tags:

views:

18

answers:

1
+1  Q: 

tcpdump - ignore unkown host error

Hey folks,

I've got a tcpdump command running from a bash script. looks something like this.

tcpdump -nttttAr /path/to/file -F /my/filter/file

The filter file has a combination of ip addresses and host names. i.e. host 111.111.111.111 or host 112.112.112.112 and not (host abc.com or host def.com or host zyx.com).

And it works great - as long as the host names are all valid. My problem is sometimes these hostnames will not be valid and upon encountering one - tcpdump spits out 

tcpdump: Unknown Host

I thought with the -n option it would skip dns lookup - but in anycase I need it to ignore the unknown host and continue along the filter file.

Any ideas?

Thank you in advance.

A: 

The -n option prevents conversion of IP addresses into names, but not the other way around. If you supply a hostname as an argument, it has to be looked up to get the IP address since packets only contain the numeric address and not the hostname. However, there ought to be a way to ignore invalid hostnames, but I can't find one. Perhaps you could pre-process your filter file using dig.

dig +short non-existent-domain.com    # returns null
dig +short google.com                 # returns multiple IP addresses

This could probably be better, but it should show you hostnames in your filter file that aren't valid:

grep -Po '(?<=host )[^ )]*' filterfile | grep -v '[0-9]$' | xargs -I % sh -c 'echo -n "% "; echo $(dig +short %)' | grep -v ' [0-9]'

Any hostnames it prints didn't have IP addresses returned by dig.

Dennis Williamson  2010-10-05 20:28:08
i see what you're saying, write it out to check the domain names prior to running the filter.
Chasester  2010-10-05 20:41:24
here's something interesting - I've got it looping through the file - digging, and writing the good ones to a new file. And then using that to tcpdump with. It still pops host error's at times.
Chasester  2010-10-11 23:46:21
@Chasester: I would attribute that to network or system errors that have many opportunities to crop up during internet communication. You just have to have retries in your code.
Dennis Williamson  2010-10-12 01:03:10

related questions

How do I make bash reverse-search work in Terminal.app without it displaying garbled output?
How to redirect all stderr in bash?
Getting ssh to execute a command in the background on target machine
How do you use ssh in a shell script?
Why doesn't **sort** sort the same on every machine?
Bash reg-exp substitution
RSync only if filesystem is mounted
Is there any way to prevent find from digging down recursively into subdirectories?
How can I set LANG to ascii?
Bash One Liner: copy template_*.txt to foo_*.txt?
Delete all but the most recent X files in bash
Bash Pipe Handling
Why doesn't **find** find anything?
Are there any tools to convert Markdown documents to HTML en masse?
generate a core dump in linux
How do I send a file as an email attachment using Linux command line?
Why shouldn't I "bet the future of the company" on shell scripts?
How do I generate ASCII codes 2 and 3 in a Bash command line?
How to resolve symbolic links in a shell script
showing a message box from a bash script in linux
How do you find the age of a long-running Linux process?
what's in your .bashrc ?
Shell scripting input redirection oddities
Calling Bash Commands From Ruby
What should a longtime Windows user know when starting to use Linux?