
Dear all,

Is it possible to use a packet filter to trigger a shell script?

For example: I have a continuous incoming UDP stream with "0" as data. When it becomes "1" I want to run a shell command.

I want to run this as a service.

Best regards, Koen

asked 19 Nov '10, 02:38

KoenJ


Wireshark and tshark don't do well as a service when you want to monitor traffic. This is because their memory footprint will increase over time to keep state information that is needed to dissect all the packets.

You might want to write a script that uses libpcap/winpcap, it's not really that difficult to parse UDP that way.

You could also use tcpdump, although I'm not sure if it won't slowly eat up memory too. Here is a starting point:

tcpdump -nli en1 "udp[10]=1 and host 192.168.1.20"

This will only output packets where the third byte in the UDP payload (the 8-byte UDP header starts at 0, so 10 is the third payload byte) equals 1 for a particular host (192.168.1.20). You can then pipe the output to a script that will fire off something else when it does see a line of output on its stdin.

answered 20 Nov '10, 03:18

SYN-bit ♦♦

edited 20 Nov '10, 03:18

May I know what exactly the service means here?

(01 Oct '11, 00:21) Terrestrial ...

In this context "service" means a process that starts automatically and runs forever. "Service" is a term from the Windows world, where in the *nix world it would be called a daemon.

(01 Oct '11, 01:57) SYN-bit ♦♦
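
One way to write the script on the receiving end of the pipe described in the answer, as an added example that is not part of the original thread. The names `watch_stdin`, `TRIGGER_CMD` and `COOLDOWN` and the trigger path are assumptions; it relies on `date +%s`, which GNU and BSD `date` both provide.

```sh
#!/bin/sh
# Added example: consumer for the tcpdump pipeline in the answer above.
# watch_stdin, TRIGGER_CMD and COOLDOWN are hypothetical names.

TRIGGER_CMD=${TRIGGER_CMD:-/usr/local/bin/on-udp-flag}  # placeholder path
COOLDOWN=${COOLDOWN:-10}  # seconds during which repeat matches are ignored

# Read one tcpdump line per matching packet from stdin and run "$1" at most
# once every "$2" seconds. Prints how many times the command ran.
watch_stdin() {
    cmd=$1
    cooldown=$2
    last=0
    fired=0
    while IFS= read -r line; do
        now=$(date +%s)
        if [ $((now - last)) -ge "$cooldown" ]; then
            # $line comes from the network: it is only used as a wake-up
            # signal, never evaluated or passed to the command as an argument.
            "$cmd" </dev/null || echo "trigger exited with $?" >&2
            last=$now
            fired=$((fired + 1))
        fi
    done
    echo "$fired"
}

# "./udp-trigger.sh run" starts the capture (needs capture privileges).
# -l keeps tcpdump line-buffered so each match reaches the loop immediately.
if [ "${1:-}" = "run" ]; then
    tcpdump -nli en1 "udp[10]=1 and host 192.168.1.20" |
        watch_stdin "$TRIGGER_CMD" "$COOLDOWN"
fi
```

Because the stream is continuous, every packet carrying the flag produces a line; the cooldown keeps the command from being started once per packet.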