Hey folks,

I've got a tcpdump command running from a bash script. It looks something like this:

tcpdump -nttttAr /path/to/file -F /my/filter/file

The filter file has a combination of IP addresses and host names, i.e. host 111.111.111.111 or host 112.112.112.112 and not (host abc.com or host def.com or host zyx.com).

And it works great - as long as the host names are all valid. My problem is sometimes these hostnames will not be valid and upon encountering one - tcpdump spits out

tcpdump: Unknown Host

I thought with the -n option it would skip DNS lookup - but in any case I need it to ignore the unknown host and continue along the filter file.

Any ideas?

Thank you in advance.

A: 

The -n option prevents conversion of IP addresses into names, but not the other way around. If you supply a hostname as an argument, it has to be looked up to get the IP address since packets only contain the numeric address and not the hostname. However, there ought to be a way to ignore invalid hostnames, but I can't find one. Perhaps you could pre-process your filter file using dig.

dig +short non-existent-domain.com    # returns null
dig +short google.com                 # returns multiple IP addresses

This could probably be better, but it should show you hostnames in your filter file that aren't valid:

grep -Po '(?<=host )[^ )]*' filterfile | grep -v '[0-9]$' | xargs -I % sh -c 'echo -n "% "; echo $(dig +short %)' | grep -v ' [0-9]'

Any hostnames it prints didn't have IP addresses returned by dig.

Dennis Williamson
I see what you're saying, write it out to check the domain names prior to running the filter.
Chasester
Here's something interesting - I've got it looping through the file - digging, and writing the good ones to a new file. And then using that to tcpdump with. It still pops host errors at times.
Chasester
@Chasester: I would attribute that to network or system errors that have many opportunities to crop up during internet communication. You just have to have retries in your code.
Dennis Williamson
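
The approach worked out above (resolve every hostname before tcpdump sees the filter, and retry transient failures), as an added example that is not code from the thread. It goes one step further and writes the resolved addresses into the filter, so tcpdump does no lookup of its own; `pin_filter`, `RESOLVER`, `RETRIES`, `RETRY_DELAY` and the RFC 5737 placeholder used for unresolvable names are choices made for this example, and only IPv4 `host NAME` terms are handled.

```sh
#!/bin/sh
# Added example: rewrite a tcpdump filter so every "host NAME" becomes numeric.
RESOLVER=${RESOLVER:-resolve_with_dig}  # command or function: NAME -> IPs, one per line
RETRIES=${RETRIES:-3}                   # lookup attempts per name
PLACEHOLDER=192.0.2.1                   # RFC 5737 documentation address; assumed absent from real traffic

resolve_with_dig() {                    # name is passed as one quoted argument; CNAME lines are dropped
    dig +short "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Print the IPs for $1, retrying on empty or failed lookups; fail if none.
resolve_retry() (
    try=1
    while [ "$try" -le "$RETRIES" ]; do
        ips=$("$RESOLVER" "$1") || ips=""
        [ -n "$ips" ] && { printf '%s\n' "$ips"; exit 0; }
        try=$((try + 1))
        [ "$try" -le "$RETRIES" ] && sleep "${RETRY_DELAY:-1}"
    done
    exit 1
)

# Filter expression on stdin -> pinned expression on stdout, warnings on stderr.
pin_filter() {
    tr -s '[:space:]' '\n' | {
        out="" prev=""
        while IFS= read -r word || [ -n "$word" ]; do
            [ -n "$word" ] || continue
            name=${word%%\)*}; tail=${word#"$name"}   # "zyx.com)" -> "zyx.com" + ")"
            if [ "${prev##*\(}" = host ]; then        # previous word was "host" or "(host"
                case $name in *[!0-9.]*)              # not already numeric
                    if ips=$(resolve_retry "$name" </dev/null); then
                        joined=$(echo $ips | sed 's/ / or /g')
                        case $joined in *' or '*) joined="($joined)" ;; esac
                        word=$joined$tail
                    else
                        echo "unresolved: $name -> $PLACEHOLDER" >&2
                        word=$PLACEHOLDER$tail
                    fi ;;
                esac
            fi
            out="${out:+$out }$word"; prev=$word
        done
        printf '%s\n' "$out"
    }
}
# Usage (output path is hypothetical):
#   pin_filter < /my/filter/file > /tmp/pinned && tcpdump -nttttAr /path/to/file -F /tmp/pinned
```

An unresolvable name keeps its place in the boolean expression as a term that matches nothing, so an exclusion list such as `not (host abc.com or host zyx.com)` keeps its meaning, and the stderr line records which names were skipped.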