RE: [Nolug] help with grep

From: Robert Cochran <rcochran_at_archdiocese-no.org>
Date: Mon, 15 Sep 2003 13:44:48 -0500
Message-ID: <PAEBKKDOMNLHAELLLDMJEEHGCOAA.rcochran@archdiocese-no.org>

Thanks Brett,

This is the output I was looking for; I just want one instance of an IP
address. The file is 30MB and, as you can see from the log, the queries are
pounding on the firewall. What I want to be able to do is have a file with
just a list of individual violations and not spend all day skimming through
the log files.

11:06:17.312500 10.6.51.3.1084 > 10.1.1.3.53: 10888 A? www.brodcast.net. (34) (ttl 125, id 16514)
11:06:17.375000 10.1.94.128.2475 > 10.1.1.3.53: 25125+ A? www.brodcast.net. (34) (ttl 126, id 53608)
11:06:17.375000 10.1.194.56.4405 > 10.1.1.3.53: 19275+ A? www.brodcast.net. (34) (ttl 126, id 43340)
11:06:17.390625 10.1.91.254.1159 > 10.1.1.3.53: 7481+ A? www.brodcast.net. (34) (ttl 126, id 22569)
11:06:17.406250 10.5.108.64.1846 > 10.1.1.3.53: 38213+ A? www.brodcast.net. (34) (ttl 125, id 16326)
11:06:17.796875 205.152.138.34.53 > 207.77.64.2.53: 10433 A? www.brodcast.net. (34) (ttl 128, id 11429)
11:06:17.796875 10.1.201.122.3227 > 10.1.1.3.53: 30035+ A? www.brodcast.net. (34) (ttl 126, id 37750)
11:06:17.859375 10.1.1.3.53 > 10.1.190.100.1034: 5870* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11583)

Thanks
Robert Cochran
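An added example (not code from the thread) that does what Robert describes: keep the `grep -i "brod"` filter, but emit only the first query line seen from each source host, so a client that repeats the lookup hundreds of times appears once in the report. The sample log is constructed in the same tcpdump text format as the thread's excerpt; field positions and the IPv4 "a.b.c.d.port" source format are assumptions.

```shell
#!/bin/sh
# Constructed sample in the thread's tcpdump format (timestamps, ports and
# ids are made up); the last line is the resolver's answer, not a client query.
SAMPLE='11:06:17.140625 10.6.51.3.1084 > 10.1.1.3.53: 6652 A? www.brodcast.net. (34) (ttl 125, id 16352)
11:06:17.312500 10.6.51.3.1084 > 10.1.1.3.53: 10888 A? www.brodcast.net. (34) (ttl 125, id 16514)
11:06:17.375000 10.1.94.128.2475 > 10.1.1.3.53: 25125+ A? www.brodcast.net. (34) (ttl 126, id 53608)
11:06:17.500000 10.6.51.3.1099 > 10.1.1.3.53: 7000+ A? www.example.com. (34) (ttl 125, id 16600)
11:06:17.859375 10.1.1.3.53 > 10.6.51.3.1084: 10888* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11588)'

# first_per_ip PATTERN
# Reads tcpdump text on stdin and prints the first matching *query* line from
# each source host.  Assumes field 2 is an IPv4 source written "a.b.c.d.port".
first_per_ip() {
  grep -i -- "$1" | awk '
    # Keep client queries ("A?" in field 6); drop the resolver replies ("q:"),
    # otherwise the DNS server itself would be listed as a violator.
    $6 != "A?" { next }
    # Strip the trailing ".port" so different source ports from one host
    # count as the same host.
    { src = $2; sub(/\.[0-9]+$/, "", src) }
    # Classic awk idiom: the expression is true only the first time src is seen.
    !seen[src]++
  '
}

# violators PATTERN: same pass, reduced to the bare host list for the report.
violators() {
  first_per_ip "$1" | awk '{ src = $2; sub(/\.[0-9]+$/, "", src); print src }'
}

# On the real 30MB capture:  first_per_ip brod < 091503 > 091503.violations
printf '%s\n' "$SAMPLE" | first_per_ip brod
```

`sort -u` on the host list would do the same job but loses the original order; the awk idiom keeps the first timestamp each host was seen, which is usually what an incident timeline wants.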

-----Original Message-----
From: owner-nolug@joeykelly.net [mailto:owner-nolug@joeykelly.net] On Behalf Of Brett D. Estrade
Sent: Monday, September 15, 2003 1:13 PM
To: nolug@joeykelly.net
Subject: Re: [Nolug] help with grep

I am not sure I understand, but here is a try:

grep -i "brod" 091503 | head -n 1 > 091503grep.1line

Brett

On Mon, 15 Sep 2003 13:04:11 -0500, "Robert Cochran"
<rcochran@archdiocese-no.org> said:
> Good afternoon All,
>
> We have some log files that we need to delete the multiple instances of a
> violation. We run
> grep -i "brod" 091503 > 091503grep (091503 is a tcpdump file)
> this gets rid of all the connections we are not looking for. But now we
> want
> to narrow it down to just one instance. Thanks in advance. Below is a
> snippet of the log:
>
> 11:06:17.140625 10.6.51.3.1084 > 10.1.1.3.53: 6652 A? www.brodcast.net. (34) (ttl 125, id 16352)
> 11:06:17.312500 10.6.51.3.1084 > 10.1.1.3.53: 10888 A? www.brodcast.net. (34) (ttl 125, id 16514)
> 11:06:17.375000 10.1.94.128.2475 > 10.1.1.3.53: 25125+ A? www.brodcast.net. (34) (ttl 126, id 53608)
> 11:06:17.375000 10.1.194.56.4405 > 10.1.1.3.53: 19275+ A? www.brodcast.net. (34) (ttl 126, id 43340)
> 11:06:17.390625 10.1.91.254.1159 > 10.1.1.3.53: 7481+ A? www.brodcast.net. (34) (ttl 126, id 22569)
> 11:06:17.406250 10.5.108.64.1846 > 10.1.1.3.53: 38213+ A? www.brodcast.net. (34) (ttl 125, id 16326)
> 11:06:17.796875 205.152.138.34.53 > 207.77.64.2.53: 10433 A? www.brodcast.net. (34) (ttl 128, id 11429)
> 11:06:17.796875 10.1.201.122.3227 > 10.1.1.3.53: 30035+ A? www.brodcast.net. (34) (ttl 126, id 37750)
> 11:06:17.859375 207.77.64.2.53 > 205.152.138.34.53: 10433* q: www.brodcast.net. 1/2/2 www.brodcast.net. A 127.0.0.1 (132) (DF) (ttl 242, id 40318)
> 11:06:17.859375 10.1.1.3.53 > 10.1.201.122.3227: 30035* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11582)
> 11:06:17.859375 10.1.1.3.53 > 10.1.190.100.1034: 5870* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11583)
> 11:06:17.859375 10.1.1.3.53 > 10.5.108.64.1846: 38213* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11584)
> 11:06:17.859375 10.1.1.3.53 > 10.1.91.254.1159: 7481* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11585)
> 11:06:17.859375 10.1.1.3.53 > 10.1.94.128.2475: 25125* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11586)
> 11:06:17.859375 10.1.1.3.53 > 10.1.194.56.4405: 19275* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11587)
> 11:06:17.859375 10.1.1.3.53 > 10.6.51.3.1084: 10888* q: www.brodcast.net. 0/0/0 (34) (ttl 128, id 11588)
>
> You can see what we want to do with the first 2 lines.
> Regards,
> Robert Cochran
>
> ___________________
> Nolug mailing list
> nolug@nolug.org
=====
http://www.brettsbsd.net/~estrabd



Received on 09/15/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST