
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] network blinken lights experiment

On Mon, May 19, 2003 at 11:08:02AM -0700, dylan wrote:
> Here is my question - is it possible for a shell script / perl script to
> monitor a filtered data stream from 'tcpdump' -- looking for key pieces of
> text. When there is a match on say "FTP" or "WWW" or "SSH", the shell
> script or perl script would output a single byte of data to the serial port:

  Yes.

  I have used perl and tcpdump before to monitor and reconstruct
application flows from a third party machine on the network (in a remote
logging sort of mode).

  This is a neat little project... could be used for a blinking
intrusion detection system that sits on your monitor for example.


> $ tcpdump | grep -v stuff_to_filter | some_perl_or_shell_script > /dev/ttyS0
> 
> so for every packet with a header that matches
> 
> SSH   --> output a '1'
> WWW   --> output a '2'
> FTP   --> output a '3'   .... and so on.

  As Nicole mentioned, unless you get practically no traffic you should
do this a different way... a high speed ssh file transfer would completely
flood a slow serial channel with '1's ... 

  I would recommend you have your script print a byte on some sort of
timer... the byte would indicate which types of packets have happened
in the last interval of time... you can check which bits are present on
the Basic Stamp and light the correct button.

  0x1 - means SSH
  0x2 - means http
  0x4 - means ftp

  I'm not going to paste perl code that does this right now... since
I don't have any code samples of this handy.

> is it possible to search streams of data like this, and would such a search
> actually provide reliable information?
> 
> any ideas?

On Mon, May 19, 2003 at 03:00:57PM -0700, wenk@praxis.homedns.org wrote:
> On Mon, 19 May 2003, dylan wrote:
> I wonder if using tcpdump would be the best way of doing this... 
> 
> And yes, you could do the whole thing via perl using perl regular 
> expressions. Either do an open INBUF, "tail -f <file> |"; or maybe
> there is a way to do it completely in perl.

  You have the right idea going, just open tcpdump from inside of
perl... if you log the data to a file and read the file you will
eventually fill up the hard drive. There is probably no reason to store
the output... ;)

===
open INPUT, "tcpdump -nl |" or die "tcpdump: $!";
open OUTPUT, "> /dev/ttyS0" or die "/dev/ttyS0: $!";
===

  You can also get tcpdump to do most of the filtering for you:
===
tcpdump -nl port 22 or port 80 or port 20 or port 21
# 'and' binds tighter than 'or' in the filter, so group the ports
tcpdump -nl '(port 22 or port 80 or port 20 or port 21) and dst host HOSTNAME'
===


On Wed, May 21, 2003 at 08:46:40PM -0700, dylan wrote:
> ngrep -q -D | awk -f netled.awk > /dev/ttyS0

> seems to work.. however, ngrep doesn't always report the packets as soon as
> they occur....need to figure out how to make it more responsive..

  There are three possible reasons... you could be sending too much data
to the device... so it falls behind, as I mentioned above.

  When tcpdump is run on the screen the output is line buffered so you
don't notice... but when directed to a file block buffering happens.
You can add the -l option to tcpdump to get it to line-buffer its output
to files.

  If you don't use the -n option, tcpdump resolves host names and port
numbers... depending on your configuration the DNS lookups can take a 
long time and can even cause tcpdump to miss packets.

-- 
GPG key: http://simons-clan.com/~msimons/gpg/msimons.asc
Fingerprint: 524D A726 77CB 62C9 4D56  8109 E10C 249F B7FA ACBE
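The timer-driven status byte proposed in the reply, worked out as an added example (not code from this thread or its author), in Python rather than the Perl the thread discusses: it reads `tcpdump -nl` over a pipe, ORs each line's port bits, and writes exactly one byte per interval to the serial device, so a fast SSH transfer costs one '1' bit per interval instead of one byte per packet. The 0.5 s interval and the line-parsing regex are assumptions; the bit values, `/dev/ttyS0`, the `-nl` flags and the port filter are the thread's own.

```python
"""Per-interval status byte from `tcpdump -nl`, as sketched in the thread.
Added example, not code from the original post.  Bits follow the reply:
0x1 = SSH (22), 0x2 = HTTP (80), 0x4 = FTP (20/21); 0.5 s is an assumption."""
import os
import re
import select
import subprocess
import time

PORT_BITS = {22: 0x1, 80: 0x2, 20: 0x4, 21: 0x4}
# "src.port > dst.port:" in numeric (-n) output; matches old and new styles.
_ENDPOINTS = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+):")

def line_bits(line):
    """Bitmask for one tcpdump line; 0 if neither port is one we care about."""
    m = _ENDPOINTS.search(line)
    if not m:
        return 0
    return PORT_BITS.get(int(m.group(2)), 0) | PORT_BITS.get(int(m.group(4)), 0)

def interval_byte(lines):
    """OR the bits of every line seen during one interval into one byte."""
    bits = 0
    for line in lines:
        bits |= line_bits(line)
    return bits

def run(device="/dev/ttyS0", interval=0.5,
        bpf="port 22 or port 80 or port 20 or port 21"):
    """Pipe tcpdump in; write exactly one byte per interval to the serial port."""
    # -l line-buffers stdout so lines arrive as packets do; -n skips DNS lookups.
    proc = subprocess.Popen(["tcpdump", "-nl"] + bpf.split(),
                            stdout=subprocess.PIPE, bufsize=0)
    fd, buf, bits = proc.stdout.fileno(), b"", 0
    deadline = time.monotonic() + interval
    with open(device, "wb", buffering=0) as out:
        while True:
            wait = max(0.0, deadline - time.monotonic())
            if select.select([fd], [], [], wait)[0]:
                chunk = os.read(fd, 4096)
                if not chunk:
                    break  # tcpdump exited
                buf += chunk
                *lines, buf = buf.split(b"\n")  # keep any partial last line
                bits |= interval_byte(l.decode("ascii", "replace") for l in lines)
            if time.monotonic() >= deadline:
                out.write(bytes([bits]))  # a fast transfer still costs one byte
                bits, deadline = 0, deadline + interval

if __name__ == "__main__":
    run()
```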
