Bash to Check Packet Captures (Again)
To expand on the previous example a little: if you need to search more specifically, say for packets to or from one IP address within a certain time frame, do it in two steps.
1. Put your file names into a file:
Here's the output of ls -lah:
-rw-r--r--. 1 root root 573M Oct 15 07:42 external3.1350301240
Our file name is in the ninth field (awk splits on runs of whitespace by default).
So we list the files, grep for a date, pipe the output into awk, telling it to print the ninth field to stdout, and redirect that to a file called "list":
ls -lah | grep 'Oct 15' | awk '{print $9}' > list
Two caveats: 'Oct 15' matches that day in any year (ls shows the year instead of the time for files older than about six months, and the pattern still matches), and because awk only prints the ninth field, a file name containing spaces is cut off. That is fine for capture files named like the one above, but check the contents of "list" before using it.
2. Use this list of files to search for an IP address and write the matching packets out to new pcap files:
for i in $( cat list ); do tcpdump -nn -r "$i" -s0 'host 10.10.10.1' -w "interesting_events.$i.pcap"; done
Each input file gets its own output file on purpose: -w truncates the file it writes, so a single output name shared by every pass through the loop would be overwritten each time and only keep the matches from the last file. Merge the per-file results afterwards with mergecap (shipped with Wireshark), which keeps the packet timestamps intact. With -w, tcpdump writes raw packets and prints nothing, so the -vve and -X flags add nothing here and are left out.
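The same two-step procedure as a pair of shell functions, written as an added example and not taken from the original post. It replaces the ls/grep/awk date filter with find and two reference files, so file names with spaces and a file that happens to be called "Oct 15" are handled correctly, and it writes one output per input before merging. The function names, the /var/captures path in the usage comment, and the reliance on mergecap for the merge are assumptions; the file names in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: list_captures,
# extract_host, and mergecap (from Wireshark) for the final merge.

# list_captures DIR YYYYMMDD
# Print, one per line and in a stable order, the regular files directly inside
# DIR whose modification time falls on the given day. The day is bounded by two
# reference files and POSIX find -newer, so nothing parses ls output: names with
# spaces survive, and a file named "Oct 15" cannot match by accident. A file
# stamped exactly at midnight is excluded by -newer; acceptable for captures.
list_captures() {
    dir=$1
    day=$2
    ref=$(mktemp -d) || return 1
    touch -t "${day}0000.00" "$ref/start"   # 00:00:00 of the day
    touch -t "${day}2359.59" "$ref/end"     # 23:59:59 of the day
    find "$dir" -maxdepth 1 -type f -newer "$ref/start" ! -newer "$ref/end" \
        | LC_ALL=C sort
    rm -rf "$ref"
}

# extract_host DIR YYYYMMDD HOST OUT.pcap
# Run tcpdump once per selected capture, keeping only packets to or from HOST,
# then merge the per-file results into OUT. One output per input is required:
# tcpdump -w truncates its output file, so one name shared by every pass would
# keep only the last file's matches. With -w nothing is printed, so -vve and -X
# would add nothing and are left out.
extract_host() {
    dir=$1
    day=$2
    host=$3
    out=$4
    tmp=$(mktemp -d) || return 1
    list_captures "$dir" "$day" | while IFS= read -r f; do
        tcpdump -nn -r "$f" -w "$tmp/$(basename "$f").pcap" "host $host" </dev/null
    done
    # mergecap merges pcap files and keeps packet timestamps in order; plain
    # concatenation would not work, since every pcap file carries its own header.
    mergecap -w "$out" "$tmp"/*.pcap
    rm -rf "$tmp"
}

# Usage (assumed capture directory and constructed day/host values):
#   list_captures /var/captures 20121015
#   extract_host /var/captures 20121015 10.10.10.1 interesting_events.pcap
```

The listing step needs only POSIX find, touch and sort; the extraction step needs tcpdump and mergecap on the path. Reading the file list with `while IFS= read -r` instead of `for i in $(cat list)` is what keeps a name with spaces as one argument.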