Extract unique IPs from live tcpdump capture

Question

I am using the following command to output IPs from live tcpdump capture

sudo tcpdump -nn -q ip -l | awk '{print $3; fflush(stdout)}' >> ips.txt

I get the following output

192.168.0.100.50771
192.168.0.100.50770
192.168.0.100.50759

Need 2 things:

1. Extract only the IPs, not the ports.
2. Generate a file with unique IPs, no duplicated, and sorted if posible.

Thank you in advance

Answer 1

To extract unique IPs from tcpdump you can use:

awk '{ ip = gensub(/([0-9]+.[0-9]+.[0-9]+.[0-9]+).*/,"\\1","g",$3); if(!d[ip]) { print ip; d[ip]=1; fflush(stdout) } }' YOURFILE

So your command to see unique IPs live would be:

sudo tcpdump -nn -q ip -l | awk '{ ip = gensub(/([0-9]+.[0-9]+.[0-9]+.[0-9]+)(.*)/,"\\1","g",$3); if(!d[ip]) { print ip; d[ip]=1; fflush(stdout) } }'

This will print each IP to output as soon as they appear, so it cannot sort them. If you want to sort those, you can save the output to a file and then use sort tool:

sudo tcpdump -nn -q ip -l | awk '{ ip = gensub(/([0-9]+.[0-9]+.[0-9]+.[0-9]+)(.*)/,"\\1","g",$3); if(!d[ip]) { print ip; d[ip]=1; fflush(stdout) } }' > IPFILE
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4  IPFILE

Example output:

34.216.156.21
95.46.98.113
117.18.237.29
151.101.65.69
192.168.1.101
192.168.1.102
193.239.68.8
193.239.71.100
202.96.134.133

NOTE: make sure you are using gawk. It doesn't work with mawk.

Answer 2

While I'm a huge Awk fan, it's worthwhile having alternatives. Consider this example using cut:

  tcpdump -n ip | cut -d ' ' -f 3 | cut -d '.' -f 1-4 | sort | uniq