
I am trying to use dhcpdump to recognize people logging onto my home network and give them a tailor-made greeting using a credential file.

I cannot get the MAC address out of the results of dhcpdump. The machine I am running the script on is not the DHCP server.

dhcpdump results:

  TIME: 2015-09-02 22:42:48.909
    IP: 0.0.0.0 (xx:xx:xx:xx:xx:xx) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6

The command I'm trying is:

dhcpdump -i eth0 | grep IP: | cut -d"(" -f2 | cut -d")" -f1

but it just won't work. Suggestions?

A.B.

2 Answers


Using grep (thanks to A.B. for the --line-buffered suggestion):

dhcpdump -i eth0 | grep --line-buffered -Po ' *IP: .*?\(\K[^)]*'
dhcpdump -i eth0 | grep --line-buffered -Po ' *IP: .*\(\K[^)]*' 

The first one will extract the first address, the second one will extract the last address.

grep command #1 breakdown:

  • *: matches any number of characters
  • IP:: matches an IP: string
  • .*?: matches any number of any character lazily
  • \(: matches a ( character
  • \K: discards the previous match
  • [^)]*: matches any number of any character not ) lazily

grep command #2 breakdown:

  • *: matches any number of characters
  • IP:: matches an IP: string
  • .*: matches any number of any character greedily
  • \(: matches a ( character
  • \K: discards the previous match
  • [^)]*: matches any number of any character not ) lazily

Sample output:

user@debian ~ % echo "IP: 0.0.0.0 (xx:xx:xx:xx:xx:xx) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)" | grep -Po ' *IP: .*?\(\K[^)]*' 
xx:xx:xx:xx:xx:xx
user@debian ~ % echo "IP: 0.0.0.0 (xx:xx:xx:xx:xx:xx) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)" | grep -Po ' *IP: .*\(\K[^)]*'
ff:ff:ff:ff:ff:ff
kos
  • The RegEx is ok, but I have no output with the command `dhcpdump`. :\ – A.B. Sep 03 '15 at 06:11
  • You need `--line-buffered` for `grep` – A.B. Sep 03 '15 at 06:38
  • @A.B. Strangely for me it works also without the `--line-buffered` switch, however I tested it using `tail -f foo | grep '.'` and running `echo bar >> foo` in another terminal, so I guess that makes a difference somehow. Thanks – kos Sep 03 '15 at 12:59
  • Hmm, ok, it's interesting... o_O – A.B. Sep 03 '15 at 13:23
  • And another thing: With `sudo dhcpdump -i eth0` I have ` IP: 192.168.20.67 (d8:d3:85:79:ad:aa) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)` with some leading spaces. Therefore in my case, the `^IP: ` fails. – A.B. Sep 03 '15 at 13:26
  • @A.B. Thanks again. I wasn't sure if there were actually some or if OP just added them himself. Fixed – kos Sep 03 '15 at 13:31
  • I have added the correct output format into the question. :) – A.B. Sep 03 '15 at 13:32

If you need grep, you have to use the switch --line-buffered.

An easier way is mawk with the -W interactive option:

sudo dhcpdump -i eth0 | mawk -W interactive '/IP: / {gsub(/\(|\)/,"", $3); print $3}'

Sample output (you have to wait some seconds):

64:31:50:30:ca:1e
40:61:86:7:ce:34
0:24:21:b1:6f:32
54:27:1e:19:7c:3b
0:23:7d:5f:4a:e8

A.B.
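
The sample output in the second answer shows dhcpdump printing octets without zero padding (`0:24:21:b1:6f:32`), so a plain string comparison against a credential file can miss a known device. The following is an added example, not code from either answer: it extracts the source MAC from each `IP:` line, normalizes it, and looks it up. The `<mac> <name>` file format, the function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. The "<mac> <name>" file
# format and all sample values below are constructed assumptions.

# Lowercase and zero-pad each octet: 0:24:21:B1:6f:32 -> 00:24:21:b1:6f:32
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                out = out (i > 1 ? ":" : "") (length(o) == 1 ? "0" o : o)
            }
            print out
        }'
}

# Read dhcpdump text on stdin line by line (no pipe buffering to defeat)
# and print the normalized source MAC of every "IP:" line.
client_macs() {
    while read -r key rest; do
        [ "$key" = "IP:" ] || continue
        mac=${rest#*\(}      # drop everything through the first "("
        mac=${mac%%\)*}      # drop everything from the first ")"
        normalize_mac "$mac" || true   # skip anything that is not a MAC
    done
}

# Print the name stored for a MAC in a file of "<mac> <name>" lines.
lookup_name() {
    want=$(normalize_mac "$1") || return 1
    while read -r mac name; do
        if [ "$(normalize_mac "$mac")" = "$want" ]; then
            printf '%s\n' "$name"; return 0
        fi
    done < "$2"
    return 1
}

# Constructed sample in dhcpdump's layout.
sample_dump() {
    cat <<'EOF'
  TIME: 2015-09-02 22:42:48.909
    IP: 0.0.0.0 (0:24:21:B1:6f:32) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
EOF
}

sample_dump | client_macs    # prints 00:24:21:b1:6f:32
```

For live use, pipe `sudo dhcpdump -i eth0` into `client_macs` in place of `sample_dump`. A MAC address is sent in the clear and can be set by the client, so it works for a greeting but not as proof of who connected.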