
The script parses conn.log to find the 4-tuple and then runs tcpdump to find the relevant packets.
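#! /usr/bin/env bash
#
# Searches the connection with UID $1 in conn.log, and then extracts
# it from trace file $2 into "<trace>.<uid>".
#
# Arguments: $1 - Zeek connection UID (the conn.log "uid" column)
#            $2 - pcap trace the connection was logged from
# Outputs:   the tcpdump filter and the output path (stdout);
#            diagnostics go to stderr
# Returns:   0 on success, 1 on a usage/lookup error or tcpdump failure

set -euo pipefail

# Print a diagnostic on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if (( $# != 2 )); then
  die "usage: ${0##*/} <uid> <trace>"
fi

uid=$1
trace=$2

# Zeek UIDs are alphanumeric; rejecting anything else keeps the uid from
# carrying unexpected characters into the awk match or the output filename.
[[ "$uid" =~ ^[[:alnum:]]+$ ]] || die "invalid uid: $uid"

[[ -e conn.log ]] || die "no conn.log found"
[[ -e "$trace" ]] || die "trace $trace not found"

# Build a BPF expression from the 4-tuple of the matching row (in the
# default conn.log column order: ts, uid, orig host, orig port, resp host,
# resp port). Only the first match is used: a second row would turn the
# filter into a multi-line, invalid expression. The uid is passed via -v
# and quoted so it is never word-split or globbed.
filter=$(awk -v uid="$uid" \
  '$2 == uid { printf("host %s and port %s and host %s and port %s\n", $3, $4, $5, $6); exit }' \
  <conn.log)

[[ -n "$filter" ]] || die "uid $uid not found in conn.log"

printf 'filter: %s\n' "$filter"

out=$trace.$uid

# Fail loudly if tcpdump cannot read the trace or write the output, instead
# of reporting success over a missing or truncated output file.
tcpdump -r "$trace" -w "$out" "$filter" || die "tcpdump failed for $trace"

printf 'connection in %s\n' "$out"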