#!/bin/bash
# tcpoo3 - colorize live tcpdump output by traffic class (web, ssh, dns, arp, ...).
#
# Usage (taken from the --help text below):
#   tcpoo3 [tcpdump options] [hostname]  - last argument is the host whose traffic
#                                          is highlighted; everything before it is
#                                          passed through to tcpdump
#   tcpoo3                               - autodetect interface and IP via route/ifconfig
#   tcpoo3 --help
#
# How it works: the script does not run tcpdump itself. It writes a helper shell
# script, ./testfile.out, containing a tcpdump | awk | sed | awk pipeline whose
# awk rules are built around the host argument ($1), marks it executable and
# runs it.
#
# NOTE(review): the helper has a fixed, predictable name in the current working
# directory and is overwritten, chmod'ed and executed on every run; $a (tcpdump
# options) and $1 (host) are pasted into it unquoted, both as shell text and
# inside awk regular expressions, so shell- or regex-special characters in the
# arguments alter the generated program. A private temp file (mktemp) with
# cleanup on exit, plus quoting of the interpolated values, would remove this.
if [ $# -eq 1 ]; then
  # Exactly one argument: only "--help" is recognised in this branch.
  # NOTE(review): any other single argument (e.g. a bare hostname) matches
  # nothing here and the script exits without running tcpdump.
  if [ $1 == "--help" ]; then
    echo
    echo 'tcpoo3 colorizing script by pete lesko (djekz @ djekz.com)'
    # NOTE(review): unquoted "[hostname]" is a glob bracket expression and will
    # expand if a single-character file named h/o/s/t/n/a/m/e exists in the CWD.
    echo Usage : tcpoo3 [tcpdump options] [hostname]
    echo
    echo "-n is implied because it takes longer "
    echo "for the script to run while resolving hostnames"
    echo
    echo ex.
    echo tcpoo3 -vvv -i eth1 192.168.0.1
    echo
    echo when run with no arguments it will
    echo default to autodetect your first listed
    echo internet ip in ifconfig
    echo
    # Append tcpdump's own option summary to the help text.
    tcpdump --help
  fi
else
  if [ $# -lt 1 ]; then
    # No arguments: autodetect. Interface = field 8 of the "default" line of
    # `route`; IP = field 2 of the second line of `ifconfig <iface>` with the
    # "addr:" prefix stripped. This assumes the legacy net-tools output layout
    # ("inet addr:1.2.3.4") - presumably breaks on iproute2-style output; verify.
    INETIFACE=`route|awk '/default/ {print $8}'`
    INETIP=`ifconfig $INETIFACE\
    |head -n2 |tail -n1\
    |awk '{print $2}'|sed 's/addr\://'`
    # Earlier autodetection approach, left commented out by the author.
    # INETIP=`ifconfig\
    # |awk '/inet addr/ && !/192\.168/ && !/127\.0\.0\.1/ && !/addr:10./ {print $2}'\
    # |sed -e 's/addr://g'`
    # TEMPVAR=`ifconfig\
    # |grep -n $INETIP|awk '{print $1}'|sed -e 's/://g'`
    # TEMPVAR=$[ TEMPVAR - 1 ]
    # INETIFACE=`ifconfig| head -n$TEMPVAR |tail -n1|awk '{print $1}'`
    # tcpdump options: capture on the detected interface ...
    a="-i "$INETIFACE
    # ... and make the detected IP the host argument ($1) used by the awk rules.
    set "$INETIP"
  else
    # Two or more arguments: all but the last are collected into $a as
    # space-separated tcpdump options; the last one remains in $1 as the host.
    a=""
    while [ $# -gt 1 ]; do
      a=$a$1" "
      shift
    done
  fi
  # Reset terminal attributes and clear the screen before generating the helper.
  echo -e "\33[0m"
