I have the following tcpdump command written in Python, but it doesn't give me any output file with the requested packets, although I have tcpdump installed and tested on my Ubuntu VM:

```python
command = 'sudo /usr/sbin/tcpdump -i eth1 {} -c {} -s 0 -w {}'\
    .format('tcp host 10.0.2.15', '30000',
            '/home/results/xyz.pcap')
```
```
cat test.py
```

```python
import os
command = '/usr/sbin/tcpdump -i eth1 {} -c {} -s 0 -w {}'.format('host 192.168.254.74', '30000', 'res.pcap')
print(command)
os.system(command)
```

```
sudo python test.py
/usr/sbin/tcpdump -i eth1 host 192.168.1.10 -c 30000 -s 0 -w res.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 10 bytes
^C0 packets captured
6 packets received by filter
0 packets dropped by kernel
ls -l | grep test
-rw------- 1 admin admin 155 Dec 2 23:05 test.py
```
Seems to work just fine for me.
The test file is 'test.py'. I run it under sudo and exit after some time. I can see that 6 packets were captured and the file size is > 0.
Make sure the command itself runs properly outside of python.
I'm trying to save the output of Python code that is written with os.system:

```python
import os
# NB: this is a normal (non-raw) Python string, so "\1" is an octal escape for
# chr(1); sed receives a control character where the back-reference \1 should be.
# A raw string r"..." would pass the backslashes through to the shell unchanged.
os.system("sudo nmap -p5433 -P0 -oG - -sS 127.0.0.1 | \
sed -n 's/.* \([0-9\.]\{7,\}\).*\/open\/.*/\1/p' > result.txt")
```

As you can see, at the end of the line the output should be saved in "result.txt", and I'm sure the output should be an IP (127.0.0.1), but the output is something like this:
The output is a symbol or something like that. Is there any way that I can save the output of this code correctly?
If I understood you correctly, you want to save only the hosts that are found in your nmap scan and have status Up?
If so you could use:

```
sudo nmap -p5433 -P0 -oG - -sS 127.0.0.1 | grep 'Up' | grep -oP '\d*\.\d*\.\d*\.\d*' > result.txt
```

You use nmap, then you grep all lines containing the Up status, then you grep only the IP addresses and put them in the text file.
If you just want all IP addresses that return in the scan (without the Up status check) you can simplify:

```
sudo nmap -p5433 -P0 -oG - -sS 127.0.0.1 | grep -oP '\d*\.\d*\.\d*\.\d*' > result.txt
```

Although there will be duplicates if nmap prints something like:

```
# Nmap 7.80 scan initiated Fri Dec 25 14:05:05 2020 as: nmap -p5433 -P0 -oG - -sS 127.0.0.1
Host: 127.0.0.1 (localhost) Status: Up
Host: 127.0.0.1 (localhost) Ports: 5433/closed/tcp//pyrrho///
```

as there are two lines with the same IP address.
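A small parser for nmap's grepable (-oG) format, added here as an example and not part of the answer above: it merges the Status line and the Ports line of each host, so the duplicate the grep pipeline produces disappears, and it can also list the open ports. The sample output is constructed (192.0.2.0/24 is a documentation range, and the hostname db.example.test is made up); nothing here was scanned.

```python
import re
from collections import OrderedDict

# Constructed sample of `nmap -oG -` output, modelled on the lines quoted above.
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated Fri Dec 25 14:05:05 2020 as: nmap -p5433 -P0 -oG - -sS 127.0.0.1\n"
    "Host: 127.0.0.1 (localhost)\tStatus: Up\n"
    "Host: 127.0.0.1 (localhost)\tPorts: 5433/closed/tcp//pyrrho///\n"
    "Host: 192.0.2.10 (db.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (db.example.test)\tPorts: 22/open/tcp//ssh///, 5433/open/tcp//pyrrho///\n"
    "Host: 192.0.2.11 ()\tStatus: Down\n"
    "# Nmap done at Fri Dec 25 14:05:06 2020 -- 3 IP addresses (2 hosts up) scanned in 0.20 seconds\n"
)

# "127.0.0.1 (localhost)" -> address, optional reverse name in parentheses
HOST_RE = re.compile(r"^(\S+)\s*(?:\((.*?)\))?$")


def parse_grepable(text):
    """Parse grepable output into an ordered dict ip -> record.

    Each 'Host:' line carries tab-separated 'Key: value' fields. nmap emits the
    Status and the Ports of one host on separate lines, so records are merged
    by IP and a host is never counted twice (the duplication noted above)."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # '# Nmap ...' banner lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")   # first ':' only, so IPv6 survives
            fields[key.strip()] = value.strip()
        m = HOST_RE.match(fields.get("Host", ""))
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2) or ""
        rec = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        if "Status" in fields:
            rec["status"] = fields["Status"]
        if "Ports" in fields:
            for entry in fields["Ports"].split(","):
                # each entry is port/state/proto/owner/service/rpc/version
                f = entry.strip().split("/")
                if len(f) >= 5 and f[0].isdigit():
                    rec["ports"].append((int(f[0]), f[1], f[2], f[4]))
    return hosts


def hosts_up(text):
    """Unique addresses whose Status is Up, in scan order."""
    return [ip for ip, r in parse_grepable(text).items() if r["status"] == "Up"]


def open_ports(text):
    """ip -> sorted open port numbers; hosts without open ports are omitted."""
    result = {}
    for ip, r in parse_grepable(text).items():
        opened = sorted(p for p, state, _, _ in r["ports"] if state == "open")
        if opened:
            result[ip] = opened
    return result


if __name__ == "__main__":
    print("\n".join(hosts_up(SAMPLE_GREPABLE)))   # what result.txt should contain
    print(open_ports(SAMPLE_GREPABLE))
```

To use it on a live scan, pipe `nmap ... -oG -` into the script's stdin (`sys.stdin.read()`) instead of SAMPLE_GREPABLE; writing `hosts_up(...)` to result.txt then gives one address per line without duplicates.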
I am looking for a shell script which can ssh to multiple servers, grep the required process and send an email alert if it is not running.
I have 10 servers to monitor from the host and each server is running 8 applications. Is it possible to set up the alert? I am on CentOS 7.
Appreciate the earliest response!!
Thanks in advance!!
```bash
#!/bin/bash
for host in $(cat /tmp/host.txt)
do
  echo -n > "/tmp/$host.txt"
  for process in $(cat /tmp/process.txt)
  do
    # grep -v grep drops the grep command itself from the ps listing
    ssh "$host" "ps ax | grep $process | grep -v grep" > "/tmp/$host.txt"
    if [[ -s "/tmp/$host.txt" ]] ; then
      echo "$process is running in $host"
    else
      echo "$process is not running in $host"
      sendEmail -f -t -u "Subject" -l /var/log/sendEmail -o message-content-type=auto -m "" -s -xu -xp
    fi
  done
done
```
```
cat /tmp/host.txt
192.168.10.13
192.168.10.19
cat /tmp/process.txt
java
snmp
```
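The same check done from Python, added as an example that is neither the asker's script nor any project's code: ssh to each host, test for the process with pgrep, and tell "not running" apart from "host unreachable". The script above writes an empty file in both cases, so an ssh failure (wrong key, host down) would be mailed as every process missing. ssh_runner, BatchMode=yes, pgrep, DEMO_STATE and the addresses are assumptions made for this demo; sending the mail is left to whatever the caller already uses (sendEmail, smtplib).

```python
import shlex
import subprocess


def ssh_runner(host, remote_cmd, timeout=20):
    """Run remote_cmd on host over ssh and return (exit status, stdout).
    BatchMode=yes makes ssh fail instead of hanging on a password prompt,
    which matters when the check runs unattended from cron."""
    proc = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5", host, remote_cmd],
        capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def check_processes(hosts, processes, run=ssh_runner):
    """Return {host: {process: status}} with status 'running', 'missing' or
    'unreachable'. pgrep replaces 'ps ax | grep X | grep -v grep': it cannot
    match its own command line, and its exit status separates the failure
    modes (1 = no match; ssh itself exits 255 when it cannot connect), so an
    unreachable host is not reported as every process missing."""
    report = {}
    for host in hosts:
        report[host] = {}
        for name in processes:
            rc, _ = run(host, "pgrep " + shlex.quote(name))
            if rc == 0:
                status = "running"
            elif rc == 1:
                status = "missing"
            else:
                status = "unreachable"
            report[host][name] = status
    return report


def missing_processes(report):
    return [(h, p) for h, procs in report.items()
            for p, s in procs.items() if s == "missing"]


def unreachable_hosts(report):
    return [h for h, procs in report.items()
            if procs and all(s == "unreachable" for s in procs.values())]


def alert_text(report):
    """Body for the alert mail; delivery is the caller's job."""
    lines = [f"{p} is not running on {h}" for h, p in missing_processes(report)]
    lines += [f"{h} could not be reached" for h in unreachable_hosts(report)]
    return "\n".join(lines)


# Constructed demo state standing in for real hosts, so the logic runs offline:
# host -> {process: pgrep exit status}; None means ssh cannot connect.
DEMO_STATE = {
    "192.0.2.13": {"java": 0, "snmp": 1},
    "192.0.2.19": None,
}


def demo_runner(host, remote_cmd):
    """Fake ssh_runner that answers from DEMO_STATE."""
    state = DEMO_STATE.get(host)
    if state is None:
        return 255, ""                      # ssh exit status when it cannot connect
    name = shlex.split(remote_cmd)[-1]      # the argument given to pgrep
    return state.get(name, 1), ""


if __name__ == "__main__":
    rep = check_processes(sorted(DEMO_STATE), ["java", "snmp"], run=demo_runner)
    print(alert_text(rep))
```

For real hosts, call `check_processes(hosts, processes)` with the default runner and feed `alert_text(report)` to the mailer; pgrep matches process names as substrings (like the grep in the script, so "snmp" still finds snmpd), and `pgrep -f` would match the full command line instead.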
I'm using Python subprocess module to call "iperf" command. Then I parse the output and get the source port of the iperf client, e.g. 4321 but when I monitor the network 4321 is missing and I can only see UDP ports 12851 and 0. It is strange that when I call iperf command directly from Ubuntu terminal I can see the source port that iperf reports (4321) in the network.
Can anybody help me and explain why this change of port happening? And how I can enforce subprocess to send the data on the original port that iperf sends?
This is how I call iperf and obtain the source port:
```python
import subprocess, sys, os

cmd = "iperf -c %s -p %s -u -b %sm -t 10 -l 1500" % (self.ip, self.port, self.bw)
print(cmd)
p = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
(output, err) = p.communicate()
# iperf prints "[  3] local <ip> port <n> connected with ..."; take the text after the first ']'
o_list = output.split(']')
o_list = o_list[1].split(' ')
for i in range(len(o_list)):
    if o_list[i] == "port":
        self.my_port = int(o_list[i+1])
        break
#endIf
```
And I use the same command in the terminal and get different output:

```
iperf -c 10.1.1.2 -p 5001 -u -b 10m -t 10 -l 1500
```
I'm doing a project in Software-Defined Networking area and using POX as network controller, so I can easily monitor desired packets (here UDP packets) and their source and destination ports. This is the code that I added to forwarding.l2_learning to monitor UDP ports:
```python
if msg.match.dl_type == 0x0800:       # IPv4
    if msg.match.nw_proto == 17:      # UDP
        log.warning("FOUND UDP" + str(msg.match.tp_src))
```
Thank you in advance
I am installing Hadoop 2.5.0 on a Ubuntu 12.04 cluster, 64-bit. At the end of the instructions I type $ jps on the master node and do not get a NameNode. I checked the Hadoop logs and found:
BindException error stating :9000 is already in use.
$ netstat -a -t --numeric-ports -p | grep :9000 returns that python is listening on this port. It appears I need to move python 2.7 to another port. How do I move python?
Following the command below, the pid is 2346.

```
$ ps -p 2346
PID TTY TIME CMD
2346 ? 01:28:13 python
```

Tried the second command:

```
$ ps -lp 2346
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 2346 1 0 80 0 - 332027 poll_s ? 01:28:30 python
```

More detail:

```
$ ps -Cp 2346
PID TTY STAT TIME COMMAND
2346 ? Ssl 88:34 /usr/lib/cmf/agent/build/env/bin/python /usr/lib/cmf/agent/src/cmf/agent.py --package_dir /usr/lib/cmf
```
It appears a failed Cloudera Hadoop distribution installation has not been removed. It installed python 2.7 automatically. Not sure what else is automatically running. Will attempt to uninstall python 2.7.
To be clear, a program written in Python is using port 9000, not python2.7 itself.
You need to track down this program and then work out how to configure it to listen on a different port. You could use this command to get the full details of the process listening on port 9000:

```
netstat -a -t --numeric-ports -p | grep :9000 | awk '{print $7}' | sed -e 's/\/.*//' | xargs echo ps -lp
```

It appears Cloudera installed python 2.7. This was removed / replaced with python 3.2.
The $jps command on Hadoop now returns the expected results, including NameNode.
I try to start the Python SimpleHTTPServer on port 7054:

```
$ sudo python -m SimpleHTTPServer 7054
...
socket.error: [Errno 98] Address already in use
```

So, I ran the following commands:

```
$ sudo netstat -ntpu | grep 7054
$ sudo lsof -i -n -P | grep 7054
```

But I have no results.
From the netstat manpage:

```
netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports]
        [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c]
```

I use the following options:

```
sudo netstat -tanl | grep 7054
```

which is --tcp, --all, --numeric, --listening.
I think the minimal netstat options you need to show the pid of the process listening on a particular port are -nlp.
The lsof options you specify work for me. Using the example code at https://wiki.python.org/moin/UdpCommunication#Receiving and python -m SimpleHTTPServer 7054:

```
$ netstat -nlp | grep 7054
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:7054            0.0.0.0:*               LISTEN      20458/python
udp        0      0 0.0.0.0:7054            0.0.0.0:*                           20498/python
$ lsof -i -n -P | grep 7054
python    20458 michael    3u  IPv4 143736      0t0  TCP *:7054 (LISTEN)
python    20498 michael    3u  IPv4 173739      0t0  UDP *:7054
```

Extra credit: stick it in a shell function:

```bash
listening() {
    netstat -nlp | grep "$1"
}
```

And use it:

```
$ listening 7054
```
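Both the awk pipeline in the Hadoop answer above (`awk '{print $7}'` on netstat output) and the `netstat -nlp` listing here can be parsed the same way. The following is an added example, not from either answer, that reads `netstat -tulnp` output and returns the PIDs behind a port; it takes the PID/Program field from the end of the line because UDP lines have no State column, so field 7 is empty for them. The sample listing is constructed, reusing the port numbers from the page; run_netstat assumes the net-tools netstat is installed.

```python
import subprocess

# Constructed sample of `netstat -tulnp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7054            0.0.0.0:*               LISTEN      20458/python
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::9000                 :::*                    LISTEN      2346/python
udp        0      0 0.0.0.0:7054            0.0.0.0:*                           20498/python
"""


def parse_netstat(text):
    """Turn netstat -tulnp output into one dict per socket line.

    Fields are taken by position from the start (proto, local address) and
    from the end (PID/Program) because UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue                        # banner, header and warning lines
        proto, local = parts[0], parts[3]
        state = parts[5] if len(parts) >= 7 else ""
        pid_str, _, program = parts[-1].partition("/")
        port_str = local.rsplit(":", 1)[1]  # 0.0.0.0:7054, :::9000 and [v6addr]:port
        rows.append({
            "proto": proto,
            "local": local,
            "port": int(port_str) if port_str.isdigit() else None,
            "state": state,
            "pid": int(pid_str) if pid_str.isdigit() else None,   # '-' when not owned
            "program": program or None,
        })
    return rows


def listeners_on_port(text, port):
    return [r for r in parse_netstat(text) if r["port"] == port]


def pids_on_port(text, port):
    """Sorted PIDs bound to the port. Empty when only unidentified ('-')
    sockets hold it: run netstat as root to see other users' processes."""
    return sorted({r["pid"] for r in listeners_on_port(text, port)
                   if r["pid"] is not None})


def run_netstat():
    """Live listing (assumes net-tools' netstat; needs root for other users' PIDs)."""
    return subprocess.run(["netstat", "-tulnp"], capture_output=True,
                          text=True).stdout


if __name__ == "__main__":
    for r in listeners_on_port(SAMPLE_NETSTAT, 7054):
        print(r["proto"], r["local"], r["pid"], r["program"])
```

Replace SAMPLE_NETSTAT with `run_netstat()` for a live answer; `ss -tulnp` prints different columns, so it is not parsed here.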
An address can be in use but not shown by lsof, ss or netstat once bind has been used on a SOCK_STREAM socket, but before the named socket has been put into the LISTEN state.
This was found with a test performed using AlmaLinux 8.6 with a 4.18.0-372.19.1.el8_6.x86_64 Kernel.
The source for the test program is in bind_local.c
Start the test program, specifying an IPv6 link-local address and port number (10000) to bind to:

```
[mr_halfword#haswell-alma ibv_message_passing]$ ibv_message_passing_c_project/bin/debug/bind_local/bind_local -6 fe80::207:43ff:fe15:2298%4 -p 10000 -l
fd 3 bound to fe80::207:43ff:fe15:2298 scope-id 4 port 10000
Press enter to listen on port
```

At this point a SOCK_STREAM socket has been created, bind called and getsockname used to get the socket name, which is displayed (i.e. the address the socket has been bound to).
The socket file descriptor the test program has bound is shown as socket 398999:

```
[mr_halfword#haswell-alma ~]$ ls -l /proc/`pgrep bind_local`/fd
total 0
lrwx------. 1 mr_halfword mr_halfword 64 Sep 10 17:08 0 -> /dev/pts/0
lrwx------. 1 mr_halfword mr_halfword 64 Sep 10 17:08 1 -> /dev/pts/0
lrwx------. 1 mr_halfword mr_halfword 64 Sep 10 17:08 2 -> /dev/pts/0
lrwx------. 1 mr_halfword mr_halfword 64 Sep 10 17:08 3 -> 'socket:[398999]'
```

In this state attempting to use nc to listen on port 10000 fails with Address already in use, but neither lsof nor ss show the address:

```
[mr_halfword#haswell-alma ~]$ nc -l 10000
Ncat: bind to :::10000: Address already in use. QUITTING.
[mr_halfword#haswell-alma ~]$ sudo lsof -i -n -P | grep 10000
[mr_halfword#haswell-alma ~]$ sudo ss -nlp | grep 10000
[mr_halfword#haswell-alma ~]$
```
Cause the test program to call listen on the bound socket, by pressing return:

```
Press return to exit
```

Now that the bound socket is in the LISTEN state, attempting to use nc to listen on port 10000 fails with Address already in use, but now lsof and ss show the address and which program is using it:

```
[mr_halfword#haswell-alma ~]$ sudo lsof -i -n -P | grep 10000
bind_loca 16929 mr_halfword    3u  IPv6 398999      0t0  TCP [fe80::207:43ff:fe15:2298]:10000 (LISTEN)
[mr_halfword#haswell-alma ~]$ sudo ss -nlp | grep 10000
tcp   LISTEN 0      1      [fe80::207:43ff:fe15:2298]%enp1s0f4d1:10000   [::]:*   users:(("bind_local",pid=16929,fd=3))
```
I haven't yet tried looking at the Linux Kernel source code to determine if a SOCK_STREAM socket which has been bound to an address by being named, but left in that state, has any user space method which can locate the program using the address.
The reason for the above was investigating how the iwpmd iWARP Port Mapper Daemon was claiming TCP ports, for which I was unable to find a way to list the claimed TCP ports.
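The bound-but-not-listening state described above can be reproduced without bind_local.c. The following is an added example, not the author's program: it binds a TCP socket on 127.0.0.1 (the test above used an IPv6 link-local address) to a kernel-chosen port, does not call listen(), and records that a second bind() already gets EADDRINUSE while the port is absent from /proc/net/tcp, the table `netstat -t` reads; after listen() the port shows up there. The loopback address and the use of port 0 are assumptions made for the demo; the /proc check is Linux-specific and returns None elsewhere.

```python
import errno
import socket


def try_bind(host, port):
    """Bind a fresh TCP socket to host:port; return 0 on success or the errno."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return 0
    except OSError as e:
        return e.errno
    finally:
        s.close()


def port_in_proc_net_tcp(port):
    """True if port appears as a local address in /proc/net/tcp (what netstat -t
    reads for IPv4 TCP sockets); None if the file is not available."""
    try:
        with open("/proc/net/tcp") as f:
            rows = f.readlines()[1:]        # skip the column header
    except OSError:
        return None
    for row in rows:
        local = row.split()[1]              # e.g. 0100007F:1F90 (hex addr:port)
        if int(local.rsplit(":", 1)[1], 16) == port:
            return True
    return False


def probe(host="127.0.0.1"):
    """Hold a SOCK_STREAM socket first bound-only, then listening, and record
    what a competing bind() and /proc/net/tcp see in each state."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind((host, 0))              # kernel picks a free port; no listen() yet
        port = holder.getsockname()[1]      # same idea as the getsockname call above
        before_err = try_bind(host, port)
        before_visible = port_in_proc_net_tcp(port)
        holder.listen(1)
        after_err = try_bind(host, port)
        after_visible = port_in_proc_net_tcp(port)
    finally:
        holder.close()
    return {
        "port": port,
        "in_use_before_listen": before_err == errno.EADDRINUSE,
        "in_use_after_listen": after_err == errno.EADDRINUSE,
        "visible_before_listen": before_visible,
        "visible_after_listen": after_visible,
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```

On a stock Linux kernel this prints in_use_before_listen True with visible_before_listen False, then True for both after listen(): the socket sits only in the kernel's bind hash until listen() adds it to the listening table that /proc/net/tcp, netstat and ss enumerate, which is why the port is reserved yet invisible to those tools. While the socket is in that state, the `ls -l /proc/<pid>/fd` listing above remains the user-space clue that a process holds a socket, without revealing which address.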