h3x has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks, I am running tcpdump and I want to pipe its output to a Perl script that gets me the source IP address and the dst IP address plus the port number. Here is a sample of my dump:

    14:42:35.155151 IP 192.168.11.128.3415 > 66.249.93.9.53: UDP, length 34
    14:42:35.305392 IP 66.102.9.104.80 > 192.168.11.100.40323: tcp 0
    14:42:35.305540 IP 192.168.11.100.40323 > 66.102.9.104.80: tcp 0
    14:42:35.374936 IP 192.168.11.6.22 > 192.168.11.128.59921: tcp 64
    14:42:35.375069 IP 192.168.11.128.59921 > 192.168.11.6.22: tcp 0
    14:42:35.405160 IP 72.21.192.209.53 > 192.168.11.128.49172: UDP, length 48
    14:42:35.405302 IP 192.168.11.128 > 72.21.192.209: icmp 84: 192.168.11.128 udp port 49172 unreachable
    14:42:35.605651 IP 130.89.175.33.80 > 192.168.11.100.47614: tcp 1448
Any help will be highly appreciated. Thanks

Replies are listed 'Best First'.
Re: Read output from tcpdump
by Fletch (Bishop) on Aug 07, 2008 at 12:22 UTC

    Looking at CPAN there's several modules (Net::Frame::Dump::Offline looking quite promising) which read tcpdump files which would be much more direct than trying to parse the text representation.

    The cake is a lie.

Re: Read output from tcpdump
by apl (Monsignor) on Aug 07, 2008 at 12:18 UTC
    First, you'll want to replace the square brackets with angle brackets in your post, to make it more readable...

    Then, you'll want to read the RegEx tutorials.

Re: Read output from tcpdump
by lorn (Monk) on Aug 07, 2008 at 17:50 UTC
Re: Read output from tcpdump
by Perlbotics (Archbishop) on Aug 07, 2008 at 18:55 UTC
    Since you want to pipe the text output through your program, the following fragment might help:

    #!/usr/bin/perl
    use strict;

    while (<>) {
        # src ip, optional src port, dst ip, optional dst port, protocol keyword
        if ( /IP\s+(\d+\.\d+\.\d+\.\d+)(\.(\d+))?\s+>\s+(\d+\.\d+\.\d+\.\d+)(\.(\d+))?\:\s+(\w+)/ ) {
            my ($srcip, $srcport, $dstip, $dstport, $proto) = ($1, $3, $4, $6, $7);  # icmp: port := 0 (should be n/a)
            printf "%16s [%5d] --> %16s [%5d] (%s)\n", $srcip, $srcport, $dstip, $dstport, lc($proto);
        }
    }
    __END__

    Piping your example through it yields (works with: tcpdump -nlq):

      192.168.11.128 [ 3415] -->      66.249.93.9 [   53] (udp)
        66.102.9.104 [   80] -->   192.168.11.100 [40323] (tcp)
      192.168.11.100 [40323] -->     66.102.9.104 [   80] (tcp)
        192.168.11.6 [   22] -->   192.168.11.128 [59921] (tcp)
      192.168.11.128 [59921] -->     192.168.11.6 [   22] (tcp)
       72.21.192.209 [   53] -->   192.168.11.128 [49172] (udp)
      192.168.11.128 [    0] -->    72.21.192.209 [    0] (icmp)
      Very good... And how would you do it if you want to tell the number of packets from one IP to another IP within the same port?
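The following is an added example covering both the original parsing question and the follow-up about counting packets between two addresses on the same port; it is not code from Perlbotics or anyone else in this thread. It assumes tcpdump was run with -n (as in the -nlq invocation above) so addresses stay numeric dotted quads, handles only IPv4 "IP" records, and treats the ICMP line (which has no ports) as a record with undefined ports instead of printing 0. The sample lines are constructed from the original post, with one duplicate added so a count other than 1 appears; the script name flows.pl is hypothetical.

```perl
#!/usr/bin/perl
# Added example (not code from this thread): parse the text output of
# "tcpdump -nlq" line by line, pull out source/destination address and
# port, and count packets per flow. IPv4 "IP" records only; "-n" keeps
# tcpdump from resolving names, so the address fields stay dotted quads.
use strict;
use warnings;

# Constructed sample input in the shape of the lines from the original
# post; the last line is a duplicate added so a count other than 1 shows up.
my @sample = (
    '14:42:35.155151 IP 192.168.11.128.3415 > 66.249.93.9.53: UDP, length 34',
    '14:42:35.305392 IP 66.102.9.104.80 > 192.168.11.100.40323: tcp 0',
    '14:42:35.305540 IP 192.168.11.100.40323 > 66.102.9.104.80: tcp 0',
    '14:42:35.374936 IP 192.168.11.6.22 > 192.168.11.128.59921: tcp 64',
    '14:42:35.375069 IP 192.168.11.128.59921 > 192.168.11.6.22: tcp 0',
    '14:42:35.405160 IP 72.21.192.209.53 > 192.168.11.128.49172: UDP, length 48',
    '14:42:35.405302 IP 192.168.11.128 > 72.21.192.209: icmp 84: 192.168.11.128 udp port 49172 unreachable',
    '14:42:35.605651 IP 130.89.175.33.80 > 192.168.11.100.47614: tcp 1448',
    '14:42:35.610000 IP 130.89.175.33.80 > 192.168.11.100.47614: tcp 1448',
);

my $ip_re   = qr/\d{1,3}(?:\.\d{1,3}){3}/;   # dotted quad
my $line_re = qr/^\S+\s+IP\s+($ip_re)(?:\.(\d+))?\s+>\s+($ip_re)(?:\.(\d+))?:\s+(\w+)/;

# Returns a hashref {src, sport, dst, dport, proto} for one tcpdump line,
# or undef if the line is not an "IP a.b.c.d.port > e.f.g.h.port: proto"
# record. Ports are undef for ICMP, which has none; they are not faked as 0.
sub parse_line {
    my ($text) = @_;
    return undef unless $text =~ $line_re;
    return { src => $1, sport => $2, dst => $3, dport => $4, proto => lc $5 };
}

# Count packets per "src > dst proto/dport" key, which is what the
# follow-up question (packets from one IP to another on the same port) asks for.
sub count_flows {
    my @lines = @_;
    my %count;
    for my $text (@lines) {
        my $p = parse_line($text) or next;
        my $port = defined $p->{dport} ? $p->{dport} : '-';
        $count{"$p->{src} > $p->{dst} $p->{proto}/$port"}++;
    }
    return \%count;
}

# Read from a file argument or a pipe ("tcpdump -nlq | perl flows.pl");
# when run interactively with no input, fall back to the constructed sample.
my @input;
if (@ARGV || !(-t STDIN)) { @input = <>; chomp @input; }
else                      { @input = @sample; }

for my $text (@input) {
    my $p = parse_line($text) or next;
    printf "%16s [%5s] --> %16s [%5s] (%s)\n",
        $p->{src}, (defined $p->{sport} ? $p->{sport} : 'n/a'),
        $p->{dst}, (defined $p->{dport} ? $p->{dport} : 'n/a'),
        $p->{proto};
}

print "\npackets per flow:\n";
my $flows = count_flows(@input);
printf "%4d  %s\n", $flows->{$_}, $_ for sort keys %$flows;
```

Lines that do not match the pattern (IPv6 records, ARP, truncated lines) are skipped rather than mis-parsed, and the flow key uses the destination port because that is the service side of a connection; change the key in count_flows if you want to count by source port or by both.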
Re: Read output from tcpdump
by eosbuddy (Scribe) on Aug 07, 2008 at 17:46 UTC
    Just a suggestion (not a solution), why not use:
    system 'netstat -ntu';
    I am aware that this drags you away from your original question, but I feel netstat is much cooler, particularly for the purpose you mentioned in your original post.