Get only the source MAC address from tcpdump - linux

I am trying to get the source MAC address of every packet being dumped on the network, excluding any packets involving the host machine. I expect that in order to accomplish this I should get the data from tcpdump with the host's network interface in promiscuous mode.
Note that I am not interested in getting the full header or even the link level header. The -e option is not what I want. I just want the source MAC address for each packet, and nothing more.
This is what I am currently doing right now:
sudo tcpdump -I -elt -i wlan0 not host 127.0.0.1 2>> /dev/null | sed 's/ .*//'
with 127.0.0.1 replaced with the actual IP address of the local network interface.
This works great in some networks, where the source MAC address is the first piece of information that is output by tcpdump. Unfortunately, this has not always been my experience. It seems that the output of tcpdump is protocol-dependent and so on some networks it varies.
I suppose I could rewrite my sed command so that it outputs the first item that matches the regex for a MAC address:
(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}
but I am unsure if the first MAC address in the line will always be the source MAC address.
If there's no way to have tcpdump output the source MAC address directly, is there some way I could have it output the raw bits from the link level header? From there I should be able to piece together the source MAC address.

By using tshark you can do it like that:
Example:
tshark -i eth0 -e eth.src -Tfields
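As an added example (not part of the question or the tshark answer), the shell function below pulls the sender address out of `tcpdump -e` lines for the two layouts the question runs into: Ethernet lines start with `src > dst`, so the first MAC is the sender, while 802.11 monitor-mode lines carry labelled fields and the first MAC is often the BSSID. The sample lines are constructed, and the `BSSID:`/`SA:`/`DA:`/`RA:` labels are assumed to follow tcpdump's 802.11 printer.

```shell
#!/bin/sh
# Extract the source MAC from "tcpdump -e" output without relying on
# "first MAC on the line wins". Sample lines below are constructed.

MAC='([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'

# Read tcpdump -e lines on stdin; print one lowercase source MAC per line
# that carries a sender address, and nothing for lines that do not
# (e.g. an 802.11 ACK only has a receiver address, RA:).
src_mac() {
  while IFS= read -r line; do
    case $line in
      *SA:*) printf '%s\n' "$line" | sed -nE "s/.*SA:($MAC).*/\1/p" ;;   # 802.11: labelled sender
      *)     printf '%s\n' "$line" | sed -nE "s/^($MAC) > .*/\1/p" ;;   # Ethernet: "src > dst"
    esac
  done | tr 'A-F' 'a-f'
}

# Constructed samples: Ethernet ARP, 802.11 data frame (BSSID printed first),
# an 802.11 ACK with no sender, and a beacon with an uppercase SA.
SAMPLE='b8:27:eb:03:79:d1 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.9, length 28
BSSID:00:11:22:33:44:55 SA:66:77:88:99:aa:bb DA:ff:ff:ff:ff:ff:ff LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype ARP (0x0806): Request who-has 10.0.0.1 tell 10.0.0.9, length 28
Acknowledgment RA:66:77:88:99:aa:bb
BSSID:00:11:22:33:44:55 DA:ff:ff:ff:ff:ff:ff SA:AA:BB:CC:DD:EE:FF Beacon (lab-net) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6'

# Run the extractor over the constructed capture.
demo() { printf '%s\n' "$SAMPLE" | src_mac; }

demo
```

In live use, replace `demo` with `sudo tcpdump -e -t -l -i wlan0 not host <your-ip> | src_mac`.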

Related

hostname -i vs hostname -I in linux

So I looked up on google about the difference between the output for hostname -i and hostname -I but couldn't get anything significant.
The output for hostname -i: 127.0.1.1
The output for hostname -I: 192.168.X.X.
All I could get was this:
-i: This option is used to get the IP(network) addresses. This option works only if the hostname is resolvable.
-I: This option is used to get all IP(network) addresses. The option doesn’t depend on the resolvability of the hostname.
It would be great if someone could elaborate on this for me.
From the information in your question I infer that your question is about the Linux hostname command. That's important, as the BSD flavor of that command (e.g. the one found in macOS) has a different argument set.
The man page for the Linux hostname command is actually very specific about the difference, and you have already posted an excerpt from it:
-i, --ip-address
Display the network address(es) of the host name. Note that this works only if the host name can be resolved. Avoid
using this option; use hostname --all-ip-addresses instead.
-I, --all-ip-addresses
Display all network addresses of the host. This option enumerates all configured addresses on all network interfaces.
The loopback interface and IPv6 link-local addresses are omitted. Contrary to option -i, this option does not depend
on name resolution. Do not make any assumptions about the order of the output.
The "address being resolved" (the -i argument) means that it is being resolved via DNS. You can get similar results by using a name resolution command such as nslookup <yourhostname> or getent hosts <yourhostname>:
$ nslookup myhostname
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: myhostname
Address: X.X.X.X
The -I on the other hand iterates over all network interfaces of your host and sees how they are actually configured. That means it obtains the IP address via a completely different method.
Assuming your hostname is set to myhost, hostname -i tries to resolve myhost. You probably have a line like this in your /etc/hosts:
127.0.0.1 myhost
This will resolve myhost as 127.0.0.1.
With hostname -I you get the addresses of your network interface(s), apparently without the loopback addresses. These addresses might be assigned by DHCP.
In your case with the output 192.168.X.X you only have one interface connected with only an IPv4 address.
My Ubuntu 19.10 system displays one IPv4 address and one IPv6 address when connected to WiFi only or two IPv4 and IPv6 addresses each when connected to both WiFi and Ethernet.
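As an added example (not from any of the answers above), here is a shell model of the two lookups the answers describe: a resolver-style lookup of the host's own name, which on Debian-style systems lands on the 127.0.1.1 line in /etc/hosts, and an interface walk that drops loopback. Both inputs are constructed stand-ins for /etc/hosts and `ip -o -4 addr` output; IPv6 is left out.

```shell
#!/bin/sh
# Model of "hostname -i" (resolve own name) versus "hostname -I" (enumerate
# interface addresses). Inputs are constructed, not read from the system.

# Constructed /etc/hosts, Debian/Ubuntu style: the host's own name maps
# to 127.0.1.1, which is why "hostname -i" prints 127.0.1.1.
HOSTS='127.0.0.1 localhost
127.0.1.1 myhost
# 192.168.1.20 myhost   (commented out: never consulted)
::1 localhost ip6-localhost'

# Constructed "ip -o -4 addr show" output, one interface per line.
IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
3: wlan0    inet 192.168.1.21/24 brd 192.168.1.255 scope global wlan0'

# Resolver-style lookup (what -i does): first non-comment hosts entry
# whose name list contains $1; prints nothing if the name is unknown.
resolve_like_i() {
  printf '%s\n' "$HOSTS" |
  awk -v h="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# Interface-style lookup (what -I does): every configured IPv4 address
# except loopback, prefix length stripped, space separated, no name
# resolution involved at all.
list_like_I() {
  printf '%s\n' "$IP_ADDR" |
  awk '$2 != "lo" && $3 == "inet" {
         split($4, a, "/")
         out = out (out == "" ? "" : " ") a[1]
       }
       END { print out }'
}

echo "like -i: $(resolve_like_i myhost)"
echo "like -I: $(list_like_I)"
```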

How do I get ONLY the IP address from an nmap result

How do I strip out an IP address from the resultant line from arp, which includes the correct MAC address and the IP address the machine is found at, with something like
arp -a | grep "70:d1" > address_file.txt
This gives me the following output:
? (10.0.0.9) at b8:27:eb:3:79:d1 on en0 ifscope [ethernet]
I've tried various incantations of sed with no luck. The latest attempt is:
cat address_file.txt | sed 's/(\d{1,3}\.){3}\d{1,3}//p' address_file.txt
There is probably something procedurally wrong that I'm doing, but I'm running low on patience as this was supposed to be a quick and dirty hack to provide some automation. I would also note that I am using a Mac running OS Mojave, as I have read that there are some regex differences between BSD sed and other versions of sed.
I should note that I perform an nmap of the subnet because the arp entry can be stale and the machine will no longer be online, or it will have a different address but has produced no traffic.
Use the parenthesis to extract what is inside:
arp -a | sed -e s'/.*(\(.*\)).*/\1/g'

Scanning the network for all the hostnames present with their respective ip addresses

I have tried nmap, nbtscan, fping and arp-scan for the above-stated need and all are producing the expected output.
But I am facing some trouble with the arp command; it's not working and is showing something like this:
? (10.240.253.2) at 80:a1:d7:7c:22:94 [ether] on eth0
<something>.local (10.240.253.53) at 9c:2a:70:d8:50:ed [ether] on eth0
I have tried both arp -a and arp -a -n. I also tried running ping -b <broadcast ip address> before these commands, but ping -b does not execute at all, meaning it does nothing.
On other systems in my network it is running fine. But it seems there is some setting problem with my computer that I am not aware of.
arp is not a scanner. It queries your system's ARP cache.
Therefore, it will only show IP and MAC addresses of hosts which have sent ARP queries or answers recently seen by your system.
As you mention, nmap, for example, is much more suited to what you're trying to do than arp.

Linux send URL my IP address on startup

So, I'm trying to write a simple bash script to send my internal IP address to a website of mine on startup. I am on a network with DHCP, so I don't always know what the IP address of my Raspberry Pi will be after I do a reboot over ssh. I figured I could fix this by sending my website the current IP on startup. I haven't written many bash scripts, and I'm not really sure how to send data to my website. Right now I was just trying in the terminal this:
wget -qO- http://http://mywebsite.com/private/CurrentIP.php?send=$(/sbin/ifconfig eth0|grep 'inet addr:')
But I'm not having any luck. I don't actually know much about linux, and I'm trying to learn. That's why I got the raspberry pi actually. Anyway, can someone head me in the right direction?
I already know I need to put it in /etc/init.d/.
You could do this:
IP_ADDR=$(ifconfig eth0 | sed -rn 's/^.*inet addr:(([0-9]+\.){3}[0-9]+).*$/\1/p')
wget -q -O /dev/null http://mywebsite.com/private/CurrentIP.php?send=${IP_ADDR}
...but if your machine is stuck behind NAT, $IP_ADDR won't be your externally-visible address. Might want to use $_SERVER['REMOTE_ADDR'] in your PHP instead of/in addition to this to get the address for your client that your server sees.
Edit: Sounds like you want to be able to find your Raspberry Pi on your local (DHCP-managed) network after reboots. Have you considered using Multicast DNS instead?
How it works in practice: Let's say you've set the hostname of your RasPi to gooseberry. If you've enabled a multicast DNS server on that machine, other computers on the same network segment that can send multicast DNS queries will be able to find it at the domain name gooseberry.local. This is a peer-to-peer protocol and not dependent on gooseberry receiving any specific address via DHCP - so if it reboots and receives a new address, other machines should still be able to find it.
Mac OS X has this enabled out of the box; this can be enabled on most Linux distros (on Debian/Ubuntu you'd install the avahi-daemon and libnss-mdns packages); not sure about Windows, but a quick Google shows encouraging results.
This worked for me (wget part untested, but it finds IP address):
interface="eth0"
ip_addr=$(ifconfig ${interface} | sed -rn 's/^.*inet *([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*$/\1/p')
wget -q -O /dev/null http://mywebsite.com/private/CurrentIP.php?send=${ip_addr}
Can't you use:
hostname --ip-address

How to get pppd inet address from shell command

I'm not sure whether to post it here or at ServerFault.
Anyway, I'm trying to work around the company's firewall to connect to some media sharing site using my phone's 3G network. I've come up with a simple ip route command which takes pppd's inet address as its parameter. But I want to make it a little bit more automated by reading the inet address right from the script, not by passing it via a command line parameter.
Here's the scenario, to make it more obvious:
The command invocation as of now: $jumpfirewall xxx.xxx.xxx.xxx
The command invocation I want: $jumpfirewall
Do you know some command or library that I can use to read it from command line?
Adapted from cyberciti:
/sbin/ifconfig ppp0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'
The ifconfig ppp0 will get information for your primary PPP interface; the grep cuts it down to the line containing the IP address; the cut splits out everything after inet addr: up to bcast:, giving something like 1.2.3.4 Bcast:; and the awk call will print only the first (space-separated) field, leaving you with only the IP address.
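The arp answer, the two ifconfig answers and the ppp0 pipeline above each extract an IPv4 address with a different sed/cut/awk recipe. As an added example (not from any of those answers), here is one portable extractor that serves all of them: `grep -oE` and `awk` behave the same on BSD (macOS) and GNU userland, which sidesteps the sed dialect differences the arp question hit, and the octet check rejects strings that merely look like addresses. All sample lines are constructed.

```shell
#!/bin/sh
# Print the first syntactically valid IPv4 address found on stdin, or nothing.
# The regex alone also accepts "300.1.2.3"; the awk filter drops such hits so a
# bogus token before the real address cannot win.
first_ipv4() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
  awk -F. '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 { print; exit }'
}

# Constructed sample lines in the formats seen on this page.
ARP_MACOS='? (10.0.0.9) at b8:27:eb:3:79:d1 on en0 ifscope [ethernet]'
IFCONFIG_OLD='          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0'
IFCONFIG_NEW='        inet 10.64.64.64  netmask 255.255.255.255  destination 10.64.64.65'
MIXED='peer 300.1.2.3 reachable via 10.1.1.1'
NOISE='RX packets 123456  bytes 9999.9999.9999.9999'

ip_from_arp()       { printf '%s\n' "$ARP_MACOS"    | first_ipv4; }
ip_from_old_ifcfg() { printf '%s\n' "$IFCONFIG_OLD" | first_ipv4; }
ip_from_new_ifcfg() { printf '%s\n' "$IFCONFIG_NEW" | first_ipv4; }
ip_from_mixed()     { printf '%s\n' "$MIXED"        | first_ipv4; }
ip_from_noise()     { printf '%s\n' "$NOISE"        | first_ipv4; }

echo "arp:          $(ip_from_arp)"
echo "old ifconfig: $(ip_from_old_ifcfg)"
echo "new ifconfig: $(ip_from_new_ifcfg)"
echo "mixed:        $(ip_from_mixed)"
echo "noise:        '$(ip_from_noise)'"
```

On a live system the same function drops in as `arp -a | grep "70:d1" | first_ipv4` or `ifconfig ppp0 | first_ipv4`.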
pppd automatically calls a script in /etc/ppp/ip-up when a link is brought up. In this script, $4 is the local IP address of the PPP link. (On some distributions, /etc/ppp/ip-up is set to call the scripts in /etc/ppp/ip-up.d, with $PPP_LOCAL set to the IP address, so you can place your script there).
This way, you won't have to manually call the script - just bring up the PPP link and it'll be run automatically. There's a corresponding /etc/ppp/ip-down you can use to undo your route when the link goes down.
