Here's what I use. It's two files: a small bash wrapper and an awk script that reformats the iptables LOG lines from /var/log/messages.

- Bob Glover

################ Start of packetlog
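#!/bin/bash
#
# packetlog - print a one-line summary of each iptables LOG entry in the
# system log.
#
# Usage: packetlog [logfile]        (default: /var/log/messages)
#
# packetlog.awk is located relative to this script and run through
# `awk -f`, so neither file's directory has to be on $PATH (in particular
# "." never needs adding to PATH) and packetlog.awk needs no execute bit
# or fixed awk location.  Reading /var/log/messages normally requires
# root or membership in the log group; nothing here needs more than read
# access to that file.
set -euo pipefail

script_dir=$(cd -- "$(dirname -- "$0")" && pwd) || exit 1
logfile=${1:-/var/log/messages}

# Fail early with a clear message instead of a bare "Permission denied"
# from the redirection below.
if [[ ! -r "$logfile" ]]; then
  printf 'packetlog: cannot read %s\n' "$logfile" >&2
  exit 1
fi

# Feed the log on stdin (as the original did) rather than as an awk
# operand, so a log name containing '=' is never parsed as an assignment.
awk -f "$script_dir/packetlog.awk" < "$logfile"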
################ End of packetlog

################ Start of packetlog.awk
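#!/bin/awk -f
#
# packetlog.awk - reduce iptables/netfilter LOG-target lines from a syslog
# file (read on stdin) to one fixed-width summary line per packet.
#
# Output for an inbound packet (IN= set, OUT= empty):
#   <timestamp> <in-iface> <proto[:flags]> <dst> <dport> <-- <sport> <src>
# Output for any other packet (OUT= set, or both set for a forwarded one):
#   <timestamp> <out-iface> <proto[:flags]> <src> <sport> --> <dport> <dst>
# TCP flags are abbreviated to a/f/p/r/s/u in the order they appear.
#
# NOTE(review): the timestamp is simply fields 1-3 of the line, i.e. the
# traditional "Mon DD HH:MM:SS" syslog prefix.  A log with RFC 3339
# timestamps or journalctl output will split differently - verify first.
# NOTE(review): lines are selected by content only.  Anyone who can write
# to syslog (e.g. with logger(1)) can forge a line that matches the
# pattern below, so do not treat this summary as authoritative packet
# evidence on its own.

BEGIN {
  # one-letter abbreviation for each TCP flag keyword
  FLAG["ACK"] = "a"; FLAG["FIN"] = "f"; FLAG["PSH"] = "p"
  FLAG["RST"] = "r"; FLAG["SYN"] = "s"; FLAG["URG"] = "u"
}

# Parse one LOG line and return its one-line summary.
#
# All parsed state is local to the call and rebuilt from scratch, so a
# field that is absent from this record (SPT/DPT on ICMP, MAC on outbound
# packets, OUT= on inbound ones) can never inherit the value parsed from
# the previous line - the earlier version kept these in globals and did
# exactly that, attributing stale ports and interfaces to later packets.
# KEY=value tokens are recognised only at the start of a field, so e.g.
# PHYSIN=/PHYSOUT= on a bridge are no longer mistaken for IN=/OUT=.
# Parsing stops at a field beginning "[SRC=", which (as far as the LOG
# format is understood here) opens the copy of the offending packet's
# header that an ICMP error carries; without this its SRC/DST/PROTO/LEN
# would overwrite the outer packet's.  A line without such a field is
# unaffected.
function format_entry(line,    f, nf, i, eq, v, flags, ts, iface,
                               srcdst, protoinfo)
{
  split("", v)              # make v an (empty) array, portably
  flags = ""
  nf = split(line, f, " ")
  ts = sprintf("%3s %2s %8s", f[1], f[2], f[3])

  for (i = 1; i <= nf; i++) {
    if (f[i] ~ /^\[SRC=/)
      break
    eq = index(f[i], "=")
    if (f[i] ~ /^[A-Z]+=./)             # KEY=value with a non-empty value
      v[substr(f[i], 1, eq - 1)] = substr(f[i], eq + 1)
    else if (f[i] in FLAG)              # bare TCP flag keyword
      flags = flags FLAG[f[i]]
  }

  # IN= only is an inbound packet.  Anything else (outbound, or forwarded
  # with both set) is shown from the OUT side, as before: OUT= follows
  # IN= on the line and used to win.
  if (v["IN"] != "" && v["OUT"] == "") {
    iface  = v["IN"]
    srcdst = sprintf("%11s  %5d <-- %-5d  %11s", v["DST"], v["DPT"], v["SPT"], v["SRC"])
  } else {
    iface  = v["OUT"]
    srcdst = v["SRC"] "  " v["SPT"] " --> " v["DPT"] "  " v["DST"]
  }

  if (v["PROTO"] == "TCP")
    protoinfo = sprintf("TCP:%-6s", flags)
  else
    protoinfo = sprintf("%-10s", v["PROTO"])

  return ts " " iface " " protoinfo srcdst
}

# Only lines carrying IN=, OUT=, MAC= and SRC= in that order after
# "kernel:" are summarised; everything else in the log is ignored.
/kernel:.* IN=.* OUT=.* MAC=.* SRC=/ { print format_entry($0) }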
########### End of packetlog.awk


