[Nolug] help with grep

From: Robert Cochran <rcochran_at_archdiocese-no.org>
Date: Mon, 15 Sep 2003 13:04:11 -0500
Message-ID: <PAEBKKDOMNLHAELLLDMJMEHACOAA.rcochran@archdiocese-no.org>

Good afternoon All,

We have some log files that we need to delete the multiple instances of a
violation. We run

grep -i "brod" 091503 > 091503grep (091503 is a tcpdump file)

This gets rid of all the connections we are not looking for. But now we want
to narrow it down to just one instance. Thanks in advance. Below is a
snippet of the log:

11:06:17.140625 10.6.51.3.1084 > 10.1.1.3.53: 6652 A? www.brodcast.net. (34) (ttl 125, id 16352)
11:06:17.312500 10.6.51.3.1084 > 10.1.1.3.53: 10888 A? www.brodcast.net. (34) (ttl 125, id 16514)
11:06:17.375000 10.1.94.128.2475 > 10.1.1.3.53: 25125+ A? www.brodcast.net. (34) (ttl 126, id 53608)
11:06:17.375000 10.1.194.56.4405 > 10.1.1.3.53: 19275+ A? www.brodcast.net. (34) (ttl 126, id 43340)
11:06:17.390625 10.1.91.254.1159 > 10.1.1.3.53: 7481+ A? www.brodcast.net. (34) (ttl 126, id 22569)
11:06:17.406250 10.5.108.64.1846 > 10.1.1.3.53: 38213+ A? www.brodcast.net. (34) (ttl 125, id 16326)
11:06:17.796875 205.152.138.34.53 > 207.77.64.2.53: 10433 A? www.brodcast.net. (34) (ttl 128, id 11429)
11:06:17.796875 10.1.201.122.3227 > 10.1.1.3.53: 30035+ A? www.brodcast.net. (34) (ttl 126, id 37750)
11:06:17.859375 207.77.64.2.53 > 205.152.138.34.53: 10433* q: www.brodcast.net. 1/2/2 www.brodcast.net. A 127.0.0.1 (132) (DF) (ttl 242, id 40318)
11:06:17.859375 10.1.1.3.53 > 10.1.201.122.3227: 30035* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11582)
11:06:17.859375 10.1.1.3.53 > 10.1.190.100.1034: 5870* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11583)
11:06:17.859375 10.1.1.3.53 > 10.5.108.64.1846: 38213* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11584)
11:06:17.859375 10.1.1.3.53 > 10.1.91.254.1159: 7481* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11585)
11:06:17.859375 10.1.1.3.53 > 10.1.94.128.2475: 25125* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11586)
11:06:17.859375 10.1.1.3.53 > 10.1.194.56.4405: 19275* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11587)
11:06:17.859375 10.1.1.3.53 > 10.6.51.3.1084: 10888* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11588)

You can see what we want to do with the first 2 lines.

Regards,
Robert Cochran

___________________
Nolug mailing list
nolug@nolug.org
Received on 09/15/03
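
One way to reduce such a capture to a single line per querying host, as an added example that is not part of the original post. It assumes the tcpdump text has one packet per line and that "one instance" means the first matching DNS query from each client IP; the function names are hypothetical, and the sample lines are taken from the snippet above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes one packet per line,
# laid out as in the snippet: time, src.port, ">", dst.port:, id, qtype?, name.

# Emit "client_ip<TAB>original line" for each DNS query whose name contains $1.
matching_queries() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        $3 == ">" {
            for (i = 5; i < NF; i++)
                if ($i ~ /^[A-Za-z0-9]+\?$/) {       # query type token: A?, MX?, ...
                    if (index(tolower($(i + 1)), pat)) {
                        src = $2
                        sub(/\.[0-9]+$/, "", src)    # drop the source port
                        print src "\t" $0
                    }
                    break                            # responses never get here
                }
        }'
}

# Keep only the first matching query line from each client IP.
first_query_per_client() {
    matching_queries "$1" | awk -F '\t' '!seen[$1]++ { print $2 }'
}

# "count ip" per client, busiest first, to see how often each host asked.
queries_per_client() {
    matching_queries "$1" | cut -f1 | sort | uniq -c |
        awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Sample input: five lines from the post, one packet per line.
sample_log() {
    cat <<'EOF'
11:06:17.140625 10.6.51.3.1084 > 10.1.1.3.53: 6652 A? www.brodcast.net. (34) (ttl 125, id 16352)
11:06:17.312500 10.6.51.3.1084 > 10.1.1.3.53: 10888 A? www.brodcast.net. (34) (ttl 125, id 16514)
11:06:17.375000 10.1.94.128.2475 > 10.1.1.3.53: 25125+ A? www.brodcast.net. (34) (ttl 126, id 53608)
11:06:17.859375 10.1.1.3.53 > 10.1.94.128.2475: 25125* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11586)
11:06:17.859375 10.1.1.3.53 > 10.6.51.3.1084: 10888* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11588)
EOF
}

sample_log | first_query_per_client brod
```

Against the real file the call would be `first_query_per_client brod < 091503 > 091503grep`, which replaces the separate grep step because the name match is already case-insensitive.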