
Here is the scenario.

I have an IP address 1.2.3.4 port 2000 sending UDP packets to one unknown IP. I would like to find the unknown IP so I can block it with iptables.

Is there a way to do it with a script? Right now I am doing it manually by using

tshark -i eth1 -f "net 1.2.3.4 and src port 2000"

I'm not sure how to pipe this into a script and automatically find the destination IP.

Bob

1 Answer


Just use tshark to output only the field in question by adding -Tfields -e ip.dst_host to your command line:

tshark -i eth1 -Tfields -e ip.dst_host -f "net 1.2.3.4 and src port 2000"

To get only the first occurrence, gather only a small number of packets and pass through head:

tshark -i eth1 -Tfields -e ip.dst_host -f "net 1.2.3.4 and src port 2000" -c 1000 | head -1

If you don't think 1000 packets are enough to turn up one packet to this port, increase that number.

Jon Lasser
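An added example (not from the answer above) of the next step the question asks for: taking the one-address-per-line output of `tshark -Tfields -e ip.dst_host`, keeping only well-formed unique IPv4 destinations, and printing the matching iptables rules for review before anything is applied. The sample capture lines, the function names and the FORWARD chain are assumptions; use OUTPUT if 1.2.3.4 is the capturing host itself.

```shell
#!/bin/sh
# Constructed sample of what `tshark -Tfields -e ip.dst_host` prints
# (one destination per line). Assumed values, not from the question.
SAMPLE_DST='10.0.0.5
10.0.0.5
not-an-ip
203.0.113.9
'

# Chain is an assumption: FORWARD for a router, OUTPUT if 1.2.3.4 is us.
CHAIN=FORWARD

# Keep only dotted-quad IPv4 destinations, de-duplicated. If tshark name
# resolution is on, ip.dst_host may print hostnames; those are skipped.
filter_dst() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Emit one DROP rule per unique destination for UDP from 1.2.3.4:2000.
# Printed rather than executed so the operator can review the list first.
build_rules() {
    filter_dst | while read -r dst; do
        printf 'iptables -I %s -p udp -s 1.2.3.4 --sport 2000 -d %s -j DROP\n' \
            "$CHAIN" "$dst"
    done
}

# Live use (replace the sample with the capture; -l line-buffers tshark):
#   tshark -i eth1 -l -Tfields -e ip.dst_host \
#       -f "net 1.2.3.4 and src port 2000" -c 1000 | build_rules
printf '%s' "$SAMPLE_DST" | build_rules
```

Pipe the printed rules into `sh` only after checking that the destinations are the ones you expect.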