
I'm new to Ubuntu.

I have this IP regex '\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}\b'. I have a network pcap file, and I want to use this regex with grep -e to find all IP addresses in the file.

I tried: egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' -f Ncapture.pcap

How can I use the grep command to find IPs in a network pcap file?

jobin
c_motti
  • Can you please post a small sample part of the pcap file? – jobin Dec 12 '13 at 11:23
  • Sure, here is a sample:
    ~/Downloads$ tcpdump -tttt -r Ncapture.pcap
    reading from file Ncapture.pcap, link-type EN10MB (Ethernet)
    2013-01-12 18:37:42.871346 ARP, Request who-has 192.168.0.12 tell 192.168.0.1, length 46
    2013-01-12 18:38:02.227995 IP 192.168.0.1.1901 > 239.255.255.250.1900: UDP, length 300
    2013-01-12 18:38:02.231699 IP 192.168.0.1.1901 > – c_motti Dec 12 '13 at 12:08
  • Please edit your question with the contents of the file. – jobin Dec 12 '13 at 12:09

1 Answer


Your egrep command works for me. To make grep -e work, just escape the control characters, and to make it print only the IPs, use the -o option for grep:

tcpdump -nr Ncapture.pcap | grep -oe '\(\(25[0-5]\|2[0-4][0-9]\|[01]\?[0-9][0-9]\?\)\(\.\|$\)\)\{4\}'

But as I see, this will print a dot at the end of the IP. If you don't like that, you have to add the last octet separately, i.e.:

tcpdump -nr Ncapture.pcap | grep -oe '\(\(25[0-5]\|2[0-4][0-9]\|[01]\?[0-9][0-9]\?\)\(\.\|$\)\)\{3\}\(25[0-5]\|2[0-4][0-9]\|[01]\?[0-9][0-9]\?\)'

To make it only print an IP once:

tcpdump -nr Ncapture.pcap | grep -oe '\(\(25[0-5]\|2[0-4][0-9]\|[01]\?[0-9][0-9]\?\)\(\.\|$\)\)\{3\}\(25[0-5]\|2[0-4][0-9]\|[01]\?[0-9][0-9]\?\)' | sort | uniq
falconer
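The same extraction written in extended-regex form (grep -E), as an added example that is not part of the question or the answer above. It assumes GNU grep (the default on Ubuntu, which understands \b), and because no capture file is available here, the tcpdump lines it runs over are constructed sample output in the format "tcpdump -nr file.pcap" prints; point the real pipeline at your pcap as shown in the final comment. Two practical points it bakes in: grep has to run on tcpdump's decoded text, not on the raw .pcap (a binary file), and the "-f Ncapture.pcap" in the question's attempt does something else entirely, since -f FILE tells grep to read its patterns from FILE.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes GNU grep (Ubuntu default). The sample lines are constructed to
# mimic "tcpdump -nr Ncapture.pcap" output so the script runs offline.

# Constructed sample of what tcpdump -n prints (no real capture needed).
sample_tcpdump_lines() {
    cat <<'EOF'
ARP, Request who-has 192.168.0.12 tell 192.168.0.1, length 46
IP 192.168.0.1.1901 > 239.255.255.250.1900: UDP, length 300
IP 10.0.0.7.443 > 192.168.0.12.51234: Flags [P.], seq 1:2, ack 3, length 1
IP 999.1.2.3 is not valid, and neither is 256.256.256.256
EOF
}

# One octet, 0-255 (ERE syntax, so no backslashes on the metacharacters).
OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'

# Print every dotted-quad IPv4 address found on stdin, one per line.
# The last octet is written separately so the trailing "." is not captured,
# and \b on both ends stops a match from starting or ending mid-number.
# tcpdump -n prints "addr.port", so 192.168.0.1.1901 must yield 192.168.0.1.
extract_ips() {
    grep -oE "\b($OCTET\.){3}$OCTET\b"
}

# Same, deduplicated. sort -u does what "sort | uniq" does in the answer;
# LC_ALL=C keeps the ordering byte-wise regardless of the user's locale.
unique_ips() {
    extract_ips | LC_ALL=C sort -u
}

# For a real capture:  tcpdump -nr Ncapture.pcap | unique_ips
sample_tcpdump_lines | unique_ips
```

The out-of-range values on the last sample line (999.1.2.3, 256.256.256.256) are deliberately present to show that the octet alternation rejects them rather than matching a digit-only pattern such as [0-9]{1,3}, which would accept both.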