Question

I'm trying to program a little "dirty" website filter - e.g. a user wants to visit an erotic website (based on domain name)

So basically, I got something like

#!/bin/bash
sudo tshark -i any tcp port 80 or tcp port 443 -V | grep "Host.*keyword"

It works great but now I need to do some actions after I find something (iptables and DROPing packets...). The problem I have is that the tcp dumping is still running. If I had a complete file with data, the thing I'm trying to reach would be easy to solve.

In pseudocode, I'd like to have something like:

if (tshark and grep found something)
    iptables - drop packets 
    sleep 600 # a punishment for an user
    iptables accept packets I was dropping
else 
    still look for a match in the tcp dump that's still running

Thanks for your help.


Solution

Maybe you could try something like the following:

tshark OPTIONS 2>&1 | grep --line-buffered PATTERN | while IFS= read -r line; do
    # actions for when the pattern is found, the matched input is in $line
    break
done

The 2>&1 is important so that when PATTERN is matched and the while loop terminates, tshark has nowhere to write to and terminates because of the broken pipe.

If you want to keep tshark running and analyze future output, just remove the break. This way, the while loop never terminates and it keeps reading the filtered output from tshark.
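The pipeline from the answer with the question's block / penalty / unblock step filled in, as an added example rather than the answer's own code. It assumes tshark's output is read from stdin and that the firewall command is given in FW, which defaults to a dry-run "echo iptables" so the script runs without root or a live capture.

```shell
# Added example (not the answer's own code): the answer's "tshark | grep
# --line-buffered | while read" pipeline with the question's block / penalty
# / unblock actions filled in. Assumed: tshark -V output arrives on stdin;
# FW is the firewall command, defaulting to a dry-run "echo iptables".
FW="${FW:-echo iptables}"   # FW=iptables to apply the rules for real
PENALTY="${PENALTY:-600}"   # seconds the host stays blocked

# Print the host name from a tshark -V line such as
# "    Host: www.example.test\r\n" (tshark shows the \r\n literally).
host_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Host:[[:space:]]*\([^[:space:]\\]*\).*/\1/p'
}

# Block traffic to $1 (iptables resolves the name when the rule is added),
# wait out the penalty, then delete that same rule again.
punish() {
    $FW -I OUTPUT -d "$1" -j DROP
    sleep "$PENALTY"
    $FW -D OUTPUT -d "$1" -j DROP
}

# One-shot mode from the answer: print the first matching host and stop;
# grep and tshark then exit on the broken pipe.
watch_for() {
    grep --line-buffered "^[[:space:]]*Host:.*$1" | while IFS= read -r line; do
        host_of "$line"
        break
    done
}

# Continuous mode (the answer without "break"): punish each match, then keep
# reading. While punish sleeps nothing drains the pipe, so tshark stalls once
# the pipe buffer fills; use "punish ... &" if capture must go on meanwhile.
# Port 443 traffic has no readable Host header; the name is in the TLS SNI.
run_filter() {
    grep --line-buffered "^[[:space:]]*Host:.*$1" | while IFS= read -r line; do
        punish "$(host_of "$line")"
    done
}

# Demo on a constructed tshark -V fragment; no capture or root needed.
demo() {
    sample='Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\r\n
    Host: www.example-casino.test\r\n
    User-Agent: curl/8.0\r\n'
    printf '%s\n' "$sample" | watch_for casino   # prints www.example-casino.test
}
# Real use:  sudo tshark -i any tcp port 80 -V 2>&1 | run_filter casino
```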

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow