0

我编写了用于监控默认网关的 MAC 地址的脚本,如果发现 ARP 攻击则发出警报。但是我在执行中遇到了一些错误。

我不能用正则表达式返回结果。这是针对 linux 脚本的

#!/bin/bash
function getmac {
dg = netstat -rn | grep -Eo 'default.*([0-9]{1,3}\.){3}[0-9]{1,3}'  #grab the default gateway (DG)
dg_ip= $dg | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'         #strip the DG to just IP
dg_arp = arp -a | grep -w $dg_ip                                    #grab the arp entry for DG
dg_mac=$(echo $dg_arp | grep -Eo '[0-9a-f]{1,2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}') #strip the ARP entry to just the MAC
echo "netstat shows "$dg
echo "DG IP shows "$dg_ip
echo "arp shows "$dg_arp
echo "DG MAC shows "$dg_mac
}

提前感谢,对不起我的英语。

4

1 回答 1

1

我建议您使用类似的工具arpwatch

但是,当您请求帮助时,我准备了一个 bash 函数,它应该可以满足您的需求:

#!/bin/bash

# The function expects an interface name
# such as 'eth0' as param
#
function getmac {
    interface="$1"
    # grab the ip of the default gateway
    dg=`route -n | grep UG | grep "$interface"`
    # extract the IP from netstat's output
    dg_ip=`echo "$dg" | awk '{print $2}'`
    # grab the arp entry for default gateway
    dg_arp=`arp -a "$dg_ip"`                                    
    # strip the ARP entry to just the MAC
    dg_mac=`echo "$dg_arp" | awk '{print $4}'`

    # output
    echo "netstat shows $dg"
    echo "DG IP shows $dg_ip"
    echo "arp shows $dg_arp"
    echo "DG MAC shows $dg_mac"
}

# test it with eth0
getmac "eth0" 
于 2013-03-25T01:15:52.930 回答