OdinsDream Veteran
Joined: 01 Jun 2002 Posts: 1057
Posted: Tue Apr 22, 2003 4:25 am Post subject: Bizarre experience with awk - doesn't work with pipes....
I'm attempting to pass the output of a tethereal session through awk to tease out fields I'm interested in. This works:
$ tethereal options > packets_captured
$ awk '{print $2}' packets_captured
It prints out the information I need. However, I need to be doing this as the packets are captured and displayed, so I tried what seems equivalent:
$ tethereal options | awk '{print $2}'
This just prints "Capturing on eth0", and nothing. I've verified that information is flowing, but it just doesn't seem to pass through awk.
What am I doing wrong here?
_________________
s/(?<!gnu\/)linux(?! kernel)/GNU\/Linux/gi
Don't blame me. I didn't vote for him.
http://john.simplykiwi.com
seang Tux's lil' helper
Joined: 18 Jun 2002 Posts: 88 Location: France
Posted: Tue Apr 22, 2003 6:19 am Post subject:
To utter those immortal (and not overly helpful...) words: it works for me!
The only thing I can think of: what tethereal options do you use? I tried it with none at all.
OdinsDream Veteran
Joined: 01 Jun 2002 Posts: 1057
Posted: Wed Apr 23, 2003 4:10 pm Post subject:
seang wrote: | To utter those immortal (and not overly helpful...) words: it works for me!
The only thing I can think of: what tethereal options do you use? I tried it with none at all. |
Code: |
tethereal -i eth0 -R "aim.fnac.family == 4 && (aim.fnac.subtype == 6 || aim.fnac.subtype == 7)" "tcp port 5190" | awk -F"AIM Message " '{print $2}'
|
In theory should split the output, like:
Code: |
Capturing on eth0
10.469012 155.47.25.94 -> 205.188.8.48 AIM Message to: Screenname -> hi
|
based on the field separator: "AIM Message ", so the 2nd half of this would end up being:
Code: |
to: Screenname -> hi
|
Which, it should print....
seang Tux's lil' helper
Joined: 18 Jun 2002 Posts: 88 Location: France
Posted: Fri Apr 25, 2003 6:30 am Post subject:
You've got me interested!! I tried a simpler version of a filter as:
Code: | tethereal -i eth0 "tcp port 80" |
which of course spits out the web traffic.
I then feed that through awk with:
Code: | tethereal -i eth0 "tcp port 80" |awk -F"HTTP GET " '{print $2}' |
and get what I (and you!) would expect, e.g.:
Code: | /us.yimg.com/i/my/top7.gif HTTP/1.1
/us.yimg.com/i/spacer.gif HTTP/1.1
/eur.yimg.com/i//de/icon/m/nws.gif HTTP/1.1
|
Your filter is of course fancier, but I assume that it works fine, so what's up here? Well frankly, I can't see. But one additional thought springs to mind: you know your filter works, and you know the awk expression works - how about a failsafe check that guarantees that when you run the two together you are indeed getting matches on the filter? I'm just speculating wildly that maybe during the tests nothing matches? So something like:
Code: | tethereal -i eth0 -R "aim.fnac.family == 4 && (aim.fnac.subtype == 6 || aim.fnac.subtype == 7)" "tcp port 5190" | tee full.log | awk -F"AIM Message " '{print $2}' |
and then check full.log to be certain that during that run you did have correct data?
I admit this is a pretty thin suggestion, but it's all I can think of! I'd love to know what the solution is to this.
OdinsDream Veteran
Joined: 01 Jun 2002 Posts: 1057
Posted: Fri Apr 25, 2003 11:50 pm Post subject:
Apparently the -R option, which specifies the display filters to use, affects the use of awk.
If I omit this part of my command, I get the expected output.
Code: |
tethereal -i eth0 "tcp port 5190" | awk -F"AIM Message " '{print $2}'
|
This does work, but I also get tons of whitespace, which is happening when other AIM data flows through awk, besides simply the conversations. How can I filter this out?
seang Tux's lil' helper
Joined: 18 Jun 2002 Posts: 88 Location: France
Posted: Mon Apr 28, 2003 7:56 am Post subject:
Now that one I know (although it may not be the most awk'ly elegant way to do it):
Change your Quote: | tethereal -i eth0 "tcp port 5190" | awk -F"AIM Message " '{print $2}' |
to (say)
Quote: | tethereal -i eth0 "tcp port 5190" | awk -F"AIM Message " '/AIM Message/ {print $2}' |
i.e. add in the match via /AIM Message/
Sean |
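The blank lines and the `/AIM Message/` fix from the last two posts, replayed on constructed sample lines (an added example, not code from either poster; the `NF > 1` variant, the function names and the sample lines are assumptions):

```shell
#!/bin/sh
# Constructed sample of tethereal-style summary lines (not real capture data).
sample_capture() {
cat <<'EOF'
Capturing on eth0
10.469012 155.47.25.94 -> 205.188.8.48 AIM Message to: Screenname -> hi
10.512300 205.188.8.48 -> 155.47.25.94 AIM Keep Alive
11.002119 205.188.8.48 -> 155.47.25.94 AIM Message from: Screenname -> hello
11.400871 155.47.25.94 -> 205.188.8.48 TCP 32801 > 5190 [ACK]
12.250004 205.188.8.48 -> 155.47.25.94 AIM Message:ack
EOF
}

# awk stage from the original command: one output line per input line,
# and $2 is empty whenever the separator "AIM Message " never occurs.
split_unguarded() { awk -F"AIM Message " '{print $2}'; }

# Fix given in the thread: only act on lines that contain the phrase.
split_guarded() { awk -F"AIM Message " '/AIM Message/ {print $2}'; }

# Variant (assumption, not from the thread): require that the separator
# actually split the line, which also drops the last constructed line,
# where the phrase appears without the trailing space.
split_by_fields() { awk -F"AIM Message " 'NF > 1 {print $2}'; }

# Count empty lines on stdin; always prints a number and exits 0.
count_blank() { awk 'length($0) == 0 {n++} END {print n + 0}'; }

# Report how many blank lines each stage emits for the same input.
for stage in split_unguarded split_guarded split_by_fields; do
    printf '%s: %s blank line(s)\n' "$stage" \
        "$(sample_capture | "$stage" | count_blank)"
done
```

The pattern guard and the field separator are matched independently, so a line can pass the guard and still have an empty `$2`; testing `NF` ties the print to the split itself.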