This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

trigger a script


Dear all,

Is it possible to use a packet filter to trigger a shell script?

For example: I have a continuous incoming UDP stream with "0" as data. When it becomes "1" I want to run a shell command.

I want to run this as a service.

Best regards, Koen

asked 19 Nov '10, 02:38


KoenJ
accept rate: 0%


One Answer:


Wireshark and tshark don't do well as a service when you want to monitor traffic. This is because their memory footprint will increase over time to keep state information that is needed to dissect all the packets.

You might want to write a script that uses libpcap/winpcap; it's not really that difficult to parse UDP that way.

You could also use tcpdump, although I'm not sure if it won't slowly eat up memory too. Here is a starting point:

tcpdump -nli en1 "udp[10]=1 and host 192.168.1.20"

This will only output packets where the third byte in the UDP payload (the 8 byte UDP header starts at 0, so 10 is the third payload byte) equals 1 for a particular host (192.168.1.20). You can then pipe the output to a script that will fire off something else when it does see a line of output on its stdin.

answered 20 Nov '10, 03:18


SYN-bit ♦♦
accept rate: 20%

edited 20 Nov '10, 03:18

May I know what exactly the service means here?

(01 Oct '11, 00:21) Terrestrial ...

In this context "service" means a process that starts automatically and runs forever. "Service" is a term from the Windows world where in the *nix world it would be called a daemon.

(01 Oct '11, 01:57) SYN-bit ♦♦
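The answer suggests two routes: the tcpdump filter `udp[10]=1 and host 192.168.1.20`, or a small libpcap-based parser. The following is an added example, not code from the original thread, that shows what that filter actually tests by parsing raw Ethernet/IPv4/UDP frames in Python and applying the same match (payload byte at UDP offset 10 equal to 1, source or destination host 192.168.1.20). The frames are constructed inline rather than captured, the host address is taken from the answer, and the trigger command is a placeholder argv list you would supply yourself. It also demonstrates the one thing worth checking before deploying such a trigger: `udp[10]=1` matches the numeric byte value 1, not the ASCII character "1" (0x31), so a stream that sends text needs `udp[10]=0x31` instead.

```python
"""Added example (not from the original Q&A): decide, from a raw frame, whether
tcpdump's "udp[10]=1 and host 192.168.1.20" would match, and optionally run a
command when it does. Frames are constructed here, not captured."""
import ipaddress
import struct
import subprocess

WATCHED_HOST = "192.168.1.20"  # assumption: same host as in the answer's filter


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame for testing (checksums left zero)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + udp_len
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,  # ver/ihl, tos, len, id, frag, ttl, proto=UDP, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip + udp


def parse_udp(frame):
    """Return (src_ip, dst_ip, udp_datagram) or None if the frame is not IPv4/UDP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # Reject non-UDP, truncated, or inconsistent length fields before indexing.
    if ip[9] != 17 or len(ip) < total_len or total_len < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    return src, dst, ip[ihl:total_len]


def matches_filter(frame, host=WATCHED_HOST, offset=10, value=1):
    """Equivalent of the BPF expression 'udp[offset]=value and host <host>'.

    'udp[offset]' indexes from the start of the UDP header, so offset 10 is the
    third payload byte. Like tcpdump, an index past the end never matches.
    """
    parsed = parse_udp(frame)
    if parsed is None:
        return False
    src, dst, udp = parsed
    if host not in (src, dst):
        return False
    if len(udp) <= offset:
        return False
    return udp[offset] == value


def handle_frame(frame, command=None):
    """Return True when the frame matches; run `command` (an argv list) if given.

    Assumption: `command` is a fixed list chosen by the operator, never built
    from packet contents, so payload bytes cannot influence what gets executed.
    """
    if not matches_filter(frame):
        return False
    if command:
        subprocess.run(command, check=False)
    return True


if __name__ == "__main__":
    numeric_one = build_udp_frame(WATCHED_HOST, "192.168.1.1", 5000, 6000, b"\x00\x00\x01")
    ascii_one = build_udp_frame(WATCHED_HOST, "192.168.1.1", 5000, 6000, b"001")
    print("numeric 1 matches udp[10]=1:", matches_filter(numeric_one))
    print("ASCII '1' matches udp[10]=1:", matches_filter(ascii_one))
    print("ASCII '1' matches udp[10]=0x31:", matches_filter(ascii_one, value=0x31))
```

In a real deployment the frame bytes would come from a libpcap loop (or from tcpdump's `-w -` output) instead of `build_udp_frame`; the match logic stays the same. Keeping the command a fixed argv list, rather than anything derived from the packet, is what makes it safe to let unauthenticated UDP traffic start a process at all.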