  clear
  # Generate ./testfile.out (overwritten each run): first a banner with the
  # start time ...
  echo "echo \"tcpoop started --- \"\`date\`" > testfile.out
  # ... then the pipeline as one multi-line command: tcpdump -l (line-buffered)
  # -n (no name resolution, as the help text says), lines numbered by awk,
  # ": " collapsed to " " by sed, then classified by the awk rules below. Each
  # rule prefixes the packet line with an ANSI colour code and a label and
  # resets the colour afterwards. The '"'"' sequences place a literal single
  # quote into the generated script; $a and $1 are expanded here, at generation
  # time, so the host appears literally inside the awk regexes.
  # NOTE(review): the -NETBIOS- rule omits the trailing "\33[0m" reset, and the
  # REDALERT rule tests /who has/ where every other rule uses /who-has/.
  echo 'tcpdump -ln '$a' \
| awk '"'"'{print NR, $0}'"'"' \
| sed -e '"'"'s/\: /\ /g'"'"' \
| awk '"'"' \
/'$1'.80 / {print "\33[0;36;1m-WEB TRAFFIC-" $0 "\33[0m"}
/'$1'.443 / {print "\33[0;36;44m-WEB SECURE-" $0 "\33[0m"}
!/'$1'.80 / && /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.80 / {print "\33[0;32;1m-SURFING-" $0 "\33[0m"}
!/'$1'.443 / && /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.443 / {print "\33[0;32;44m-SECURE SURF-" $0 "\33[0m"}
/'$1'.666 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.666 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.ssh / {print "\33[0;1;44m-SSH-" $0 "\33[0m"}
/'$1'.53 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.53 / {print "\33[0;35;1m-DOMAIN-" $0 "\33[0m"}
/icmp/ {print "\33[0;1m-PING-" $0 "\33[0m"}
!/arpa/ && ( /arp/ || /who-has/ ) {print "\33[0m-ARP-" $0 "\33[0m"}
/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.21 / {print "\33[0;31;43m-FTP-" $0 "\33[0m"}
/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.27960 / {print "\33[0;30;42m-QUAKE3-" $0 "\33[0m"}
/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.6699 / {print "\33[0;35;43m-P2P-" $0 "\33[0m"}
/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.25 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.993 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.113 / {print "\33[0;30;47m-EMAIL-" $0"\33[0m"}
/'$1'/ && ( /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.137 / || /NBT UDP/ || /\.445 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.139 / || /[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.135 / ) {print "\33[0;37;43;1m-NETBIOS-" $0}
!/'$1'/ && !/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.80/ && !/NOV-/ && !/IPX/ && !/802.1d/ && !/ethertype/ && !/0x00/ && !/ipx/ && !/arp/ && !/who-has/ && !/icmp/ && !/.ssh/ && !/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.666 / && !/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\.6699 / {print "\33[0;31;1m--BROADCAST-- " $0 "\33[0m"}
!/'$1'/ && /NOV-/ || /IPX/ || /802.1d/ || /ethertype/ || /ipx/ || / 0x00/ {print "\33[0;30;45;1m-NOVELL-" $0 "\33[0m"}
/'$1'/ && !/> '$1'/ && !/\.135 . / && !/\.113 . / && !/\.139 . / && !/\.445 . / && !/NBT UDP/ && !/\.443/ && !/\.27960 / && !/\.993 / && !/\.25 . / && !/\.80 . / && !/\.53 ../ && !/'$1'\.666 / && !/bootp/ && !/\.21 . / && !/\.6699 / && !/arp/ && !/who has/ && !/\.22 . / && !/icmp/ {print "\33[0;37;41;1m!--REDALERT--!" $0 "\33[0m"}
/> '$1'/ && !/\.135 . / && !/\.113 . / && !/\.139 . / && !/\.445 . / && !/\.443/ && !/NBT UDP/ && !/\.27960 / && !/\.993 / && !/\.25 . / && !/\.80 . / && !/\.53 ../ && !/'$1'.666 / && !/bootp/ && !/\.21 . / && !/\.6699 / && !/arp/ && !/who-has/ && !/\.22 . / && !/icmp/ {print "\33[33;41;1m--ALERT-- " $0 "\33[0m"}'"'" >> testfile.out
  # Trailer of the generated helper: reset colours and print the stop time.
  echo "echo -e \"\33[0m\"\\n" >> testfile.out
  echo "echo \"tcpoop stopped ---- \"\`date\`" >> testfile.out
  clear
  # Make the generated helper executable (owner only) and run it from the CWD.
  chmod 700 testfile.out
  ./testfile.out
fi