需要帮助从 bash 脚本格式化 Tshark 命令字符串
Need help formatting Tshark command string from bash script
我正在尝试 运行 多个并行实例到 tshark 以梳理目录中的大量 pcap 文件并将过滤后的内容复制到新文件。我正在 运行 遇到 Tshark 在我输入的命令上抛出错误的问题。
它一定与 tshark 解释命令字符串的方式有关,因为我可以将格式化的命令字符串复制/粘贴到控制台并且它 运行 很好。我试过用几种方法格式化命令,并阅读了其他有类似问题的人的帖子。我相信我的格式正确...但仍然出现错误。
这是我正在处理的内容:
脚本 #1:- 过滤器
#Takes user arguments <directory> and <filter> and runs a filter on all captures for a given directory.
#
#TO DO:
#Add user prompts and data sanitization to avoid running bogus job.
#Add concatenation via mergecap /w .pcap suffix
#Delete filtered, unmerged files
#Add mtime filter for x days of logs
starttime=$(date)
if [ = '']; then echo "no directory specified, you must specify a directory (VLAN)"
else if [ = '']; then echo "no filter specified, you must specify a valid tshark filter expression"
else
echo > /home/captures-user/filtered/filter-reference
find /home/captures-user/Captures/ -type f | xargs -P 5 -L 1 /home/captures-user/tshark-worker
rm /home/captures-user/filtered/filter-reference
fi
fi
echo Start time is $starttime
echo End time is $(date)
脚本 #2:- tshark-worker
# = path and file name
#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter=$(cat /home/captures-user/filtered/filter-reference)
#strips the directory off the current working file
file=$(sed 's/.*\///' <<< )
echo 'is the file to run' $filter 'on.'
#runs the filter and places the filtered results in the /filtered directory
command=$"tshark -r -Y '$filter' -w /home/captures-user/filtered/$file-filtered"
echo $command
$command
当我 运行 ./filter ICE 'ip.addr == 1.1.1.1'
我得到每个文件的以下输出。请注意,在过滤器表达式中包含 ==
不是问题,我已尝试替换 'or' 并获得相同的输出。此外,tshark 没有任何别名,也没有使用该名称的脚本。它是 /usr/sbin.
中的原始 tshark 可执行文件
输出:
/home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 is the file to run ip.addr == 1.1.1.1 on.
tshark -r /home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 -Y 'ip.addr == 1.1.1.1' -w /home/captures-user/filtered/ICE-2019-05-26_00:00:01-filtered
tshark: Display filters were specified both with "-d" and with additional command-line arguments.
正如我在评论中提到的,我认为这是引用问题以及由于过滤器中的空格(并且可能在文件名 and/or 路径中)导致命令的构造方式的问题。
您可以尝试将 tshark-worker
脚本更改为如下内容:
# = path and file name
#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter="$(cat /home/captures-user/filtered/filter-reference)"
#strips the directory off the current working file
file="$(sed 's/.*\///' <<< )"
echo 'is the file to run' $filter 'on.'
#runs the filter and places the filtered results in the /filtered directory
tshark -r "" -Y "${filter}" -w "${file}"-filtered
我正在尝试 运行 多个并行实例到 tshark 以梳理目录中的大量 pcap 文件并将过滤后的内容复制到新文件。我正在 运行 遇到 Tshark 在我输入的命令上抛出错误的问题。
它一定与 tshark 解释命令字符串的方式有关,因为我可以将格式化的命令字符串复制/粘贴到控制台并且它 运行 很好。我试过用几种方法格式化命令,并阅读了其他有类似问题的人的帖子。我相信我的格式正确...但仍然出现错误。
这是我正在处理的内容:
脚本 #1:- 过滤器
#Takes user arguments <directory> and <filter> and runs a filter on all captures for a given directory.
#
#TO DO:
#Add user prompts and data sanitization to avoid running bogus job.
#Add concatenation via mergecap /w .pcap suffix
#Delete filtered, unmerged files
#Add mtime filter for x days of logs
starttime=$(date)
if [ = '']; then echo "no directory specified, you must specify a directory (VLAN)"
else if [ = '']; then echo "no filter specified, you must specify a valid tshark filter expression"
else
echo > /home/captures-user/filtered/filter-reference
find /home/captures-user/Captures/ -type f | xargs -P 5 -L 1 /home/captures-user/tshark-worker
rm /home/captures-user/filtered/filter-reference
fi
fi
echo Start time is $starttime
echo End time is $(date)
脚本 #2:- tshark-worker
# = path and file name
#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter=$(cat /home/captures-user/filtered/filter-reference)
#strips the directory off the current working file
file=$(sed 's/.*\///' <<< )
echo 'is the file to run' $filter 'on.'
#runs the filter and places the filtered results in the /filtered directory
command=$"tshark -r -Y '$filter' -w /home/captures-user/filtered/$file-filtered"
echo $command
$command
当我 运行 ./filter ICE 'ip.addr == 1.1.1.1'
我得到每个文件的以下输出。请注意,在过滤器表达式中包含 ==
不是问题,我已尝试替换 'or' 并获得相同的输出。此外,tshark 没有任何别名,也没有使用该名称的脚本。它是 /usr/sbin.
输出:
/home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 is the file to run ip.addr == 1.1.1.1 on.
tshark -r /home/captures-user/Captures/ICE/ICE-2019-05-26_00:00:01 -Y 'ip.addr == 1.1.1.1' -w /home/captures-user/filtered/ICE-2019-05-26_00:00:01-filtered
tshark: Display filters were specified both with "-d" and with additional command-line arguments.
正如我在评论中提到的,我认为这是引用问题以及由于过滤器中的空格(并且可能在文件名 and/or 路径中)导致命令的构造方式的问题。
您可以尝试将 tshark-worker
脚本更改为如下内容:
# = path and file name
#takes the output from the 'filter' command stored in a file and loads a local variable with it
filter="$(cat /home/captures-user/filtered/filter-reference)"
#strips the directory off the current working file
file="$(sed 's/.*\///' <<< )"
echo 'is the file to run' $filter 'on.'
#runs the filter and places the filtered results in the /filtered directory
tshark -r "" -Y "${filter}" -w "${file}"-filtered