Date: Thu, 04 Aug 2005 16:03:10 -0500 From: Paul Schmehl <pauls@utdallas.edu> To: freebsd-questions@freebsd.org Subject: Re: Shell script question Message-ID: <C1F7FA7264DF76F53A475500@utd59514.utdallas.edu> In-Reply-To: <A1225E310DA8DA9B86364FA0@utd59514.utdallas.edu> References: <A1225E310DA8DA9B86364FA0@utd59514.utdallas.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--On Thursday, August 04, 2005 12:46:20 -0500 Paul Schmehl
<pauls@utdallas.edu> wrote:
> I'm working on a shell script to use p0f to identify "unauthorized" hosts
> on our network.
>
> In the script I use an echo command to see what the output of the command
> is. This is what it looks like:
> /usr/local/bin/p0f -i xl0 -N -l -o /root/capture.1123177152.log 'src net
> 10.0.0.0/8 or src net 129.110.0.0/16'
>
> If I paste the output of the echo command to the cli and hit enter, p0f
> runs and writes to the log. Yet when I actually try to run that same
> command from the script, p0f complains:
>
> pcap_compile: illegal token: '
> See man tcpdump or p0f README for help on bpf filter expressions.
>
> Here's the script. It's very simple right now, but there's a lot more
> work to be done. I first have to figure out this problem, though:
>
># !/bin/sh
>
> P0F=/usr/local/bin/p0f
> EPOCH_DATE=`date -j -f "%a %b %d %T %Z %Y" "\`date\`" "+%s"`
> LOG=/root/capture.${EPOCH_DATE}.log
> NIC="-i xl0"
> ARGS="-N -l -o ${LOG}"
> DAEMON="-d"
> FILTER="'src net 10.0.0.0/8 or src net 129.110.0.0/16'"
>
> echo "${P0F} ${NIC} ${ARGS} ${DAEMON} ${FILTER}"
> ${P0F} ${NIC} ${ARGS} ${FILTER}
>
> Why is p0f complaining about the bpf filter? I've tried escaping the
> single quotes, but that generates a different error. I don't understand
> why the identical command works on the cli, but not in the script.
>
For the record, `eval ${P0F} ${NIC} ${ARGS} ${DAEMON} ${FILTER}` solved the
problem.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C1F7FA7264DF76F53A475500>