请叫怎么处理/usr/sbin/tcpdump -i eth2 arp 的输出结果;

mii_tool

怎么写这个shell,处理/usr/sbin/tcpdump -i eth2 arp 的输出结果

例如:
要求执行30秒

之后比如输出结果为

14:56:46.002083 arp reply 192.168.1.95 is-at 00:07:e9:0a:83:1b (oui Unknown)
14:56:46.311967 arp who-has 192.168.0.7 tell 192.168.0.254
14:56:46.312061 arp reply 192.168.0.7 is-at 00:0b:2f:1b:1a:ae (oui Unknown)
14:56:46.339961 arp who-has 192.168.0.85 tell 192.168.0.254
14:56:46.340164 arp reply 192.168.0.85 is-at 00:07:e9:0a:3f:87 (oui Unknown)
14:56:46.429956 arp who-has 192.168.1.195 tell 192.168.0.254
14:56:46.430313 arp reply 192.168.1.195 is-at 00:07:e9:0a:82:c7 (oui Unknown)
14:56:46.664942 arp who-has 192.168.0.87 tell 192.168.0.254
14:56:46.864927 arp who-has 192.168.0.18 tell 192.168.0.254
14:56:46.865721 arp reply 192.168.0.18 is-at 00:0b:2f:1b:32:34 (oui Unknown)
14:56:46.920996 arp who-has 192.168.1.64 tell 192.168.0.57
14:56:47.663878 arp who-has 192.168.0.87 tell 192.168.0.254
14:56:48.094845 arp who-has 192.168.1.113 tell 192.168.0.254
14:56:48.095088 arp reply 192.168.1.113 is-at 00:07:e9:0a:82:f9 (oui Unknown)
14:56:48.143841 arp who-has 192.168.0.83 tell 192.168.0.254
14:56:48.144240 arp reply 192.168.0.83 is-at 00:07:e9:0a:6f:f1 (oui Unknown)
14:56:48.156792 arp who-has 192.168.1.64 tell 192.168.0.57
14:56:48.162838 arp who-has 192.168.0.202 tell 192.168.0.254
14:56:48.163418 arp reply 192.168.0.202 is-at 00:1b:24:9b:f8:b7 (oui Unknown)
14:56:48.281187 arp who-has 192.168.1.10 tell 192.168.0.252
14:56:48.281339 arp who-has 192.168.1.11 tell 192.168.0.252
14:56:48.285631 arp who-has 192.168.1.18 tell 192.168.0.252
14:56:48.286753 arp who-has 192.168.1.20 tell 192.168.0.252
14:56:48.287020 arp who-has 192.168.1.21 tell 192.168.0.252
14:56:48.288157 arp who-has 192.168.1.23 tell 192.168.0.252
14:56:48.288430 arp who-has 192.168.1.25 tell 192.168.0.252
14:56:48.292944 arp who-has 192.168.1.31 tell 192.168.0.252
14:56:48.293374 arp who-has 192.168.1.33 tell 192.168.0.252
14:56:48.294484 arp who-has 192.168.1.36 tell 192.168.0.252
14:56:48.300106 arp who-has 192.168.1.55 tell 192.168.0.252
14:56:48.300414 arp who-has 192.168.1.56 tell 192.168.0.252
14:56:48.303888 arp who-has 192.168.1.60 tell 192.168.0.252
14:56:48.305169 arp who-has 192.168.1.62 tell 192.168.0.252
14:56:48.313496 arp who-has 192.168.1.72 tell 192.168.0.252

请问我改怎么写这个shell.实现
is-at 后面mac地址出现3次以上的输出出来
tell 后面的ip地址出现3次以上的输出出来,输出格式为

次数            IP或MAC
20                    192.168.0.252
3                      00:1b:24:9b:f8:b7

请问这个shell 怎么写,在线等.

waker

awk '{a[$6]++}
END{for(i in a)print i,a[i]}' urfile

有空请读基础12篇

mii_tool

可以写具体点吗?
本人初学,着急,谢谢.

寂寞烈火

try

1. 
   
2. ...|awk '/is-at/{mac[$(NF-2)]++}END{for(i in mac)if(mac[i]>3){print mac[i],i}};/tell/{ip[$NF]++}END{for(j in ip)if(ip[j]>3){print ip[j],j}}'
   

复制代码

mii_tool

ok,好用
那么我怎么写可以让/usr/sbin/tcpdump -i eth2 arp 只让这个命令执行 30秒？？？

[ 本帖最后由 mii_tool 于 2007-11-13 15:53 编辑 ]

寂寞烈火

原帖由 mii_tool 于 2007-11-13 15:35 发表
ok,好用
那么我怎么写可以让/usr/sbin/tcpdump -i eth2 arp 只让这个命令执行 30秒？？？

tcpdump没法指定运行时间, 可以用-c count 来指定劫获count个数据包后退出

mii_tool

谢谢，写完了。

5iwww

嘿嘿  LZ准备抓arp欺骗吧 我也是用这个方法呢