I need a little help with this shell script. I have a variable that represents an IP/TCP header field, and I need to filter a traffic capture by the selected header.
> var="ttl 128"   # only TTL=128
>
> tcpdump -Xvv -n -i eth0 -c 300 > capture.txt 2>/dev/null
>
I'm trying to use the grep command, but I only get the line with ttl 128, not the source and destination IP addresses.
> grep -i "$var" capture.txt > resultGrep.txt
The result of the tcpdump command is something like this:
15:29:18.164566 IP (tos 0x0, ttl 1, id 2394, offset 0, flags [none], proto UDP (17), length 125)
    10.0.0.155.58363 > 239.255.255.254.1900: UDP, length 97
        0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
        0x0010: e000 0001 9404 0000 1101 ebfe 0000 0000 ................
        0x0020: 0300 0000 0000 0000 0000 0000 0000 ..............
15:29:18.164566 IP (tos 0x0, ttl 128, id 2394, offset 0, flags [none], proto UDP (17), length 125)
    10.0.0.131.58363 > 239.255.255.250.1900: UDP, length 97
        0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
        0x0010: e000 0001 9404 0000 1101 ebfe 0000 0000 ................
        0x0020: 0300 0000 0000 0000 0000 0000 0000 ..............
15:29:18.164566 IP (tos 0x0, ttl 64, id 2394, offset 0, flags [none], proto UDP (17), length 125)
    10.0.0.147.58363 > 239.255.255.255.1900: UDP, length 97
        0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
        0x0010: e000 0001 9404 0000 1101 ebfe 0000 0000 ................
        0x0020: 0300 0000 0000 0000 0000 0000 0000 ..............
I need the source IP address and destination IP address of the packets with ttl 128 in the header; for the example above, the output must be
10.0.0.131.58363 > 239.255.255.250.1900
If your grep supports displaying context with -A, you can try
grep -A 1 -e 'ttl 128' capture.txt | grep '^ ' | cut -d: -f1
The first grep shows all lines with ttl 128 plus one following line. The second grep filters the lines starting with blanks. The final cut selects everything before the first :.
Related
I'm trying an experiment in Ubuntu 22.04 where I create two TUN/TAP interfaces, assign them IP addresses 192.168.75.1 and 192.168.76.1, map 192.168.75.2 to 76.1 and 76.2 to 75.1 in the code, and try to connect between the two ends. Pings get through successfully, but when I try to SSH between them, it fails.
When I SSH into 75.2 from 75.1, I see the outgoing SSH packet in tcpdump on 75.1 and the incoming one with the new IP addresses in tcpdump on 76.1, but SSHD never responds. I'm recalculating the IPv4 checksum (RFC 791) and TCP checksum (RFC 793) after changing the IP addresses and the checksums show up as correct in the tcpdump.
When I compare the tcpdump of the SSH interaction through the TUN/TAP interface (which fails) and through the regular localhost interface (which succeeds), I can't find any difference apart from the identification field in the IPv4 header (the two bytes right after total length), which is zero for the packets coming through localhost and nonzero through the TUN/TAP interface. Is there any reason why SSHD would care about this field?
I also disabled the firewall and opened up everything in iptables using iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT && iptables -t nat -F && iptables -t mangle -F && iptables -F && iptables -X. I also tried restarting the SSHD service after the new interfaces were up and assigned IP addresses. I'm really having a hard time finding any difference other than the IPv4 header identification field. Seeing the pings go through makes me think I'm on the right track, at least.
Edit #1 with more details:
Output from ifconfig:
custom0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.75.1 netmask 255.255.255.0 broadcast 192.168.75.255
inet6 fe80::80b:cff:fe0d:e00 prefixlen 64 scopeid 0x20<link>
ether 0a:0b:0c:0d:0e:00 txqueuelen 1000 (Ethernet)
RX packets 13 bytes 2341 (2.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38 bytes 5501 (5.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
custom1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.76.1 netmask 255.255.255.0 broadcast 192.168.76.255
inet6 fe80::80b:cff:fe0d:e01 prefixlen 64 scopeid 0x20<link>
ether 0a:0b:0c:0d:0e:01 txqueuelen 1000 (Ethernet)
RX packets 18 bytes 3366 (3.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 44 bytes 6561 (6.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Output from tcpdump on custom0 during successful ping. There is a lag, but it does work. Request #11 goes out before reply #1 finally comes back.
1664723041.491324 IP (tos 0x0, ttl 64, id 26129, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.75.1 > 192.168.75.2: ICMP echo request, id 1, seq 11, length 64
0x0000: 4500 0054 6611 4000 4001 bd43 c0a8 4b01 E..Tf.#.#..C..K.
0x0010: c0a8 4b02 0800 6c96 0001 000b 61a8 3963 ..K...l.....a.9c
0x0020: 0000 0000 2a7f 0700 0000 0000 1011 1213 ....*...........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
1664723042.419621 IP (tos 0x0, ttl 64, id 26589, offset 0, flags [none], proto ICMP (1), length 84)
192.168.75.2 > 192.168.75.1: ICMP echo reply, id 1, seq 1, length 64
0x0000: 4500 0054 67dd 0000 4001 fb77 c0a8 4b02 E..Tg...#..w..K.
0x0010: c0a8 4b01 0000 9a32 0001 0001 57a8 3963 ..K....2....W.9c
0x0020: 0000 0000 12ed 0300 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
Output from tcpdump on custom1 during successful ping. On this interface, replies appear immediately.
1664723042.419596 IP (tos 0x0, ttl 64, id 26589, offset 0, flags [none], proto ICMP (1), length 84)
192.168.76.1 > 192.168.76.2: ICMP echo reply, id 1, seq 1, length 64
0x0000: 4500 0054 67dd 0000 4001 f977 c0a8 4c01 E..Tg...#..w..L.
0x0010: c0a8 4c02 0000 9a32 0001 0001 57a8 3963 ..L....2....W.9c
0x0020: 0000 0000 12ed 0300 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
1664723042.419614 IP (tos 0x0, ttl 64, id 25034, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.76.2 > 192.168.76.1: ICMP echo request, id 1, seq 2, length 64
0x0000: 4500 0054 61ca 4000 4001 bf8a c0a8 4c02 E..Ta.#.#.....L.
0x0010: c0a8 4c01 0800 9ae9 0001 0002 58a8 3963 ..L.........X.9c
0x0020: 0000 0000 0835 0400 0000 0000 1011 1213 .....5..........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637 4567
Lines added to /etc/ssh/sshd_config after the TUN/TAP interfaces were up with assigned IP addresses:
ListenAddress 192.168.75.1
ListenAddress 192.168.76.1
Output from tcpdump on custom0 during unsuccessful SSH attempt:
1664723517.797359 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.75.2 tell 192.168.75.1, length 28
0x0000: 0001 0800 0604 0001 0a0b 0c0d 0e00 c0a8 ................
0x0010: 4b01 0000 0000 0000 c0a8 4b02 K.........K.
1664723517.797403 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.75.2 is-at 01:02:03:04:05:01, length 28
0x0000: 0001 0800 0604 0002 0102 0304 0501 c0a8 ................
0x0010: 4b02 0a0b 0c0d 0e00 c0a8 4b01 K.........K.
1664723517.797407 IP (tos 0x10, ttl 64, id 3817, offset 0, flags [DF], proto TCP (6), length 60)
192.168.75.1.42530 > 192.168.75.2.22: Flags [S], cksum 0x5e34 (correct), seq 3234729807, win 64240, options [mss 1460,sackOK,TS val 3543043583 ecr 0,nop,wscale 9], length 0
0x0000: 4510 003c 0ee9 4000 4006 146f c0a8 4b01 E..<..#.#..o..K.
0x0010: c0a8 4b02 a622 0016 c0ce 0f4f 0000 0000 ..K..".....O....
0x0020: a002 faf0 5e34 0000 0204 05b4 0402 080a ....^4..........
0x0030: d32e 8dff 0000 0000 0103 0309 ............
1664723518.803703 IP (tos 0x10, ttl 64, id 3818, offset 0, flags [DF], proto TCP (6), length 60)
192.168.75.1.42530 > 192.168.75.2.22: Flags [S], cksum 0x5a46 (correct), seq 3234729807, win 64240, options [mss 1460,sackOK,TS val 3543044589 ecr 0,nop,wscale 9], length 0
0x0000: 4510 003c 0eea 4000 4006 146e c0a8 4b01 E..<..#.#..n..K.
0x0010: c0a8 4b02 a622 0016 c0ce 0f4f 0000 0000 ..K..".....O....
0x0020: a002 faf0 5a46 0000 0204 05b4 0402 080a ....ZF..........
0x0030: d32e 91ed 0000 0000 0103 0309 ............
Output from tcpdump on custom1 during unsuccessful SSH attempt:
1664723519.732730 IP (tos 0x10, ttl 64, id 3817, offset 0, flags [DF], proto TCP (6), length 60)
192.168.76.2.42530 > 192.168.76.1.22: Flags [S], cksum 0x5c34 (correct), seq 3234729807, win 64240, options [mss 1460,sackOK,TS val 3543043583 ecr 0,nop,wscale 9], length 0
0x0000: 4510 003c 0ee9 4000 4006 126f c0a8 4c02 E..<..#.#..o..L.
0x0010: c0a8 4c01 a622 0016 c0ce 0f4f 0000 0000 ..L..".....O....
0x0020: a002 faf0 5c34 0000 0204 05b4 0402 080a ....\4..........
0x0030: d32e 8dff 0000 0000 0103 0309 ............
The exact failure message is ssh: connect to host 192.168.75.2 port 22: No route to host.
Output of route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.50.1 0.0.0.0 UG 100 0 0 enp38s0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp38s0
192.168.50.0 0.0.0.0 255.255.255.0 U 100 0 0 enp38s0
192.168.75.0 0.0.0.0 255.255.255.0 U 0 0 0 custom0
192.168.76.0 0.0.0.0 255.255.255.0 U 0 0 0 custom1
Edit #2:
I posted the code on GitHub along with a README at https://github.com/johnwstanford/bifrost. It's written in Rust. I also fixed the issue of the lag by calling poll on the file descriptor before trying to read from it, but the rest of the behavior is still the same.
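The step the question turns on is rewriting both IPv4 addresses and then recomputing the RFC 791 header checksum and the RFC 793 TCP checksum. The Python below is an added example, not code from the bifrost project: it performs that rewrite on the SYN captured on custom0 above (copied inline as constructed input) and checks that the result matches, byte for byte, the SYN captured on custom1, including the checksums 0x126f and 0x5c34 that tcpdump reported as correct. The function names are my own.

```python
import socket
import struct

# Constructed sample input: the SYN captured on custom0 in the question above
# (tcpdump hex columns, 60 bytes, 192.168.75.1:42530 -> 192.168.75.2:22).
SYN_ON_CUSTOM0 = bytes.fromhex(
    "4510 003c 0ee9 4000 4006 146f c0a8 4b01"
    "c0a8 4b02 a622 0016 c0ce 0f4f 0000 0000"
    "a002 faf0 5e34 0000 0204 05b4 0402 080a"
    "d32e 8dff 0000 0000 0103 0309"
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    return internet_checksum(bytes(hdr))


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the pseudo-header (src, dst, zero, protocol 6, TCP length) plus the segment."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"                 # checksum field of the TCP header
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + bytes(seg))


def split_packet(packet: bytes):
    """(IPv4 header, transport segment) using IHL and the total-length field."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[:ihl], packet[ihl:total_len]


def checksums_valid(packet: bytes) -> tuple:
    """(ip_ok, tcp_ok): does each stored checksum match a recomputation? tcp_ok is None for non-TCP."""
    header, segment = split_packet(packet)
    ip_ok = struct.unpack("!H", header[10:12])[0] == ipv4_header_checksum(header)
    tcp_ok = None
    if header[9] == 6:                       # protocol field: 6 = TCP
        stored = struct.unpack("!H", segment[16:18])[0]
        tcp_ok = stored == tcp_checksum(header[12:16], header[16:20], segment)
    return ip_ok, tcp_ok


def rewrite_addresses(packet: bytes, new_src: str, new_dst: str) -> bytes:
    """Copy of the packet with both addresses replaced and both checksums recomputed."""
    pkt = bytearray(packet)
    pkt[12:16] = socket.inet_aton(new_src)
    pkt[16:20] = socket.inet_aton(new_dst)
    header, segment = split_packet(bytes(pkt))
    pkt[10:12] = struct.pack("!H", ipv4_header_checksum(header))
    if header[9] == 6:
        ihl = len(header)
        pkt[ihl + 16:ihl + 18] = struct.pack("!H", tcp_checksum(header[12:16], header[16:20], segment))
    return bytes(pkt)


if __name__ == "__main__":
    print("original checksums valid:", checksums_valid(SYN_ON_CUSTOM0))
    rewritten = rewrite_addresses(SYN_ON_CUSTOM0, "192.168.76.2", "192.168.76.1")
    print("rewritten checksums valid:", checksums_valid(rewritten))
    print(rewritten.hex(" ", 2))
```

Run the file to print both verification results and the rewritten packet. Comparing the rewritten bytes against the packet captured on the other interface confirms that the rewrite changed only the addresses and the two checksums, which narrows a problem like the one above to something other than checksum handling.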
I'm currently using ImageMagick and gm to process images from a buffer. My problem is that I cannot control what file types are put in the buffer but wish to have everything turned to jpg.
Not sure how to do that using the buffer since I'm not giving it an output file path with extension.
gm(buf).command('convert').in('-auto-orient','-resize','500x','-quality','92','-strip','-quality','100','jpg').toBuffer((err, buffer) => err ? reject(err) : resolve(buffer));
I don't know anything about the node.js bindings of ImageMagick or GraphicsMagick, but I do know that if you do this in Terminal, you will force a JPEG output, so maybe you can adapt that...
# Make a 1x1 black image and write to stdout as JPEG. Dump result with 'xxd'
gm convert xc:black jpg:- | xxd
00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048 ......JFIF.....H
00000010: 0048 0000 ffdb 0043 0008 0606 0706 0508 .H.....C........
00000020: 0707 0709 0908 0a0c 140d 0c0b 0b0c 1912 ................
00000030: 130f 141d 1a1f 1e1d 1a1c 1c20 242e 2720 ........... $.'
00000040: 222c 231c 1c28 3729 2c30 3134 3434 1f27 ",#..(7),01444.'
00000050: 393d 3832 3c2e 3334 32ff c000 0b08 0001 9=82<.342.......
00000060: 0001 0101 1100 ffc4 0014 0001 0000 0000 ................
00000070: 0000 0000 0000 0000 0000 0008 ffc4 0014 ................
00000080: 1001 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0000 ffda 0008 0101 0000 3f00 3fbf ffd9 ..........?.?...
It is just the same with ImageMagick and, say, PNG output:
magick xc:black png:-
I used tcpdump to capture some data, but found that the FIN and ACK packets carry some payload even though the length is 0. Can anyone explain that? When I open the pcap file in Wireshark, everything looks right. Why is that?
20:56:05.174314 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [.], ack 1721, win 33232, length 0
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 417a 4000 4006 284f 0a00 020f E..(Az#.#.(O....
0x0020: c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba ...PO9R..\......
0x0030: 5010 81d0 d121 0000 4745 5420 2f75 7365 P....!..GET./use
0x0040: 7273 2f31 3f75 7365 rs/1?use
20:56:15.179096 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [F.], seq 649, ack 1721, win 33232, length 0
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 417b 4000 4006 284e 0a00 020f E..(A{#.#.(N....
0x0020: c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba ...PO9R..\......
0x0030: 5011 81d0 d121 0000 0000 0000 0000 2e31 P....!.........1
0x0040: 2035 3030 2049 6e74 .500.Int
20:56:15.179528 IP 192.168.4.80.21224 > 10.0.2.15.20281: Flags [.], ack 650, win 65535, length 0
0x0000: 0000 0001 0006 5254 0012 3502 0000 0800 ......RT..5.....
0x0010: 4500 0028 73f3 0000 4006 35d6 c0a8 0450 E..(s...#.5....P
0x0020: 0a00 020f 52e8 4f39 f4d8 b0ba b35c bf83 ....R.O9.....\..
0x0030: 5010 ffff 2438 0000 0000 0000 0000 2e31 P...$8.........1
0x0040: 2035 3030 2049 6e74 6572 6e61 6c20 .500.Internal.
20:56:15.181826 IP 192.168.4.80.21224 > 10.0.2.15.20281: Flags [F.], seq 1721, ack 650, win 65535, length 0
0x0000: 0000 0001 0006 5254 0012 3502 0000 0800 ......RT..5.....
0x0010: 4500 0028 73f5 0000 4006 35d4 c0a8 0450 E..(s...#.5....P
0x0020: 0a00 020f 52e8 4f39 f4d8 b0ba b35c bf83 ....R.O9.....\..
0x0030: 5011 ffff 2437 0000 0000 0000 0000 7365 P...$7........se
0x0040: 7273 2f31 3f75 7365 725f 6964 3d35 rs/1?user_id=5
20:56:15.181884 IP 10.0.2.15.20281 > 192.168.4.80.21224: Flags [.], ack 1722, win 33232, length 0
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 eaf7 4000 4006 7ed1 0a00 020f E..(..#.#.~.....
0x0020: c0a8 0450 4f39 52e8 b35c bf83 f4d8 b0bb ...PO9R..\......
0x0030: 5010 81d0 a266 0000 4745 5420 2f75 7365 P....f..GET./use
0x0040: 7273 2f31 3f75 7365 rs/1?use
I'm running tcpdump in two identical Linux machines with this command:
tcpdump -i enp0s8 -nn -XX -vvv
During an ARP request in the sender machine I see:
20:03:29.113813 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.2, length 28
0x0000: 0800 27bb f251 0800 27cf ce8e 0806 0001 ..'..Q..'.......
0x0010: 0800 0604 0001 0800 27cf ce8e 0a00 0002 ........'.......
0x0020: 0000 0000 0000 0a00 0001 ..........
but in the destination machine:
20:03:29.114928 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.2, length 46
0x0000: 0800 27bb f251 0800 27cf ce8e 0806 0001 ..'..Q..'.......
0x0010: 0800 0604 0001 0800 27cf ce8e 0a00 0002 ........'.......
0x0020: 0000 0000 0000 0a00 0001 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 ............
Why is the packet zero-filled to a length of 46?
The ARP message itself is 28 bytes long, exactly as you indicated. Now, with correct Ethernet implementations, the outgoing frame has to be padded to be at least 64 bytes long. There are some quirks about this, however - the device that originated this ARP message may itself be capable of sending it in an untagged frame or in 802.1Q-tagged frame. The tag size is always accounted towards the total frame size, resulting in different paddings:
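The two captures above show the same effect from two angles: the previous question's ACK and FIN segments, whose hex dump continues past a TCP length of 0, and the ARP request that arrives with 18 extra zero bytes. The hex dump is everything the capture received, while the packet inside declares its own length; bytes beyond that declared length are not part of the packet, which is why tcpdump's decoder reports length 0 and Wireshark shows nothing wrong. The Python below is an added example (not from either question): it parses tcpdump -X/-XX hex lines back into bytes, works out the link-layer header length (14 bytes for Ethernet II, 16 for the Linux cooked header that the ACK/FIN capture uses, told apart by where the protocol field sits), reads the declared length from the IPv4 total-length field or from the ARP address lengths, and reports what is left over. The sample dumps are copied from the two questions; the function names are my own.

```python
import re
import struct

# One tcpdump -X/-XX hex line: offset, up to eight groups of four hex digits, then the ASCII column.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{4}\s+){0,7}[0-9a-fA-F]{2,4})(?=\s|$)")

LINK_PROTOCOLS = {0x0800: "IPv4", 0x0806: "ARP"}

# Constructed sample input, copied from the ACK/FIN question (a Linux cooked-capture frame).
ACK_DUMP = """
0x0000: 0004 0001 0006 0800 2793 4e00 0000 0800 ........'.N.....
0x0010: 4500 0028 417a 4000 4006 284f 0a00 020f E..(Az#.#.(O....
0x0020: c0a8 0450 4f39 52e8 b35c bf82 f4d8 b0ba ...PO9R..\\......
0x0030: 5010 81d0 d121 0000 4745 5420 2f75 7365 P....!..GET./use
0x0040: 7273 2f31 3f75 7365 rs/1?use
"""

# Constructed sample input, copied from the ARP question: as sent (42 bytes) and as received (60 bytes).
ARP_TX_DUMP = """
0x0000: 0800 27bb f251 0800 27cf ce8e 0806 0001 ..'..Q..'.......
0x0010: 0800 0604 0001 0800 27cf ce8e 0a00 0002 ........'.......
0x0020: 0000 0000 0000 0a00 0001 ..........
"""
ARP_RX_DUMP = """
0x0000: 0800 27bb f251 0800 27cf ce8e 0806 0001 ..'..Q..'.......
0x0010: 0800 0604 0001 0800 27cf ce8e 0a00 0002 ........'.......
0x0020: 0000 0000 0000 0a00 0001 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 ............
"""


def dump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex columns of every dump line; non-hex lines are ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def link_header_length(frame: bytes) -> int:
    """14 for Ethernet II (EtherType at offset 12); 16 for the Linux cooked (SLL) header (protocol at offset 14)."""
    for offset in (12, 14):
        if struct.unpack("!H", frame[offset:offset + 2])[0] in LINK_PROTOCOLS:
            return offset + 2
    raise ValueError("unrecognised link-layer header")


def analyse_frame(dump: str) -> dict:
    """Compare the captured frame length with the length the packet itself declares."""
    frame = dump_to_bytes(dump)
    link_len = link_header_length(frame)
    proto = struct.unpack("!H", frame[link_len - 2:link_len])[0]
    body = frame[link_len:]
    tcp_payload = None
    if proto == 0x0800:
        declared = struct.unpack("!H", body[2:4])[0]      # IPv4 total length
        ihl = (body[0] & 0x0F) * 4
        if body[9] == 6:                                  # TCP: data offset is the high nibble of byte 12
            data_off = (body[ihl + 12] >> 4) * 4
            tcp_payload = declared - ihl - data_off
    else:                                                 # ARP: fixed part + 2 hardware + 2 protocol addresses
        declared = 8 + 2 * body[4] + 2 * body[5]
    return {
        "link": "Ethernet" if link_len == 14 else "Linux cooked",
        "protocol": LINK_PROTOCOLS[proto],
        "captured": len(frame),
        "declared": declared,
        "tcp_payload": tcp_payload,
        "trailing": body[declared:],                      # bytes outside the packet
    }


if __name__ == "__main__":
    for name, dump in (("ACK", ACK_DUMP), ("ARP sent", ARP_TX_DUMP), ("ARP received", ARP_RX_DUMP)):
        print(name, analyse_frame(dump))
```

For the ACK frame the result is 72 bytes captured, a 16-byte cooked header, an IPv4 total length of 40 and a TCP payload of 0, leaving 16 trailing bytes that spell GET /users/1?use; for the ARP request the sender's frame has no trailer while the receiver's has 18 zero bytes, which is the padding the answer above describes (28 bytes of ARP plus 14 of Ethernet header padded to the 60-byte minimum seen without the FCS).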
I need help extracting matches from a file.
I capture network traffic with the tcpdump command
tcpdump -Xvv -i eth0 > captureFile.txt
Given any field of the IP, TCP or Ethernet headers, list all the values found in the captured traffic and count how many packets have each value of that field. For example, if TTL = 128 and TTL = 64 appear, indicate how many packets have each of these values.
The content of the file:
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
10.0.0.226.58935 > 239.255.255.250.3702: UDP, length 990
0x0000: 4500 03fa 0d6f 0000 0111 ada8 0a00 00e2 E....o..........
0x0010: efff fffa e637 0e76 03e6 7ec0 3c3f 786d .....7.v..~.<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
0x0000: 6000 0000 03e6 1101 fe80 0000 0000 0000 `...............
0x0010: 21e9 f54b 9ae7 6383 ff02 0000 0000 0000 !..K..c.........
0x0020: 0000 0000 0000 000c e638 0e76 03e6 666c .........8.v..fl
0x0030: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml.version="1
0x0040: 2e30 2220 656e 636f 6469 6e67 .0".encoding
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
0x0000: 0001 0800 0604 0001 0009 0fcb 0a0c 0a00 ................
0x0010: 01d7 0000 0000 0000 0a00 0376 0000 0000 ...........v....
0x0020: 0000 0000 0000 0000 0000 d9c4 62a8 ............b.
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
0x0000: 4500 00a1 0d71 0000 0111 b0ff 0a00 00e2 E....q..........
0x0010: efff fffa e6fb 076c 008d 6fa6 4d2d 5345 .......l..o.M-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5.250:1900..
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
0x0000: 4500 00a1 0d72 0000 0111 b0fe 0a00 00e2 E....r..........
0x0010: efff fffa e6fb 076c 008d 6fa6 4d2d 5345 .......l..o.M-SE
0x0020: 4152 4348 202a 2048 5454 502f 312e 310d ARCH.*.HTTP/1.1.
0x0030: 0a48 6f73 743a 3233 392e 3235 352e 3235 .Host:239.255.25
0x0040: 352e 3235 303a 3139 3030 0d0a 5.250:1900..
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
0x0000: 4500 02ac 5507 0000 0111 6753 0a00 00ed E...U.....gS....
0x0010: efff fffa e602 0e76 0298 5568 3c3f 786d .......v..Uh<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
09:26:13.642960 IP6 (hlim 1, next-header UDP (17) payload length: 664) fe80::b8a2:bd0:4e0b:1bb5.58883 > ff02::c.3702: UDP, length 656
0x0000: 6000 0000 0298 1101 fe80 0000 0000 0000 `...............
0x0010: b8a2 0bd0 4e0b 1bb5 ff02 0000 0000 0000 ....N...........
0x0020: 0000 0000 0000 000c e603 0e76 0298 248c ...........v..$.
0x0030: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml.version="
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
0x0000: 4500 02ac 5507 0000 0111 6753 0a00 00ed E...U.....gS....
0x0010: efff fffa e602 0e76 0298 5568 3c3f 786d .......v..Uh<?xm
0x0020: 6c20 7665 7273 696f 6e3d 2231 2e30 2220 l.version="1.0".
0x0030: 656e 636f 6469 6e67 3d22 7574 662d 3822 encoding="utf-8"
0x0040: 3f3e 3c73 6f61 703a 456e 7665 ?><soap:Enve
The result must be:
ttl 64 - 1 time
ttl 128 - 1 time
ttl 1 - 3 times
I think this would be exactly the same as your expected output.
grep -ioP 'ttl \d+' file|awk '{a[$0]++}END{for(x in a)print x" - "a[x]" times"}'
output would be:
ttl 1 - 3 times
ttl 64 - 1 times
ttl 128 - 1 times
Well, not exactly the same, since I didn't check time and times.. do you really need it? It could be done easily..
EDIT
As OP asks, output time/times depends on the count:
grep -ioP 'ttl \d+' file|awk '{a[$0]++}END{for(x in a)print x" - "a[x]" time"(a[x]>1?"s":"")}'
output:
ttl 1 - 3 times
ttl 64 - 1 time
ttl 128 - 1 time
It's a bit long and I'm sure it can be refactored quite a lot, but it works if you don't/can't have perl installed:
grep ttl captureFile.txt | awk '{print $5,$6}' | sed 's/,//' | sort | uniq -c | awk '{print $2,$3,"-",$1,"times"}'
Two approaches:
If you have perl,
perl -ne '/ttl (\d+),/ and $TTL{$1}++;
END { for my $ttl (keys %TTL) { print "* ttl $ttl - $TTL{$ttl} time\n" } }' captureFile.txt
Should do it. But I think uniq -c may also work with grep...
egrep -o 'ttl ([0-9]+)' captureFile.txt | sort | uniq -c
And to get the exact output format you asked for, just add this after uniq -c
| awk '{print "* ttl "$3" - "$1" time"}'
grep "ttl [0-9]*" captureFile.txt -o
Would get only the relevant parts of the text file.
grep "ttl [0-9]*" captureFile.txt -o |
awk 'NF{ count[ toupper( $0 ) ]++}
END{ for ( name in count ) { print "*" name " - " count[ name ] " times"
};
}'
Would get the formatting you wanted.
Simple awk script:
$ awk -F, '/ttl/{sub(/^ /,"",$2);u[$2]++}END{for(k in u)print k" - "u[k]" time"(u[k]>1?"s":"")}' captureFile.txt
ttl 128 - 1 time
ttl 64 - 1 time
ttl 1 - 3 times
No need to waste a subprocess.
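The pipelines above all work on the text of tcpdump's header line. The same approach in Python, as an added example that is not from any of the answers, serves both the earlier question that wanted the src > dst endpoints of every packet with ttl 128 and this one that wanted a count per value of a header field. It keeps the header fields as a dictionary, so any field tcpdump prints inside the parentheses (tos, ttl, id, offset, flags, proto, length) can be filtered or counted, and it skips IPv6, ARP and hex-dump lines rather than mis-parsing them. The two sample captures are copied from the questions, trimmed to the lines that matter; the function names are my own.

```python
import re
from collections import Counter

# "<timestamp> IP (tos 0x0, ttl 128, id 2394, ..., length 125)" -> the comma-separated field list
HEADER_LINE = re.compile(r"^\S+ IP \((?P<fields>.*)\)\s*$")
# the continuation line "    10.0.0.131.58363 > 239.255.255.250.1900: UDP, length 97"
ENDPOINT_LINE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+):")

# Constructed sample input: the first question's capture (one hex line kept per packet).
CAPTURE_TTL_FILTER = """\
15:29:18.164566 IP (tos 0x0, ttl 1, id 2394, offset 0, flags [none], proto UDP (17), length 125)
    10.0.0.155.58363 > 239.255.255.254.1900: UDP, length 97
        0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
15:29:18.164566 IP (tos 0x0, ttl 128, id 2394, offset 0, flags [none], proto UDP (17), length 125)
    10.0.0.131.58363 > 239.255.255.250.1900: UDP, length 97
        0x0000: 4600 0024 0000 0000 0102 3ad3 0a00 0000 F..$......:.....
15:29:18.164566 IP (tos 0x0, ttl 64, id 2394, offset 0, flags [none], proto UDP (17), length 125)
    10.0.0.147.58363 > 239.255.255.255.1900: UDP, length 97
"""

# Constructed sample input: the header and endpoint lines of the last question's capture.
CAPTURE_TTL_COUNT = """\
09:26:13.245546 IP (tos 0x0, ttl 1, id 3439, offset 0, flags [none], proto UDP (17), length 1018)
    10.0.0.226.58935 > 239.255.255.250.3702: UDP, length 990
        0x0000: 4500 03fa 0d6f 0000 0111 ada8 0a00 00e2 E....o..........
09:26:13.339173 IP6 (hlim 1, next-header UDP (17) payload length: 998) fe80::21e9:f54b:9ae7:6383.58936 > ff02::c.3702: UDP, length 990
09:26:13.407313 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.3.118 tell 10.0.1.215, length 46
09:26:13.525954 IP (tos 0x0, ttl 128, id 3441, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
09:26:13.557002 IP (tos 0x0, ttl 1, id 3442, offset 0, flags [none], proto UDP (17), length 161)
    10.0.0.226.59131 > 239.255.255.250.1900: UDP, length 133
09:26:13.642734 IP (tos 0x0, ttl 1, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
09:26:13.642960 IP6 (hlim 1, next-header UDP (17) payload length: 664) fe80::b8a2:bd0:4e0b:1bb5.58883 > ff02::c.3702: UDP, length 656
09:26:13.642999 IP (tos 0x0, ttl 64, id 21767, offset 0, flags [none], proto UDP (17), length 684)
    10.0.0.237.58882 > 239.255.255.250.3702: UDP, length 656
"""


def parse_capture(text: str) -> list:
    """One dict per IPv4 packet: its header fields and, once seen, its src/dst endpoints."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_LINE.match(line)
        if m:
            fields = {}
            for item in m.group("fields").split(","):
                name, _, value = item.strip().partition(" ")   # "ttl 128" -> ("ttl", "128")
                if value:
                    fields[name] = value
            current = {"fields": fields, "src": None, "dst": None}
            packets.append(current)
            continue
        e = ENDPOINT_LINE.match(line)
        if e and current is not None and current["src"] is None:
            current["src"], current["dst"] = e.group("src"), e.group("dst")
    return packets


def endpoints_matching(packets: list, field: str, value: str) -> list:
    """'src > dst' for every packet whose header field has the given value (the first question)."""
    return [f"{p['src']} > {p['dst']}" for p in packets if p["fields"].get(field) == value]


def count_field_values(packets: list, field: str) -> Counter:
    """How often each value of a header field occurs (the last question)."""
    return Counter(p["fields"][field] for p in packets if field in p["fields"])


def format_counts(field: str, counts: Counter) -> list:
    return [f"{field} {value} - {n} time{'s' if n != 1 else ''}" for value, n in counts.most_common()]


if __name__ == "__main__":
    print(endpoints_matching(parse_capture(CAPTURE_TTL_FILTER), "ttl", "128"))
    counts = count_field_values(parse_capture(CAPTURE_TTL_COUNT), "ttl")
    print("\n".join(format_counts("ttl", counts)))
```

Running it prints the single ttl 128 endpoint pair from the first capture and the three ttl counts from the second, most frequent first; changing the field name to proto or length reuses the same parse.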