d 0f

tcpdump -nnlq -v -X   | awk '/ IP /{gsub(",","");ttl=$6;proto=$14;leng=$17;}/ > /{gsub(/:/,"");a=$1;b=$3;}/0x0000:/{n=split(a,s,/[.]/);sub("[.]" s[n] "$"," " s[n],a);n=split(b,s,/[.]/);sub("[.]" s[n] "$"," " s[n],b);$1="";$NF="";print a, b, proto,leng,ttl,$0 }'

Open in new window

185.9.157.15 22 88.236.119.53 52607 TCP 184) 64  4510 00b8 9f05 4000 4006 74f0 b909 9d0f
88.236.119.53 52607 185.9.157.15 22 TCP 40) 118  4500 0028 167f 4000 7606 c816 58ec 7735

Open in new window

orginal output :

18:13:29.926429 IP (tos 0x0, ttl 118, id 7114, offset 0, flags [DF], proto TCP (6), length 40)
    88.236.119.53.52607 > 185.9.157.15.22: tcp 0
        0x0000:  4500 0028 1bca 4000 7606 c2cb 58ec 7735  E..(..@.v...X.w5
        0x0010:  b909 9d0f cd7f 0016 490b 1937 b656 8930  ........I..7.V.0
        0x0020:  5010 413a d900 0000 0000 0000 0000       P.A:..........

Open in new window

ozo

awk '/ IP /{gsub("[,)]","");ttl=$6;proto=$14;leng=$17;}/ > /{gsub(/:/,"");a=$1;b=$3;}/0x0000:/{n=split(a,s,/[.]/);sub("[.]" s[n] "$"," " s[n],a);n=split(b,s,/[.]/);sub("[.]" s[n] "$"," " s[n],b);$1="";$NF="";gsub(" ..","& ");print a, b, proto,leng,ttl,$0 }'

FireBall

ASKER

should we get first 64 hex instead of 32 ?

FireBall

ASKER

And also after a while it returns as an error that :

awk: (FILENAME=- FNR=1554) fatal: Unmatched ( or \(: /[.](hlim$/
222 packets captured
222 packets received by filter
0 packets dropped by kernel

Open in new window

ASKER CERTIFIED SOLUTION

ozo

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

FireBall

ASKER

I am not familiar with awk :) if you help me i will be glad for that also i have one more question after that :)