Does the png file contain string `0.0.0.0`? - grep

I have uploaded the png file to my dropbox; you can download it as /tmp/mount.png to reproduce my output.
mount.png in my dropbox
man grep :
-a, --text
Process a binary file as if it were text
Search '0.0.0.0' in a png file with grep.
grep -a "0.0.0.0" /tmp/mount.png
I have never seen 0.0.0.0 by eye.
Does the png file really contain the string 0.0.0.0?
The hex value of 0.0.0.0 is :
echo -n '0.0.0.0' |xxd
00000000: 302e 302e 302e 30 0.0.0.0
Let's search it with hex value:
xxd /tmp/mount.png |grep '302e302e302e30'
You get nothing.
xxd /tmp/mount.png |grep '302e'
You get nothing either.
Does the png file contain string 0.0.0.0 ?

It contains the string 00000008 part of which matches the regex 0.0.0.0. In a regex . matches any character, including 0.
To match the literal string 0.0.0.0 you can use fgrep or the -F argument to grep.
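An added example, not part of the question or answer above, that reproduces the effect on a constructed file instead of the poster's mount.png: the regex 0.0.0.0 matches the run of zeros inside 00000008, -F makes the dots literal, and a hex search over a contiguous hex stream (od -tx1 with the whitespace stripped, since xxd's default output groups bytes in pairs, so a search for 302e302e302e30 can never match it) confirms the literal string is absent.

```sh
#!/bin/sh
# Added example, not from the original thread: why grep reports a hit for
# the regex 0.0.0.0 in a binary file that contains no literal "0.0.0.0".
set -e

# Constructed stand-in for the PNG: the PNG signature, then the ASCII run
# "00000008" (the only digits in the file), then two non-text bytes.
make_sample() {
  printf '\211PNG\r\n\032\n%s\000\377' '00000008' > "$1"
}

# As a regex, '.' matches any byte, so 0.0.0.0 matches "0000000".
regex_matches() { grep -ao '0.0.0.0' "$1" || true; }

# -F (fgrep) searches for the literal string; here it finds nothing.
literal_matches() { grep -aoF '0.0.0.0' "$1" || true; }

# Hex search: od -tx1 prints one byte per column, so strip the whitespace
# to get a contiguous hex stream before looking for 30 2e 30 2e 30 2e 30.
hex_matches() {
  od -An -v -tx1 "$1" | tr -d ' \n' | grep -o '302e302e302e30' || true
}

main() {
  f=$(mktemp)
  make_sample "$f"
  echo "regex   : $(regex_matches "$f")"
  echo "literal : $(literal_matches "$f")"
  echo "hex     : $(hex_matches "$f")"
  rm -f "$f"
}
main
```

Running it prints 0000000 for the regex search and nothing for the other two, which is exactly the situation in the question: grep -a "0.0.0.0" reports a line, but the bytes 30 2e 30 2e 30 2e 30 are not in the file.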

Related

Unable to exclude IPv4 addresses using regex in grep

I used a regex to grep and output only IPv4 addresses from the file content.
But when I try to use the same regex to exclude all IPv4 addresses, it just does not work.
File content:
# cat IPs
172.16.1.125
172.16.1.4
172.16.1.143
172.16.1.140
172.16.1.77
/dev/nvme101
/dev/sda1
/dev/sdb2
172.16.1.60
172.16.1.146
172.16.1.5
172.16.1.51
172.16.1.99
172.16.1.10
172.16.1.189
To grep only IPv4 addresses:
# grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" IPs
172.16.1.125
172.16.1.4
172.16.1.143
172.16.1.140
172.16.1.77
172.16.1.60
172.16.1.146
172.16.1.5
172.16.1.51
172.16.1.99
172.16.1.10
172.16.1.189
When I try to exclude the IPv4 addresses using the same regex:
# grep -voE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" IPs
#
No output at all.
I was expecting the following output:
/dev/nvme101
/dev/sda1
/dev/sdb2
Get rid of the -o. The -o flag says to only show what was matched rather than the entire line. That doesn't make sense when using -v for lines that do NOT match.
In ack, if you try to use -o and -v together, it throws an error.

regex start of line anchor alternative

I have "file.txt" with the following and I need to get only ip addresses that start a line.
I am using GNU utilities for Windows and grep seems not to be behaving correctly.
Random Text Here
ABC 10.0.0.0 - 10.20.0.255
IP Ping Hostname
100.5.0.20 11ms N/S
GNU grep 2.5.4
grep -Po ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} file.txt
10.0.0.0
10.20.0.255
100.5.0.20
Correct behavior should only allow 100.5.0.20 since I specified the start-of-line anchor.
Any other Linux command solutions?
I ended up improvising,
grep -oP "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]{1,3} " file.txt| awk "{$1=$1};1" > file.txt
This will grab the ip addresses with 2 spaces, and then remove the spaces with awk.
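An added example (not from either of the two posts above) covering both the -v/-o question and the start-of-line-anchor question on one constructed input: a stricter octet pattern than the [0-9]{1,3} used in the posts, exclusion with -v alone, and a quoted ^ anchor. Quoting matters on Windows in particular: in cmd.exe an unquoted ^ is the escape character, so grep never receives the anchor, which is consistent with the output shown above. Separately, redirecting a pipeline's output back into the file it reads (... file.txt | awk ... > file.txt) truncates the input before grep has reliably read it; write to a different file.

```sh
#!/bin/sh
# Added example (not from the original posts): extracting, excluding and
# line-anchoring IPv4 addresses with grep, with every pattern quoted.
set -e

# One octet, 0-255. The [0-9]{1,3} used in the questions also accepts 999.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
IPV4="($OCTET\\.){3}$OCTET"

# Constructed sample input mixing both questions' data plus a bogus address.
make_sample() {
  cat > "$1" <<'EOF'
172.16.1.125
/dev/nvme101
ABC 10.0.0.0 - 10.20.0.255
100.5.0.20 11ms N/S
999.1.1.1 is not an address
EOF
}

# Every address, one per line (-o prints only the matched text).
extract_ips() { grep -oE "\\b$IPV4\\b" "$1" || true; }

# Lines that contain no address: -v on its own. Combining -v with -o asks
# for "the matched part of lines that did not match", which is nothing.
lines_without_ip() { grep -vE "\\b$IPV4\\b" "$1" || true; }

# Only addresses that start a line. Keep the pattern quoted: unquoted, ^ is
# the cmd.exe escape character and is consumed before grep ever sees it.
line_start_ips() { grep -oE "^$IPV4\\b" "$1" || true; }

main() {
  f=$(mktemp)
  make_sample "$f"
  echo '--- all addresses';             extract_ips "$f"
  echo '--- lines without an address';  lines_without_ip "$f"
  echo '--- addresses at start of line'; line_start_ips "$f"
  rm -f "$f"
}
main
```

The stricter octet pattern is why "999.1.1.1 is not an address" turns up in the lines-without-an-address list rather than in the extracted addresses; with the looser [0-9]{1,3} it would be reported as an address.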

How to output tcpdump with grep expression to stdout / file?

I am trying to output the following tcpdump grep expression to a file :
tcpdump -vvvs 1024 -l -A tcp port 80 | grep -E 'X-Forwarded-For:' --line-buffered | awk '{print $2}'
I understand it is related to the line-buffered option, that sends the output to stdin. However, if I don't use --line-buffered I don't get any output at all from my tcpdump.
How can I use grep so that it will send my output directly to stdout / file in this case ?
I am trying to output the following tcpdump grep expression to a file
Then redirect the output of the last command in the pipeline to the file:
tcpdump -vvvs 1024 -l -A tcp port 80 | grep -E 'X-Forwarded-For:' --line-buffered | awk '{print $2}' >file
I understand it is related to the line-buffered option, that sends the output to stdin.
No, that's not what --line-buffered does:
$ man grep
...
--line-buffered
Force output to be line buffered. By default, output is line
buffered when standard output is a terminal and block buffered
otherwise.
so it doesn't change where the output goes, it just changes when the data is actually written to the output descriptor if it's not a terminal. It's not a terminal in this case - it's a pipe - so, by default, it's block buffered, so if grep writes 4 lines of output, and that's less than a full buffer block (buffer blocks, in this context, are typically 4K bytes in most modern UN*Xes and on Windows, so it's likely that those 4 lines won't fill the buffer), those lines will not immediately be written by grep to the pipe, so they won't show up immediately.
--line-buffered changes that behavior, so that each line is written to the pipe as it's generated, and awk sees it sooner.
You're using -l with tcpdump, which has the same effect, at least on UN*X:
$ man tcpdump
...
-l Make stdout line buffered. Useful if you want to see the data
while capturing it. E.g.,
tcpdump -l | tee dat
or
tcpdump -l > dat & tail -f dat
Note that on Windows,``line buffered'' means ``unbuffered'', so
that WinDump will write each character individually if -l is
specified.
-U is similar to -l in its behavior, but it will cause output to
be ``packet-buffered'', so that the output is written to stdout
at the end of each packet rather than at the end of each line;
this is buffered on all platforms, including Windows.
So the pipeline, as you've written it, will cause grep to see each line that tcpdump prints as soon as tcpdump prints it, and cause awk to see each of those lines that contains "X-Forwarded-For:" as soon as grep sees it and matches it.
However, if I don't use --line-buffered I don't get any output at all from my tcpdump.
You'll see it eventually, as long as grep produces a buffer's worth of output; however, that could take a very long time. --line-buffered causes grep to write out each line as it's produced, so it shows up as soon as grep produces it, rather than when the buffer is full.
How can I use grep so that it will send my output directly to stdout / file in this case ?
grep is sending its (standard) output to awk, which is presumably what you want; you're extracting the second field from grep's output and printing only that.
So you don't want grep to send its (standard) output directly to the terminal or to a file, you want it to send its output to awk and have awk send its (standard) output there. If you want the output to be printed on your terminal, your command is doing the right thing; if you want it sent to a file, redirect the standard output of awk to that file.
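An added example (not from the question or the answer above) that makes the buffering behaviour measurable without a live capture: a constructed HTTP request stands in for the output of tcpdump -A, a producer keeps the pipe open for two seconds the way a quiet capture does between packets, and the reader at the end of the pipeline reports how long it waited for the first X-Forwarded-For line, with and without --line-buffered.

```sh
#!/bin/sh
# Added example (not from the original post): measure when the reader at the
# end of a pipeline first sees a line from grep, with and without
# --line-buffered. A constructed HTTP request stands in for tcpdump -A output.
set -e

REQUEST='GET /index.html HTTP/1.1
Host: www.example.com
X-Forwarded-For: 203.0.113.7
User-Agent: added-example'

# Producer: print the request once, then stay quiet for 2 s, the way a
# capture does between packets. The pipe stays open during the sleep.
producer() { printf '%s\n' "$REQUEST"; sleep 2; }

# Print "<seconds waited> <address>" for the first X-Forwarded-For line that
# reaches the reader. Extra arguments are passed through to grep.
first_match_delay() {
  start=$(date +%s)
  producer | grep "$@" 'X-Forwarded-For:' | {
    read -r _name addr
    echo "$(( $(date +%s) - start )) $addr"
  }
}

# grep's stdout is a pipe, so by default it is block buffered: the matching
# line sits in grep's buffer until the producer closes the pipe (~2 s).
delay_default() { first_match_delay | cut -d' ' -f1; }

# --line-buffered flushes after every line, so the reader sees it at once.
delay_line_buffered() { first_match_delay --line-buffered | cut -d' ' -f1; }

# The pipeline from the answer, with awk's output redirected to a file.
xff_to_file() {
  producer | grep --line-buffered 'X-Forwarded-For:' | awk '{print $2}' > "$1"
}

main() {
  echo "default       : $(delay_default)s"
  echo "line-buffered : $(delay_line_buffered)s"
}
main
```

The default case reports about 2 seconds and the --line-buffered case 0: same data, same destination, only the moment of the write differs. tcpdump's -l does the same job for its own stdout; without it, the lines would additionally sit in tcpdump's buffer before grep even sees them.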

How can I use xargs to recursively parse email addresses out of text/html files?

I tried recursively parsing email addresses from a directory of text/html files with xargs and grep, but this command keeps including the path (I just want the email addresses in my resulting emails.csv file).
find . -type f | xargs grep -E -o "\b[A-Za-z0-9._%+-]+#[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" >> ~/emails.csv
Can you explain what's wrong with my grep command? I don't need this to be sorted or unique. I want to match all occurrences of email addresses in files. I need to use xargs because I'm parsing emails in 20 GB worth of text files.
Thanks.
When you tell grep to search in more than one file, it prepends the corresponding filename to the search result. Try the following to see the effect...
First, search in a single file:
grep local /etc/hosts
# localhost is used to configure the loopback interface
127.0.0.1 localhost
Now search in two files:
grep local /etc/hosts /dev/null
/etc/hosts:# localhost is used to configure the loopback interface
/etc/hosts:127.0.0.1 localhost
To suppress the filename in which the match was found, add the -h switch to grep like this
grep -h <something> <somewhere>
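An added example (not from the question or the answer above) that applies -h to the poster's find/xargs pipeline on a constructed tree of files, with a literal @ in the address pattern, null-separated filenames so a space in a path does not split it, and the exit-status quirk of xargs handled. The -r variant at the end is GNU grep's own recursion and is offered as an alternative, not as something the original post used.

```sh
#!/bin/sh
# Added example (not from the original post): pull e-mail addresses out of a
# tree of text/html files without grep's "filename:" prefix. The address
# regex is the poster's with a literal @ in the middle.
set -e

EMAIL_RE='\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b'

# Constructed sample tree; one directory name contains a space on purpose.
make_tree() {
  mkdir -p "$1/sub dir"
  printf 'Contact alice@example.com or carol.smith+news@mail.example.net\n' > "$1/notes.txt"
  printf '<a href="mailto:bob@example.org">Bob</a>\n' > "$1/sub dir/index.html"
  printf 'nothing to see here\n' > "$1/empty.txt"
}

# -h suppresses the filename prefix grep adds when given several files; xargs
# hands grep many files per invocation, so the prefix appears even though the
# find output looks like a one-at-a-time list.
# -print0 / -0 keep filenames containing spaces or newlines intact.
# xargs exits 123 when any grep batch finds nothing (grep returns 1), hence
# the || true.
extract_emails() {
  find "$1" -type f -print0 | xargs -0 grep -hoE "$EMAIL_RE" || true
}

# With GNU grep, -r does the recursion itself and avoids find/xargs entirely.
extract_emails_recursive() { grep -rhoE "$EMAIL_RE" "$1" || true; }

main() {
  d=$(mktemp -d)
  make_tree "$d"
  extract_emails "$d" | sort
  rm -rf "$d"
}
main
```

To build the CSV from the question, append the function's output to ~/emails.csv; the output order follows the order in which find lists the files, which is why the demo sorts it.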

how to discard the first 4 RTP bytes on wireshark captures?

When capturing H460 data in Wireshark (in multiplexed mode), Wireshark does not parse the RTP data correctly. It should discard the first 4 bytes of every RTP packet. Looking for hints on how to do that.
Thanks
Amit
tshark (packaged with Wireshark) has this functionality built in.
Make sure that wireshark/tshark is in your PATH variable, and open a new command line window if you've just set it. Let me know if you want me to be more clear there.
If you want to discard the first 4 packets of rtp data on the fly :
tcpdump -i eth0 -T rtp -n -s0 -w - 'not port 5060 and dst 192.168.1.101' | editcap -F libpcap -C 4 - - | tcpdump -nlvvv -r - -w output.pcap
For already captured file (capture.pcap):
tcpdump -r capture.pcap -w - | editcap -F libpcap -C 4 - - | tcpdump -nlvvv -r - -w output.pcap
or
editcap capture.pcap output.pcap -C 4
I didn't test these exact examples myself, but I think tshark's "chop" (-C) option might be what you're looking for.