tcpdump Web POST content and parse the content
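#!/bin/sh
# Check yesterday's post.pcap file and
# report by Email if there's strange file post actions.
# Put this script in cron to run everyday.
#
# Detection logic: post.pcap-<mm.dd> is the raw capture written by
# tcpdump_post.sh.  A multipart upload carries a Content-Disposition line
# naming the uploaded file, so a "Dispo" line that also mentions php/asp is
# the signal for a script file being posted to the web server.  This is a
# plain substring match (case-insensitive, also hits e.g. "aspx"), not a
# parsed HTTP view, so treat the mail as a prompt to look at the capture.
pcapfile=$(date -d yesterday +%m.%d)   # GNU date; gives mm.dd, e.g. 11.25

# Private temp file instead of a predictable "t" in the working directory;
# removed on every exit path.
hits=$(mktemp) || exit 1
trap 'rm -f -- "$hits"' EXIT

grep -a Dispo "post.pcap-$pcapfile" | grep -aiE "php|asp" > "$hits"
if [ -s "$hits" ]; then
  mail -s "Strange file post action found!" hplc@hplc.org < "$hits"
fi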
#!/bin/sh | |
# Watch the stat of the CIFS directories and rsync whenever a new modification has happened.
# Scan the directories every 2 seconds.
# Run it like this: sh cifs_rsync.sh 2>/dev/null
# That hides the stat errors printed when a directory doesn't exist yet.
# rsync all today's html files
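fast_rsync(){
  # rsync today's html directory of each section to the "sh" mirror.
  # Globals read: news_html, download_html, apply_html, product_html
  # (set by init_mtimes).  The paths are quoted so an unset or odd-valued
  # variable cannot split into extra rsync arguments.
  rsync --progress -avz "$news_html" sh/news/html
  rsync --progress -avz "$download_html" sh/download/html
  rsync --progress -avz "$apply_html" sh/apply/html
  rsync --progress -avz "$product_html" sh/product/html
}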
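init_mtimes(){
  # Compute today's html directory of each section and record its mtime.
  # Globals written: news_html, download_html, apply_html, product_html and
  # the matching *_mtime variables.  A directory that does not exist yet gets
  # mtime 0 (stat prints nothing; its error message is discarded here so the
  # caller need not redirect stderr).
  today=$(date +%Y-%-m-%-d)   # GNU date: %-m/%-d are unpadded, e.g. 2011-1-5
  news_html=bj/news/html/$today
  download_html=bj/download/html/$today
  apply_html=bj/apply/html/$today
  product_html=bj/product/html/$today
  news_html_mtime=$(stat -c%Y "$news_html" 2>/dev/null)
  download_html_mtime=$(stat -c%Y "$download_html" 2>/dev/null)
  apply_html_mtime=$(stat -c%Y "$apply_html" 2>/dev/null)
  product_html_mtime=$(stat -c%Y "$product_html" 2>/dev/null)
  : "${news_html_mtime:=0}"
  : "${download_html_mtime:=0}"
  : "${apply_html_mtime:=0}"
  : "${product_html_mtime:=0}"
}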
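# Main loop: poll the mtime of each directory every 2 seconds and rsync
# when any of them changed.
init_mtimes
printf '%s\n' "$news_html_mtime" "$download_html_mtime" "$apply_html_mtime" "$product_html_mtime"
while :; do   # POSIX loop; the original for (( ; ; )) is a bashism under #!/bin/sh
  sleep 2
  news_html_mtime_new=$(stat -c%Y "$news_html" 2>/dev/null)
  download_html_mtime_new=$(stat -c%Y "$download_html" 2>/dev/null)
  apply_html_mtime_new=$(stat -c%Y "$apply_html" 2>/dev/null)
  product_html_mtime_new=$(stat -c%Y "$product_html" 2>/dev/null)
  # A missing directory yields empty output; treat it as mtime 0 like init_mtimes.
  : "${news_html_mtime_new:=0}"
  : "${download_html_mtime_new:=0}"
  : "${apply_html_mtime_new:=0}"
  : "${product_html_mtime_new:=0}"
  if [ "$news_html_mtime_new" != "$news_html_mtime" ] \
    || [ "$download_html_mtime_new" != "$download_html_mtime" ] \
    || [ "$apply_html_mtime_new" != "$apply_html_mtime" ] \
    || [ "$product_html_mtime_new" != "$product_html_mtime" ]; then
    echo
    date
    fast_rsync
    # Re-read paths and mtimes after a sync.  NOTE: the paths are only
    # recomputed here, so after midnight the new day's directory is not
    # watched until the previous day's directory changes once more.
    init_mtimes
  fi
done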
#!/bin/sh | |
# There are some bugs in cifs_rsync.sh:
# Judging by the directory stat information, it would not rsync instantly.
# rsync all today's html sub-directories of news, download, apply, product.
# rsync all today's upload images.
# rsync all today's html files
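fast_rsync(){
  # rsync today's html directory of each section to the "sh" mirror.
  # Globals read: news_html, download_html, apply_html, product_html
  # (set by init_mtimes).  Quoted so an unset or odd-valued variable cannot
  # split into extra rsync arguments.
  rsync --progress -avz "$news_html" sh/news/html
  rsync --progress -avz "$download_html" sh/download/html
  rsync --progress -avz "$apply_html" sh/apply/html
  rsync --progress -avz "$product_html" sh/product/html
}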
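init_mtimes(){
  # Set today's html directory of each section (globals news_html,
  # download_html, apply_html, product_html).  The date is taken once so the
  # four paths cannot disagree when the call straddles midnight.
  today=$(date +%Y-%-m-%-d)   # GNU date: %-m/%-d are unpadded, e.g. 2011-1-5
  news_html=bj/news/html/$today
  download_html=bj/download/html/$today
  apply_html=bj/apply/html/$today
  product_html=bj/product/html/$today
}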
# rsync all today's upload images | |
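fast_rsync_images(){
  # rsync today's upload-image directories in parallel and wait for all of
  # them.  The original returned while most rsyncs were still running in the
  # background, so a caller that loops every 2 seconds piled up overlapping
  # copies; "wait" makes one call finish before the next starts.
  local padded unpadded sub
  padded=$(date +%Y-%m-%d)       # zero-padded, e.g. 2011-01-05
  unpadded=$(date +%Y-%-m-%-d)   # GNU date, unpadded, e.g. 2011-1-5
  for sub in apply download news study losefile product supply; do
    rsync --progress -av "bj/eWebEditor/uploadfile/$sub/$padded" "sh/eWebEditor/uploadfile/$sub" &
  done
  for sub in applys company news product supply TuiJian; do
    rsync --progress -av "bj-images/$sub/$unpadded" "sh-images/$sub" &
  done
  # company has a second directory that uses the zero-padded date form.
  rsync --progress -av "bj-images/company/$padded" sh-images/company &
  wait
}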
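# Main loop: every 2 seconds recompute today's paths and rsync both the html
# directories and the upload images, unconditionally.
while :; do   # POSIX loop; the original for (( ; ; )) is a bashism under #!/bin/sh
  sleep 2
  init_mtimes
  fast_rsync
  fast_rsync_images
done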
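<?php
// Parse pcap file saved by tcpdump_post.sh. File name looks like post.pcap-11.26
// Get all post files and save them to month.day sub-directory like 11.26/
// Usage: php get_post_content.php post.pcap-11.26
//
// File-system work (delete/create the day directory, rename the extracted
// file, CRLF and blank-line cleanup of the header list) is done with PHP's
// own functions rather than backtick shell commands.  $file_type is cut
// straight out of the captured request body, so whoever sent the POST chose
// it; interpolating it into a shell command line (`mv ... $i.$file_type`)
// let that data be parsed as shell syntax.  $dir is derived from argv and is
// checked to be a plain directory name before anything is deleted.

if ($argc < 2 || !is_readable($argv[1])) {
    fwrite(STDERR, "Usage: php get_post_content.php post.pcap-MM.DD\n");
    exit(1);
}

// Delete a directory tree (replacement for `rm -rf $dir`); symlinks are
// unlinked, not followed.
function remove_tree($path) {
    if (is_dir($path) && !is_link($path)) {
        foreach (scandir($path) as $entry) {
            if ($entry === '.' || $entry === '..') continue;
            remove_tree($path . '/' . $entry);
        }
        rmdir($path);
    } else {
        unlink($path);
    }
}

// Loop counter (becomes a zero-padded string once the first file is written)
$i=0;
// Mkdir an empty 11.26/ sub-directory, named after the last 5 chars of the pcap name
$dir = substr($argv[1],-5);
if ($dir === false || $dir === '' || $dir === '.' || $dir === '..' || strpos($dir, '/') !== false) {
    fwrite(STDERR, "Refusing to use '" . $dir . "' as the output directory\n");
    exit(1);
}
if (file_exists($dir)) remove_tree($dir);
mkdir($dir);
// Save necessary headers to 11.26/post_header.txt
$fp_header = fopen($dir . '/post_header.txt', 'a');
$str = file_get_contents($argv[1]);
$start = strpos($str, "POST ");
// A file part presumably looks like `filename="x.ext"\r\nContent-Type: ...`,
// so the three bytes before the marker are the tail of the uploaded file name.
$content_type = strpos($str, "\"\r\nContent-Type: ", $start);
$file_type = substr($str, $content_type-3, 3);
$end = strpos($str, "POST " , $start+1);
// Loop to find every POST
while ($start != FALSE){
    if ($i>0) $end = 1;
    // Sub-loop to find file upload POST: skip a POST whose next POST comes
    // before any Content-Type marker, or whose 3-byte tail still holds the
    // opening quote (a file name shorter than three characters)
    while ($end != FALSE and $end < $content_type or strpos($file_type, '"')) {
        $start = strpos($str, "POST ", $start+1);
        $content_type = strpos($str, "\"\r\nContent-Type: ", $start);
        $file_type = substr($str, $content_type-3, 3);
        $end = strpos($str, "POST " , $start+1);
    }
    // Save upload file content to 11.26/file
    // The content may not be file's full content for tcpdump ONLY catch the first POST TCP packet
    // So tcpdump doesn't catch all the following TCP packets that also belong to the upload file
    $fp_file = fopen($dir . '/file', 'w');
    $i++;
    $post_content = substr($str, $start, $end?$end-$start:NULL);
    // For DEBUG
    // if ($i==219) {echo $start . "\n" . $end;echo "\n" . $file_type . " " . strlen($post_content);echo "\n" . $post_content;}
    // Request line, then the second header line, then the X-Forwarded-For line
    $first_return = strpos($post_content, "\r\n");
    $post_url = substr($post_content, 0, $first_return);
    $second_return = strpos($post_content, "\r\n", $first_return + 2);
    $host = substr($post_content, $first_return, $second_return-$first_return);
    $post_forwarded = strpos($post_content, "X-Forwarded-For: ");
    $first_return = strpos($post_content, "\r\n", $post_forwarded);
    $post_forwarded = substr($post_content, $post_forwarded, $first_return-$post_forwarded);
    fwrite($fp_header, $post_url . $host ."\n" . $post_forwarded);
    // Every Content-Disposition part header plus the two lines after it
    preg_match_all("/Content-Disposition:.*\r\n.*\r\n.*\r\n/", $post_content, $out);
    foreach ($out[0] as $header_str){
        fwrite($fp_header, "\n" . $header_str);
    }
    // Multipart boundary; the file body runs from the last Content-Type
    // marker's blank line to the last boundary (or to the end of the packet)
    $post_boundary = strpos($post_content, "; boundary=");
    $first_return = strpos($post_content, "\r\n", $post_boundary);
    $boundary_str = "--" . substr($post_content, $post_boundary+11, $first_return-$post_boundary-11);
    $file_start = strrpos($post_content, "\"\r\nContent-Type: ");
    $file_type = substr($post_content, $file_start-3, 3);
    $file_start = strpos($post_content, "\r\n\r\n", $file_start);
    $file_end = strrpos($post_content, $boundary_str);
    if ($file_end > $file_start)
        $file = substr($post_content, $file_start+4, $file_end-$file_start-4);
    else
        $file = substr($post_content, $file_start+4);
    fwrite($fp_file, $file);
    fclose($fp_file);
    if ($i < 10) $i ="000" . $i;
    elseif ($i < 100) $i ="00" . $i;
    elseif ($i < 1000) $i ="0" . $i;
    // Keep only file-name-safe characters from the captured extension before
    // using it as part of a path; rename() needs no shell at all.
    $ext = preg_replace('/[^A-Za-z0-9_.-]/', '_', $file_type);
    rename($dir . '/file', $dir . '/' . $i . '.' . $ext);
}
// Loop to find all POST end
fclose($fp_header);
// Normalise CRLF to LF and drop empty lines (what `dos2unix -q` followed by
// `sed '/^$/d'` did), writing the result to header.txt.
$raw = str_replace("\r\n", "\n", file_get_contents($dir . '/post_header.txt'));
$kept = array();
foreach (explode("\n", $raw) as $line) {
    if ($line !== '') $kept[] = $line;
}
file_put_contents($dir . '/header.txt', count($kept) ? implode("\n", $kept) . "\n" : '');
unlink($dir . '/post_header.txt');
?>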
#!/bin/sh | |
# rsync index files. | |
fast_rsync(){
  # Sync the site-wide index page and sitemap, then each section's index page,
  # in the same order as before.
  local section
  rsync --progress -avz bj/index.html sh/
  rsync --progress -avz bj/sitemap.xml sh/
  for section in apply company download news product special supply; do
    rsync --progress -avz "bj/$section/index.html" "sh/$section/"
  done
}
fast_rsync_products(){
  # Sync the index page of every product category (order preserved).
  local category
  for category in INVETEr HV-Inverter sensor electric hmi ipc soft bus vision \
      fluid robot plc embedded servo ins elec drive control ethernet Component \
      safety power rtu; do
    rsync --progress -avz "bj/products/$category/index.html" "sh/products/$category/"
  done
}
fast_rsync_trader(){
  # Sync the index page of every trade/industry section (order preserved).
  local trade
  for trade in Energy mach metallurgy electricpower petro textile traffic paper \
      smartbld plastic cm logistics auto water medicine bm; do
    rsync --progress -avz "bj/trader/$trade/index.html" "sh/trader/$trade/"
  done
}
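# Main loop: re-sync every index page, for ever.  There is no sleep; one pass
# is throttled only by how long the rsync calls take.
while :; do   # POSIX loop; the original for (( ; ; )) is a bashism under #!/bin/sh
  echo
  date
  fast_rsync &
  fast_rsync_products
  fast_rsync_trader
  # fast_rsync_images is not defined in this file (a function of that name
  # exists in another script of this set); guard the call so a missing
  # definition does not print "command not found" on every pass.
  if command -v fast_rsync_images >/dev/null 2>&1; then
    fast_rsync_images
  fi
  # Let the backgrounded fast_rsync finish before the next pass, otherwise
  # overlapping copies of it accumulate.
  wait
done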
#!/bin/sh | |
# Watch the status of the post.pcap file created by tcpdump.
# Do rsync if there's a new file POST action.
# Requires inotify-tools.
# wc_diff: check whether post.pcap-month.day has a new file POST action
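wc_diff(){
  # Count the "Content-Disposition ... file" lines in today's capture and run
  # fast_rsync when that count grew since the last call.
  # Globals written: original_wc (also persisted in ./original_wc), pcapfile, new_wc.
  pcapfile=$(date +%m.%d)
  original_wc=$(cat original_wc 2>/dev/null)
  : "${original_wc:=0}"   # missing or empty state file: start from 0
  [ ! -e "post.pcap-$pcapfile" ] && touch "post.pcap-$pcapfile"
  new_wc=$(grep -a Dispo "post.pcap-$pcapfile" | grep -ac file)
  if [ "$new_wc" -le 1 ] ; then
    original_wc=0
  fi
  if [ "$new_wc" -gt "$original_wc" ] ; then
    original_wc=$new_wc
    date
    echo "$original_wc"
    fast_rsync >> rsync.log 2>&1
    # Plain redirection; the original wrapped this in backticks, which only
    # ran it in a subshell and discarded its (empty) output.
    echo "$original_wc" > original_wc
  fi
}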
# rsync all today's upload images | |
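fast_rsync(){
  # rsync today's upload-image directories in parallel and wait for all of
  # them.  The original returned while most rsyncs were still running in the
  # background, so repeated calls piled up overlapping copies; "wait" makes
  # one call finish before the caller continues.
  local padded unpadded sub
  padded=$(date +%Y-%m-%d)       # zero-padded, e.g. 2011-01-05
  unpadded=$(date +%Y-%-m-%-d)   # GNU date, unpadded, e.g. 2011-1-5
  for sub in apply download news study losefile product supply; do
    rsync --progress -av "bj/eWebEditor/uploadfile/$sub/$padded" "sh/eWebEditor/uploadfile/$sub" &
  done
  for sub in applys company news product supply TuiJian; do
    rsync --progress -av "bj-images/$sub/$unpadded" "sh-images/$sub" &
  done
  # company has a second directory that uses the zero-padded date form.
  rsync --progress -av "bj-images/company/$padded" sh-images/company &
  wait
}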
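# Initial full sync, reset the persisted count, then block on inotify and
# re-check the capture after every MODIFY event.
fast_rsync >> rsync.log 2>&1
echo "0" > original_wc
while true; do
  pcapfile=$(date +%m.%d)
  # Make sure today's capture exists so inotifywait has a file to watch.
  [ ! -e "post.pcap-$pcapfile" ] && touch "post.pcap-$pcapfile"
  # A timeout makes the loop come back here and recompute the file name, so
  # the watch moves on to the next day's capture instead of blocking for ever
  # on yesterday's file (inotifywait exits 2 when the timeout expires).
  EVENT=$(inotifywait -q -t 60 --format '%e' "post.pcap-$pcapfile")
  rc=$?
  case $rc in
    0) ;;
    2) continue ;;
    *) exit "$rc" ;;
  esac
  [ "$EVENT" = "MODIFY" ] && wc_diff
  # [ "$EVENT" = "MODIFY" ] && echo 'file modified!'
  # [ "$EVENT" = "DELETE_SELF" ] && echo 'file deleted!'
done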
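#!/bin/sh
# http://superuser.com/questions/286062/practical-tcpdump-examples
# tcpdump everyday (86400 seconds) HTTP POST content to a file like post.pcap-month.day
# For tcpdump to work, must run as root.
# For tcpdump Version 3.9 in CentOS 5.6: default -s snaplen is 96 bytes
#   /usr/sbin/tcpdump -Ai eth1 -w post.pcap-`date +%m.%d` -Z root -s 65535 \
#     'dst host 192.168.168.208 ...'
# For tcpdump Version 4.1 in CentOS 6.0: default -s snaplen is 65535 bytes
#   tcpdump -Ai eth1 -w post.pcap-%m.%d -Z root -G 86400 \
#     'dst host 192.168.10.5 ...'
#
# The interface and the web server address can be overridden from the
# environment; the defaults are the values that used to be hard-coded.
: "${IFACE:=eth1}"
: "${WEB_HOST:=192.168.10.5}"

# 1347375956 is 0x504F5354, the ASCII bytes "POST".  The tcp[N:4] tests look
# for that word at every 4-byte offset from 20 to 60, i.e. wherever the payload
# can start given a TCP header of 20 to 60 bytes.
# -G 86400 rotates the output file daily; the %m.%d in its name is expanded by
# tcpdump (strftime) at each rotation.  -Z root keeps the process running as
# root after the interface is opened, so privileges are NOT dropped.
# The trailing & leaves tcpdump running after this script exits.
tcpdump -Ai "$IFACE" -w post.pcap-%m.%d -Z root -G 86400 \
  "dst host $WEB_HOST
  and tcp port 80
  and (tcp[20:4] = 1347375956
  or tcp[24:4] = 1347375956
  or tcp[28:4] = 1347375956
  or tcp[32:4] = 1347375956
  or tcp[36:4] = 1347375956
  or tcp[40:4] = 1347375956
  or tcp[44:4] = 1347375956
  or tcp[48:4] = 1347375956
  or tcp[52:4] = 1347375956
  or tcp[56:4] = 1347375956
  or tcp[60:4] = 1347375956)" &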