Description of the problem:
I want to print only the source and destination addresses from tcpdump [1].
I have one working solution, but believe that it can be improved. An example that captures 5 packets, showing what I'm looking for:
tcpdump -i eth1 -n -c 5 ip | \
cut -d" " -f3,5 | \
sed -e 's/^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\..* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*$/\1 > \2/'
Question:
Can this be made easier? Performance is also a problem.
[1] Part of a test of whether snort home_net is correctly defined, or whether we see traffic not defined in home_net.
Decision:
Ok, thanks to everyone who answered this. There were two problems associated with the answers: one was compatibility on different versions of Linux, and the other was speed.
Here are the results of the speed test I did. First, the grep version:
time tcpdump -l -r test.dmp -n ip 2>/dev/null | grep -P -o '([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*? > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' | grep -P -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | xargs -n 2 echo >/dev/null
real 0m5.625s
user 0m0.513s
sys 0m4.305s
Then the sed version:
time tcpdump -n -r test.dmp ip | sed -une 's/^.* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..* \(\([0-9]\{1,3\}\.\?\)\{4\}\)\..*$/\1 > \3/p' >/dev/null
reading from file test.dmp, link-type EN10MB (Ethernet)
real 0m0.491s
user 0m0.496s
sys 0m0.020s
And the fastest, awk version:
time tcpdump -l -r test.dmp -n ip | awk '{ print gensub(/(.*)\..*/,"\\1","g",$3), $4, gensub(/(.*)\..*/,"\\1","g",$5) }' >/dev/null
reading from file test.dmp, link-type EN10MB (Ethernet)
real 0m0.093s
user 0m0.111s
sys 0m0.013s
Unfortunately, I could not check how compatible they are, but the awk version needs GNU awk to work because of the gensub function. In any case, all three solutions work on the two platforms on which I tested them. :)
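Added example (mine, not code from the question or any of the answers): a rewrite of the awk pipeline that uses only POSIX awk, so it runs under mawk, busybox awk and gawk alike and removes the gensub dependency mentioned above, plus a small counter of src/dst pairs for the home_net check. It assumes tcpdump's default one-line-per-packet text as printed with -n (fields: timestamp, "IP", src, ">", dst, ...), and the sample lines are constructed, not a real capture. It also goes one step beyond the gensub version: an address that carries no port (an ICMP line, for instance) is left intact, where gensub(/(.*)\..*/,"\\1","g",$3) would strip its last octet.

```shell
# Added example, not from the original post: POSIX-awk "src > dst" extraction
# for tcpdump -n output, plus a per-pair counter.  Live usage would be
#   tcpdump -l -n -i eth1 ip | extract_src_dst
# (-l line-buffers tcpdump so the pipeline reports packets as they arrive).

# Constructed sample lines in tcpdump's -n format (not a real capture).
SAMPLE='12:00:00.000001 IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:00.000002 IP 10.0.0.2.51234 > 10.0.0.1.443: Flags [.], ack 1, win 1024, length 0
12:00:00.000003 IP 10.0.0.1 > 10.0.0.3: ICMP echo request, id 1, seq 1, length 64
12:00:00.000004 IP 10.0.0.1.443 > 10.0.0.2.51234: Flags [P.], seq 1:10, ack 1, win 65535, length 9
12:00:00.000005 ARP, Request who-has 10.0.0.4 tell 10.0.0.1, length 28'

# Print "src > dst" with ports stripped.  Only sub() and split() are used,
# which every POSIX awk implements.  A bare address (four octets, no port,
# as on ICMP lines) is returned unchanged instead of losing its last octet.
extract_src_dst() {
    awk '
    function host(s,    n, a) {
        sub(/:$/, "", s)                      # "10.0.0.2.51234:" -> "10.0.0.2.51234"
        n = split(s, a, /\./)
        if (n == 5)                           # four octets plus a port: drop the port
            return a[1] "." a[2] "." a[3] "." a[4]
        return s                              # bare IPv4 address: keep as is
    }
    $2 == "IP" && $4 == ">" { print host($3) " > " host($5) }
    '
}

# Count how often each src/dst pair appears, most frequent first; pairs with
# neither side inside home_net then stand out at the top or bottom of the list.
count_pairs() {
    extract_src_dst | sort | uniq -c | sort -rn
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | count_pairs
```

Non-IP lines (the ARP line in the sample) are skipped by the $2 == "IP" test, which matches what the "ip" capture filter already does when tcpdump is run live; the check costs nothing and keeps the extraction safe when the filter is omitted.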